I want to support IP-based whitelisting in one of the Java web services. To implement that, I have written a servlet filter in which I am verifying whether the remote machine IP belongs to the whitelisted IPs. To determine the remote machine IP I am using the following code:
String ipAddress = httpServletRequest.getRemoteAddr();
I want to know if there is a way by which the remote machine IP can be impersonated by the attacker without going inside the remote machine. If yes, then is there a better, more secure way to determine the remote IP?
There is a way; however, it's not an easy way. See this answer for more details.
Remember that httpServletRequest.getRemoteAddr() will be no good if you deploy your app behind a proxy or a CDN. In that case, you'd have to check the X-FORWARDED-FOR header and then it's easy to forge that.
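One way to make the X-Forwarded-For case safe is to consult the header only when the TCP peer is one of your own proxies, and then read it from the right, skipping your proxies, so that values a client prepended are never used. The following is an added example, not code from the question or the answer above; the proxy addresses, whitelist entries and header values are assumed for illustration, and `resolveClientIp` is a helper written here rather than a servlet API.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/**
 * Added example: work out the client address for an IP whitelist when the
 * application may sit behind a reverse proxy or CDN. In a servlet filter the
 * two inputs come from request.getRemoteAddr() and
 * request.getHeader("X-Forwarded-For").
 */
public class ClientIpResolver {

    // Assumed: addresses of *our own* reverse proxies / load balancers.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    // Assumed whitelist of permitted client addresses.
    private static final Set<String> WHITELIST = Set.of("203.0.113.7");

    /**
     * remoteAddr is the TCP peer (getRemoteAddr()); a remote attacker cannot forge
     * it without completing the TCP handshake, so it is authoritative for direct
     * connections. xff is the X-Forwarded-For header, which anyone can set. It is
     * only consulted when the peer is one of our proxies, and then the rightmost
     * hop that is NOT a trusted proxy is taken as the client; everything to its
     * left was supplied by an untrusted party and is ignored.
     */
    public static String resolveClientIp(String remoteAddr, String xff, Set<String> trustedProxies) {
        if (!trustedProxies.contains(remoteAddr) || xff == null || xff.isBlank()) {
            return remoteAddr;                       // direct connection: header is untrusted
        }
        List<String> hops = Arrays.asList(xff.split(","));
        for (int i = hops.size() - 1; i >= 0; i--) { // walk from the hop closest to us
            String hop = hops.get(i).trim();
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;                           // header listed only our own proxies
    }

    public static boolean isWhitelisted(String remoteAddr, String xff) {
        return WHITELIST.contains(resolveClientIp(remoteAddr, xff, TRUSTED_PROXIES));
    }

    public static void main(String[] args) {
        // Untrusted peer connecting directly and forging the header: header ignored.
        System.out.println(isWhitelisted("198.51.100.9", "203.0.113.7"));
        // Same forged value, arriving through our proxy, which appended the real peer.
        System.out.println(isWhitelisted("10.0.0.5", "203.0.113.7, 198.51.100.9"));
        // Legitimate whitelisted client behind our proxy.
        System.out.println(isWhitelisted("10.0.0.5", "203.0.113.7"));
        // Client -> proxy A (10.0.0.5) -> proxy B (10.0.0.6) -> application.
        System.out.println(isWhitelisted("10.0.0.6", "203.0.113.7, 10.0.0.5"));
    }
}
```

The first two calls are rejected and the last two accepted. This only holds if the proxy appends the peer address to X-Forwarded-For (or overwrites the header) on every request; a proxy that forwards the header untouched leaves the client free to choose its own address, and no server-side parsing can recover from that.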
I want to add a custom IPv4 DNS like 1.1.1.1 in my Android or Flutter app. It means that all of the traffic of my application, such as Firebase/Glide/Retrofit, has to route through my custom DNS. How should I implement this? I'd already tried some ways in the NDK to set DNS for the whole Android device, but I don't want to touch the Android DNS; just my application should use that DNS.
What are you trying to achieve?
This looks like an XY problem. You are probably trying to achieve something we don't know about with your custom DNS (like replacing a request to a certain host with a different server), but we don't know for sure, because you think changing the DNS server for your app will be a better solution for whatever problem you have; but the fact is that it is very hard.
While technically feasible, it is extremely challenging.
It is not possible to change the DNS just for one application, as the DNS configuration is global to the device, so any network request will use the DNS servers of the device by default.
The only possible way of implementing this would be reinventing the wheel: using DnsResolver to manually query the DNS server for each of the target hosts, and then making requests to the specific IP addresses.
But with HTTP you will find out that if you make a request to an IP address, that IP address will be the origin header instead of the domain name, and the only solution to that would be using bare sockets and implementing all the HTTP payloads and headers manually to give a different origin.
It won't work with Firebase and other closed-source SDKs either, since you cannot modify them. It would only work for requests sent by your own code, or by SDKs that allow you to change the server address.
I am working on an application where the app should be able to read/fetch emails from an SMTP server. The problem is that the ports may differ in different environments. Is there any way to connect to an SMTP/POP (Microsoft Exchange) server without knowing the port? Any information might be helpful because I am new to these JavaMail APIs.
There are standard ports for these services, which JavaMail uses by default. It's relatively rare that one of these services will use a non-standard port. But you do need to know whether the service requires SSL or not, and there are two standard ports used for SMTP. You could easily write code that tries all the common ports and you would probably cover 99.99% of the cases.
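The "try all the common ports" approach from this answer, written out as an added example (it is not the answer's own code and needs Java 16 or newer for the record type). It probes the standard SMTP, IMAP and POP3 ports, distinguishes the implicit-TLS ports from the clear-text ones, and validates the server certificate and host name on the TLS ports. The host name `mail.example.com` and the 3-second timeout are assumed for illustration.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: try the standard mail ports in turn and report which ones
 * answer with the expected protocol greeting, so port and TLS mode can be
 * discovered instead of configured per environment.
 */
public class MailPortProbe {

    /** Protocol name, port, whether TLS starts before any protocol bytes, expected greeting prefix. */
    record Candidate(String protocol, int port, boolean implicitTls, String bannerPrefix) {}

    // Standard assignments. 587, 25, 143 and 110 begin in clear text and are upgraded
    // with STARTTLS; 465, 993 and 995 expect a TLS handshake immediately.
    static final Candidate[] CANDIDATES = {
        new Candidate("SMTP submission", 587, false, "220"),
        new Candidate("SMTPS",           465, true,  "220"),
        new Candidate("SMTP",             25, false, "220"),
        new Candidate("IMAPS",           993, true,  "* OK"),
        new Candidate("IMAP",            143, false, "* OK"),
        new Candidate("POP3S",           995, true,  "+OK"),
        new Candidate("POP3",            110, false, "+OK"),
    };

    /** Returns the greeting line if the port speaks the expected protocol, otherwise null. */
    static String readBanner(String host, Candidate c, int timeoutMs) {
        try (Socket plain = new Socket()) {
            plain.connect(new InetSocketAddress(host, c.port()), timeoutMs);
            plain.setSoTimeout(timeoutMs);
            Socket s = plain;
            if (c.implicitTls()) {
                // The default factory validates the certificate chain against the JVM
                // trust store; the endpoint identification setting makes it check the
                // host name as well. Do not swap in an all-trusting TrustManager just to
                // make a probe "work": that removes the only protection against a
                // man-in-the-middle on the mail connection.
                SSLSocket tls = (SSLSocket) SSLSocketFactory.getDefault()
                        .createSocket(plain, host, c.port(), true);
                SSLParameters params = tls.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                tls.setSSLParameters(params);
                tls.startHandshake();
                s = tls;
            }
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            String banner = in.readLine();
            return banner != null && banner.startsWith(c.bannerPrefix()) ? banner : null;
        } catch (Exception e) {
            return null;   // closed port, timeout, or failed TLS validation: not usable
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "mail.example.com";   // assumed host name
        for (Candidate c : CANDIDATES) {
            String banner = readBanner(host, c, 3000);
            if (banner != null) {
                System.out.printf("%-15s %4d %s  %s%n", c.protocol(), c.port(),
                        c.implicitTls() ? "TLS      " : "STARTTLS?", banner);
            }
        }
    }
}
```

A port that answers on the clear-text side is only safe to use with STARTTLS before any credentials are sent; with JavaMail that is `mail.smtp.starttls.required` or `mail.imap.starttls.required` set to `true`, so that a server (or an attacker stripping the STARTTLS offer) cannot downgrade the session to plain text.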
I don't think that would be possible. Each port serves a different purpose.
What you can do is read your port number from an external property file, so that your code becomes environment independent, and then you just have to change the value in your property file, which is placed outside your deployed war/jar.
This way, your port number value could be environment specific without having to change your code.
I'm building an android application which uses a PHP web service (I am building this also).
My question is, how do I prevent unauthorised users using my webservice? For example, could someone get the address of my web service and use it outside of my app (e.g. sending post variables to my service)?
Another related question is how do I prevent spam requests on my webservice? Would it be a case of logging the IP address and limiting the amount of calls?
You can use an HTTPS connection between the Android device and your webservice API endpoint.
Limit your webservice so that it accepts only HTTPS connections. You can easily do this using Apache (perhaps using the SSLRequireSSL directive) or directly in your PHP connection handler.
While using an HTTPS transport stream, you can pass specific arguments when making an API call to your webservice to ensure the request has been sent from your application. Nobody will be able to know what specific data are transmitted and will not be able to reproduce an acceptable connection to your remote service.
Regarding your second question, you can indeed limit the number of requests for a given amount of time. Either in PHP or by using specific tools such as fail2ban.
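The in-application variant of "limit the number of requests for a given amount of time", as an added example that is not part of the answer above: a sliding-window limiter keyed by client address. The limit of three requests per second and the client addresses are assumed for illustration; the clock is passed in as a parameter so the behaviour shown is deterministic.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: per-client sliding-window rate limiter. Key it by the address
 * of the TCP peer (or the address resolved through your own trusted proxies),
 * never by a header the client can set itself.
 */
public class SlidingWindowRateLimiter {
    private final int maxRequests;
    private final long windowMillis;
    // Per client: timestamps of the requests accepted inside the current window.
    private final Map<String, Deque<Long>> accepted = new HashMap<>();

    public SlidingWindowRateLimiter(int maxRequests, long windowMillis) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    /**
     * Returns true if the request may proceed. In a request handler pass
     * System.currentTimeMillis() as nowMillis. Rejected requests are not
     * recorded, so a flood does not extend its own block indefinitely.
     */
    public synchronized boolean allow(String clientKey, long nowMillis) {
        Deque<Long> window = accepted.computeIfAbsent(clientKey, k -> new ArrayDeque<>());
        while (!window.isEmpty() && nowMillis - window.peekFirst() >= windowMillis) {
            window.pollFirst();                 // this request has aged out of the window
        }
        if (window.size() >= maxRequests) {
            return false;
        }
        window.addLast(nowMillis);
        return true;
    }

    /** Drop clients with no activity inside a window so the map cannot grow without bound. */
    public synchronized void evictIdle(long nowMillis) {
        accepted.entrySet().removeIf(e ->
                e.getValue().isEmpty() || nowMillis - e.getValue().peekLast() >= windowMillis);
    }

    public synchronized int trackedClients() {
        return accepted.size();
    }

    public static void main(String[] args) {
        SlidingWindowRateLimiter limiter = new SlidingWindowRateLimiter(3, 1000); // 3 per second
        String client = "203.0.113.7";          // assumed client address
        for (int i = 0; i < 5; i++) {           // requests at t = 0, 100, ..., 400 ms
            long t = i * 100L;
            System.out.println("t=" + t + "ms allowed=" + limiter.allow(client, t));
        }
        // A second client has its own window.
        System.out.println("other client allowed=" + limiter.allow("198.51.100.9", 400L));
        // Once the request at t=0 has aged out, one slot opens again.
        System.out.println("t=1000ms allowed=" + limiter.allow(client, 1000L));
        limiter.evictIdle(5000L);               // call periodically from a scheduler
        System.out.println("tracked clients after eviction=" + limiter.trackedClients());
    }
}
```

The first three requests from the client are accepted, the fourth and fifth refused, and the one at t=1000 ms accepted again. Keying only on IP is coarse: many legitimate users can share one address behind NAT, and an attacker with many addresses is not slowed down, so pair this with a per-account or per-token limit once the request is authenticated.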
PHP can receive data via POST or GET from outside your site and even outside the internet browser. One of the methods used to do this is curl.
What you are referring to in this question is known as Cross-site request forgery.
If you are able, you should implement the use of HTTPS in your app and this could solve many security problems.
In case you can not use HTTPS (whether it is expensive or any other problem):
You must verify the information received by POST or GET in your PHP; this language has much ability to solve these "problems". Take a look at this part of the PHP official documentation.
Suppose you're building a login system:
Also, you can place in the login page a hidden element with a secret unique code that can happen only once, and save this secret code in the session, so the login script looks in the session for this code and compares it with what was posted to the script; they should be the same to proceed.
And, if you want to get the IP address of your visitors:
<?php
// Returns the address the caller appears to come from. Note that the first two
// sources are HTTP request headers (Client-IP and X-Forwarded-For), so their
// values are set by whoever sent the request; only REMOTE_ADDR is the address of
// the TCP peer that PHP's web server actually talked to.
function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {                // check IP from shared internet
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {    // IP passed along by a proxy
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
Finally, read this.
EDIT
If you can't pay for an HTTPS certificate (as Halim Qarroum says), you can use self-signed SSL certificates, which are free.
Of course this has its advantages and disadvantages.
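The two answers above both point at the same mechanism: the app attaches something to each request that a caller outside the app cannot produce (the first answer's "specific arguments"), and the server refuses to accept the same value twice (the second answer's one-time secret code). The following added example, which is not code from either answer, combines them as an HMAC over the request with a timestamp and a one-time nonce. The shared key, the `/api/score` path and the request bodies are assumed for illustration, and the same class plays both the app side (`sign`) and the service side (`verify`); in the PHP service the equivalent calls are `hash_hmac('sha256', ...)` and `hash_equals()`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: HMAC-SHA256 request signing with timestamp and nonce. A
 * request is accepted only if its signature verifies, its timestamp is recent,
 * and its nonce has not been seen inside the acceptance window.
 */
public class SignedRequest {
    // How far a request timestamp may drift from server time before it is refused.
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;

    private final byte[] key;
    // Nonces accepted within the window, mapped to the time they may be forgotten.
    private final Map<String, Long> seenNonces = new HashMap<>();

    public SignedRequest(byte[] key) {
        this.key = key;
    }

    /** Everything the signature covers, so changing any field invalidates it. */
    static String canonical(String method, String path, long ts, String nonce, String body) {
        return method + "\n" + path + "\n" + ts + "\n" + nonce + "\n" + body;
    }

    public String sign(String method, String path, long ts, String nonce, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(canonical(method, path, ts, nonce, body).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    /** Service-side check. nowMs is a parameter so the behaviour is reproducible. */
    public synchronized boolean verify(String method, String path, long ts, String nonce,
                                       String body, String signature, long nowMs) throws Exception {
        if (Math.abs(nowMs - ts) > MAX_SKEW_MS) {
            return false;                                    // stale or future-dated
        }
        seenNonces.values().removeIf(expiry -> expiry <= nowMs); // nonces that can no longer replay
        if (seenNonces.containsKey(nonce)) {
            return false;                                    // replay of an accepted request
        }
        byte[] expected = Base64.getDecoder().decode(sign(method, path, ts, nonce, body));
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(signature);
        } catch (IllegalArgumentException e) {
            return false;                                    // not even valid Base64
        }
        if (!MessageDigest.isEqual(expected, presented)) {   // constant-time comparison
            return false;
        }
        seenNonces.put(nonce, ts + MAX_SKEW_MS);             // record only after a valid signature
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "assumed-shared-secret-replace-me".getBytes(StandardCharsets.UTF_8); // assumed
        SignedRequest app = new SignedRequest(key);
        SignedRequest service = new SignedRequest(key);

        long ts = System.currentTimeMillis();
        String nonce = UUID.randomUUID().toString();
        String sig = app.sign("POST", "/api/score", ts, nonce, "score=42");

        System.out.println("genuine:  "
                + service.verify("POST", "/api/score", ts, nonce, "score=42", sig, ts + 100));
        System.out.println("replayed: "
                + service.verify("POST", "/api/score", ts, nonce, "score=42", sig, ts + 200));
        System.out.println("tampered: "
                + service.verify("POST", "/api/score", ts, UUID.randomUUID().toString(), "score=9999", sig, ts + 300));

        String nonce2 = UUID.randomUUID().toString();
        String sig2 = app.sign("POST", "/api/score", ts, nonce2, "score=42");
        System.out.println("stale:    "
                + service.verify("POST", "/api/score", ts, nonce2, "score=42", sig2, ts + MAX_SKEW_MS + 1));
    }
}
```

Only the genuine request passes; the replay, the tampered body and the request presented after the window are all refused. One caveat on what this buys you: a key embedded in a shipped Android app can be recovered by anyone who unpacks the APK, so signing raises the effort needed to script against the service but does not by itself prove the request came from your app. Per-user credentials issued after login, with the limits in the rate-limiting answer applied per credential, are what bound the damage when the key leaks.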
What I mean is like servers on video games. You can run an application and it will set up a server on your computer with an IP and a port.
For example, how would you make an application where one host application sets up a thing where it has an IP and a port, and another computer that has access to the internet as well can type in the IP and port and it would be able to communicate with the host? I mean simple communication, like sending a boolean or String.
And would there be any security problems that would be needed to fix?
I guess I grasp the concept of your question...
You want two computers to connect via the internet, right? If that is the case, then you will have to use a thing called "sockets" that make connections between computers. About the server thing, well, for starters the client must always know what IP the server has (direct IP or by DNS), and then you can connect your client to your server. There is a tutorial for sockets at the Java pages: http://download.oracle.com/javase/tutorial/networking/sockets . About security issues, well, you must make sure that your server can handle anything that comes from the client (I really mean everything); I mean, accepting every type of data that it is supposed to receive and denying everything that is not (trash, so to say). If you have that in mind then there is no problem (and of course, the server must have a firewall also to control the sockets, but that's not up to you).
Here is an example of how to use sockets to send a string from a server to a client.
http://www.java2s.com/Code/Java/Network-Protocol/StringbasedcommunicationbetweenSocket.htm
The site has about 20 examples of how to do what you are trying to do. In general I find this site to be the best JAVA resource that I know.
In general, the thing you probably want is a Socket. Sockets allow you to send bytes to an endpoint via TCP or UDP. This is very low-level, though, and is somewhat tricky because you have to design your own application protocol. You may want to use something that offers more abstraction.
Java sockets expose a stream interface so you could just encode integers as strings, for instance, and send them line by line, or you could do something fancier and more efficient like using a DataOutputStream to wrap it.
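The DataOutputStream approach from this answer, combined with the earlier answer's advice that the server must deny everything it is not supposed to receive, as an added example that is not part of either answer. It frames each message as a 4-byte length followed by UTF-8 bytes, caps the length so a client cannot make the server allocate an arbitrary buffer, and gives the handler a read timeout so a silent client cannot hold it forever. It runs a server and a client on the loopback interface in one process; the 64 KiB limit, the 2-second timeout and the messages are assumed for illustration.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

/**
 * Added example: length-prefixed string framing over a TCP socket with an
 * upper bound on frame size, so the server validates the envelope before it
 * trusts anything the client declares.
 */
public class FramedSocketDemo {
    static final int MAX_FRAME = 64 * 1024;   // assumed upper bound; anything larger is rejected

    static void writeFrame(DataOutputStream out, String msg) throws IOException {
        byte[] data = msg.getBytes(StandardCharsets.UTF_8);
        if (data.length > MAX_FRAME) {
            throw new IllegalArgumentException("frame too large");
        }
        out.writeInt(data.length);
        out.write(data);
        out.flush();
    }

    /** Reads one frame; throws on an oversize or truncated frame instead of allocating blindly. */
    static String readFrame(DataInputStream in) throws IOException {
        int len = in.readInt();               // EOFException if the peer has closed
        if (len < 0 || len > MAX_FRAME) {
            throw new IOException("rejected frame length " + len);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);                    // EOFException if fewer bytes arrive than declared
        return new String(buf, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread handler = new Thread(() -> {
                try (Socket c = server.accept();
                     DataInputStream in = new DataInputStream(c.getInputStream());
                     DataOutputStream out = new DataOutputStream(c.getOutputStream())) {
                    c.setSoTimeout(2000);     // a silent client cannot hold the handler forever
                    while (true) {
                        String msg;
                        try {
                            msg = readFrame(in);
                        } catch (IOException e) {
                            System.out.println("server: dropping client: " + e.getMessage());
                            break;            // malformed input ends the session
                        }
                        writeFrame(out, "ack:" + msg);
                    }
                } catch (IOException e) {
                    System.out.println("server: " + e.getMessage());
                }
            });
            handler.start();

            try (Socket s = new Socket(InetAddress.getLoopbackAddress(), server.getLocalPort());
                 DataInputStream in = new DataInputStream(s.getInputStream());
                 DataOutputStream out = new DataOutputStream(s.getOutputStream())) {
                writeFrame(out, "hello");            // a String, as in the question
                System.out.println("client got: " + readFrame(in));
                writeFrame(out, Boolean.toString(true)); // a boolean, sent as text
                System.out.println("client got: " + readFrame(in));
                // Misbehaving client: declares a 1 GiB frame. The server rejects the
                // header rather than executing new byte[1 << 30].
                out.writeInt(1 << 30);
                out.flush();
            }
            handler.join();
        }
    }
}
```

The server echoes the two well-formed frames and closes the connection on the third. The same shape (validate the declared length, bound every allocation, time out idle peers) is what "deny everything that is not" looks like at the byte level; it does not replace authentication or encryption, which a real internet-facing service would add on top, for example by wrapping the socket in TLS.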
Handling the following issues can improve security.
If you have a router, set different ports for routing.
Example: if you are running the server on, say, port 6001, map a virtual port, say 9001, which would be exposed to the public.
DDoS
IP restriction: not every user can access your machine!
Enabling the router firewall handles most of the issues.
I want my Java application to send out emails to users. But I can't get a good solution.
Now, I found some on Google, but they use an SMTP server which I don't have. I was wondering if setting up one on my Linux machine would be easy?
So, I am using mailx now to send out emails, but it sends emails from root, which is definitely not good. Is there any way to send out emails from a proper email address using Java, like you can do in PHP and other languages?
Use commons-email to send email from java in a simple, straightforward way (see the docs).
You need an SMTP server always - even in "php and other languages", but perhaps you don't know you need it, because it is bundled in your LAMP package.
One solution is to use Google as an SMTP server, either via your account or via Google Apps. Otherwise, setting up an SMTP server (Postfix, for example) on Linux appears trivial, but isn't: you have to take many things into consideration; see this post by Jeff Atwood.
So ultimately, I'd suggest using the options provided by google.
If you're looking to host your own mail server, then Apache James is a pretty good option.
Another solution could be using third-party mail servers such as Gmail or Yahoo, and using the JavaMail API to send emails.
If you don't have an SMTP server, Asprin is a send-only SMTP server, which is a pretty good fit. It suffers from the same problem any do-it-yourself SMTP server will, in that it will look more like a Spam source, so using a proper SMTP server used for e-mail should be done if possible.