Denial of Service attack on Parse.com app


Problem description

I'm writing a small web application as I'm learning to use the features of Parse.com.

Since application_id and javascript_key are both public (as explained in the doc), it means anyone is free to run code like illustrated in the following snippet:

function sendRequest() {
    var query = new Parse.Query(Parse.User);
    query.find({
        success: function(results) {
            console.log("Request successful");
        },
        error: function(error) {
            console.log("Request error: " + error.code + " " + error.message);
        }
    });
}

// hitsPerSecond is not defined in the original snippet; it is whatever rate the caller picks.
var hitsPerSecond = 1;
setInterval(sendRequest, (1000 / hitsPerSecond));

I think it can lead to "DOS" attacks pretty easily - anyone willing to bring this app down would only need to recover the public keys and send lots of requests.

Edit: Accounts have a request/s limit; the free plan begins at 30, but using this simple script one can saturate any subscription plan.

Considering this is correct, is there any good practice against this? Any pattern to apply?

Thanks in advance,

Recommended answer

Yes, your Parse JavaScript keys are public

They have to be defined inside your JavaScript files, which can be openly accessed.

It is not said that you can't try to hide your keys by applying the principles of

You can encrypt your keys and place decryption function right inside your JavaScript. You can further make it harder to find by hiding that function in the middle of a large nasty script that nobody would enjoy, and then minify your JavaScript (which you should be doing anyway). I am sure it is possible to get even "more creative" and reach some reasonable perfection :-)

It remains, however, possible in principle for a sufficiently motivated hacker to reverse-engineer your program and get the keys. Still, you can make it hard enough that the hacker will likely look for easier targets, of which there are plenty as we know ;-)

Whether you applied the previous principles or not, your golden rule should be to tighten your Parse (or any other server, for that matter) permissions as much as possible.

This will prevent bad things like your data getting destroyed, which is worse than a DoS attack.

That would still permit anyone who knows your keys to abuse them - not only by DoS - but also for more unpleasant things like signing other people up as users and unleashing a stream of confirmation emails on the unsuspecting victims. And since you probably want to allow new users to sign up, you can't really protect yourself from this abuse (except by the "methods" of the previous paragraph, that is).

A few years ago I actually asked that question on the Parse forum, and their answer was that, should that happen, they would look into it.

Finally, assume your site's business is critical and you can't afford to wait for Parse in case that actually happens (that is not to say they would be slow - I really have no experience with that situation).

What you can then do is register several other application keys as a fall-back and keep a copy of your site, so you can quickly divert your users there. Or only divert some of them.
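The answer's golden rule, tightening permissions, as an added example that is not part of the original post and does not use the Parse SDK. It models Parse's per-object ACL format ({"<objectId>" | "*" | "role:<Name>": {read, write}}) with a simplified evaluator (an assumption: it ignores class-level permissions and master-key access) and constructed _User rows, to show why an anonymous flood of Parse.Query(Parse.User) requests still costs quota but stops exposing data once the ACLs are tightened.

```javascript
// Added example, not code from the original post or from the Parse SDK.
// Parse stores each object's ACL as
//   { "<objectId>" | "*" | "role:<Name>": { read: bool, write: bool } }
// permitted() is a simplified model of how the server applies that ACL
// (assumption: class-level permissions and master-key access are ignored).

function permitted(acl, requester, op) {
  // requester: null for an anonymous caller (someone holding only the public
  // JS key), or { id: "<objectId>", roles: ["<Name>", ...] } for a logged-in user.
  if (!acl) return true; // an object with no ACL is publicly readable and writable
  const entries = [acl["*"]];
  if (requester) {
    entries.push(acl[requester.id]);
    for (const r of requester.roles || []) entries.push(acl["role:" + r]);
  }
  return entries.some(e => e && e[op] === true);
}

// Mimics what a Parse.Query(Parse.User).find() hands back: rows the requester
// is not allowed to read are dropped from the result.
function visibleRows(rows, requester) {
  return rows.filter(row => permitted(row.ACL, requester, "read"));
}

// Constructed sample _User rows. "Weak" is the permissive setting many apps
// leave in place; "tight" lets only the user and an Admin role read a record.
const weakUsers = [
  { objectId: "u1", username: "alice", ACL: { "*": { read: true, write: true } } },
  { objectId: "u2", username: "bob",   ACL: { "*": { read: true, write: true } } },
];
const tightUsers = [
  { objectId: "u1", username: "alice",
    ACL: { u1: { read: true, write: true }, "role:Admin": { read: true } } },
  { objectId: "u2", username: "bob",
    ACL: { u2: { read: true, write: true }, "role:Admin": { read: true } } },
];

// With the weak ACL the anonymous flood from the question reads every user;
// with the tight ACL the same requests still consume quota but return nothing.
console.log(visibleRows(weakUsers, null).length, visibleRows(tightUsers, null).length); // prints 2 0
```

The DoS exposure itself is unchanged by ACLs, which is the point the answer makes: permissions bound the damage, they do not bound the request rate.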
