How to Prevent Replay Attacks on Your Website

Web security has become a hot issue for web developers, because attackers are getting ever better at intercepting and resending network packets that do not belong to them, which is dangerous. To keep bad things from happening to your site, we show you a simple approach. It is far from a complete solution, but it is enough to give you a general view of how tokens and simple protocols can enhance the security of your websites.

  • The One-Time Token Concept

The idea is to tie every HTTP response to a token string that is valid only for the next POST request. The steps break down as follows:

1. The client makes a GET request by typing the URL of a page or by clicking on a link.

2. The server generates a random token. It stores a copy of the token in the session and embeds another copy in the <form> tag of the response it sends to the client.

3. The client processes the content and, say when the user clicks on a button, sends a POST request to the server that contains the randomly generated token.

4. The server receives the request and proceeds with processing it only if the attached token is equal to the one stored in the user's session.

5. The server invalidates the token and returns to step 2, where it formulates the response with a new random token.

In this manner, even if a critical request sent to the server is intercepted by a malicious user, it cannot be repeated, because the token it contains is no longer valid once the request has reached the server. The same holds if the user unintentionally presses F5 and resends the request after posting information to the server.

  • The Solution

To prevent a POST request from being repeated, we update the markup to add a hidden field that will store the token.

The next step is to create a function that produces a random token and embeds it both in the hidden field and in the session collection.

Next, we change the Page_Load() function so that it displays the posted data only if the posted token is equal to the one stored in the session.

Finally, we override the OnPreRender() function to generate a new token before the final output is sent to the client. This is what makes it a one-time token: it is renewed every time a new request is sent.

When you submit the form by clicking on the button, it works just as it did before. But if you try to simulate the replay attack by refreshing the page, you get an error, because the token sent with the form is no longer equal to the one stored on the server.

This way, we can distinguish valid button-click submissions from repeated requests.

  • Modify it even Better

One of the problems with this code is that two tabs in your browser pointing to the same page use the same session token key, so posting in one tab invalidates the token of the other. This can be addressed by adding a token ID that ensures each request-response sequence happening in one tab uses its own set of unique tokens and does not interfere with other requests on the same page. The first order of business is to go back to the TokenizedPage class and add a TokenID property. This property generates a random ID the first time it is read, in the initial GET request, and stores it in the ViewState collection for future reuse.

Next, we adjust the SessionHiddenToken property to use the TokenId property instead of the Page.Title property.

The interesting part is that we don't need to make any other change: the new mechanism works with all pages that derive from TokenizedPage.
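As an added example (not the article's own listings, which are not reproduced on this page), the following C# code puts the three parts together in one ASP.NET Web Forms base class: the one-time token issued in OnPreRender and stored in the session, the Page_Load check of the posted token against the session copy, and the per-tab TokenId kept in ViewState so that two tabs do not invalidate each other. The names TokenizedPage, TokenId, IsTokenValid, OrderPage, the hidden-field name __OneTimeToken and the input name Comment are assumptions made here, as is the use of ClientScript.RegisterHiddenField in place of a hidden field declared in markup.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added illustration, not the article's listing. TokenizedPage, TokenId,
// IsTokenValid and "__OneTimeToken" are names assumed for this example.
public abstract class TokenizedPage : Page
{
    private const string HiddenFieldName = "__OneTimeToken";

    // Per-tab ID: generated on the initial GET and carried in ViewState, so each
    // tab has its own session entry and a POST in one tab leaves the other alone.
    protected string TokenId
    {
        get
        {
            if (ViewState["TokenId"] == null)
            {
                ViewState["TokenId"] = Guid.NewGuid().ToString("N");
            }
            return (string)ViewState["TokenId"];
        }
    }

    // Session key derived from TokenId rather than from Page.Title.
    private string SessionKey
    {
        get { return "OneTimeToken_" + TokenId; }
    }

    // True only when the token posted with this request equals the one stored
    // for this tab. Read it in Page_Load, before OnPreRender replaces the token.
    protected bool IsTokenValid
    {
        get
        {
            if (!IsPostBack) return false;
            string stored = Session[SessionKey] as string;
            string posted = Request.Form[HiddenFieldName];
            if (string.IsNullOrEmpty(stored) || string.IsNullOrEmpty(posted)) return false;
            return FixedTimeEquals(stored, posted);
        }
    }

    // Runs after Page_Load and before rendering: store a fresh token in the
    // session and embed it in the form. The old token is thereby invalidated,
    // which is what makes it one-time (an F5 resubmit carries the old value).
    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        string token = GenerateToken();
        Session[SessionKey] = token;
        ClientScript.RegisterHiddenField(HiddenFieldName, token);
    }

    // 32 bytes from the cryptographic RNG; System.Random would be predictable.
    private static string GenerateToken()
    {
        byte[] bytes = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Compare every character instead of stopping at the first mismatch, so
    // response timing does not reveal how much of a guessed token was right.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}

// A page deriving from TokenizedPage. Assumes its markup declares
// <asp:Label ID="ResultLabel" runat="server" /> and an input named "Comment".
public partial class OrderPage : TokenizedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return; // plain GET: OnPreRender issues the first token

        Label result = (Label)FindControl("ResultLabel");
        if (IsTokenValid)
        {
            result.Text = "Received: " + Server.HtmlEncode(Request.Form["Comment"]);
        }
        else
        {
            result.Text = "Repeated or expired request: the token did not match.";
        }
    }
}
```

The order of the page life cycle is what makes this work: ViewState (and with it TokenId) is restored before Page_Load, so IsTokenValid compares the posted value against the token still in the session; OnPreRender then overwrites that session entry and emits the new hidden field, so a refreshed POST carrying the old value fails the check in step 4 of the protocol above.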

How to Build Killer Content

Is your content highly targeted? For web developers, developing a website is one thing, but optimizing a site is another. Content is the part of a website that is usually optimized. The better optimized your content is, the more engaging your site and the better your SEO results. In fact, an optimized article will easily turn your marketing campaign into a successful one. Below are some tips that show you how to build killer content.

  • SEO Cartography

Creating a map of SEO keywords is terribly helpful for figuring out the best possible keywords for your content. Many tools can provide good data for your SEO cartography, although you cannot expect great software to do the whole job for you right now. You may have done it the old way, using Excel or Google Spreadsheets; either one works fine. However, to get better data, you can use other tools, such as Screaming Frog or STAT, to help you collect the best data.

  • Columns

Every SEO engineer wishes that all of their keywords were mapped to all of their URLs. However, reality rarely matches that wish: many SEO engineers discover that some keywords have no URL, or that some URLs have no keyword. Essentially, you haven't intentionally targeted a keyword with that page yet, and seeing this might actually help you prioritize and start doing so.

So ask questions like: how much search volume does this keyword get? Then estimate, or use a tool to give you a grade, for the title, the content, maybe the URL itself, load speed and engagement. You can measure engagement by bounce rate, time on site, pages per visit or some combination of those.

Moreover, to make the data more accurate, you might consider adding things like these:

  • Anchor text if you want to analyze your internal and external anchor text.
  • Google Search Console click-through rates for some of the keywords. We all know Google Search Console data is not phenomenal, but it can sometimes be useful.

If you’re trying to prioritize a big keyword research function, you might have more keyword-driven metrics, like the things in Keyword Explorer:

  • Keyword difficulty
  • Click-through rate opportunity
  • Importance score: your custom importance score, your potential. You might order these differently based on those kinds of things.
  • Page level conversion rate. How much does this contribute to content that converts on my site? How well does it convert directly? Those types of things.

Proceed to the Route

So, what are the benefits that SEO cartography may provide to you?

  • Identify keywords that have no content mapped to them
  • Identify on-page opportunities to improve
  • Identify content without intentional keyword targeting
  • Identify link building needs
  • Prioritize and focus your work

5 Tips for Ergonomic Mobile Interfaces

Ergonomic design has become very popular in the design world recently. No wonder: every good web or graphic designer considers ergonomics when it comes to mobile interfaces. But do you know what an ergonomic mobile interface is? Ergonomics has always been very important to industrial designers, but it is becoming increasingly important to digital designers, since we no longer use only a keyboard and a mouse but more physical actions, such as tapping, pinching or swiping.

These new physical actions demand that designers think not only about how a design looks and feels, but also about the physical aspects of using it. So, how can we create a mobile design that is comfortable to use because it is ergonomic?

  1. Design for Multiple Holds

If you observe carefully how people hold their mobile devices, you will discover that they use a variety of different holds. Therefore, creating a design with multiple holds in mind is important. For example, test your designs across a range of holds to see how comfortable your design is in each of them.

  2. Design for Thumbs

Thumbs are the most used body part when it comes to gadgets. In fact, thumbs drive the majority of all smartphone interactions, because they are used exclusively when a phone is held in one hand and heavily when it is held in two hands. Therefore, you should create tap targets that are slightly bigger than your fingers. A good tap target should be at least 44 x 44 points (16 x 16 mm), with at least 7 points (2.5 mm) between targets. A bigger target is always better than a smaller one. However, if you still want to make a smaller target, do not go any smaller than 44 x 30 points (16 x 11 mm). This size can be used as a standard for tap targets on any device.

  3. Place Popular Controls in Reach

Placing links and buttons where they are easy to reach will ease your users' interactions. The middle and bottom of the screen are the most favorable places for controls, buttons or links. However, be careful when placing menus in the bottom corners, since that easily leads to a tricky tap, especially when the device is held in only one hand.

  4. Place Content above Controls

To keep the content from being obscured while users tap the screen, always place content above controls. Moreover, keep key information out of the area that a finger or thumb covers while tapping.

  5. Design with Portrait Mode in Mind

Although a smartphone can be used either vertically or horizontally, it is held vertically the majority of the time; horizontal mode is usually reserved for particular tasks, such as viewing videos or photos. Of course, a mobile design should ideally support both orientations, but unless you are designing a video- or photo-heavy site or application, always design with portrait mode in mind.