Geek Answers Handbook

How can I safely update a remote database from an internal chrome extension?

It is very difficult for me to understand this. After spending about 4 hours scanning on the Internet, there is no SO message to save me.

Imagine the scenario:

  • I already wrote a chrome extension that captures some actions on a web page (basically a button click). This action calls a function that captures some user information and button information (all present on the page itself) and displays it

  • Now I want the plugin to be able to update it in the database setup on the remote server.

Since I am fluent in PHP (and therefore MySQL is a good choice), I am looking for a solution to make sure that the updates are made ONLY and ONLY from the extension itself.

For this, I believe that the best option would be to run a GET / POST request, for example http: //remoteserver.tld/update-db.php? Id = XXXX & action = YYYYY & foo = bar .... etc. But what happens if a user opens / passes post vars to this external plugin?

Data will continue to be updated and integrity will be lost!

The next best idea was to include keys with the request, but again the extensions were written in JS, almost anyone can sniff out keys.

Point me to the best way to update the database on the remote server and make sure the action is authenticated.

Hooray!

+7
source share
1 answer

The problem here is authentication, basically, you want to prevent anyone from updating any elses data store.

The most obvious solution for this is to send an additional parameter that is difficult to enumerate (hashes are a good example) and that is assigned to only one instance of your extension (so that each user creates their own hash authentication).

In order for this hash to be effective, it is important that it not be guessed. Do not create a hash solely on the basis of static material, such as ip-adressess or user agent strings.

You can include these static lines to make conflicts less likely: [pseudo] sha1 (ip_address + user_agent + random_integer).

So, basically for you this ends with the following: let the extension generate a hash for the current instance, if it is being executed for the first time, make an initial request to your server to "register" this new instance, and all subsequent requests that have this hash, will be authenticated in this instance.

also use SSL encrypted connections to prevent sniffing.

Please do not solve this with security through the obscurity as XORing is everywhere, people will find out.

Oh, and by the way, if the problem is data integrity, you can't fix it. The transmitted data is always provided by the user, since everything that the computer does is under the control of this user (presumably).

+2
source

More articles:


All Articles