I'm developing an API where a website owner submits their website url to a database, when the user uses the API the javascript hostname gets sent to our database and gets checked against the string they submitted when registering. Is it possible for a malicious user to spoof their hostname? If so, are there safer practices?
Asked
Active
Viewed 2,257 times
1
-
2I'm not sure I understand. I could choose to send you an arbitrary string without having to 'spoof' anything. – Jul 08 '11 at 03:08
-
The API checks your hostname against the string via javascript. – Trevor Jul 08 '11 at 03:15
-
maybe document.domain would be better? http://stackoverflow.com/questions/4226111/javascript-difference-between-location-hostname-and-document-domain – Ben Jul 08 '11 at 03:21
-
@Ben, that can likewise be changed. – Michael Aaron Safyan Jul 08 '11 at 03:23
-
What are you trying to do with this? What sort of information are you trying to verify? – Michael Aaron Safyan Jul 08 '11 at 03:24
1 Answers
3
Anyone can send an arbitrarily constructed HTTP request; the referer headers or the properties of window.location cannot be trusted (even if the user cannot change the contents of window.location in their browser -- at least not without causing a navigation -- the user can always observe what requests get generated as a result of that value, and then send an HTTP request with that altered).
If that will be an issue, then you will probably want to use digital signatures along with the domain to ensure that the domain has not been altered (i.e., changing the domain without changing the signing token will render the request invalid, and generating a signing token from the domain is not obvious and requires some server-side backend mechanism that you provide to the customers of your API).
Michael Aaron Safyan
- 93,612
- 16
- 138
- 200