I am currently trying to write a Windows Phone 7.1 Application that allows you to access Coursera class information, including streaming lectures.
I want to be able to also allow users to download lecture videos a slides (PDFs). Unfortunately the files are protected. This isn't normally isn't an issue. I have my ClientHttpWebRequest set up to use a CookieContainer. This is all well and good.
The fun comes when trying to use a BackgroundTransferRequest to download the assets. The class doesn't allow you to supply a CookieContainer instance for cookies. This means that I have to set the values using BackgroundTransferRequest.Headers.
Coursera returns its session cookie as an HttpOnly cookie. Unfortunately, the ClientHttpWebRequest doesn't allow you to access HttpOnly cookies from the response and, by proxy, means I can't read the session cookie from the CookieContainer either.
Is there anything obvious that I'm missing out there that will allow me to access the value that I'm interested in or do I need to come up with my own Background File Transfer infrastructure?
No, you're not missing anything. This is a gap in the SDKs offering.
I can think of 2 possible alternatives though.
Have the app run under the lock screen and handle the downloads yourself. - This is how we had to do it before background file transfer was available.
Have your own proxy server that sits between the app and the other site which can handle the cookie side of things for you and make the files available direct to the app. Obviously there are probably important security considerations to take into account before adopting this approach. There may also be additional costs for running and maintaining the server.
Related
Question: If I have an untrusted, user-supplied URL to a file, how do I protect myself against server-side request forgery when I download that file? Are there tools in the .NET Framework (4.8) base class library that help me, or is there some canonical reference implementation for this use case?
Details: Our web application (an online product database) allows users to upload product images. We have the requirement that users should be allowed to supply the URL to a (self-hosted) image instead of uploading an image.
So far, so good. However, sometimes our web application will have to fetch the image from the (external, user-supplied) URL to do something with it (for example, to include the image in a PDF product data sheet).
This exposes my web application to the risk of Server-Side Request Forgery. The OWASP Cheat Sheet documents this use case as "Case 2" and suggests mitigations such as validating URLs and backlisting known internal IP addresses.
This means that I cannot use the built-in methods for downloading files such as WebClient or HttpWebRequest, since those classes take care of DNS resolution, and I need to validate IP addresses after DNS resolution but before performing the HTTP request. I could perform DNS resolution myself and then create a web request with the (validated) IP address and a custom Host header, but that might mess up TLS certificate checking.
To make a long story short, I feel like I am reinventing the wheel here, for something that sounds like a common-enough use case. (I am surely not the first web developer who has to fetch files from user-supplied URLs.) The .NET Framework has tools for protection against CSRF built-in, so I'm wondering if there are similar tools available for SSRF that I just haven't found.
Note: There are similar question (such as this one) in the ssrf tag, but, contrary to them, my goal is not to "get rid of a warning", but to actually protect my system against SSRF.
Confirm the requirement with the business stakeholders. It's very possible they don't care how the file is obtained-- they just want the user to be able to specify a URL rather than a local file. If that is the case, your application can use Javascript to download the file from the browser then upload it from there. This avoids the server-side problem completely.
If you have to do it server-side, ask for budget for a a dedicated server. Locate this in your DMZ (between the perimeter firewall and the firewall that isolates your web servers from the rest of your network). Use this server to run a program that downloads the URLs and puts the data where your main application can get it, e.g. a database.
If you have to host it on your existing hardware, use a dedicated process, running in a dedicated application pool with a dedicated user identity. The proper location for this service is on your web server (not application or database servers).
Audit and monitor the security logs for the dedicated user.
Revoke any permission to private keys or local resources such as the filesystem.
Validate the protocol (http or https only).
To the extent possible, validate the IP address, and maintain a black list.
Validate the domain name to ensure it is a public URL and not something within your network. If possible, use a proxy server with public DNS.
Is anybody knows how to share cookies between 2 windows users?
I have a Windows 10, where have 2 users: one is admin and second is operator.
