I'm new to web programming and have a question about code behind in ASP.NET C#. How safe is it from someone seeing what's in it? The reason I ask is the program I'm linking this website to requires me to create an object that takes in my admin credentials (It does this in the background thousands of times or I would just prompt for creds). It uses the credentials to create things dynamically. I'm 99.99% sure this is highly unsafe to hard code my credentials into the page but I figured I would ask.
The code behind files and raw aspx files are protected from being retrieved by the web server, so as long as you control console and file share access to the server you are relatively safe.
Still, it is not considered really safe. You should set up the application pool of the site to run under a specific account and then give that account the necessary rights. Having services using ordinary user accounts is considered bad practice. Each service should have its own account, with least possible rights.
ASP.NET pages are compiled before sending the page over HTTP. This is secure. But if the user can access the file system, you have another problem on your hands.
You should put your credentials in your web.config (or you can move them into separate files like AppSettings.config or ConnectionStrings.config etc). The server will should never serve these.
This might be helpful:
http://msdn.microsoft.com/en-us/library/4c2kcht0(v=VS.100).aspx
This tells you how you can can go one step further and encrypt these so they do not store plain text password etc:
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
It is "safe". IIS (by default) does not serve up .cs files.
Another option is to precompile the site and then just drop the .aspx files on the web server.
Putting sensitive information into .cs files in ASP.NET is by default not a risky process as ASP.NET does not give access to .cs files from the client side (if you don't change it explictly), however, be sure that if there is a server error, custom errors reporting mode does not send the lines of the code to the client (which is extremely useful when debugging, and extremely risky when you release it to the public) or anyone may be able to read your sensitive information if an exception is thrown near those lines.
There are various levels of "safe" here.
Yes, IIS is configured to not serve up .cs files or .config files. That said, there are attack vectors which have proven successful in getting IIS to deliver those files into the evil doers hands.
First off, I wouldn't deploy .cs files to the server. If possible convert the web site to a web application and deploy it compiled. Of course, .net code can be decompiled (and here); so you should also look into obfuscation. However even obfuscated code can be decompiled but it's generally harder to read. ;)
Note that each level isn't really "secure". It just makes it more difficult.
The real answer is to not store the credentials on the server at all and require them to be provided by the client over an encrypted transport. Certainly you could cache them in memory, but even that has proven insecure to those with physical access.
At the end of the day, ask yourself how valuable the keys are and how much money/time you can invest in securing the system. There's usually a balance somewhere.
Related
In order to use C# 6 features (like ?.) in a .cshtml file under MVC5, you need to include csc.exe and related files in your website's bin folder when you deploy it. Ok, I can understand the reasons for that.
However, this now means that there's a full C# compiler sitting on my webserver, with the same permissions as the website user. This makes me hesitate - in theory, an attacker could use it to run arbitrary code as if it were my website.
Is this actually a valid security concern?
I can see both sides: On the one hand, it's possible that you'd need the ability to execute arbitrary code already in order to be able to pass arbitrary code to the csc executable. On the other hand, I can see access to it being used to get access to internal website settings (like database connection strings) by running code that we'd never want to write.
Should I be concerned, or is this considered safe?
As I understand it, MVC Razor views are in effect arbitrary C# code, which is recompiled on demand after any change.
So any hacker with access to the website server can run arbitrary C# code, in any version of MVC.
I agree it feels like a risk, because it is, but on the other hand you get the advantage of being able to change Views without republishing the whole website.
Kind of a quick question here, couldn't find the answer on-line.. and that could well be because it's a strange question.
I want to send data (basically strings/JSON) through a port that I have listening on a Linux server from a C# application. When the application talks to the server for the first time it must pass the correct credentials which are obviously meant to be secret. So when I compile this application are these credentials (username/password combo) safe? I guess not because I have heard of decompilers and the like. So in what way would you make this safe? Surely any application that has been compiled and connects to a public database or something similar must have the details stored in the executable somewhere.
Am I missing something blatantly obvious here, sorry for my ignorance!
No, they're not.
Broadly put, you can't ever assume that any data you ship to an end user in any form will be safe from prying eyes of some sort.
What are you trying to do in the first place? What are the security requirements?
For the application you have described, you should probably put the credentials in a file and set the permissions such that only the immediate owner can read the file. I would never recommend putting sensitive information into a file that anyone else can read, such as your application.
No. There are reflection tools that can show the code in your application. You can use tools that "scramble" your code (through obfuscation) and that can be somewhat effective, although not 100% secure
ASP.NET 2.0 introduced a new feature, called protected configuration, that enables you to encrypt sensitive information in a configuration file. Although primarily designed for ASP.NET, protected configuration can also be used to encrypt configuration file sections in Windows applications. For a detailed description of the protected configuration capabilities, see Encrypting Configuration Information Using Protected Configuration.
As of late, we started a pretty large project (C# XNA game).
It seemed to be pretty obvious solution to store all the files in a remote server, use a database for file "versions" and have the patcher download the newer versions and delete any archaic.
Now this is all nice in theory, we even found a service with the space for it (SkyDrive with the 25GB offer).
The problem came up when it got to file manipulations.
We're looking for:
Can programmatically download/upoad (for the patch maker) files to/from SkyDrive.
Has a secure way of containing uname/pass.
Allow me to explain both.
