App.Config Security in WPF - c#

I am creating a WPF project, and deploying it using ClickOnce. Since the .xbap file is downloaded to the client, and run it from the client machine the client can edit the file and do anyting they wants. That is, if the App.Config file of my WPF appliaction is downloaded along with the .xbap file, and I use some settings to control the behaviour of the application, or use some info like my service detauls, and the user goes to the downloaded location and edits those details they can do anything with it. I have tested this, and this can be done. I have singed my assebmly and manifest with a .pfx certiciate
Since I have signed my assemsbly/manifest, if I perform the same action in the server, the application shows an HashVerification error. Why doesnt this happen in the client side. I think, this is far more important to work in client side then on the server side.
What is the work around to stop users? This could be a serious security issue for many apps. I think this can also be done with Silverlight apps, as it behaves same (not sure if I can paste my modified .xap file to Temporary Internet Folder).
Thanks

Never trust a client.
Whatever you are trying to prevent, expect the user to be an administrator and ready to hack your application.
If you have something to hide (password, connectionstring, ...) do not pass it to the client, keep it on the server.

What is the purpose of settings that cannot be changed by the user?
If you want these values to be constant in the deployed code, then I would consider making them constants or resources.

Related

Replacing Click-Once with another installer that supports non Windows Security

I currently have an in house C# app that is delivered via click-once. I'm moving to the cloud and would like to have the Click-Once delivered from there (will be accessed from multiple countries and I can't use IP ranges to block out intruders), but it appears that the only way to secure the download is using windows security which is not an option for my clients.
I'm looking for a nice way to deliver the initial software and then keep the clients updated.
I've heard about WIX but I can't seem to find any information around updates from the internet and it.
Does WIX support this? If so can someone point me at an example or reference?
If it doesn't support it is there another solution someone can recommend?
Here is my usage scenario:
- User logs into a website supplying credentials, (username/password or certificate) then has the ability to download and install the application.
The application must check on startup of the app for a new version and if there is automatically download, install then run it. (would be nice if the user must resupply credentials for the update but not a necessity)
Bonus points if it will work on any web server such as a simple Node.js implementation.
WiX Only handles the installation via the bootstrapper or MSI you have generated, so I would assume that it's most likely a windows installer setting of some kind when it is first created. The element ClickThrough is supposed to be able to handle this scenario, though I don't know much about that.
The way my work colleagues dealt with this is by using IIS and an ASP.NET web service, along with a DLL that has methods to check with the web service if there is an update, and then prompts the user about the update and asks if they wish to update (did I say update enough in that sentence?).
Hope this helps.

Where are all the places needed to change a host name for a web service call

I am using VS 2012 under windows 7x64. I have a winforms application that makes a webservice call to a Java (JBOSS) server. On the client-side I created the connection using Add Service Reference. Everything was generated properly and the communcation between client and my development server works. Now, I would like to point my client at a different server for QA purposes. I researched this and found I should change the app.config, specifically the endpoint address:
<endpoint address="http://devserver01.mydomain.org:80/af-afejb3/TransmitWS_003" ...>
I did this and it seems to work but my question is around other places I may need to change. I did a text search of my entire solution for the old dev server name (devserver01.mydomain.org) and found it still existed in several places including:
configuration.svcinfo,
configuration91.svcinfo,
configuration91.svcinfo,
TransmitWS_003.wsdl,
Reference.svcmap
My thinking is that these files must not matter but I am uncomfortable seeing the old server names within certain files still in my codebase. Are the above files throw-away files that I should not commit to version control? I certainly like the idea of making a simple change to the app.config and this does feel right but I want to be sure. Is the app.config the only place?
thanks

