How do websites block unauthorized requests?

  • Thread starter Thread starter Trollfaz
  • Start date Start date
  • Tags Tags
    Block Websites
Click For Summary
SUMMARY

This discussion focuses on how websites block unauthorized requests, specifically using the httr library in R to send DELETE, PUT, or POST requests. It concludes that most websites, including Physics Forums, do not respond to DELETE requests, effectively preventing unauthorized alterations. Security measures such as user-based permissions, session tokens, and .htaccess files are essential for protecting web applications. Additionally, understanding the differences between HTTP methods like GET and POST is crucial for web developers to secure their sites against potential attacks.

PREREQUISITES
  • Understanding of HTTP methods (GET, POST, DELETE)
  • Familiarity with web security concepts (session tokens, user permissions)
  • Knowledge of .htaccess file configuration on Apache servers
  • Experience with R programming and the httr library
NEXT STEPS
  • Research how to implement session tokens for user authentication in web applications
  • Learn about configuring .htaccess files to restrict HTTP methods
  • Explore security plugins for WordPress to enhance site protection
  • Study the differences between idempotent and non-idempotent HTTP requests
USEFUL FOR

Web developers, security professionals, and anyone involved in managing or developing websites who seeks to understand how to protect against unauthorized requests and enhance web application security.

Trollfaz
Messages
144
Reaction score
16
If I say run the httr library on R and send DELETE or PUT or POST requests to a website, can it alter the contents and display of the webpage or do we devs have methods to block requests from unidentified sources. E.g if I send a DELETE request to Physics Forums website does it mean I can take down the logo?
 
Technology news on Phys.org
Websites would normally have user-based permissions defining what a user can see or do. Giving any user permissions like that would not happen unless there was a bug in the code.
 
Reply
  • Like
Likes   Reactions: russ_watters
The admin person(s) have a username (NEVER admin) and a password to get access to the site's inner workings, be it a forum or website or the content management system if a site uses one. In the common case of hacking into WordPress there are security plugins that can help secure the site. One of the very first things you do is rename the standard admin login page to something completely different. The average attack starts with trying the standard login page, so that simple change is a great start. Beginners get hacked because they don't know how to hide the admin login page.

Then editing things requires that the changes come from the admin panel and not from an external site. This is usually built in with a session token, so if by luck you find a form used by the site owner to edit things, if you don't have the session ID to prove you have logged in, the data in such a form goes nowhere. This is even used in home built online sites that the admin created themselves. Usually the lack of the token means any such page with a data enter form is simply not displayed for you to try to use.

As there are multiple ways to attack a site, multiple blocks exist within a WP security package to disable the ones most likely to take advantage of a weak feature of WP. The same is true for lots of other content management systems. Shopping carts can also have a security package installed.

And as these types of sites use a database, you have to know its name to send data to it.
 
There also something called a ".htaccess" file which can do the job to some extent.
 
Trollfaz said:
if I send a DELETE request to Physics Forums website does it mean I can take down the logo?
No, because PF's server doesn't even respond to DELETE requests at all. In fact that's how most websites "defend" against such things: they don't even respond to any HTTP methods other than GET (and HEAD, which just returns the same headers as GET but no payload) and POST. And what the server does with requests with those methods depends on whether you are logged in or not and, if you are logged in, what permissions your user account has.
 
PeterDonis said:
No, because PF's server doesn't even respond to DELETE requests at all. In fact that's how most websites "defend" against such things: they don't even respond to any HTTP methods other than GET (and HEAD, which just returns the same headers as GET but no payload) and POST. And what the server does with requests with those methods depends on whether you are logged in or not and, if you are logged in, what permissions your user account has.
So POST in the case of posting threads as a registered member?
 
Trollfaz said:
So POST in the case of posting threads as a registered member?
POST would be anything that is an attempt to add content, so starting a new thread, posting in an existing thread, or posting a private message.
 
  • #10
Or filling out a registration form as a non-registered user.
 
  • #11
Borg said:
Or filling out a registration form as a non-registered user.
Yes, or signing in as a registered user.
 
  • #12
GET passes data in the URL, and is for things which could happen multiple times (generally fetching content). POST passes data in the request body, and is for things which only need to happen once (generally creating content). POST has the further advantage that the body of the request can be encrypted, whereas you can't really encrypt a URL.
 
  • #13
pasmith said:
GET passes data in the URL
More precisely, it passes things like query parameters in the URL. A GET request cannot change any documents on the server side, so nothing in the URL is "data" the way, say, a form body in a POST request is data.

pasmith said:
is for things which could happen multiple times (generally fetching content). POST passes data in the request body, and is for things which only need to happen once
More precisely, multiple GET requests with the same URL and headers are idempotent (they have the same effect as if just one of them was made). But multiple POST requests with identical content (URL, headers, and payload) are not idempotent--they could create multiple copies of the same document, for example, instead of just one.
 

Similar threads

My Website For Creating Interactive Visuals Linked To Equations
  • · Replies 4 ·
Replies
4
Views
3K
Do you want to build a website?
  • · Replies 15 ·
Replies
15
Views
3K
Python Page not found 404 django-python
  • · Replies 4 ·
Replies
4
Views
5K
Creating a Website: Advice for Beginners (fog37)
  • · Replies 14 ·
Replies
14
Views
3K
Python Error of Execution While Trying to Scrape a Website
  • · Replies 3 ·
Replies
3
Views
2K
How do Jupyter notebook components work together?
  • · Replies 17 ·
Replies
17
Views
3K
How to Export Data From an App & Display It on a Website
  • · Replies 6 ·
Replies
6
Views
2K
PHP Using PHP and cURL to submit POST requests to a website
  • · Replies 7 ·
Replies
7
Views
6K
Learning about Python application deployment - possible recommendations
  • · Replies 7 ·
Replies
7
Views
3K
Chemical Forums down, or how I learned what slowloris is
  • · Replies 8 ·
Replies
8
Views
1K