Menu
I've spring security custom rest filter which authenticate client request using the below logic.
Header Fields
Body
iOS client makes this request using POST and I have the expiration time set to 15 seconds in server.
Now the question is, If anyone use debugging tools like Charles or something else and if he happens to put the breakpoints in url and fire the same with in 15 seconds, the nonce will be valid and server process the request for the second time. How can I prevent this from happening. In this case, nonce is not going to work.
Whatever be the approach, if the hacker gets the final url that is about to be fired, it could be possible that he could fire it multiple times before the nonce expires......
How can I prevent this from happening?
Could anyone help me finding the best spring security implementation for this?
Also, is HTTPS by default protects us from replay attack ? Do we need ssl client side validation ( having der format certificate in build and validate this with server certificate ) to make replay attack work with https ? or is it available in https by default ?
In other words, I am using AFNetworking, Do we need to use SSL Pinning to make use of https replay attack ? or will it work without ssl pinning?
248
If you use HTTPS to call your REST API, then the protocol protects you from replay attacks at the network level. This means that someone cannot record some encrypted traffic and replay it successfully.
But if you are looking for a way to prevent legitimate clients from issuing the same request multiple times, you will either need to make those request idempotent or implement a replay mechanism in your business logic. You could do this by using a nonce. A nonce does not expire, but can only be used in a single transaction.
195
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
