Preventing REST URL replay attacks

I have a Spring Security custom REST filter which authenticates client requests using the logic below.

Header Fields

  1. Date in header
  2. HMAC hashed signature

Body

  1. HMAC encrypted data

The iOS client makes this request using POST, and I have the expiration time set to 15 seconds on the server.

Now the question is: if anyone uses debugging tools like Charles or something else, and if he happens to put breakpoints on the URL and fire the same request within 15 seconds, the nonce will be valid and the server will process the request for the second time. How can I prevent this from happening? In this case, a nonce is not going to work.

Whatever the approach, if the hacker gets the final URL that is about to be fired, it could be possible that he fires it multiple times before the nonce expires.

How can I prevent this from happening?

Could anyone help me find the best Spring Security implementation for this?

Also, does HTTPS by default protect us from replay attacks? Do we need SSL client-side validation (having a DER format certificate in the build and validating it against the server certificate) to make replay-attack protection work with HTTPS? Or is it available in HTTPS by default?

In other words, I am using AFNetworking. Do we need to use SSL pinning to make use of HTTPS replay protection? Or will it work without SSL pinning?

Kenshin asked Dec 14 '22 06:12


1 Answer

If you use HTTPS to call your REST API, then the protocol protects you from replay attacks at the network level. This means that someone cannot record some encrypted traffic and replay it successfully.

But if you are looking for a way to prevent legitimate clients from issuing the same request multiple times, you will either need to make those requests idempotent or implement a replay mechanism in your business logic. You could do this by using a nonce. A nonce does not expire, but can only be used in a single transaction.

MvdD answered Jan 14 '23 05:01
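The single-use nonce the answer describes, worked through end to end as an added example (this is not code from the question, the answer, or Spring Security; it is written in Python to show the protocol rather than a Spring filter). Assumptions not in the original: the header names `X-Nonce` and `X-Signature`, a Unix-timestamp `Date` header, the 15-second window from the question, and a constructed shared key and request body. The signature covers method, path, date, nonce and a hash of the body, so a captured request replayed from Charles carries a nonce the server has already consumed, and a request with a modified body no longer verifies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed shared secret for this example only; a real deployment provisions one per client.
SHARED_KEY = b"example-shared-secret-do-not-use"
WINDOW_SECONDS = 15  # the 15-second expiry from the question


def canonical_string(method, path, date, nonce, body):
    """Bytes both sides sign. Including the nonce binds the signature to one delivery."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, nonce, body_hash]).encode()


def sign_request(key, method, path, body, now=None, nonce=None):
    """Client side: build the auth headers an iOS client would attach to its POST."""
    date = str(int(now if now is not None else time.time()))
    nonce = nonce or secrets.token_hex(16)  # 128 bits of randomness per request
    mac = hmac.new(key, canonical_string(method, path, date, nonce, body), hashlib.sha256).hexdigest()
    return {"Date": date, "X-Nonce": nonce, "X-Signature": mac}


@dataclass
class ReplayGuard:
    """Server side: freshness window, HMAC check, then a single-use nonce cache."""
    key: bytes
    window: int = WINDOW_SECONDS
    # nonce -> expiry; in a multi-instance deployment use a shared store (e.g. Redis SETNX with a TTL)
    seen: dict = field(default_factory=dict)

    def verify(self, method, path, headers, body, now=None):
        now = now if now is not None else time.time()
        # Drop nonces older than the window so the cache stays bounded by traffic within the window.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        try:
            date = int(headers["Date"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        # Freshness first: anything outside the window is rejected without touching the nonce cache.
        if abs(now - date) > self.window:
            return False, "stale request"
        expected = hmac.new(self.key, canonical_string(method, path, str(date), nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        # Record the nonce only after the signature verifies, so unauthenticated traffic cannot
        # pre-burn nonces a legitimate client might pick.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = date + self.window
        return True, "ok"


def demo():
    """Replay the same signed POST the way a proxy breakpoint would; returns the verdict for each attempt."""
    guard = ReplayGuard(SHARED_KEY)
    body = b'{"amount": 100, "to": "acct-42"}'  # constructed request body
    t0 = 1_700_000_000
    headers = sign_request(SHARED_KEY, "POST", "/api/transfer", body, now=t0)
    return [
        guard.verify("POST", "/api/transfer", headers, body, now=t0 + 1)[1],         # first delivery
        guard.verify("POST", "/api/transfer", headers, body, now=t0 + 5)[1],         # replay inside the window
        guard.verify("POST", "/api/transfer", headers, body + b" ", now=t0 + 2)[1],  # same headers, tampered body
        guard.verify("POST", "/api/transfer", headers, body, now=t0 + 60)[1],        # replay after the window
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The nonce cache only needs to remember nonces for as long as the Date window accepts them, which is what keeps it small; the window check and the nonce check are both required, since the window alone is what the question shows being bypassed within 15 seconds. Note also that TLS stops an on-path observer from replaying captured ciphertext, but a proxy the device already trusts (the Charles scenario) sees and re-sends plaintext HTTP, so pinning does not substitute for the application-level check above.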