Admin is logged in into the system and then goes to the web site, where setup some config. In this config we have some specific value which should be store locally in machine and operator shouldn't know nothing about it. So he is set some kookie { someKey: someValue } and then log out from Windows.
After this operator log in into Windows and open the same website and he should have access to this cookie { someKey: someValue }.
I search around we and found nothing about it. Found only solutions about save to file system, send via tokens and save MAC address with a value into DB. But this is not suitable for me. I know that share cookies and store locally isn't secure, but need to implement that feature.
Web project based on chrome browser, asp.net mvc, angularjs and ms sql for db storage. Is anybody can help me with this issue about cookies?
There is no way to do this. First, every browser has its own way to store and retrieve cookies. It is impossible to write something that will work for any platform and any version.
Second, there is security. You can't just copy some files and expect this to work. Browser developers aren't stupid to leave such a big security loophole in their software.
You are mixing Windows applications with full control over the system with a web application that only resides within the browser. You should find a better way. You could use a certificate installed on the machine to validate the user, but it seems to me there are better options, like simply logging in, etc.
Cookies are a browser component that all major browsers locate in user specific directories. if you could change it to HTML5 storage API and you could setup the storage to a folder both users have access (dunno about this). You could have client side shared data. Most probably, you could not. And certainly not using cookies.
Disclaimer: I havent used storage API
Edit: Just checked. Storage API does store the data un user specific folders, so cannot use it either.
"In practice, "client-side storage" means data is passed to the browser's storage API, which saves it on the local device in the same area as it stores other user-specific information, e.g. preferences and cache. Beyond saving data, the APIs let you retrieve data, and in some cases, perform searches and batch manipulations." Source: https://www.html5rocks.com/en/tutorials/offline/storage/
As far as I know, when I developed a console app using YoutubeAPI to create live events for streaming, youtube required me to choose the account which was enable live streaming to put live events on.
But when I developed a website app using that API, even though I opened icognito browser to create live events, it still used my first account in Chrome to create live event.
I wondered if there is some way to make this API to select user like what happened in console app.
I think it is because of the client_secrets.json but I don't know how to fix it.
I am using C# to develop
All of the Live Streaming endpoints require OAuth, you must be authenticated as the user you wish to stream live with. You cannot stream on another user's behalf unless they have logged in and provided a valid OAuth token to use for your requests.
I have a .NET a web app that i built for files processing .I am using IIS 7 anonymous user authentication , i also did not require the users to log in, so pretty much any user who has access to the intranet can access the web app.
The users said when two of them try to run their files on app at the same time they receive an error( did not specify it).
My question is :
If i use anonymous authentication is it by default every user will have his\her own session while accessing the app?
Yes, by default every user will have their own session. And anonymous authentication is the default scheme for the web. It is unlikely that any web server, by default, would only allow 1 anonymous user at a time.
Most likely, if your app is doing file processing, you may be dealing with file locks and not an issue with IIS. You want to make sure that your code is written so that, if two or more people access it simultaneously, they can not request to same file. Also, you need to make sure that you are properly closing any file streams you open, even in the case of exceptions. Without seeing the code in question, it would be difficult to impossible to give more specific guidance, but hopefully this will help point you in the correct direction.
Install Elmah to get error report of ypur app!
I'm using an IHttpHandler to deal with my downloads. It streams out the file.
However, this handler needs to compare a token to one that is stored in the session. Therefore, it uses IRequiresSessionState.
The problem is now: as long as IRequiresSessionState is there, the user cannot keep on navigating the website, while a download is running.
Is there maybe a different approach than using a handler, which would solve my problem (I still need to be IIS6 compatible, but if there's a solution for IIS7 only, it would still be okay)?
Note that I cannot change the session check. I have to access the session.
There are so many things in .NET and IIS I have not discovered yet, maybe there is some functionality one could use.
Cannot you just redirect the request to another handler with the token in the URL so that it doesn't need to access the session any more?