In .Net web-service hosting the IIS and used for the desktop application while login the app the person track and see all the input calls to service and response back into app.
Then analysis the issue and go through google and got solutions. to make HTTPS or ssl in webservice url.also encrypt and decrypt also doing both client and server side.
after that i check with fiddler they also tracking the web services call and responses .even they can able to break and run the app using this.
I was tired and make the protect the webservice calls. and unable to achieve the what i need.
I also attached screenshot below for your reference.
Guys plz help me...if any otherway to protect the service calls in Fiddler.
I see no screenshot. But if I understood correctly then you are saying that fiddler can decrypt your traffic.
Well that is because fiddler imports fake certificates into windows certificate store and then proxies data through itself. That is why it can actually decrypt data. I don't really see a point to try to protect web calls from Fiddler. But you can force direct connection and try not to use proxies with your application. But then again... you won't be able to use any proxies
Related
I have a standard C# Web Api running on IIS that has a custom AuthorizeAttribute to properly authorize calls via a key in the request header variables. Recently, one of my clients calls to the API over SSL have started to fail with an 403 Forbidden error. He is successful when calling the non-SSL url.
The same call - same url, api key etc. works perfectly over SSL from my machine, and none of my other clients are having any issues with this. What could possibly be the issue for this specific client? I have checked some basic things like his client machine time settings etc. are all in order, not sure if this could be some kind of certificate related issue?
try the following:
1- check the proxy on his machine
2- since SSL is used to protect data and safety the data should not change in the way on the server. it could be changed by a virus on the machine (I have the same problem with one of my clients) make sure his system is clean
3- consider calling the API in other ways like (postman, browser, ...)
according to what you write clearly, there is something wrong with his machine. if you find the problem It would be nice to tell me too
I will try to explain it as shortly as I can.
We use 'proxy' for the connection.
The web service that I can try to connect is Oracle Weblogic.I have got the username and the password.
I can connect to the web service without any problem by using the progrqm soapUI.And on the program I choose this option.Becaue I can only connect to the web service by choosing this.
Authenticate Preemptively : Send Authentication headers with each request without first receiving an authentication challenge. This is a potential security hazard but will improve performance since only one request will be required for authenticated endpoints instead of two.
I can not connect to the web service by using C# winform.I made a lot of research but I could not find anything helpful.
Could you give me an example?
Please have a look at the sample here in connecting to a web service via C#. Or you can use a code first method. which ever suites your needs.
Happy Coding :)
I am building a client program that interacts with a WCF Service via Internet. Everything works as intended but I am wondering how I can protect my services so that only my client program can make use of it?
Right now everyone with the correct URL to my services can use it with WCFTestClient (e.g).
What is the best way to make it private so only my clients can make use of the service? Rotating token strings? Certificate? Password?
I have no idea and haven't found anything useful on the Internet.
Best regards
UPDATE: The client program is intended to be downloaded for the public (everyone). So it is not for internal use, it will be a service we are gonna provide, ones in official production.
My own thinking was like: Bind a certificate in my client programs (if thats possible even?). On the IIS where the WCF service is running, check for valid certificate. Is that possible? Or better solutions out there?
Protect .net Web Service URL
Along with the other answers, that can't be bad too,
and if you want to be super careful you can implement a token system, where the clients get the first token from you, each request returns a new token, and you always check a client vs it's current token (but that's being over careful in my opinion)
Update - because it's for the public, the client can have a way of generating a valid token to check on the server, you can have a token be valid for an interval of seconds, so even if people caught the request and found the token, it will not be valid after ..15 seconds or 30,etc
If you are using Form Authentication then you can leverage the ASP.NET to check for FormAuthentication Cookie by enabling AspNetCompatibilityRequirementsMode to Required
Or if your service is stand alone i.e is consumed by everyone then you can use oauth authentication you can read more about it Oauth Authentication
What you could do is there would be a consumer secret key which would be shared to all authenticated clients. The caller would sign some info using this key and server would also sign it using the same key and then compare it.
Hope it helps
I have an Https Web API hosted in Azure.
Now if I am making a call from console application, will the POST/GET data be passed in encrypted form or will I need to do anything in the console app?>
the reason I am asking is that if I use Fiddler, can see the data in clear text. Of course decrypt HTTPS traffic is checked
Similarly if the Web api is consumed from Android mobile app, does the app need to do anything to ensure that the traffic cannot be sniffed?
I am new to Https and security. Any help or pointer will be of immense help
I'd recommend making your Web API only accessible by HTTPS. And then, make sure that yoru Android app uses HTTPS. Also, ensure that if your Android app is presented with an invalid certificate that it will stop running and not send any data.
HTTPS should basically handle everything from a sniffing/MITM point of view. However, you must still have a secure authentication mechanism and such as well.
I have a .net web application that post data to server from javascript via jquery in association with wcf ui services. This enables a non post back modal.
Is it possible to encrypt the data being sent to the server so that using sniffing applications such as fiddler and firebug, the POST of the data cannot be viewed. I want to achieve this for security. The data will need to be read on the server side.
Any tips on this?
Any encryption performed by javascript on the client side will be reversible on the client as well. At best you could achieve some obfuscation for non-technical users.
Make the request to an ssl endpoint. The action would be https://something/action.
Setup IIS 7
http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/
Setup IIS 6
http://www.petri.co.il/configure_ssl_on_your_website_with_iis.htm
Just use HTTPs. Whether its a "traditional" form or XHR SSL\HTTPS is possible.
Note that, with something like firebug (or Chromes debuger's network tab), you'll still be able to see the data... but that's because its part of the browser. An "external" sniffer, like Wireshark or a potential bad guy doing a man-in-the-middle attack, will not see the plain-text data on the wire (but will see encrypted data instead).