rubynor / bigfive-web

Website for taking personality tests

Home Page:https://bigfive-test.com


Security Question: Client- VS Server-side

HackersCardgame opened this issue · comments

Hello BigFive-Web Team

First: thank you for your free open source app for the public to take a BigFive Test.

I have some questions about security:

Premises:

  • Psychology tests should be treated as medical data
  • I looked at the source code briefly; it seems to be a database that stores the result
  • further, the IP in Apache2/NGINX is logged anyway together with this unique identifier, in my case 63be6d73b56fa70008dcd39d
    => so you will have the TestID linked with an IP in all cases

So why not calculate / draw the result or the complete test on the endpoint of the person being tested?

Therefore you would need a STRUCT (like in C) or a small JSON that could be translated to BASE64

STRUCT:
BigFive: 5x Parameter      =  +5 Bytes
each has 6x SubParameters  = +30 Bytes
1x UX Timestamp = long     =  +8 Bytes
                             =========
                             ~40 Bytes (for the use case "BigFive Test")

which will result in something like MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OQo=

If you used a # instead of / or ?, everything would be done on the client side:

https://bigfive-test.com/result/63be6d73b56fa70008dcd39d
                               ^
https://bigfive-test.com/result.js#MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OQo=
                                  ^

to keep the data not in the database but in the URL and only on the client side, because things after # will not be transmitted to the server, and you can fetch the BASE64 in the displaying JavaScript with window.location.href and then draw the graphics with JavaScript on the client side.

Also, in an older version the ? operator is used and the graphics are calculated in the PHP file, which is not optimal in my opinion:

https://openpsychometrics.org/tests/IPIP-BFFM/results.php?r=3,7,3,3,3.1#_V
                                                         ^

or maybe also as a QR code

Benefits:

  • Interoperability between websites with different databases
  • there would be no need for a database anyway
  • the customer's IPv4/IPv6 address is not linked with his "medical record"
  • the customer does not give his data to unknown people

Disadvantages:

  • you cannot use the customer's data on your server / additional apps

=======

Further, a view like this from the Facebook variant of the BigFive test that was removed would be better for comparing two persons in one glance:
FiveLabsVariant

Since this would not be a security thing but an idea / feature request, please tell me if I should move that to another issue.

With kind regards

Marc jr. Landolt
eidg. dipl. Informatiker HF
Neuenburgerstrasse 6
5004 Aarau
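The fragment-based scheme proposed in the issue above, worked through as an added example that is not part of the issue or of the bigfive-web project. It packs the ~40-byte record the poster sketches (5 domain scores, 30 facet scores, one 64-bit Unix timestamp) into a binary buffer, carries it as base64url in the URL fragment, and reads it back the way a client-side script would via `location.hash`. The record layout, the helper names and the `example.invalid` host are this example's own assumptions. Two points a practitioner would want to keep in mind: the fragment never reaches the server, so it cannot appear in the access log next to the client IP, but the whole result lives in the URL, so browser history, bookmarks and anyone the link is shared with see it in the clear; and the record carries no integrity protection, so a page rendering it must treat the decoded bytes as untrusted input (hence the strict length and character checks below), which is fine for a self-administered test but not for anything that needs to be attributable.

```javascript
// Added example (not bigfive-web code): Big Five result carried in the URL fragment.
// Record layout (43 bytes, an assumption of this example):
//   5 domain scores   -> 1 byte each (0..255)
//   30 facet scores   -> 1 byte each (0..255)
//   1 Unix timestamp  -> 8 bytes, unsigned big-endian, seconds since the epoch
const DOMAIN_COUNT = 5;
const FACET_COUNT = 30;
const RECORD_LENGTH = DOMAIN_COUNT + FACET_COUNT + 8;

// Serialise scores and timestamp into a fixed-size binary record.
function packResult(domains, facets, timestampSeconds) {
  if (domains.length !== DOMAIN_COUNT || facets.length !== FACET_COUNT) {
    throw new Error('unexpected score count');
  }
  const buf = Buffer.alloc(RECORD_LENGTH);
  let offset = 0;
  for (const s of [...domains, ...facets]) {
    if (!Number.isInteger(s) || s < 0 || s > 255) {
      throw new RangeError('score out of range: ' + s);
    }
    buf.writeUInt8(s, offset++);
  }
  buf.writeBigUInt64BE(BigInt(timestampSeconds), offset);
  return buf;
}

// Parse a record back; reject anything that is not exactly the expected size,
// since the bytes come from a URL that anyone could have edited.
function unpackResult(buf) {
  if (buf.length !== RECORD_LENGTH) {
    throw new Error('corrupt record length ' + buf.length);
  }
  const domains = Array.from(buf.subarray(0, DOMAIN_COUNT));
  const facets = Array.from(buf.subarray(DOMAIN_COUNT, DOMAIN_COUNT + FACET_COUNT));
  const timestampSeconds = Number(buf.readBigUInt64BE(DOMAIN_COUNT + FACET_COUNT));
  return { domains, facets, timestampSeconds };
}

// base64url (RFC 4648 section 5): no '/', '+' or '=' so the token survives in a URL as-is.
function toBase64Url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64Url(s) {
  if (!/^[A-Za-z0-9_-]+$/.test(s)) throw new Error('fragment is not base64url');
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function buildResultUrl(base, record) {
  return base + '#' + toBase64Url(record);
}

// What the HTTP request line for this URL carries: path and query only.
// The user agent drops the fragment before the request is built (RFC 3986 section 3.5),
// so a server access log can never contain the encoded result.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Client-side read: URL.hash here stands in for window.location.hash in the browser.
function readResultFromUrl(urlString) {
  const hash = new URL(urlString).hash;
  if (!hash.startsWith('#')) throw new Error('no result in fragment');
  return unpackResult(fromBase64Url(hash.slice(1)));
}

// Usage with constructed sample scores (not real test data).
const sampleRecord = packResult(
  [72, 85, 60, 90, 55],
  Array.from({ length: FACET_COUNT }, (_, i) => i + 1),
  1673000000
);
const sampleUrl = buildResultUrl('https://example.invalid/result.html', sampleRecord);
console.log('URL:            ', sampleUrl);
console.log('sent to server: ', requestTarget(sampleUrl));
console.log('decoded client: ', readResultFromUrl(sampleUrl));
```

The server only ever sees `/result.html`; everything after `#` is decoded in the browser. Swapping the 43-byte struct for a small JSON object would work the same way, at the cost of a longer fragment.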