If your user is making multiple requests to your app through firebug,
s/he can already see the URI that the Orkut proxy would hit. So,
there's no reason the attack wouldn't shift to bypass the makeRequest
layer altogether - in fact, it would be faster if it did skip
makeRequest.  OAuth verification could cut that possibility out, but
that's still being done with your CPU time.

However, this scenario seems really far-fetched to me. If a single
user can generate enough traffic from firebug to cripple your site, it
sounds like a scaling problem on your end. There's a practical limit
to the number of instances of firebug one person could control against
you and therefore the number of requests-per-second sent, so I'm
really having a hard time finding this plausible. The traffic from
a few hundred thousand users is much larger than any 1 user could
generate through a firebug console.

Obviously the only real solution in any of these cases is to implement
whatever scaling & protection you would for a normal website/web
service, on your end.

On Feb 20, 7:24 am, Prashant P Patil
<prashantpandurangpa...@gmail.com> wrote:
> Hi
> eduardorochabr
>
> Try to add some session data so your server can get only that request
> with the session data value! I don't know if that will work, but if you are
> using any fetch request with your app then most of the time the app's data is
> getting cached, i.e. even on a user's request it will display the same value
> for, say, the link http://www.sample.copm/fetchthis.php
> if you are fetching
> http://www.sample.copm/fetchthis.php?rand=somerandomvalueeachtime
> then this will affect your server, as it's treated as a new URL and
> not a cached URL
>
> Regards
> Prashant!
> On Feb 18, 9:49 am, eduardorochabr <eduardoroch...@gmail.com> wrote:
>
> > If a malicious user opens the application with Firebug and starts to
> > make several calls to makeRequest, this could be considered a denial
> > of service (DoS) attack.
>
> > Does the API itself have some protection against this? That is, the
> > question is whether the Orkut container identifies too many calls from
> > a single viewer and handles it in a way that protects the application.
>
> > Or do I have to implement this myself?
>
> > Thanks!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Orkut Developer Forum" group.
To post to this group, send email to opensocial-orkut@googlegroups.com
To unsubscribe from this group, send email to 
opensocial-orkut+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/opensocial-orkut?hl=en
-~----------~----~----~----~------~----~------~--~---
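Following the last point in the reply above (implement on your end the same protection you would give any web service), here is an added example that is not code from this thread, from Orkut, or from the OpenSocial API: a per-client token-bucket rate limiter in front of the URL that makeRequest proxies to. The names RateLimiter, client_key, handle_request and run_scenario are illustrative assumptions, as is the signature_verified flag, which stands in for OAuth signature verification of the signed request that this example does not implement. The point of client_key is the one made in the reply: the user can see the proxied URI and hit it directly, so the viewer id in the request is only trusted after the signature has been verified, and unsigned direct hits are limited by remote address instead.

```python
# Added example, not code from this thread: a per-client token-bucket
# rate limiter for the backend URL that a gadget's makeRequest proxies to.
# RateLimiter, client_key, handle_request and run_scenario are illustrative
# names; OAuth signature verification of the signed request is assumed to
# happen elsewhere and is represented only by the signature_verified flag.
import time
from collections import defaultdict


class RateLimiter:
    """Token bucket per client key.

    Each key may burst up to `capacity` requests; afterwards `refill_per_sec`
    tokens per second trickle back, so a client that keeps hammering the URL
    is held to that steady rate whether it goes through the container proxy
    or hits the URL directly.
    """

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock
        # key -> [tokens_available, timestamp_of_last_update]
        self.buckets = defaultdict(lambda: [self.capacity, None])

    def allow(self, key, now=None):
        """Consume one token for `key`; return False when the bucket is empty."""
        if now is None:
            now = self.clock()
        bucket = self.buckets[key]
        if bucket[1] is not None:
            elapsed = max(0.0, now - bucket[1])
            bucket[0] = min(self.capacity, bucket[0] + elapsed * self.refill)
        bucket[1] = now
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False


def client_key(params, remote_addr, signature_verified):
    """Choose the identity to limit on.

    A signed makeRequest carries opensocial_viewer_id, but the user can see
    and replay that URL, so the id is only trusted once the OAuth signature
    on the request has been verified (assumed done elsewhere). Unsigned
    traffic, such as a direct hit that bypasses the proxy, falls back to the
    caller's remote address.
    """
    viewer = params.get("opensocial_viewer_id")
    if signature_verified and viewer:
        return "viewer:" + viewer
    return "ip:" + remote_addr


def handle_request(limiter, params, remote_addr, signature_verified, now=None):
    """Return an HTTP status: 429 when the client's bucket is empty, else 200."""
    key = client_key(params, remote_addr, signature_verified)
    return 200 if limiter.allow(key, now) else 429


def run_scenario(events, capacity=10, refill_per_sec=1.0):
    """Replay constructed (timestamp, params, remote_addr, verified) events
    through one limiter and return the status code for each request."""
    limiter = RateLimiter(capacity, refill_per_sec)
    return [handle_request(limiter, p, addr, ok, now=t) for t, p, addr, ok in events]


if __name__ == "__main__":
    viewer = {"opensocial_viewer_id": "viewer-123"}
    # Constructed burst: one viewer fires 12 requests at t=0, then 5 more at t=3.
    events = [(0.0, viewer, "10.0.0.5", True)] * 12 + [(3.0, viewer, "10.0.0.5", True)] * 5
    print(run_scenario(events))  # 10 x 200, 2 x 429, then 3 x 200, 2 x 429
```

The bucket is keyed per client rather than globally so that one viewer running a loop in Firebug exhausts only their own allowance; the capacity and refill rate are the knobs you would tune to what a legitimate gadget actually needs per viewer. In production the buckets would live in shared storage such as memcached rather than in-process memory so that every backend instance sees the same counts.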