0

I have two web applications which need to communicate data between them, for example when an employee is added in Application A, i make a CURL request / POST request ** and pass some of the employee data and Store it in **Application B.

The functionality is working fine, now i want to make the request flow secure, these two application i.e. Application A and Application B are on two different WebServers built on different technologies. One in PHP and Other in Java.

So when a record is added in PHP i send CURL request and save data in java. **The PHP application is built for distribution which would be sent to the end users.**

How i can make sure that the POST requests i send are secure. Any ideas?

opensource-developer
  • 2,826
  • 4
  • 38
  • 88
  • May help you: [How to secure sending Post data through cURL?](http://stackoverflow.com/questions/22477266/how-to-secure-sending-post-data-through-curl) – Debflav Aug 27 '14 at 07:27

2 Answers2

1

How i can make sure that the POST requests i send are secure.

Well, the answer depends. Who do you want to make the requests secure from? What kinds of attacks are you worried about? I'll go through a few possible vectors here:

The End User

It is impossible to protect against an end user attacking your system.

Given that you're distributing the application to them, and they control the networking stack, it's literally impossible to 100% protect against the user from doing something nefarious.

You could obfuscate the source, and do all sorts of tricks to make it harder, but ultimately if the user has the program, and its running on their hardware, they can do what they want with it. Including attempting to extract encryption or authentication keys from the application.

An External Attacker

To protect against an external attacker without access to either system, there are some steps to take.

  1. Use SSL for the communication.

    This encrypts the traffic so that an attacker cannot see or modify the data in transit.

  2. Use certificate pinning

    In the application that you ship to the client, include a copy of the certificate that you use for your server. That way you can detect an attacker who tries to masquerade as your server (via DNS spoofing, or other attacks).

  3. Verify SSL Peers.

    This forces CURL to check the certificates to ensure they match.

  4. Authenticate the client using secure cryptography

    Generate a public key / private key pair. Store the private key on the client, and the public key on the server.

    When issuing a request, sign it using the private key, the time of the request.

    On the server, when you get the request, validate that the request time is greater than the last seen request (to prevent replay attacks). Then validate the signature using the private key, then store the request time as the last seen request.

Don't roll your own crypto. It won't help. Security Through Obscurity is not security. At least when it involves cryptography...

ircmaxell
  • 163,128
  • 34
  • 264
  • 314
0

Here are some points which may result in surity of secure data transfer:

  • Use of SSL requests will be helpful.
  • Use an app token which will only known to applications. So while receiving and sending data you verify that token.
  • Try encrypted data transfer using some mechanism known to applications only, if don't want to use SSL.
  • Your own Algorithm to encrypt decrypt the request and its parameters, which only the receiving, sending applications will be knowing.
  • Many more..
Coder anonymous
  • 917
  • 1
  • 8
  • 25
  • Thanks Coder for your reply, Actually the PHP application is built to be distributed for other to use. So how can i make tokens that both application know. – opensource-developer Aug 27 '14 at 07:30
  • @opensource-ios , make an encryption algorithm (not really complex, just make sure it's not simple base64 or str_rot, combine them, add delimiters etc.), as far as PHP is concerned, it may be distributed to other use but the technique you're using on your server is only for you. (server-side data stays server-side unless you leave some security flaws open). Do the same algorithm back in your java application and decode the data on arrival. This way, if others can intercept data, they will get it encoded while having no algorithm to decode. They will surely try some basic decoding though. – Eduard Aug 27 '14 at 07:39
  • Hi Edduvs, Thanks for your repl, I am a bit confued, if i implement the encryption alogirth on PHP side, any one who check the source code will be able to encrypt the data rite and send requests? – opensource-developer Aug 27 '14 at 07:48
  • use a predefined algorithm which will generate a code on runtime just before sending a request and then the app receiving it will only have the decoding algorithm for that code. – Coder anonymous Aug 27 '14 at 10:48
  • Just like the payment gateways..they apply the same mechanism, they provide a algorithm to generate a code to send along with request or to encrypt request params with it, which they decode while receiving request data. – Coder anonymous Aug 27 '14 at 10:50