How to prevent replay attack in REST API (Spring Boot based API)? [on hold]











up vote
-1
down vote

favorite
1












As part of security scanning, security team identified the API which we developed "attacker can do a replay the API (Replay attack)"



Technical approach that I am proposing:




  1. Generate the one time used unique challenge value and store in database with the status as "CREATED".


  2. Develop an API to get this challenge value.


  3. Client will send the request along with the challenge value.


  4. Backend server will validate the challenge value (Checks the values in database and status as "CREATED") and end of the request processing change the status as "USED".


  5. If the same request will be replayed the status of the challenge value is USED hence we will consider as this request is replayed.



Disadvantages:




  1. Each API will have to get the challenge value.


  2. Increasing of the database table size .



I am not sure this approach is the best one. Looking for some more best approaches to avoid the reply attack for REST API.




  • Backend: Spring Boot.

  • Front end: iOS and Android based app.






spring spring-boot spring-security owasp







share|improve this question















put on hold as too broad by dur, sideshowbarker, Gabor Lengyel, jww, Vega 10 hours ago


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.















  • It's not clear from the question what the vulnerability was (what exactly they could replay and what they could achieve). Therefore it's not possible to advise on mitigation. In general, replay attacks are associated with state stored on the client. First you need to get a better understanding of what the actual problem is, because I suspect the solution you proposed is a solution to something else. :)
    – Gabor Lengyel
    12 hours ago















up vote
-1
down vote

favorite
1












As part of security scanning, security team identified the API which we developed "attacker can do a replay the API (Replay attack)"



Technical approach that I am proposing:




  1. Generate the one time used unique challenge value and store in database with the status as "CREATED".


  2. Develop an API to get this challenge value.


  3. Client will send the request along with the challenge value.


  4. Backend server will validate the challenge value (Checks the values in database and status as "CREATED") and end of the request processing change the status as "USED".


  5. If the same request will be replayed the status of the challenge value is USED hence we will consider as this request is replayed.



Disadvantages:




  1. Each API will have to get the challenge value.


  2. Increasing of the database table size .



I am not sure this approach is the best one. Looking for some more best approaches to avoid the reply attack for REST API.




  • Backend: Spring Boot.

  • Front end: iOS and Android based app.






spring spring-boot spring-security owasp







share|improve this question















put on hold as too broad by dur, sideshowbarker, Gabor Lengyel, jww, Vega 10 hours ago


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.















  • It's not clear from the question what the vulnerability was (what exactly they could replay and what they could achieve). Therefore it's not possible to advise on mitigation. In general, replay attacks are associated with state stored on the client. First you need to get a better understanding of what the actual problem is, because I suspect the solution you proposed is a solution to something else. :)
    – Gabor Lengyel
    12 hours ago













up vote
-1
down vote

favorite
1









up vote
-1
down vote

favorite
1






1





As part of security scanning, security team identified the API which we developed "attacker can do a replay the API (Replay attack)"



Technical approach that I am proposing:




  1. Generate the one time used unique challenge value and store in database with the status as "CREATED".


  2. Develop an API to get this challenge value.


  3. Client will send the request along with the challenge value.


  4. Backend server will validate the challenge value (Checks the values in database and status as "CREATED") and end of the request processing change the status as "USED".


  5. If the same request will be replayed the status of the challenge value is USED hence we will consider as this request is replayed.



Disadvantages:




  1. Each API will have to get the challenge value.


  2. Increasing of the database table size .



I am not sure this approach is the best one. Looking for some more best approaches to avoid the reply attack for REST API.




  • Backend: Spring Boot.

  • Front end: iOS and Android based app.






spring spring-boot spring-security owasp







share|improve this question















As part of security scanning, security team identified the API which we developed "attacker can do a replay the API (Replay attack)"



Technical approach that I am proposing:




  1. Generate the one time used unique challenge value and store in database with the status as "CREATED".


  2. Develop an API to get this challenge value.


  3. Client will send the request along with the challenge value.


  4. Backend server will validate the challenge value (Checks the values in database and status as "CREATED") and end of the request processing change the status as "USED".


  5. If the same request will be replayed the status of the challenge value is USED hence we will consider as this request is replayed.



Disadvantages:




  1. Each API will have to get the challenge value.


  2. Increasing of the database table size .



I am not sure this approach is the best one. Looking for some more best approaches to avoid the reply attack for REST API.




  • Backend: Spring Boot.

  • Front end: iOS and Android based app.






spring spring-boot spring-security owasp




spring spring-boot spring-security owasp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 19 hours ago









jonrsharpe

75.9k1098203




75.9k1098203










asked 20 hours ago









Maddy

99111




99111




put on hold as too broad by dur, sideshowbarker, Gabor Lengyel, jww, Vega 10 hours ago


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.






put on hold as too broad by dur, sideshowbarker, Gabor Lengyel, jww, Vega 10 hours ago


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.














