
I'm writing an app that makes some calls to my API that have restrictions. If users were to figure out what these URL routes were, the proper parameters and how to specify them, then they could exploit it, right?

For example if casting a vote on something and I only want users to be able to cast one vote, a user knowing the route:

get '/castvote/' => 'votemanager#castvote'

could be problematic, could it not? Is it easy to figure out these API routes?

Does anyone know any ways to remove the possibility of this happening?

  • One might make access to the API password/key restricted and call it from inside the app using a password/key not known to the end user. – Aleksei Matiushkin Jan 12 '16 at 07:24
  • The common approach for this problem is to check if the current_user has the right to access a certain route. – spickermann Jan 12 '16 at 07:25
  • In addition to what @spickermann has said, you can use an `access token` to determine which users have the rights to access certain data. – Little Phild Jan 12 '16 at 07:31

4 Answers


There is no way to hide AJAX calls - if nothing else, one just needs to open Developer Tools - Network panel and simply see what was sent. Everything on the client side is an open book, if you just know how to read it.

Instead, do validation on the server side: in your example, record the votes and the users that cast them; if a vote was already recorded by that user, don't let them do it again.

Amadan
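The server-side ledger that this answer describes, as an added example in plain Ruby (it is not code from the answer or from any Rails project; the `votemanager#castvote` action name comes from the question, and `handle_castvote`, `VoteLedger` and the sample session/params hashes are assumptions made for the example). The point it shows beyond the prose is where the user's identity must come from: the authenticated session, never the request. A client who has discovered the route and can set any parameter still cannot vote twice, and the check-then-insert is done under a lock so two concurrent requests from the same user cannot both slip through.

```ruby
require 'set'

# Added example (not from the original answer): the server-side record that
# the answer describes. Knowing the route lets a client replay the request;
# it cannot bypass a check the server makes against its own ledger.
class VoteLedger
  def initialize
    @votes = Set.new     # [user_id, item_id] pairs already recorded
    @tally = Hash.new(0) # item_id => number of distinct voters
    @lock  = Mutex.new   # the check and the insert must be one atomic step
  end

  # Records one vote. Returns :recorded, :already_voted or :unauthenticated.
  def cast(current_user_id, item_id)
    return :unauthenticated if current_user_id.nil?

    key = [current_user_id, item_id]
    @lock.synchronize do
      return :already_voted if @votes.include?(key)
      @votes << key
      @tally[item_id] += 1
    end
    :recorded
  end

  def count(item_id)
    @tally[item_id]
  end
end

# Stand-in for the votemanager#castvote action named in the question
# (hypothetical helper). `session` is server-side state set at login;
# `params` is whatever the client sent, so a user_id in it is ignored
# even if an attacker adds one to the request.
def handle_castvote(ledger, session, params)
  ledger.cast(session[:user_id], params['item_id'])
end

if __FILE__ == $PROGRAM_NAME
  ledger = VoteLedger.new
  p handle_castvote(ledger, { user_id: 7 }, { 'item_id' => '42' })                   # :recorded
  p handle_castvote(ledger, { user_id: 7 }, { 'item_id' => '42', 'user_id' => '8' }) # :already_voted
  p handle_castvote(ledger, {}, { 'item_id' => '42' })                               # :unauthenticated
  p ledger.count('42')                                                               # 1
end
```

In a Rails app the in-memory `Set` and `Mutex` become a votes table with a unique index on `(user_id, votable_id)`; the database then enforces the same atomic check across multiple application processes, and the action rescues `ActiveRecord::RecordNotUnique` (or checks a uniqueness validation) to return the "already voted" response.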

Your API should have authorization built into it. Only authorized users having specific access scopes should be allowed to consume your API. Check out the Doorkeeper and cancancan gems provided by the Rails community.

Rubysmith

As others have said, adding access token/username/password authorisation is a good place to start. Also, if your application should only allow one vote per user, then this should be validated by your application logic on the server.

maniacalrobot

This is a broader problem. There's no way to stop users from figuring out how voting works and trying to game it, but there are different techniques used to make it harder. I list some solutions from least to most effective here:

  1. Using a nonce or proof of work; in the case of Rails this is implemented through the authenticity token for non-GET requests. This will require the user to at least load the page before voting, therefore limiting scripted replay attacks.
  2. Recording the IP address or other identifiable information (i.e. browser fingerprinting). This will limit the number of votes from a single device.
  3. Requiring signup. This is what other answers suggest
  4. Requiring third-party login (i.e. Facebook, Twitter)
  5. Require payment to cast a vote (like in tv talent shows)

None of these methods is perfect, and you can quickly come up with ways to trick any of them.

The real question is what your threat model is and how hard you want to make it for users to cast fake votes. From my practical experience, requiring third-party login will ensure most votes are valid in typical use cases.

Mike Szyndel
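Item 1 of this answer, the nonce, as an added example in plain Ruby (not code from the answer, from Rails, or from any gem; `VoteNonce`, its `issue`/`verify` methods, the `ttl` and the sample session and item ids are assumptions made for the example). The Rails authenticity token the answer mentions is one token per session and is accepted repeatedly, so it forces the page load but does not by itself stop the same request being replayed. The token below goes one step further: it is HMAC-signed with a server-side secret, bound to the session and the item, time-limited, and consumed on first use, so a captured vote request is rejected when sent again. It assumes ids do not contain `:`.

```ruby
require 'securerandom'
require 'openssl'
require 'set'

# Added example (not from the original answer): a single-use, session-bound
# vote token. Rails' own authenticity token is per session and reusable; this
# one is also tied to the item and consumed on use, so a captured request
# cannot be replayed. Session and item ids are assumed not to contain ':'.
class VoteNonce
  def initialize(secret, ttl: 300)
    @secret = secret  # server-side key; never sent to the client
    @ttl    = ttl     # seconds a token stays valid after issue
    @used   = Set.new # nonces already redeemed (a shared store in production)
    @lock   = Mutex.new
  end

  # Called when the voting page is rendered; the form echoes the token back.
  def issue(session_id, item_id, now: Time.now.to_i)
    payload = [session_id, item_id, now, SecureRandom.hex(16)].join(':')
    "#{payload}:#{mac(payload)}"
  end

  # Called by the vote action. Returns :ok or a reason for rejection.
  def verify(token, session_id, item_id, now: Time.now.to_i)
    parts = token.to_s.split(':', -1)
    return :malformed unless parts.length == 5

    sid, iid, issued, nonce, sig = parts
    payload = [sid, iid, issued, nonce].join(':')
    return :bad_signature unless secure_compare(mac(payload), sig)
    return :wrong_session unless sid == session_id && iid == item_id
    return :expired unless (now - issued.to_i).between?(0, @ttl)

    @lock.synchronize do
      return :replayed if @used.include?(nonce)
      @used << nonce
    end
    :ok
  end

  private

  def mac(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so response timing does not reveal how much
  # of a forged MAC matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  nonces = VoteNonce.new(SecureRandom.hex(32))
  token  = nonces.issue('sess-1', 'item-42')   # embedded in the voting page
  p nonces.verify(token, 'sess-1', 'item-42')  # :ok
  p nonces.verify(token, 'sess-1', 'item-42')  # :replayed
end
```

This only raises the cost of scripted voting, as the answer says: a script that fetches the page, extracts the token and then votes still passes, and a user with many sessions gets many tokens. It pairs with, rather than replaces, the per-user vote record from the first answer.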