#Is it possible to ban an IP?

This morning a user managed to bypass the security of my site and began to execute a function that I have in my appwrite many times, I don't understand how the hacker managed to modify the payload that is sent to the function, but I blocked his account and it seemed to stop for a few minutes, until it started creating multiple accounts, blocking and blocking but it just won't stop...

Is there a way to ban your IP?

I'm still investigating everything he did, but when I have more information about what happened I'll share it here, especially the part where this user managed to modify the payload that is sent to the function.

You would ip ban via firewalls on your server.

If this is a function that is executed by a user, they're always free to send whatever payload. That's why server-side validation is important

Thanks Steven, I managed to find a tool to ban ips with my provider, let's hope it doesn't register again with a VPN or something...

I didn't know that they could modify the payload, I'm adding a couple of validations on the function at the moment, hope that works, but how could they modify the payload?

Why you don't have set permissions if the function should not be executed by all users? 👀

Since the payload is generated from client side it's as easy as making an API request with custom parameters. That's why using permissions instead of checking payload, etc

All requests coming from client side can be always changed in all apps. Some of them easily, others more difficult, but still possible

It's more a generic issue

Interesting... the permissions that this function had were for "All Users" to create

The client side had other validations in the code, and I am surprised that they also managed to skip those.

I have a document for each user in a collection called plans, and it has a limit of how many times that function can run and this user managed to exceed the limit.

Let's say it is an if (plan.count >= plan.limit) then stops the user executing that function

That validation is in the code, client side, did the hacker manage to modify the code?

Or did he simply see the network tab and see the parameters that were sent in the post and manage to modify them in some way?

What are those validations?

Yes, modified the code. That's easy. You should do the count server sided so it cannot be modified

With a function you should perform the count or apply some kind of rate limit

The most important validation of the code is that the user's plan document, its limit is not exceeded.

I will attach a photo, the purple circle is the limit and the red is the number of times that user ran that function

This user managed to execute 442 times on his last account, evading that code validation

Another thing that is very strange is that in the plan document it says that he executed that function 442 times, however the function has 4000 executions, it is as if the user managed to not count the number of times the function was executed

Do you know how I can modify the code? I would like to modify the payload of the function or modify the code to try to replicate what this user did

Are you sure that's not a bot? 😅

So you're counting how many times the function gets executed?

Usually with browser dev tools

real user, that managed to make a kind of while loop that executed the function hundreds of times, I guess...

yes

like some extension?

Nope

All browsers have it

Could you please explain further what limits on executions you're trying to achieve client sided?

So I can guide you to achieve the same server side securely

Sure the only 2 limits I have are to check if the user plan has expired, if it is expired you cannot execute that function.

If it is not expired, then it checks if plan.userGeneratedCount >= plan.planGenerateLimit and if it is correct then it gives it a toast that says it has exceeded its limit

I think there are 2 things that could easily be put inside the function code

I think he definitely modified the code in the browser, I'm checking one of the 4000 executions of the function and it has things that only a plan.planType == "admin" could see and put in the payload of the function

Its crazy that someone can modify the client side code, even if I add those validations inside the function code, how can I prevent it from modifying the code in the browser for now?

How do you get or generate plan.status?

The "plan" is a document that each user has that is created at the time of registration and has an attribute called status and that attribute by default is active, however when a user purchases a plan and 30 days pass and does not renew, the status is now changed to expired

So there's no hard limit on the amount of executions in such period?

I think you should have a function that gets triggered by cron and changes status

I have not yet set a limit on the number of executions, it's bad for me not to have planned it that way, but right now I will do it

Yes, I think in your case you should do it to prevent abuse, and as said, changin status with a function instead of client sided

Continuing this case, I am creating functions for each operation that has to do with a post or patch request in my application to put validations within that function, to prevent a user from modifying the payload again so it has to go through extra server side validations

However, while testing, I noticed that if I modify the POST payload when creating an account and change the ID of unique() to a "1", for example, it is possible to register a user with the ID of 1, the ID shouldn't it be assigned automatically on the server side?

how can I prevent someone from creating an account with the ID they want? or do I also need to create a function that anyone can run that creates the user and assigns the ID on the server side?

Passing unique() is what causes appwrite to autogenerate the id. How does a custom id affect your functions/business logic?

You can perform the assign server sided with a function

As I said, to prevent it from being modified

I'm still genuinely curious about how custom ids are a security risk. The id of a user or document is pretty much public so whether it was custom or autogenerated an attacker can still find out the id.

It is public and I think it is not a security risk, even so, for my webapp I dont want anyone to be able to modify the payload of creating an account and give themselves IDs of "1" or "69" or whatever

I was thinking of also making a function for that, but within the appwrite docs, I can't find where accounts can be created. If I change to "Platform: NodeJS" the "create account" disappears, but if I put something like "Platform: Web" appears again

Is it possible to create accounts using node-appwrite?

Ok, got it. Then all you need to is have a function override the id field and set it to "unique()"

Accounts docs are for the client sdks for servers checkout the Users docs
https://appwrite.io/docs/references/cloud/server-nodejs/users

thanks Ernest I'll take a look