I have this project where I need to know if a visitor legitimately arrived from a QR code. Document.referrer value from a QR code shows blank. I have looked at some answers suggesting to put parameter in the query string (e.g. ?source=qr), but anyone could easily add the parameter into the URL and my code would believe it is from a QR code (e.g. www.project.com/check.page?source=qr) . I have thought of adding codes to make sure it is from a mobile phone / tablet as secondary way to authenticate but many browsers have add-ons to fool websites.
Any suggestions would be greatly appreciated.
Thanks in advance.
I think the best solution for you is creating your regional QR Codes pointing to:
Region 1) http://example.com/?qr=f61060194c9c6763bb63385782aa216f
Region 2) http://example.com/?qr=731417b947aa548528344fab8e0f29b6
Region 3) http://example.com/?qr=df189e7f7c8b89edd05ccc6aec36c36d
if the value of the parameter qr is anything other than f61060194c9c6763bb63385782aa216f, 731417b947aa548528344fab8e0f29b6 or df189e7f7c8b89edd05ccc6aec36c36d, then you can ignore it and assume the user didn't come from any QR Code.
Of course, any user can remove the source parameter. But at least he can't add a valid one, unless he really had access to the code.
...but anyone could easily add the parameter into the URL and my code would believe it is from a QR code
Well, anyone could also scan the QR code, view the link, and remove the source=qr from it.
Data collection is never 100% reliable. Users can change their browser's user agent, inject cookies with some strange values, open your page through a proxy server, and so on.
You could create your own device or App for scanning the QR-code. If you read the post I've linked, you will see that this is a waste of time and resources.
So, what is left is to make a solution which will work for most of the users. Appending a source=qr parameter to your URL seems to be the simplest solution. You could also link to an entirely different domain and redirect the request, so it would be more fraud-safe. But it will never be 100% accurate.
Related
I've been messing around with creating my own implementation of an AspNet.Security.OAuthProviders by copying the GitHub example. Have a few questions..
First, I successfully authenticate but when I get back my User.Identity.Name is empty. I don't see that information coming back from my provider. Noob question I imagine, but do I have to explicitly request the information I want back? If so, how do I know what to ask for.. I'm kind of working blindly.
Second, in the GitHub example of the Handler, CreateTicketAsync immediately makes a call to the UserInformationEndpoint. In my use case, after getting authorized I want to go to a page that has some links to some api requests that will use the acquired authorization, rather than do it right away. I'm not sure if there is an example for that or I'm making incorrect assumptions and going about this the wrong way.
This is entirely supposed to be for demo purposes as a "how to" for other developers so I want to make sure I do things the correct way.
We have a fairly complicated ASP.NET MVC project with cross domain login widgets and a lot of semi-legacy code.
There is a system where we login people through an iframe. The url for the iframe we send through a string attached to the MVC Model.
Problem is; on really rare occassions we see malformed query string parameters coming through. It's always the same malformation though. I want to fix the issue, but I can't figure out why this happens.
I'm expecting some Adblocker-type or privacy settings, or maybe some Regional settings, but I have no clue where to start.
I am hoping someone will recognize the pattern and say; that's a localization pattern when your Windows is set on Turkey or whatever, you should check your encoding etc etc.
Anyway here's the example:
Expected:
auth-dialog-window?openerOrigin=https%3a%2f%2f.poules.com&color=C3042E&openerType=iframe
Coming through:
auth-dialog-window?color=P304212R&openerType=vsenzr&openerOrigin=uggcf%3N%2S%2Scbhyrf.pbz
Apparently the order of the query string also changes. Here more closely per parameter:
iframe
vsenzr
https:// poules.com (spaces are for aligning)
uggcf%3N%2S%2Scbhyrf.pbz
C3042E
P304212R
Does anyone recognize the pattern and can give me a hint where I should be looking?
I know for sure the last time it happened with IE 9.0, but can't reproduce it.
ROT-13.
A system somewhere is "trying to crypt" in a very simple way...
Check "pairs" of letters in both values:
abcdefghijklmnopqrstuvwxyzabcdefghijklm
nopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
i want to handle any download request coming from Webview. how it is possible ? the documentation https://developer.blackberry.com/native/reference/cascades/bb__cascades__webresourcerequestfilter.html and https://developer.blackberry.com/native/reference/cascades/bb__cascades__webdownloadrequest.html are describing the parameters but couldn't figure out how to do it.
Your question is not clear on what you don't understand. Remember this is not a training forum, the idea is that you should try things, review the documentation and then ask specific questions to get the best out of a forum.
Moreover it is not clear whether you are trying to handle the download request at the Server, or capture the request before the download attempt leaves the BB.
I'm going to assume you want to display a web page on the BlackBerry but make sure that any resource requests that the page generates, are filtered by your program, so that you can supply the data (assuming you have it).
I implemented something like this a while ago and remember that it was not simple to figure out what was going on, but I played with it a bit and it all made sense.
I don't remember using WebDownloadRequest and can't really see how it helps in this case.
The key is WebResourceRequestFilter. You create your own WebResourceRequestFilter making sure you implement the required methods. Then you use WebPage::setNetworkResourceRequestFilter(WebResourceRequestFilter*) to make sure the webpage will ask your WebResourceRequestFilter for its resources. The first method the web page invokes is filterResourceRequest(), and the return from this invocation determines which other methods in your WebResourceRequestFilter, the Webage will invoke.
I suggest you implement a WebResourceRequestFilter, put some debugging in filterResourceRequest(), but always return FilterAction Accept, which means the web page will use its normal processing to obtain the resources. Then try various other FilterAction return values and see what happens...
I'm developing a software, which is going to provide in-deep information about url's.
While the get-params are simple, I'm having trouble with the hash.
At first it was used to mark places in the document to navigate to, but we're past that now. I've seen JS engines using it to store params similar to the get strings.
So, here's my question: is everything that comes after a hash free game, or are there any conventions about what it should look like?
Try these sites it could help. Fragment Identifier, Wikipedia or Pound Sign, Google
It's got a list of examples you could use.
It all depends on what you need. Hashes are used in modern web applications that make use of asynchronous calls to the server using ajax. This e.g. allows the user to copy the link and receive the same content after pasting (actions taken are put into hash which changes the url which otherwise would remain static).
You want to read http://www.jenitennison.com/blog/node/154
We got a long-running website where XSS lurks. The problem comes from that some developers directly - without using HtmlEncode/Decode() - retrieve Request["sth"] to do the process, putting on the web.
I wonder if there is any mechanism like HTTPModule to help us HtmlEncode() all the items in a Http request to avoid XSS to some extent.
Appreciate for any suggestion.
Rgds,
Ricky
The problem is not retrieving Request data without HTML-encoding. In fact that's perfectly correct. You should not encode any text until the final output stage when you spit it into an HTML page.
Trying to blanket-encode incoming parameters, whether that's HTML-encoding or SQL-encoding, is totally the wrong thing. It may hide XSS holes in your app but it does not fix them. You will still have a hole if you output content that hasn't come from parameters, or has been processed since then. Meanwhile the automatic encoding will fill your database with multiply-escaped & crud.
You need to fix the output stage, that's where the problem lies.
Like bobince said, this is an output problem, not an input problem. If you can isolate where this data is being output on the page, you could create a Filter and add it to the Response object. This filter would isolate the areas that are common output and then HtmlEncode them.