  • It's not clear from the question what the vulnerability was (what exactly they could replay and what they could achieve). Therefore it's not possible to advise on mitigation. In general, replay attacks are associated with state stored on the client. First you need to get a better understanding of what the actual problem is, because I suspect the solution you proposed is a solution to something else. :)
    – Gabor Lengyel
    12 hours ago


















  • It's not clear from the question what the vulnerability was (what exactly they could replay and what they could achieve). Therefore it's not possible to advise on mitigation. In general, replay attacks are associated with state stored on the client. First you need to get a better understanding of what the actual problem is, because I suspect the solution you proposed is a solution to something else. :)
    – Gabor Lengyel
    12 hours ago
















It's not clear from the question what the vulnerability was (what exactly they could replay and what they could achieve). Therefore it's not possible to advise on mitigation. In general, replay attacks are associated with state stored on the client. First you need to get a better understanding of what the actual problem is, because I suspect the solution you proposed is a solution to something else. :)
– Gabor Lengyel
12 hours ago




It's not clear from the question what the vulnerability was (what exactly they could replay and what they could achieve). Therefore it's not possible to advise on mitigation. In general, replay attacks are associated with state stored on the client. First you need to get a better understanding of what the actual problem is, because I suspect the solution you proposed is a solution to something else. :)
– Gabor Lengyel
12 hours ago

















active

oldest

votes






















active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes

-

Popular posts from this blog

Costa Masnaga

Image
.mw-parser-output .avviso .mbox-text-div>div,.mw-parser-output .avviso .mbox-text-full-div>div{font-size:90%}.mw-parser-output .avviso .mbox-image div{width:52px}.mw-parser-output .avviso .mbox-text-full-div .hide-when-compact{display:block} Questa voce o sezione sull'argomento Lombardia non cita le fonti necessarie o quelle presenti sono insufficienti . Puoi migliorare questa voce aggiungendo citazioni da fonti attendibili secondo le linee guida sull'uso delle fonti. Segui i suggerimenti del progetto di riferimento. Costa Masnaga comune Localizzazione Stato   Italia Regione Lombardia Provincia Lecco Amministrazione Sindaco Sabina Panzeri (Al centro il cittadino) dall'08/06/2009 Territorio Coordinate 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Coordinate: 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Altitudine 318 m s.l.m...
Read more

Fotorealismo

Image
Guerrino Boatto, Venice's St. Barnaba Church and canal Il fotorealismo è un genere di pittura basato sull'uso di una o più fotografie dalle quali l'artista prende le informazioni necessarie da utilizzare poi nel processo della creazione dell'opera, in genere ad olio o ad acrilico, al fine di avere un aspetto finale il più simile possibile alla fotografia. Indice 1 Storia 2 Lista dei fotorealisti 3 Note 4 Voci correlate 5 Altri progetti Storia | Il fotorealismo è un movimento che nasce negli Stati Uniti d'America alla fine degli anni sessanta [1] sulla scia della Pop Art [2] [3] [4] , e insieme condividono il carattere reazionario verso la travolgente ascesa dei media, che alla metà del ventesimo secolo si trasforma in un fenomeno di massa talmente imponente da minacciare il valore dell'immagine nell'arte. [5] [6] Ne consegue così che, colto il gesto d'inizio che fu della Pop Art, i fotorealisti aprono ad un ...
Read more

Sidney Franklin

Image
Questa voce sull'argomento registi statunitensi è solo un abbozzo . Contribuisci a migliorarla secondo le convenzioni di Wikipedia. Sidney Franklin, foto di Carl Van Vechten Oscar alla memoria Irving G. Thalberg 1943 Sidney Franklin , all'anagrafe Sidney Arnold Franklin , (San Francisco, 21 marzo 1893 – Santa Monica, 18 maggio 1972), è stato un regista, produttore cinematografico e attore statunitense. Il 20 giugno 1963, si sposò con l'attrice australiana Enid Bennett. Il matrimonio durò fino alla morte dell'attrice, il 14 maggio 1969 [1] Indice 1 Filmografia 1.1 Regista 1.2 Aiuto regia (parziale) 1.3 Produttore 1.4 Attore (parziale) 2 Note 3 Altri progetti 4 Collegamenti esterni Filmografia | Regista | The Baby , co-regia Chester M. Franklin (1915) The Rivals , co-regia Chester M. Franklin (1915) Little Dick's First Case , co-regia Chester M. Franklin (1915) Her Filmland Hero , co-...
Read more