A workaround for all current Parse security features (CLP/PLP/ACL) #1013
I believe if there is a security concern that could impact all users, this should be publicly discussed and solved, no?
Is it possible to impersonate another PFUser via reverse engineering, random string generation, and injection? Or does PFUser verification for CLP/PLP/ACLs go beyond objectIds and take into account PFSessions/InstallationIds?
With every request, the authentication is done by the session token. The session token is validated across the records in the database. If a token is found matching, we load the corresponding user. Otherwise, the request is marked as not authenticated. See the logic here: https://github.com/ParsePlatform/parse-server/blob/master/src/Auth.js#L46
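The lookup described in the comment above, written out as an added example (this is illustrative code, not Parse Server's Auth.js): a request is authenticated only if the presented session token exactly matches a stored session record, and the user is then loaded from that record. The session and user tables are constructed sample data, and the expiry check is an assumption added here rather than something the comment states. It also shows the point the question was getting at: knowing a user's objectId is not a credential, because the lookup is keyed on the token, not on the id.

```javascript
// Added example (not Parse Server's own Auth.js): resolving a request to a user
// from its session token. SESSIONS and USERS are constructed sample data.
const SESSIONS = [
  // valid, unexpired session (constructed)
  { sessionToken: "r:8f2a-valid-token", userId: "u1", expiresAt: "2030-01-01T00:00:00.000Z" },
  // expired session (constructed); the expiry check is an assumption, not from the thread
  { sessionToken: "r:0c11-expired-token", userId: "u2", expiresAt: "2019-01-01T00:00:00.000Z" },
];
const USERS = {
  u1: { objectId: "u1", username: "alice" },
  u2: { objectId: "u2", username: "bob" },
};

// Returns an auth object. The request is authenticated only if the token matches a
// stored session record exactly and that session has not expired.
function getAuthForSessionToken(token, now = new Date("2024-06-01T00:00:00.000Z")) {
  const unauthenticated = (reason) => ({ isMaster: false, user: null, reason });
  if (typeof token !== "string" || token.length === 0) {
    return unauthenticated("no token");
  }
  // Exact equality against stored records: no prefix, pattern or id-based matching.
  const session = SESSIONS.find((s) => s.sessionToken === token);
  if (!session) return unauthenticated("unknown token");
  if (new Date(session.expiresAt) <= now) return unauthenticated("expired");
  // Load the user the session points at; a dangling reference is treated as no auth.
  const user = USERS[session.userId];
  if (!user) return unauthenticated("orphaned session");
  return { isMaster: false, user, reason: "ok" };
}

// Presenting a user's objectId instead of a token resolves to nothing.
console.log(getAuthForSessionToken("u2").reason); // unknown token
console.log(getAuthForSessionToken("r:8f2a-valid-token").user.username); // alice
```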
Thanks for the response and link. I was just being paranoid :) I thought logically that it wouldn't be so easy and that my gut/uninformed feeling was just wrong.
Hey guys, I wrote an article on Parse Security - wanted to share it with everybody. Parse can be run securely.
I'm not sure if you can, but if you want we can also publish on blog.parseplatform.org. It's a PR away.
That would be awesome!!!
The blog repo is open and you just need to open a PR with your article, markdown formatted. If you need any help, feel free to reach out. Obviously, there should be a mention on the first line that it was originally published on back4app's blog :)
@flovilmart do you have an email I can reach you at? Wanted to discuss a few things with you.
Hit me up! Florent at flovilmart dot com
I sent you an email.
@mpc20001 I haven't received anything
@flovilmart I tried emailing you - try emailing me - viperxj7 at g mail dot com
@mpc20001 Under Step 2.1, you say to disable Update and Create, but you disable Update and Delete, which should be right.
@JacobJT - Thanks, you are correct. I will fix it.
Mpc20001, your article is basically saying abandon the REST paradigm altogether for the interface to your Parse application ... everything becomes POST requests invoking functions rather than intuitively matching verbs to resources.
You can use whatever verbs you want. But yes, everything becomes a POST request since that's how cloud calls work, and it's handled server side rather than relying on the client to provide you security. I'm saying writing your own API is a lot more secure than allowing free access to your database or relying on ACLs.
Which defeats the point of using ACLs and CLPs. Not sure this is quite the good advice.
There are lots of situations where you will find ACLs don't work, or you paint yourself into a corner. I'm not saying you have to do it this way. I'm just saying it's worked for me and avoided any data breaches, which are a common problem with systems built on Parse.
IMHO, the tutorial is a quite bad example of using this project, as you can achieve the same without cloud functions. But who am I to judge?
Sorry, didn't understand what that means. If everything becomes a POST request, how can you use other HTTP verbs (GET, PUT etc)?
On Mon, Feb 11, 2019, 4:27 PM Joren Winge wrote:
You can use whatever verbs you want. But yes everything becomes a post request since that's how cloud calls work and is handled server side rather than relying on the client to provide you security. I'm saying writing your own api is a lot more secure than allowing free access to your database or relying on acls.
@nemodym the article suggests all implementation should be done through cloud functions. While this works, one could argue you'd be able to build the same with an express server or using mongoose. Using the masterKey is not how this project was designed.
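The disagreement in the comments above (CLPs and ACLs versus cloud functions that use the master key) and the Step 2.1 correction (disable Update and Delete, not Update and Create) both come down to how a request is gated. Below is an added example, not Parse Server's own permission code, that models the documented class-level permission (CLP) and ACL rules in simplified form: a CLP maps each operation to the principals allowed to perform it, the master key bypasses CLPs, and the object ACL is checked afterwards. The class, ids, ACL and both CLPs are constructed, and the two CLP variants are my reading of what the comment describes, not text copied from the article.

```javascript
// Added example, not Parse Server's own code: a simplified model of how a CLP and an
// object ACL gate a request. Semantics follow the documented CLP/ACL rules:
//   "*"                    anyone, including unauthenticated clients
//   "requiresAuthentication" any logged-in user
//   "role:Name"            members of that role
//   "<user objectId>"      that user only
//   {}                     nobody except the master key
// Both CLPs and all ids below are constructed for the example.

// What the Step 2.1 correction says the article wrote: Update and Create disabled,
// which leaves Delete open to anyone (a constructed reading of the comment).
const CLP_AS_WRITTEN = {
  find: { "*": true }, get: { "*": true }, create: {}, update: {}, delete: { "*": true },
};
// What it should say: Update and Delete disabled for clients; Create needs a login.
const CLP_CORRECTED = {
  find: { "*": true }, get: { "*": true }, create: { requiresAuthentication: true },
  update: {}, delete: {},
};

// Constructed callers. A cloud function running with the master key is isMaster: true.
const ANON = { isMaster: false, user: null };
const ALICE = { isMaster: false, user: { objectId: "u1", roles: [] } };
const BOB = { isMaster: false, user: { objectId: "u2", roles: [] } };
const MASTER = { isMaster: true, user: null };

// Constructed object ACL: world-readable, writable only by its owner u1.
const OBJ_ACL = { "*": { read: true }, u1: { read: true, write: true } };

// The principal keys a request carries: "*" plus the user's id and role keys.
function aclGroup(auth) {
  const group = ["*"];
  if (auth.user) {
    group.push(auth.user.objectId);
    for (const role of auth.user.roles || []) group.push("role:" + role);
  }
  return group;
}

// Class-level check. A missing operation entry means the operation is public.
function clpAllows(clp, operation, auth) {
  if (auth.isMaster) return true; // master key bypasses CLPs entirely
  const perms = clp[operation];
  if (!perms) return true;
  if (perms["*"]) return true;
  if (perms.requiresAuthentication && auth.user) return true;
  return aclGroup(auth).some((key) => perms[key] === true);
}

// Object-level check. An object without an ACL is publicly readable and writable.
function aclAllows(acl, access, auth) {
  if (auth.isMaster) return true;
  if (!acl) return true;
  return aclGroup(auth).some((key) => acl[key] && acl[key][access] === true);
}

// Full decision: the CLP is evaluated first, then the object's ACL.
function isAllowed(clp, operation, acl, auth) {
  if (!clpAllows(clp, operation, auth)) return false;
  const writes = operation === "create" || operation === "update" || operation === "delete";
  return aclAllows(acl, writes ? "write" : "read", auth);
}

// The server-side pattern the thread debates: a cloud function verifies the caller
// itself (here, ownership via the ACL) and only then writes with the master key, so
// clients never need an update CLP at all.
function cloudUpdateOwned(auth, acl, clp) {
  if (!auth.user) return { ok: false, reason: "unauthenticated" };
  if (!aclAllows(acl, "write", auth)) return { ok: false, reason: "not owner" };
  return { ok: isAllowed(clp, "update", acl, MASTER), reason: "ok" };
}
```

Running the two CLPs side by side makes the correction concrete: with CLP_AS_WRITTEN an anonymous caller can delete any object that has no ACL, with CLP_CORRECTED it cannot; and with CLP_CORRECTED even the owner cannot update directly, which is exactly why the article routes writes through cloud functions and why the other commenters object that this gives up the client-side use of ACLs.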
This post is about how secure the security features are in Parse Server/SDK. Awesome community. Love you guys!
I was hoping I could email someone about a security concern in using Parse Server and the SDK. Small gaps in security seem really scary now that I've gotten most of my service built. I'm not expecting Parse to be 100% secure, but just wanted to know if this was a real concern.
Thanks,
J
Sucks GitHub removed their private messaging!