Denial of Service attack on Parse.com app


Question


I'm writing a small web application as I'm learning to use the features of Parse.com.


Since application_id and javascript_key are both public (as explained in the doc), it means anyone is free to run code like illustrated in the following snippet:

// Request rate the script aims for; it was left undefined in the original snippet.
// The page states the free plan's limit is 30 requests/s, so that value is used here.
// Assumes the Parse JavaScript SDK is already loaded and initialised with the
// (public) application id and JavaScript key.
var hitsPerSecond = 30;

function sendRequest(){
    // Any query will do; the point is only that each call counts as an API request
    var query = new Parse.Query(Parse.User);
    query.find({
        success: function(results) {
            console.log("Request successful");
        },
        error: function(error) {
            console.log("Request error: " + error.code + " " + error.message);
        }
    });
}

// Issue requests at the chosen rate
setInterval(sendRequest, (1000 / hitsPerSecond));


I think it can lead to "DOS" attacks pretty easily - anyone willing to bring this app down would only need to recover the public keys and send lots of requests.


Edit: Accounts have a request/s limit (the free plan begins at 30), but using this simple script one can saturate any subscription plan.


Considering this is correct, is there any good practice against this? Any pattern to apply?

Thanks in advance
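The question's edit notes that Parse accounts have a per-second request budget and that a single flooding client can exhaust it. The following is an added example, not code from the question or from Parse, showing how a server you control (a proxy or Cloud Code layer in front of the API) could enforce a per-client sliding-window budget and flag the client that exceeds it. The request log, the client names, and the use of the question's figure of 30 requests/s as the threshold are all constructed assumptions for illustration.

```javascript
// Added example: per-client sliding-window rate limiter (not Parse SDK code).
// The 30 req/s threshold is the free-plan figure quoted in the question;
// client ids and the request log below are constructed sample data.

const LIMIT_PER_SECOND = 30;
const WINDOW_MS = 1000;

class SlidingWindowLimiter {
  constructor(limit = LIMIT_PER_SECOND, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // clientId -> timestamps (ms) still inside the window
  }

  // Returns true if the request fits the client's budget, false if it is over.
  allow(clientId, nowMs) {
    const stamps = this.hits.get(clientId) || [];
    // Evict timestamps that have fallen out of the window
    while (stamps.length && nowMs - stamps[0] >= this.windowMs) stamps.shift();
    let allowed = false;
    if (stamps.length < this.limit) {
      stamps.push(nowMs);
      allowed = true;
    }
    this.hits.set(clientId, stamps);
    return allowed;
  }
}

// Replay a request log of {client, t} entries (t in ms) through the limiter and
// report how many were allowed, how many rejected, and which clients were cut off.
function replay(log, limiter = new SlidingWindowLimiter()) {
  let allowed = 0;
  let rejected = 0;
  const offenders = new Set();
  for (const { client, t } of log) {
    if (limiter.allow(client, t)) {
      allowed++;
    } else {
      rejected++;
      offenders.add(client);
    }
  }
  return { allowed, rejected, offenders: [...offenders].sort() };
}

// Constructed log: "flooder" behaves like the setInterval script (100 calls in
// one second), "normal" makes 5 calls spread over the same second.
function buildSampleLog() {
  const log = [];
  for (let i = 0; i < 100; i++) log.push({ client: 'flooder', t: i * 10 });
  for (let i = 0; i < 5; i++) log.push({ client: 'normal', t: i * 200 });
  return log.sort((a, b) => a.t - b.t);
}

console.log(replay(buildSampleLog()));
```

This only helps where requests actually pass through something you control; a client holding the public keys can still call Parse directly, which is why the accepted answer's advice about tightening permissions matters more than any limiter you add yourself.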

Answer



Yes, your Parse JavaScript keys are public

They have to be defined inside your JavaScript files, which can be openly accessed.


It is not said that you can't try to hide your keys by applying the principles of


You can encrypt your keys and place the decryption function right inside your JavaScript. You can further make it harder to find by hiding that function in the middle of a large nasty script that nobody would enjoy, and then minify your JavaScript (which you should be doing anyway). I am sure it is possible to get even "more creative" and reach some reasonable perfection :-)


It remains, however, possible in principle for a sufficiently motivated hacker to reverse-engineer your program and get the keys. Still, you can make it hard enough that the hacker will likely look for easier targets, of which there are plenty, as we know ;-)


Whether you applied the previous principles or not, your golden rule should be to tighten your Parse (or any other server, for that matter) permissions as much as possible.


This will prevent bad things like your data getting destroyed, which is worse than a DoS attack.


That would still permit anyone who knows your keys to abuse them, not only by DoS but also for more unpleasant things like signing up other people as users and unleashing a stream of confirmation emails to the unsuspecting victims. And since you probably want to allow new users to sign up, you can't really protect yourself from this abuse (except by the "methods" of the previous paragraph, that is).


A few years ago I actually asked that question on the Parse forum, and their answer was that, should that happen, they would look into it.


Finally, assume your site's business is critical and you can't afford to wait for Parse in case that actually happens (that is not to say they would be slow; I really have no experience with that situation).


What you can then do is register several other application keys as a fall-back and keep a copy of your site, so you can quickly divert your users there. Or only divert some of them.
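The answer's "golden rule" is to tighten Parse permissions so that a client holding only the public keys cannot destroy data. The following is an added example, not code from the answer or from the Parse SDK: it builds least-privilege ACLs in the JSON shape Parse stores on objects (`"*"` for the public, a user objectId, or `"role:Name"` as keys, each mapping to `read`/`write` flags) and includes a small evaluator for auditing which records an unauthenticated client could still write. The evaluator is a simplified model of ACL semantics only (class-level permissions are not modelled), and the object ids, user ids, role name and sample records are constructed.

```javascript
// Added example: least-privilege Parse-style ACLs and a write-exposure audit.
// Not Parse SDK code; ids and records below are constructed sample data.

// ACL that anyone can read but only the owner (and optionally one role) can write.
function ownerOnlyWriteAcl(ownerId, roleName) {
  const acl = { '*': { read: true }, [ownerId]: { read: true, write: true } };
  if (roleName) acl['role:' + roleName] = { read: true, write: true };
  return acl;
}

// ACL with no public access at all: only the owner can read or write.
function privateAcl(ownerId) {
  return { [ownerId]: { read: true, write: true } };
}

// requester = { userId: string|null, roles: string[] }; userId null models an
// unauthenticated client that holds nothing but the public application keys.
// Simplified model: an object with no ACL is treated as publicly readable and
// writable, which is the default exposure the answer warns about.
function isAllowed(acl, requester, op) {
  if (op !== 'read' && op !== 'write') throw new Error('op must be "read" or "write"');
  if (!acl) return true;
  const keys = ['*'];
  if (requester.userId) keys.push(requester.userId);
  for (const role of requester.roles || []) keys.push('role:' + role);
  return keys.some((k) => acl[k] !== undefined && acl[k][op] === true);
}

// Audit: which records could an anonymous client overwrite or delete?
function findPublicWritable(records) {
  const anonymous = { userId: null, roles: [] };
  return records
    .filter((rec) => isAllowed(rec.ACL, anonymous, 'write'))
    .map((rec) => rec.objectId);
}

// Constructed sample records as they might come back from a query.
const SAMPLE_RECORDS = [
  { objectId: 'obj1', ACL: ownerOnlyWriteAcl('user_A') },
  { objectId: 'obj2', ACL: undefined },                            // ACL never set
  { objectId: 'obj3', ACL: { '*': { read: true, write: true } } }, // explicitly public
  { objectId: 'obj4', ACL: privateAcl('user_B') },
];

console.log('publicly writable:', findPublicWritable(SAMPLE_RECORDS));
```

Running the audit over your own classes, with the same "anonymous requester" model, is a quick way to find objects that were saved without an ACL; those are the ones a script holding only the public keys can modify, which is the damage the answer ranks above a DoS.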
