In order to use C# 6 features (like ?.) in a .cshtml file under MVC5, you need to include csc.exe and related files in your website's bin folder when you deploy it. Ok, I can understand the reasons for that.
However, this now means that there's a full C# compiler sitting on my webserver, with the same permissions as the website user. This makes me hesitate - in theory, an attacker could use it to run arbitrary code as if it were my website.
Is this actually a valid security concern?
I can see both sides: On the one hand, it's possible that you'd need the ability to execute arbitrary code already in order to be able to pass arbitrary code to the csc executable. On the other hand, I can see access to it being used to get access to internal website settings (like database connection strings) by running code that we'd never want to write.
Should I be concerned, or is this considered safe?
As I understand it, MVC Razor views are in effect arbitrary C# code, which is recompiled on demand after any change.
So any hacker with access to the website server can run arbitrary C# code, in any version of MVC.
I agree it feels like a risk, because it is, but on the other hand you get the advantage of being able to change Views without republishing the whole website.
Related
I would like to turn one of my form applications into a web form using ASP.net (C# backside). It is my understanding that the App_Code directory will protect code behind if the classes are underneath the directory.
How safe are classes under this directory? Are they somewhat safe against people stealing the source?
I know with .net form applications you can run the reflector software on them to get the full source... unless you obfuscate the file (to make it more difficult).
Classes (or files) in the App_Code directory are compiled into an assembly with automatically generated name. Even if you deploy a non-precompiled Web Site, it will be automatically compiled during first run.
In addition, App_Code (as well as App_Data, etc.) is not available by a direct URL. E.g. it is impossible to get any file using the following URL:
http://mywebsite.com/App_Code/KnownFileName.cs
Moreover, IIS has many filters that prohibit requests to *.ascx, *.asax, *.cs, *.vb, *csproj, *vbproj, *.mdb and many other files. See Request Filtering feature in Web Site settings in IIS Manager for details.
So, your code is in safe unless you changed default ASP.NET or IIS settings.
I'm refactoring a WPF application and dealing with cleaning up storage of settings. I've re-written most to use the application's settings (Properties.Settings.Default) and this technically is working right now it seems to generate rather ugly paths in the %appdata% folder such as:
C:\Users\me\AppData\Local\Company_Name_With_Underscores\program.exe_Url_xs3vufrvyvfeg4xv01dvlt54k5g2xzfr\3.0.1.0\
These also then result in a new version number folder for each version that don't get cleaned up ever unless apparently I manually do so via file io functions.
Other programs don't seem to follow this format, including Microsoft programs, so I'm under the impression this seems like one of those 'technically the best way but not practical so nobody uses' solutions. Is this the case or am I missing something to make this more practical?
I ask mainly because I can foresee issues if we ever have to direct a customer to one of these folders to check or send us a file from there.
I'm using .NET 4.0 right now.
I'm new to web programming and have a question about code behind in ASP.NET C#. How safe is it from someone seeing what's in it? The reason I ask is the program I'm linking this website to requires me to create an object that takes in my admin credentials (It does this in the background thousands of times or I would just prompt for creds). It uses the credentials to create things dynamically. I'm 99.99% sure this is highly unsafe to hard code my credentials into the page but I figured I would ask.
The code behind files and raw aspx files are protected from being retrieved by the web server, so as long as you control console and file share access to the server you are relatively safe.
Still, it is not considered really safe. You should set up the application pool of the site to run under a specific account and then give that account the necessary rights. Having services using ordinary user accounts is considered bad practice. Each service should have its own account, with least possible rights.
ASP.NET pages are compiled before sending the page over HTTP. This is secure. But if the user can access the file system, you have another problem on your hands.
You should put your credentials in your web.config (or you can move them into separate files like AppSettings.config or ConnectionStrings.config etc). The server will should never serve these.
This might be helpful:
http://msdn.microsoft.com/en-us/library/4c2kcht0(v=VS.100).aspx
This tells you how you can can go one step further and encrypt these so they do not store plain text password etc:
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
It is "safe". IIS (by default) does not serve up .cs files.
Another option is to precompile the site and then just drop the .aspx files on the web server.
Putting sensitive information into .cs files in ASP.NET is by default not a risky process as ASP.NET does not give access to .cs files from the client side (if you don't change it explictly), however, be sure that if there is a server error, custom errors reporting mode does not send the lines of the code to the client (which is extremely useful when debugging, and extremely risky when you release it to the public) or anyone may be able to read your sensitive information if an exception is thrown near those lines.
There are various levels of "safe" here.
Yes, IIS is configured to not serve up .cs files or .config files. That said, there are attack vectors which have proven successful in getting IIS to deliver those files into the evil doers hands.