Run .exe on client system from server-side c# code

I want to run an exe on client system from my c# asp.net website. When I use Process.Start()
it throws an error:
The requested operation requires elevation.
How do I set permissions to run that exe?
You can't spawn processes on the client machine from server-side code.
When you use Process.Start in server-side code, it is attempting to execute the process there, on the server where the website is hosted. If you wanted to create processes on the clients computer then you would need to expose a download for them (and not in employing subterfuge, like malign sites might do to install software - supply it gracefully, and normally (and with permission)), or a Silverlight application or something along those lines.
The bottom line is that the code you want to execute (even if that is just to spawn a process) must reside on the client, and be executed there.
You can't run an application from a web server like that. You will have to have the user download the application by supplying the EXE, a setup file or using ClickOnce.
Or you can develop an ActiveX control that you can have the browser automatically download from a Trusted Internet Zone.
Once downloaded, proper signing with a certificate (signed from the trusted (corporate) root certificate) will avoid the user getting a prompt to ask whether he wishes to allow the ActiveX control to install/be activated -
The ActiveX control can subsequently do anything the interactively logged on user could. This means that to actually install a program you'd need to elevate (UAC on Vista+); But if the goal was just to run a standalone executable, you should be good to go.
This all assumes white-hat purposes in a (larger) corporate setting, because it relies on PKI infrastructure and central browser policies, to name just two.**
This would, really, lead to some excellent questions on serverfault or superuser
I noticed you said you wanted to run an exe file on the client, but you didn't say explicitly that the exe is on the server and you want to push it to the client. Everyone seems to be assuming that is the case.
You CAN accomplish this fairly easily with a small JavaScript if you have a few prerequisites:
The executable is already present on the client machine.
All of your clients are running IE
You can enforce a policy to put your site in the Intranet or Trusted
Sites zone.
So basically this means it's a corporate intranet application. I am assuming this is probably the case since, well, if you were expecting to do this with a public app, I would be surprised.
For the script to accomplish this, please see my answer to this question:
How can I get a program on a client machine to run from an ASP.NET page?

saving a text file in client side without asking for permission any time

I need to save a text file on the client side possibly without permission. The case is that I need to save this text file in a shared folder in this or in another machine in the lan. This text file is going to be read automatically by the fiscal printer which will print the fiscal invoice. I have a asp .net web application and the server is not on the same lan with the fiscal printer, so I have to write it on the client-side. Any idea how to do this without asking to the user every time for the security issue.
I need a cross browser solution.
I can accept a solution like, the client is asked only one time a the first printing, but not every time he wants to print a bill. Some kind of asking permission to the client for allowing this website, in order to not repeat the permission asking.
Obviously - this would be a major security breach to download files to the user's computer without them knowing. All browsers have precautions in place to prevent this from happening.
No, you can not do this. Saving a file to a computer without permission in a public folder is not allowed.
You can, however, have your Client install your application which will have the ability to read and write where you want.
A common way that Trojan viruses to this is by giving the Client some goofy program to run that displays a fireworks show or something else quite trivial. While the Client is busy wondering what he's looking at, your virus is installing quietly in the background.
Now, you are probably saying to yourself, "But I am not installing a virus." However, there is no way for a Browser to know if your application is a virus or not. That is why it is not allowed and why you can not do it.
The more applicable scenario for me is:
1- Do your work inside your web application.
2- Get the information that you need to print.
3- Send it to another computer directly (or to a hosted web service) and this computer will act as a host for these files.
4- let your server access this shared folder, and print what you want
You could use a cookie, which won't ask permission. Of course that would only work when cookies are enabled and can store limited amounts of data.

Publish Signed Files?

I built an auto-update feature to my program. It polling an xml in some http url, and in case there is new version is notifies the user and downloading the new files.
I want to allow redistributing of those updates in closed networks without internet connections. The administrators can download all update files and host in some HTTP server in the network.
The problem is that the xml URL will not be the same, so I want to allow change this URL in the program's config file. This is openning the door to malware publishers: they can redistribute my program with other URL in the config file, and then distribute some form of malware through the auto-update system of my program, then the people will say my program is a virus.
I want to block the chance to change the original auto-update xml to block this kind of malware distribution. How do I do that?
I think I understood your problem. But this problem is not yours to handle. The users should only download your application from a trusted source. You cannot stop a user from downloading malware, its their problem if they do so. Also, it is the users that will add/change a URL to the config file and you cannot stop them from adding a malicious URL to the config file. And even if you have the original update URL hard coded in your application, it wouldn't be hard for a user with malicious intent to change it and recompile your application and distribute it. Or else you can use cryptography to ensure that the original URL is unchanged.

Categories