Thing is, we had to make the SkyDrive on my personal account (due to the 25gb offer only being there for old users). I'm not very happy with someone getting my password, even though I'll obviously change it to something completely archaic, they would still get access to most of my other hotmail/msn related stuff. (I guess it's a reason to remake it all then?). So if possible I would secure the actual uname/pass inside the program. Since it's .NET and is compiled on demand, (and can easily be decompiled) I'm having doubts real security in this case is improbable (if it is possible to secure please do tell me how).
On top of that, there's no efficient&official SkyDrive API. This means that there's an even bigger security hole (see previous paragraph) and the communication won't necessarily work as expected). This also means there may be slowness in communication - something bad if you have 1000 users downloading the same file.
So to formulate all of this:
What is the the proper way (read API) to use SkyDrive as a storage server for a patcher considering it's linked to my personal account?
small sidenote, if I must, I can be evil and get our slow artist to host the server
Edit 1:
The idea is to have anyone be able to download the client, but initiating anything requires an active account on our database. As such the files themselves don't have a problem being read by everyone. So I'll add the following: how to programmaticaly get direct downloads from SkyDrive if the files are public? The current links lead to their web UI. And I mean programmatically (maybe during upload time) as to avoid doing it all by hand.
This is a bad idea.
Given #1:
Use a public folder to store your assets and grant everyone access to it
Use httpclient to download the files from the public folder anonymously in your patcher client
Use the SkyDrive descktop client to synchronize the public folder from a 'build' machine
One of the other developers at my company wrote a .NET 2.0 web site. He stores everything...solution, project, source...everything inside of "inetpub\AppName" (the IIS share). I have never seen this done before. In fact I'm kinda surprised the website loads up in a browser. Are there any disadvantages to doing this over say...storing your solution in the visual studio 2010 projects folder and then publishing the website to inetpub (security, speed, etc)? Also, Why does this work?
It works because the site would be compiled on the fly. This is bad from performance point of view (because the late compilation) and it's bad from security point of view (you're exposing your code more than necessary).
From MSDN
Because ASP.NET compiles your Web site on first user request, you can simply copy your application's source code to the production Web server. However, ASP.NET also provides precompilation options that allow you to compile your Web site before it has been deployed, or to compile it after it has been deployed but before a user requests it. Precompilation has several advantages
There's really no reason it shouldn't work, but it's generally considered a bad idea. Is he developing directly on the shared site? That's scary. Even if he isn't, that's putting a lot of files on a shared site that shouldn't be there. The server may be configured not to return them, but one shouldn't get comfortable relying on that.
Even on his local machine, it's bad practice. If for no other reason than it doesn't properly mimic the published site and makes for a bad place to test things.
There's nothing special about the Inetpub folder—it's just the default web server root by convention. Nothing about it will prevent IIS from displaying ASPX pages if it's also part of a solution (which is only referenced in the project file's XML). You can also point IIS to the project directory in the Visual Studio Projects folder.
Storing userdata on C: is usually bad practice (specially for a programmer).
Most of us have a data partition that contains just userdata which is backed-up frequently or use a source repository on another server.
If you're on a secure LAN and just developing by yourself there is really no problem putting the solution in InetPub. However if you use the same IIS to publish to the world i wouldn't recommend it. You never know who might get to your precious gems.
I'd say it's bad practice. Your entire code is at the mercy of the web server. If the server is hacked the code is a freebie reward.
Why is it better to store data inside an appSettings element (or inside a custom section) of a web.config file than to store it in a class?
One argument would be that by using custom sections we don’t have to recompile code when we change data, but that’s a weak argument, especially if we’re using Web Sites, which get recompiled automatically whenever code changes!
Thank you
Because you can change it on the fly and use it without regard to class structure. Your configuration can vary from each developers machine to staging to deployment environment by changing and maintaining a single file independently of the code, and you can take advantage of *.config masking with different areas of your site.
Hard coding anything configurable is a recipe for failure and it absolutely will bite you - this is just a matter of experience, if you don't believe it then you have but to wait a little while!
By putting settings into web.config, you have them all in a centralized location.
Also when deploying a web site, you might want to precompile it once. So you won't be able to change the source afterwards (without another recompilation).
It's not really a concern of just recompiling the code, it's more about re-deploying the code. Normally, you don't deploy code to the web server, you just deploy the binaries and aspx/html files. If you hard-code your config data in the code, you'll have to rebuild and redeploy the library or application to get the change up to the server, which is a lot more work than just updating the web.config.
Putting data in the web.config file also allows the same code to be run in different environments with different environment-dependent data. This can mean running the same website code in staging with a test database connection string and in the production environment with the production database connection string. Or it could mean allowing the developers to configure the data for their own tests without changing any code, as 'annakata' mentioned.
It's just a WHOLE lot easier to manage and update the settings.
If you're using Notepad to do your development and putting the code out on the server, I would agree that there is little benefit, but if you're using Visual Studio and you build your website and publish it, you're publishing the pre-compiled dlls and not just updating text source code (.cs or .vb files) on the server. So when it comes time to update a setting at that point, anything in the web.config can be updated by simply modifying the text file, where as with other changes, you have to re-compile t whole web site and publish it.
And from experience, that becomes tricky when taking over after other developers that weren't careful about ensuring everything needed to make a web site work is in source control. I'm now stuck with a web site where we can't update huge chunks of it because of (kindly putting it) non-standard practices in the past.
Being able to update something without re-publishing the site is a huge blessing in my situation, and you never know who the poor maintenance programmer will be that takes over on your code.
Be nice to him or her. Make it easy to make simple changes.