Let’s share that the technical team of my previous employer did some obfuscation with the processing of the request interface parameters.

Security is stable operation of the measure of a project, one of the essential condition is also a technical team work quality evaluation index, while the former perspective, there is no fundamental security, after all, the front of everything is opening to the outside world, but the front-end developer can by increasing the threshold, thus to improve the overall project safety.

What interface needs to do parameter processing

In the interface request, especially the interface with sensitive fields and data such as login and registration, if the data is sent to the back end in plain text, it will bring great security risks. Therefore, if you want to realize non-plaintext transmission of interface parameters, you have to do some processing on the parameters to increase the threshold of malicious attacks.

My suggestion is that all POST requests need to be processed. In standard interface specifications, POST requests process data and return results, while GET is more about getting data than manipulating it.

How to deal with parameters that make it harder to crack

At the beginning, we used to encrypt the data. We first obtained the encryption key from the back end, then encrypted the data through the key when requesting, and decrypted the data according to the key after the interface obtained the data.

This approach is obviously stupid, and it does not increase the threshold of attack, but ensures the transmission of non-plaintext data. The attacker can still obtain the key through the interface, and then obtain/decrypt sensitive data according to the key, so as to achieve the purpose of attack.

Encryption is not feasible, then the front and back end together to develop a rule, the request data do obfuscation processing, the back end according to the rules to parse the original data, so as long as ensure that this rule does not leak out, do not update the obfuscation rules regularly, that is, can increase the threshold of parameter crack and interface violence request to a certain extent.

Specific rules

1, get the business parameters (JSON format)

2, encrypt the service parameters (rule: all keys are arranged in the order of A-Z, and then join with &, then md5 gets the string sign, and turn all the lowercase letters inside into uppercase)

3. Intercept the generated sign (remove the first three and the last five) to get the final sign

4. Add the final sign to the business request parameter. Key is fixed as sign and value is the value generated in step 3

5, randomly generate a 16-bit string (number + university letter) as the original secret key

6. Take the value generated by 4 as the plaintext, and the value generated by 5 as the final secret key, and then conduct AES encryption to get the final data

7, the data generated by 6 as value,key fixed as data, and then the original k (truncated and capitalized before the value) as value,key k

Example:

The front-end implementation

Install CryptoJS


npm install crypto-js

Copy the code

Introduce CryptoJS and MD5JS

The MD5JS library is an additional download to introduce.


import cryptoJs from 'crypto-js';

import {

  hex_md5

} from "./md5";

Copy the code

Confuse algorithm


/** * apiEncode Request parameter obfuscation *@param {Object} params 

 */

export const apiEncode = (params) = > {

  // Dictionary sort

  var arr = Object.keys(params).sort();

  var result = {};

  arr.map(m= > {

    result[m] = params[m];

  });

  // Process as query

  var str = [];

  for (var p in result)

    if (result.hasOwnProperty(p)) {

      str.push(encodeURIComponent(p) + "=" + encodeURIComponent(result[p]));

    }

  result = str.join("&");

  // MD5 encrypts and converts to uppercase, intercepts and concatenates to the original parameter

  let sign = hex_md5(result).toUpperCase();

  params.sign = sign.substring(3, sign.length - 5);

  // Generate KEY, encrypt processing

  let key = generateMixed(16);

  let enc = cryptoJs.AES.encrypt(JSON.stringify(params), cryptoJs.enc.Utf8.parse(key), {

    mode: cryptoJs.mode.ECB,

    padding: cryptoJs.pad.Pkcs7

  });

  return JSON.stringify({

    data: enc.toString(),

    k: key

  });

}

/** * Randomly generates a string of the specified length *@param {Int} The length of the n * /

export const generateMixed = (n) = > {

  let chars = ['0'.'1'.'2'.'3'.'4'.'5'.'6'.'7'.'8'.'9'.'A'.'B'.'C'.'D'.'E'.'F'.'G'.'H'.'I'.'J'.'K'.'L'.'M'.'N'.'O'.'P'.'Q'.'R'.'S'.'T'.'U'.'V'.'W'.'X'.'Y'.'Z'];

  let res = "";

  for (let i = 0; i < n; i++) {

    let id = Math.ceil(Math.random() * 35);

    res += chars[id];

  }

  return res;

}

Copy the code