views: 176
answers: 1

Hi,

I am interested to know how a URL-based API key restriction works, such as the one used by Google to protect its Google Maps service.

From what I understand from this article "Restricting Access to Ajax Services," there are two parts involved: first where the service creates a specific key for a given domain, using a one-way hash function; and second where the service validates the key based on the Referer header.

While the article is quite explanatory, I still have a problem trying to understand how safe the validation method is. I mean, if the key is checked only against the referer, isn't this quite easy to forge? I am thinking that a simple "127.0.0.1 www.mydomain.com" in the hosts file will be enough to trick the validation into thinking that the referer is www.mydomain.com.

I might have misunderstood some things and a few clarifications will be appreciated.
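The two parts described in the question, key issuance from a domain via a one-way hash and validation against the Referer host, as an added example that is not code from the cited article, from Google's service or from anyone in this thread. The scheme (HMAC-SHA256 over the normalised host under a server-side secret, truncated and base64url-encoded), the secret value and all function names are assumptions made for this illustration. The last case in `demo()` shows the limitation discussed in the answer below: the service only ever sees the header bytes, so a client that sets its own Referer is indistinguishable from a page served from the registered domain.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed server-side secret for this example. A real service keeps it in
# a secrets store; it never reaches the browser, which is what makes the key
# one-way from the client's point of view.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def canonical_host(host: str) -> str:
    """Lower-case the host and drop a trailing dot so equivalent spellings hash alike."""
    return host.strip().lower().rstrip(".")


def issue_key(domain: str) -> str:
    """Derive the API key for a registered domain with a keyed one-way hash.

    Because the key is a pure function of (secret, domain), the service can
    validate a request by recomputing it from the Referer's host; no table of
    issued keys is needed. Assumed scheme: HMAC-SHA256 truncated to 160 bits,
    base64url without padding.
    """
    mac = hmac.new(SERVER_SECRET, canonical_host(domain).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:20]).rstrip(b"=").decode("ascii")


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Extract the host from a Referer header; None if absent, non-HTTP or unparsable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname  # already lower-cased and stripped of any port


def validate_request(api_key: str, referer: Optional[str]) -> Tuple[bool, str]:
    """Accept the call only if the presented key was issued for the Referer's host.

    The Referer is chosen by the client, so this check attributes the call to a
    site for quota and billing purposes; it is not proof of where the request
    actually came from.
    """
    host = referer_host(referer)
    if host is None:
        return False, "missing, non-HTTP or unparsable Referer"
    expected = issue_key(host)
    # Constant-time comparison so the check does not leak how many leading
    # characters of the key were right.
    if hmac.compare_digest(expected.encode("ascii"), api_key.encode("utf-8")):
        return True, "key valid for " + host
    return False, "key was not issued for " + host


def demo() -> Dict[str, bool]:
    """Run the check over constructed Referer values for a key issued to www.mydomain.com."""
    key = issue_key("www.mydomain.com")
    cases = {
        "same_origin": "https://www.mydomain.com/map.html",
        "same_origin_with_port": "https://WWW.mydomain.com:443/map.html",
        "other_site": "https://attacker.example/copied-page.html",
        "subdomain": "https://app.mydomain.com/",
        "non_http_scheme": "ftp://www.mydomain.com/",
        "no_referer": None,
        # A client that sets its own headers (the hosts-file trick in the
        # question, or any non-browser HTTP client) sends exactly these bytes,
        # so the service cannot distinguish this case from "same_origin".
        "client_supplied_header": "https://www.mydomain.com/",
    }
    return {name: validate_request(key, ref)[0] for name, ref in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} {'accepted' if accepted else 'rejected'}")
```

The practical consequence for a service operator: a Referer-bound key works as attribution for read-only, rate-limited calls, because abusing it at scale would require forging the header on every visitor's browser. An endpoint that records data (the analytics case raised in the comment below) should not rely on this check alone; it needs a credential that is never exposed to the browser, such as a server-to-server secret or per-user authentication.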

+1  A: 

The "Limitations" section of the article you cite specifically mentions the possibility of spoofing the referrer.

Changing the host file might indeed be enough to forge your referrer, but only when you're accessing the site from your own computer. That means you can abuse the license only when testing locally. That's not very interesting abuse.

In order to publish your app, you'd need to spoof the referrer on everyone's browsers, unless you're using the API from a locally run executable, in which case you're probably in full control of all the headers.

Rob Kennedy
I understand now. But, I think, if the API key is used to write data to a service, say like an analytics tracker such as Google's, somebody could use a modified header on their own computer to inject false data into the service. Practically I don't see too many forgeries of this kind, but theoretically it is possible, I think. Thank you for your time, your answer and for fixing my link.
ivb