We have a site that uses a "one-time" login process for password resets which are not initiated by the user themselves. (for instance, a password reset that is initiated by an admin or another employee) A URL is sent to the user via email which can then be used to reset their password. The URL can only be visited one time. (there's more to this for security-sake but I'll keep it simple) Recently, some users have complained that when they visit the link, it has already expired. The end result is that they can't reset their passwords using this feature. We discovered that the users in question have a spam filter or "link checker" in their environment that they do not have access to. This device visits the one-time link before the user is able to, to make sure its safe.
I'm trying to solve this issue and was wondering if there's a way I can detect these type of devices on the web server when the request is made? When the spam filter visits the link, is there something in the http request that would stand apart from a regular browser? Maybe they all use a specific custom HTTP header? Or maybe there's a regex I could use on the user agent? I haven't been able to catch one of these yet, so I'm not sure what the request looks like coming from a spam filter.
Anyone know of a way to detect spam filters of any vendor by looking at the http requests? I know it's a long shot but maybe they all use a specific header for reasons such as this?
I got approval to modify the design to remove the one-time aspect of the URL. This solves the issue and saves me the headache. Thanks for the suggestion, #PeeHaa
Related
Suppose I have an account created on a website (in specific, a PS Network account or Google account), and I only know the login email, but not the password (with no access to the Google account in the PSN case).
Is there a way for me to verify if a given password is the correct one using only HTTP requests or something similar using code? This is to save me the time of trying multiple passwords and having to wait for a server response until I find the right one.
Details:
I'm not trying to hack into someone's account.
I tried to log in to a secondary PSN account I created years ago but I didn't know the password, only the email (I also created a specific google account/email for this purpose, so I don't remember its password either). Even though I don't remember the exact password, I know which combinations of specific words and numbers I might have used back then. But I want to run through "all" the possible combinations with code, instead of doing it manually, to save time and effort. Is there any URL to which I can make POST requests to try and log in using only email and password in the request body, and verify if login was successful? (either on PSN or Google, either one will give me my PSN account back)
Thanks in advance
I tried looking for REST API and URLs that allow me to do this, but it seems to me that Google in specific has gone strict on this, requiring more than just address and password. For the PSN account, I tried to sniff around using developer tools to watch which URLs are requested when I try to login using the Sony website interface, but I can't understand which requests are doing what.
What you want to do is a popular method for hacking account access. it is called bruit force where by the hacker you continues to try passwords over and over again until they gain access. A dictionary file is often used containing combinations of specific words and numbers
No system is going to have an endpoint that will make it easier for hackers to gain access to user accounts by force.
May I suggest using a reset password account recovery option available through most login services these days.
instead of trying to bruit force your way in. Most authorization servers will lock an account after 5 bad attempts.
we are trying to build an application which is accessable via onetime passwords without a "user" having the need to register.
We did came accross the term magic-links sent via email, but there is only some old experimental keycloack extention for this.
Is there any way to build some auth flow like the following with keycloack?
User A is a fully registered User creating some document. This document needs some interaction with a Third Party Person (TPP) not registered.
Now User A sends an E-Mail invite to the TPP with a link to the document. When the TPP opens the link our application should ask for the email address and send a magic link or code to this email. Whith that email or magic code the user gets access to the document for the time it takes to complete the approval process. After the work of the TTP is done, the access should expire (or expire automatically after X days not used).
It does sound quite similar to what is possible with SaaS offerings like https://magic.link/ or https://www.arengu.com/ but we are using keycloack and would like to integrate it into it as well.
Does anyone have an idea how to achieve this with keycloak?
I know this is outdated, but perhaps someone else coming along may find this useful. There is a newer implementation of this feature provided here: https://github.com/p2-inc/keycloak-magic-link
We have found it usable and useful for our needs and works well in the latest version of Keycloak (18.x).
I am currently learning to make DRF APIs for something I am working on. I was wondering how exactly I would secure the API POST requests I send via the client side?
For example, let's say I have a log in form where the user can enter their information, this information needs to be send to (or POST-ed to) my API for verification. I do not want just anyone sending requests to the server and so, I would want to use an API key but since this is being done on a website, anyone could see the API key if they wanted to, and then exploit the server by sending a ton of requests.
My current idea is to use serializes in DRF to check if the API POST request has everything it needs but I am fairly certain this can be easily found by checking what sort of JSON my code sends to the server, so how exactly do I go about securing this such that I can send the information to the bare domain (like http://127.0.0.1:8000) and then have code which can accept that information?
I apologize for any confusion, if it is confusing. Let me know if you need any clarification.
If you are creating API any one can send request to server. same goes for website and webpage. Their is no way you can avoid this. But their are ways to handle possible misuse.
like using CAPTCHA for login form which can be filled by one on the web. though wrong CAPTCHA text can be send by anyone you must check it on server for their correctness. or use google reCAPTCHA like services for outsourcing this task.
API key should be given after login NOT before login. and if it is given after successful login then the key is obtained by legitimate user which can obviously do whatever he is allowed to do on website. their should not be problem in that.
further explanation to the question will lead to details of denial-of-service i.e DOS attack. you should consult expert on that field if your application requires to handle DOS attack.
I am into a strange fix with my site.
Firstly, my site is password protected. So, when I visit, http://www.mysite.com it is greeted with a nice shiny login page. User puts in the credentials and goes in.
Now, I am hoping that for some special people, they don't have to login. For that I need to have some specific URL, say, http://www.mysite.com/bypass which takes me to the site without any login page.
Is it possible?
Many Thanks
It should be possible, but I wouldn't recommend it. A good option would be to just tell those special people to have their browser save the password.
To actually implement what you want - to log in without login credentials you'd have to do something like what "drush user-login" does. It creates a one-time link that allows anyone to become "logged in". It's the same functionality as the password reset link. You could probably detect the (type of) link and re-route it to the http://www.mysite.com/bypass address.
In the end it's best just not to do it.
I have this question in mind and I wanted to get other developer's opinion on this issue.
For creating a user (like in Facebook or creating an account in Gmail), some people suggested to have an public/private (means we don't tell developers how to use it) action in API for it. I, however, think it is a security risk as even if it is not documented, a hacker can simple see the calls and http requests when our front-end app is using that api action to create a new user (using a web debugger like fiddler) and can find the url to that action so simple ! like this POST ~/api/user/create
and then he/she can send thousands of requests to create user, users needs to be verified but still he/she is adding a lot of junk users in our database and puts a lot of pressure on our servers.
So the question is how do we handle this? Allow this only on our website or what?
Thanks
You can use CAPTCHA to verify that's a real user.