How do websites block unauthorized requests?

  • Thread starter Thread starter Trollfaz
  • Start date Start date
  • Tags Tags
    Block Websites
Click For Summary

Discussion Overview

The discussion revolves around how websites manage and block unauthorized requests, particularly focusing on HTTP methods like DELETE, PUT, and POST. Participants explore security measures, user permissions, and server configurations that prevent unauthorized alterations to website content.

Discussion Character

  • Technical explanation
  • Debate/contested

Main Points Raised

  • Some participants suggest that websites typically have user-based permissions to control what actions users can perform, implying that unauthorized requests should not succeed unless there is a bug.
  • Others explain that administrative access is secured through unique usernames and passwords, and that security plugins can help protect against common vulnerabilities.
  • It is noted that editing content usually requires a session token, which verifies that a user is logged in, and without it, data submissions are ineffective.
  • Some participants mention the role of the .htaccess file in controlling request methods and blocking unauthorized access.
  • There is a claim that many websites do not respond to DELETE requests, which is a common defense mechanism against unauthorized modifications.
  • Participants discuss the differences between GET and POST requests, highlighting that GET requests are idempotent and cannot change server-side documents, while POST requests can create content and are not idempotent.

Areas of Agreement / Disagreement

Participants generally agree on the importance of user permissions and security measures, but there are varying opinions on the effectiveness of specific methods and configurations. The discussion remains unresolved regarding the best practices for blocking unauthorized requests.

Contextual Notes

Some limitations include the dependence on specific server configurations and the potential for bugs in code that could allow unauthorized actions. The discussion does not resolve the effectiveness of various security measures mentioned.

Trollfaz
Messages
144
Reaction score
16
If I say run the httr library on R and send DELETE or PUT or POST requests to a website, can it alter the contents and display of the webpage or do we devs have methods to block requests from unidentified sources. E.g if I send a DELETE request to Physics Forums website does it mean I can take down the logo?
 
Technology news on Phys.org
Websites would normally have user-based permissions defining what a user can see or do. Giving any user permissions like that would not happen unless there was a bug in the code.
 
Reply
  • Like
Likes   Reactions: russ_watters
The admin person(s) have a username (NEVER admin) and a password to get access to the site's inner workings, be it a forum or website or the content management system if a site uses one. In the common case of hacking into WordPress there are security plugins that can help secure the site. One of the very first things you do is rename the standard admin login page to something completely different. The average attack starts with trying the standard login page, so that simple change is a great start. Beginners get hacked because they don't know how to hide the admin login page.

Then editing things requires that the changes come from the admin panel and not from an external site. This is usually built in with a session token, so if by luck you find a form used by the site owner to edit things, if you don't have the session ID to prove you have logged in, the data in such a form goes nowhere. This is even used in home built online sites that the admin created themselves. Usually the lack of the token means any such page with a data enter form is simply not displayed for you to try to use.

As there are multiple ways to attack a site, multiple blocks exist within a WP security package to disable the ones most likely to take advantage of a weak feature of WP. The same is true for lots of other content management systems. Shopping carts can also have a security package installed.

And as these types of sites use a database, you have to know its name to send data to it.
 
There also something called a ".htaccess" file which can do the job to some extent.
 
Trollfaz said:
if I send a DELETE request to Physics Forums website does it mean I can take down the logo?
No, because PF's server doesn't even respond to DELETE requests at all. In fact that's how most websites "defend" against such things: they don't even respond to any HTTP methods other than GET (and HEAD, which just returns the same headers as GET but no payload) and POST. And what the server does with requests with those methods depends on whether you are logged in or not and, if you are logged in, what permissions your user account has.
 
PeterDonis said:
No, because PF's server doesn't even respond to DELETE requests at all. In fact that's how most websites "defend" against such things: they don't even respond to any HTTP methods other than GET (and HEAD, which just returns the same headers as GET but no payload) and POST. And what the server does with requests with those methods depends on whether you are logged in or not and, if you are logged in, what permissions your user account has.
So POST in the case of posting threads as a registered member?
 
Trollfaz said:
So POST in the case of posting threads as a registered member?
POST would be anything that is an attempt to add content, so starting a new thread, posting in an existing thread, or posting a private message.
 
  • #10
Or filling out a registration form as a non-registered user.
 
  • #11
Borg said:
Or filling out a registration form as a non-registered user.
Yes, or signing in as a registered user.
 
  • #12
GET passes data in the URL, and is for things which could happen multiple times (generally fetching content). POST passes data in the request body, and is for things which only need to happen once (generally creating content). POST has the further advantage that the body of the request can be encrypted, whereas you can't really encrypt a URL.
 
  • #13
pasmith said:
GET passes data in the URL
More precisely, it passes things like query parameters in the URL. A GET request cannot change any documents on the server side, so nothing in the URL is "data" the way, say, a form body in a POST request is data.

pasmith said:
is for things which could happen multiple times (generally fetching content). POST passes data in the request body, and is for things which only need to happen once
More precisely, multiple GET requests with the same URL and headers are idempotent (they have the same effect as if just one of them was made). But multiple POST requests with identical content (URL, headers, and payload) are not idempotent--they could create multiple copies of the same document, for example, instead of just one.
 

Similar threads

My Website For Creating Interactive Visuals Linked To Equations
  • · Replies 4 ·
Replies
4
Views
3K
Do you want to build a website?
  • · Replies 15 ·
Replies
15
Views
3K
Python Page not found 404 django-python
  • · Replies 4 ·
Replies
4
Views
6K
Creating a Website: Advice for Beginners (fog37)
  • · Replies 14 ·
Replies
14
Views
3K
Python Error of Execution While Trying to Scrape a Website
  • · Replies 3 ·
Replies
3
Views
2K
How do Jupyter notebook components work together?
  • · Replies 17 ·
Replies
17
Views
3K
How to Export Data From an App & Display It on a Website
  • · Replies 6 ·
Replies
6
Views
2K
PHP Using PHP and cURL to submit POST requests to a website
  • · Replies 7 ·
Replies
7
Views
6K
Learning about Python application deployment - possible recommendations
  • · Replies 7 ·
Replies
7
Views
3K
Chemical Forums down, or how I learned what slowloris is
  • · Replies 8 ·
Replies
8
Views
1K