First off, I wouldn't deploy .cs files to the server. If possible convert the web site to a web application and deploy it compiled. Of course, .net code can be decompiled (and here); so you should also look into obfuscation. However even obfuscated code can be decompiled but it's generally harder to read. ;)
Note that each level isn't really "secure". It just makes it more difficult.
The real answer is to not store the credentials on the server at all and require them to be provided by the client over an encrypted transport. Certainly you could cache them in memory, but even that has proven insecure to those with physical access.
At the end of the day, ask yourself how valuable the keys are and how much money/time you can invest in securing the system. There's usually a balance somewhere.
One of the other developers at my company wrote a .NET 2.0 web site. He stores everything...solution, project, source...everything inside of "inetpub\AppName" (the IIS share). I have never seen this done before. In fact I'm kinda surprised the website loads up in a browser. Are there any disadvantages to doing this over say...storing your solution in the visual studio 2010 projects folder and then publishing the website to inetpub (security, speed, etc)? Also, Why does this work?
It works because the site would be compiled on the fly. This is bad from performance point of view (because the late compilation) and it's bad from security point of view (you're exposing your code more than necessary).
From MSDN
Because ASP.NET compiles your Web site on first user request, you can simply copy your application's source code to the production Web server. However, ASP.NET also provides precompilation options that allow you to compile your Web site before it has been deployed, or to compile it after it has been deployed but before a user requests it. Precompilation has several advantages
There's really no reason it shouldn't work, but it's generally considered a bad idea. Is he developing directly on the shared site? That's scary. Even if he isn't, that's putting a lot of files on a shared site that shouldn't be there. The server may be configured not to return them, but one shouldn't get comfortable relying on that.
Even on his local machine, it's bad practice. If for no other reason than it doesn't properly mimic the published site and makes for a bad place to test things.
There's nothing special about the Inetpub folder—it's just the default web server root by convention. Nothing about it will prevent IIS from displaying ASPX pages if it's also part of a solution (which is only referenced in the project file's XML). You can also point IIS to the project directory in the Visual Studio Projects folder.
Storing userdata on C: is usually bad practice (specially for a programmer).
Most of us have a data partition that contains just userdata which is backed-up frequently or use a source repository on another server.
If you're on a secure LAN and just developing by yourself there is really no problem putting the solution in InetPub. However if you use the same IIS to publish to the world i wouldn't recommend it. You never know who might get to your precious gems.
I'd say it's bad practice. Your entire code is at the mercy of the web server. If the server is hacked the code is a freebie reward.
Why is it better to store data inside an appSettings element (or inside a custom section) of a web.config file than to store it in a class?
One argument would be that by using custom sections we don’t have to recompile code when we change data, but that’s a weak argument, especially if we’re using Web Sites, which get recompiled automatically whenever code changes!
Thank you
Because you can change it on the fly and use it without regard to class structure. Your configuration can vary from each developers machine to staging to deployment environment by changing and maintaining a single file independently of the code, and you can take advantage of *.config masking with different areas of your site.
Hard coding anything configurable is a recipe for failure and it absolutely will bite you - this is just a matter of experience, if you don't believe it then you have but to wait a little while!
By putting settings into web.config, you have them all in a centralized location.
Also when deploying a web site, you might want to precompile it once. So you won't be able to change the source afterwards (without another recompilation).
It's not really a concern of just recompiling the code, it's more about re-deploying the code. Normally, you don't deploy code to the web server, you just deploy the binaries and aspx/html files. If you hard-code your config data in the code, you'll have to rebuild and redeploy the library or application to get the change up to the server, which is a lot more work than just updating the web.config.
Putting data in the web.config file also allows the same code to be run in different environments with different environment-dependent data. This can mean running the same website code in staging with a test database connection string and in the production environment with the production database connection string. Or it could mean allowing the developers to configure the data for their own tests without changing any code, as 'annakata' mentioned.
It's just a WHOLE lot easier to manage and update the settings.
If you're using Notepad to do your development and putting the code out on the server, I would agree that there is little benefit, but if you're using Visual Studio and you build your website and publish it, you're publishing the pre-compiled dlls and not just updating text source code (.cs or .vb files) on the server. So when it comes time to update a setting at that point, anything in the web.config can be updated by simply modifying the text file, where as with other changes, you have to re-compile t whole web site and publish it.
And from experience, that becomes tricky when taking over after other developers that weren't careful about ensuring everything needed to make a web site work is in source control. I'm now stuck with a web site where we can't update huge chunks of it because of (kindly putting it) non-standard practices in the past.
Being able to update something without re-publishing the site is a huge blessing in my situation, and you never know who the poor maintenance programmer will be that takes over on your code.
Be nice to him or her. Make it easy to make simple changes.