Johnathan Roark
Caldari Quantum Industries RAZOR Alliance
Posted - 2009.03.01 10:00:00 -
[1]
Edited by: Johnathan Roark on 01/03/2009 10:01:42
This is a guide to help the EVE community developers test their in-game browser code without using the in-game browser. It loads very slowly and slows down development. It is also intended to help improve security and awareness of the flaws of trusting this information. This is intended for research purposes and not to help you break into someone's website. Doing so would be a breach of the EULA (impersonating another player) and could be considered a crime in some areas (unauthorized computer access).
What you will Need:
- A webhost that supports PHP
- Firefox Web-browser
First, let's take a peek at what HTTP headers the EVE Minibrowser actually sends to the server if trust is enabled. To do this, we need something that will display them.
On a server that supports PHP, use this code:
<?php // preg_match() replaces the removed ereg(); htmlspecialchars() escapes header values before they are echoed into the page
foreach ($_SERVER as $h => $v) if (preg_match('/^HTTP_(.+)$/', $h)) echo "<li>" . htmlspecialchars("$h = $v") . "</li>\n";
Save this file as dumpheaders.php. Open up your EVE browser and add the location of this file on your server to your trusted sites. Browse to the file. You should see something like the following (copy from your in-game browser into a text document for later reference):
- HTTP_ACCEPT_ENCODING = identity
- HTTP_CONNECTION = close
- HTTP_EVE_ALLIANCEID = 741557221
- HTTP_EVE_ALLIANCENAME = RAZOR Alliance
- HTTP_EVE_CHARID = 274699092
- HTTP_EVE_CHARNAME = Johnathan Roark
- HTTP_EVE_CONSTELLATIONNAME =
- HTTP_EVE_CORPID = 170567768
- HTTP_EVE_CORPNAME = Quantum Industries
- HTTP_EVE_CORPROLE = 0
- HTTP_EVE_NEARESTLOCATION = None
- HTTP_EVE_REGIONNAME = Delve
- HTTP_EVE_SERVERIP =
- HTTP_EVE_SOLARSYSTEMNAME =
- HTTP_EVE_STATIONNAME =
- HTTP_EVE_TRUSTED = yes
- HTTP_HOST =
- HTTP_USER_AGENT = EVE-minibrowser/3.0
I removed the info I do not wish to share with you. You may be thinking "Lots of interesting information contained in those headers. It even tells me what corporation I am in. I can use this in my next great application to make sure only my friends can get into my site." If you are one of these people, make sure you continue reading because I will proceed to show you why you could not be more wrong.
Go to https://addons.mozilla.org/en-US/firefox/addon/967 and download the addon for Firefox called Modify Headers. After it's installed, in Firefox, go to "Tools", "Modify Headers". A new window should pop up. On the top, you will see three boxes. The first one is white with a drop-down; select "Add" from the drop-down. The other two boxes should now be white as well. In the first one, type "EVE_CHARNAME". In the next box, type in your character name. Click the Add button. Repeat for all of the rest of the HTTP_EVE headers, filling in the appropriate information. You will also need to create one with the name "USER_AGENT" and value "EVE-minibrowser/3.0". Again, I must stress this information is provided in the hope that developers stop trusting HTTP headers.
POS-Tracker 2.1.0 Hosting
Johnathan Roark
Caldari Quantum Industries RAZOR Alliance
Posted - 2009.03.01 10:01:00 -
[2]
Ok, now that I spoiled that method of authenticating, what are my options?
Easiest: ask for a password to confirm. Also, access should not be granted without communicating with the user that they are the ones who registered and accessed your site.
Ask for a user ID and EVE API key. If they have this, they have either received it from the person who you are authenticating or they are the person you are authenticating. Action is required by your intended user in both cases.
Encourage CCP to add OpenID or some other method of guaranteeing website users are who they say they are.
Does this make the EVE browser HTTP headers worthless? Nope, there are many great applications that take advantage of them. Just keep in mind that they can not be 100% trusted and DO NOT use them for granting access to a user.
Why did I research this? I got tired of testing them in game because the EVE browser is slower and it requires me to be in game. Hard to hide from ops when you're in game.
Why am I posting this? I was asked to by other concerned people who saw how bad trusting them is and to encourage developers not to use them.
POS-Tracker 2.1.0 Hosting
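The two posts above describe the flaw (any HTTP client can send the EVE_* headers dumped by dumpheaders.php) and the fix (a password the user set, checked server-side). The following is an added example, not code from the thread or from POS-Tracker, that puts both checks side by side in Python; the header dictionary, the user store and the character names reused from the dump above are constructed sample data.

```python
"""Constructed example: one spoofable request, the flawed header check and the session-based check."""
import hashlib
import hmac
import secrets

# Constructed $_SERVER-style headers. Nothing here proves who sent the request;
# any client can set them, which is what the Modify Headers steps above demonstrate.
SPOOFED_SERVER = {
    "HTTP_USER_AGENT": "EVE-minibrowser/3.0",
    "HTTP_EVE_TRUSTED": "yes",
    "HTTP_EVE_CHARNAME": "Johnathan Roark",
    "HTTP_EVE_CORPNAME": "Quantum Industries",
}

def eve_headers(server):
    """Collect the EVE_* headers as dumpheaders.php lists them: fine for prefilling forms, never for access."""
    return {k[len("HTTP_EVE_"):].lower(): v for k, v in server.items() if k.startswith("HTTP_EVE_")}

def grant_by_headers(server, allowed_corp):
    """The pattern the thread warns against: grants access on whatever corp name the client claims."""
    return server.get("HTTP_EVE_TRUSTED") == "yes" and server.get("HTTP_EVE_CORPNAME") == allowed_corp

def register(users, charname, corp, password):
    """Hypothetical user store: corp is recorded when the user registers (confirmed out of band),
    and the password is stored as a salted PBKDF2 hash, never in the clear."""
    salt = secrets.token_bytes(16)
    users[charname] = {"corp": corp, "salt": salt,
                       "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}

def login(users, charname, password):
    """Returns a server-side session only after the password check succeeds.
    The session, not the request headers, is what carries the user's identity."""
    rec = users.get(charname)
    if rec is None:
        return None
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    if not hmac.compare_digest(cand, rec["hash"]):   # constant-time comparison
        return None
    return {"charname": charname, "corp": rec["corp"]}

def grant_by_session(session, allowed_corp):
    """Corrected check: the decision comes from the authenticated session; headers are ignored entirely."""
    return session is not None and session["corp"] == allowed_corp
```

Run against SPOOFED_SERVER, grant_by_headers() lets the forged request in while grant_by_session() denies it until the real password is presented.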
MrRx7
Amarr Cutting Edge Incorporated RAZOR Alliance
Posted - 2009.03.01 10:18:00 -
[3]
Just another thing to add to the long list of web security people need to check when developing :-)
especially online apps!
Dragonaire
Caldari Corax.
Posted - 2009.03.01 16:26:00 -
[4]
Thanks Johnathan for posting this. I'm sure there's now a few more people that now understand just how little 'security' the IGB headers really are now. Useful to fill in a few forms from time to time but only if you verify them by some other means. -- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API.
Toobit Hor
Posted - 2009.03.03 02:53:00 -
[5]
A good introduction to security issues with Post Headers
Personally, I'd advocate allowing users to set their own login password, and not requiring the use of their API key, for two reasons:
- Users are often scared of the security issues involved with API keys.
- Users won't want to remember a 64 character alphanumeric password; they want simple security, like a regular password.
If you need the API key for data retrieval, then make the options available after the user has authenticated using their simple password.
Tonto Auri
Vhero' Multipurpose Corp
Posted - 2009.03.04 00:52:00 -
[6]
This has been mentioned already: EVE IGB trust is not YOU trust your visitors' info, it is your visitors trust you enough to send their info to your site. -- Thanks CCP for cu
Immersive
Immersive Technology Solutions
Posted - 2009.03.04 03:41:00 -
[7]
Originally by: Tonto Auri This has been mentioned already: EVE IGB trust is not YOU trust your visitors' info, it is your visitors trust you enough to send their info to your site.
Yes, I believe that was the point of this thread. --- New to the API? GrabRaw XML
It's coming...
Johnathan Roark
Caldari Quantum Industries RAZOR Alliance
Posted - 2009.03.04 08:53:00 -
[8]
Originally by: Tonto Auri This has been mentioned already: EVE IGB trust is not YOU trust your visitors' info, it is your visitors trust you enough to send their info to your site.
Really was meant to show how to test your IGB code without using the IGB. I'm rather sure I can get a page embedded with Flash and tons of graphics to load faster in Firefox than it takes the IGB to load a page with just text on it. The fact that HTTP headers aren't to be trusted was really just a side topic that this topic should have removed any questions over. I'm sure there are lots of new developers of IGB sites that do not realize exactly how easy it is.
POS-Tracker 2.1.0 Hosting
Tonto Auri
Vhero' Multipurpose Corp
Posted - 2009.03.04 18:40:00 -
[9]
Not to offend or correct you, just to sum this one thing in one phrase. -- Thanks CCP for cu
Pwett
QUANT Corp. QUANT Hegemony
Posted - 2009.03.05 16:09:00 -
[10]
Originally by: Johnathan Roark
Really was meant to show how to test your IGB code without using the IGB. I'm rather sure I can get a page embedded with Flash and tons of graphics to load faster in Firefox than it takes the IGB to load a page with just text on it.
This is key. I can load a 10,000 item list with pictures in FF faster than the IGB can process 25 lines of text. _______________ <Q> QUANT Hegemony A man creates; A parasite asks 'Where is my share?' Item Database