GuideStar APIs and cross-site scripting

Document created by JackCowardin Administrator on Mar 20, 2017. Last modified by JackCowardin Administrator on Mar 23, 2017.

Accessing GuideStar APIs from client-side JavaScript is problematic because a direct call to a GuideStar API from a client machine represents cross-site scripting.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

Source: wikipedia.org, Cross-site_scripting

For GuideStar APIs, it is not possible to prevent the discovery of API authentication details when the APIs are accessed from a site other than the origin site that serves the web page or application. If client scripts contain authentication information, those credentials can be extracted and used by other parties to make API calls. Such unauthorized API calls are the responsibility of the user whose key or username/password pair has been compromised, and charges may be assessed to the owner of the key. The diagram below shows the problem:

Diagram: JavaScript API request made directly from a client.

A mechanism called Cross-Origin Resource Sharing (CORS) gives web servers cross-domain access controls that enable controlled cross-domain data transfers. Modern browsers apply CORS to the request APIs, such as XMLHttpRequest or Fetch, to mitigate the risks of cross-origin HTTP requests. Although CORS is the W3C-recommended way to relax the same-origin policy, our additional security requirements mean that all API calls must be made from the origin server. This way, usernames, passwords and API keys remain secure on both ends.

The solution for applications that need to access GuideStar APIs from a client application is to create a process on the originating web server that accepts requests from the client and then makes the call to the GuideStar API itself, so the credentials stay on the server. When the data is returned to the originating server, it is relayed to the client.

The diagram below illustrates this approach:

Diagram: API call made through a proxy on the origin server.

JavaScript developers who face this issue may find these links helpful:

https://jvaneyck.wordpress.com/2014/01/07/cross-domain-requests-in-javascript/

http://wpquestions.com/how_to_bypass_Access_Control_Allow_Origin_with_javascript_only/8737
