A workaround for all current Parse security features (CLP/PLP/ACL)

[DoneStuffGetting]

This post is about how secure the security features are in Parse Server/SDK. Awesome community. Love you guys!

I was hoping I could email someone about a security concern in using Parse Server and the SDK. Small gaps in security seems really scary now that I've gotten most of my service built. I'm not expecting Parse to be 100% secure, but just wanted to know if this was a real concern.

Thanks,
J

Sucks github removed their private messaging!

[flovilmart]

I believe if there is a security concern that could impact all users, this should be publicly discussed and solved no?

[DoneStuffGetting]

Is it possible to impersonate another PFUser via reverse engineering, random string generation, and injection? Or does PFUser verification for CLP/PLP/ACLs go beyond objIds and takes into account PFSessions/InstallationIds?

[flovilmart]

with every requests, the authentication is done by the session token. The session token is validated across the records in the database. If a token is found matching, we load the according user. otherwise, the request is marked as not authenticated.

See the logic here: https://github.com/ParsePlatform/parse-server/blob/master/src/Auth.js#L46

[DoneStuffGetting]

Thanks for the response and link. I was just being paranoid :) I thought logically that it wouldn't be so easy and that my gut/uninformed feeling was just wrong.

[mpc20001]

Hey guys I wrote an article on Parse Security - wanted to share it with everybody. Parse can be run securely.
https://www.back4app.com/docs/guest/parse-security

[flovilmart]

I’m not sure if you can, but if you want we can also publish on blog.parseplatform.org. It’s a PR away.

[mpc20001]

That would be awesome!!!

[flovilmart]

The blog repo is open and you just need to open a PR with your article, markdown formatted. If you need any help, feel free to reach out. Obviously, there should be a mention on the first line that it was originally published on back4app’s blog :)

[mpc20001]

@flovilmart do you have an email I can reach you at? wanted to discuss a few things with you.

[flovilmart]

Hit me up! Florent at flovilmart dot com

[mpc20001]

I sent you an email.

[flovilmart]

@mpc20001 I haven't received anything

[mpc20001]

@flovilmart i tried emaling you - try emailing me - viperxj7 at g mail dot com