Geek Answers Handbook

How can I prevent malicious use of my sockets?

I create a web page based on the fact that players can invite other players to parties and others can invite long lines.

I have your main transfer / receive / update chat / users in your party. The only thing is to stop someone from sitting there, opening the developer console and setting off

socket.emit('updateUsers', 'Weiner'); socket.emit('updateUsers', 'Idiot'); socket.emit('updateUsers', 'Bad word'); socket.emit('updateUsers', 'Other stupid malicious really long spam the chat name');

How can I prevent this so that they cannot do such things?

(Full JS stack, Node.js) Thanks!

+3
javascript websocket
source share
4 answers

I also ran into this problem. This was my decision as spam emits (using a malicious socket) ..

 var spamData = new Object(); var spamCheckFunctions = ["updateUsers","moreEmits"]; // anti-spam will check these socket emits var antiSpam = 3000; // anti spam check per milliseconds var antiSpamRemove = 3; // -spam points per antiSpam check var maxSpam = 9; // Max spam points before disconnect is thrown to the socket io.sockets.on('connection', function (socket) { // Spam Check, this binds to all emits var emit = socket.emit; socket.emit = function() { data = Array.prototype.slice.call(arguments); if(spamCheckFunctions.contains(data[0])){ addSpam(socket); }; emit.apply(socket, arguments); }; var $emit = socket.$emit; socket.$emit = function() { data = Array.prototype.slice.call(arguments); if(spamCheckFunctions.contains(data[0])){ addSpam(socket); } $emit.apply(socket, arguments); }; }); function maxSpamCheck(socket){ if(spamData[socket.username].spamScore>=maxSpam && !socket.spamViolated){ socket.spamViolated = true; socket.disconnect(); } } function checkSpam(){ for(user in spamData){ if(spamData[user].spamScore>=1) spamData[user].spamScore-=antiSpamRemove; } return; } setInterval(checkSpam,antiSpam); function addSpam(socket){ if(socket.spamViolated) return; spamData[socket.username].spamScore+=1; maxSpamCheck(socket); } // Then add this where your user is authenticated function authenticate(socket){ socket.username = username // here you define username socket.spamViolated = false; spamData[socket.username] = { spamScore: 0 } } Array.prototype.contains = function(k) { for(var p in this) if(this[p] === k) return true; return false; };

basically contacts all emissions and checks if the emit name is contained in spamCheckFunctions if it adds a spam point if the user exceeds the spam count ( maxSpam ); he will be disconnected. And for every milliseconds defined in antiSpam , the user spam score defined in antiSpam will be underestimated

I'm sure there are cleaner solutions, but this option is very good for me :)

Just make sure you verify / authenticate users.

so I authenticate them (not using nodejs as a web server, but had django):

 io.configure(function(){ io.set('authorization', function(data, accept){ if(data.headers.cookie){ data.cookie = cookie_reader.parse(data.headers.cookie); return accept(null, true); } return accept('error', false); }); });

now you can access socket.handshake.cookie['sessionid'] (in my case it worked with django) then map socket.handshake.cookie['sessionid'] to the entry where your sessions are stored on the web server

+2
source share

This is a difficult problem at all. Two things you could do:

1) Use client-side self-starting functions, i.e.

 (function(w) { // define your sockets here var socket = ...; })(window);

Obviously, this is on the client side, so it is not very safe. But it’s not so bad to have such a wall.

2) On the server side, monitor the sending frequency. For example, if someone sends 5 times per second, you can assume that it is spam, and you can block this socket. This is especially effective when combined with authentication and complex registration (so people will have a problem creating a new account).

+1
source share

Use the md5 / sha switch, which behaves like a cookie.

Create a key for a specific user and send it to the client and always check that incoming requests have the same key

It will not be fully protected, since a hacker can always find your key either in the source code or in localStorage, but try to hide it by obfuscating your code.

0
source share

A way to prevent spam is to either implement user authentication or / or a packet rate limiter. Add a middleware function that keeps track of socketId and the number of packets sent through this socket. When it exceeds your limit, disconnect the connector.

You can even add an extra feature that monitors the IP address of this socket, if the IP address is disconnected too often due to spam, you can disable this ip. Add a connection event check for which IP addresses are allowed.

0
source share

More articles:


All Articles