
We have a PHP REST API and an AngularJS client.

We don't have and won't have any native clients, only the browser.

An attacker has made a fake website with fake accounts doing all payments with it, and our goal is to prevent that.

Now we found a way to prevent a website server from accessing our API, and the browser can't make the cross-domain request, but nothing prevents an attacker from making a desktop app that accesses our API.

How can we detect that the client is a browser and not a native client?

PS: I know that browsers can be embedded in desktop apps, and for now I'm OK with that; just not a pure native client.

  • You cannot: A browser is a native client. – KIKO Software Mar 13 '18 at 10:14
  • I think your problem is somewhere in the separation of functionalities between your frontend and your backend code. If the security-relevant functionalities were all on the server side, why would you care if an *attacker* created a desktop app for your users to use? He can only control the frontend. Also, you can warn your users about his malware to prevent them from harm. – Philipp Maurer Mar 13 '18 at 10:27

1 Answer


The only way to achieve this result is to do a challenge-response mechanism with JavaScript, so a "native client" would have to parse and evaluate the result, which is difficult without embedding a browser or a JavaScript V8 engine.

Just have PHP print a token into the JavaScript, and then the JS would have to do cryptographic calculations. The more polymorphic it is, the more difficult it will be to implement an automated bot without an embedded browser.

However, you cannot stop a native application with a JavaScript interpreter like Google's V8 engine (which is heavy in size but really fast).

  • I don't understand your answer – niceman Mar 13 '18 at 13:02
  • So... your PHP should generate a token and put it in the JavaScript by echoing it. Then the JS code, when run in the browser, must do some calculations on the token and generate a response that PHP can mark as valid when the API request is done. This calculation should not be a simple static hash, because a native client could reproduce it without running the JS code. Instead it should be very dynamic. It is not an easy task, so do you really need it? – GrowingBrick Mar 13 '18 at 13:06