Where currently working on an C# application that requires data to be stored in central location.
The application will authenticate the user via the server, which in turns returns a session via the headers.
Then the C# application would then use the CDN to send and collect data from/to the server.
What I want to accomplish is to be able to verify its the C# application sending or requesting the data and not some script mimicking the headers and data.
What methods are there in validating each side of the request so that the C# Application can validate the Server data and also the other way around.
Thanks.
This scenario is easily solved using public-key cryptography:
A simple solution is to encode a hash of the data (and potentially a timestamp / sequence number) with the public key of the "other side." This can be used to guarantee, upon decryption with the private key upon receipt and a comparison of the hash value (and potentially a timestamp / sequence test), that the (expected) sender actually sent the data.
If you store a private key with the C# application, you can send this with the authentication request.
Store a random string of text with the C# application and the PHP application;
Require the login request to have this string;
In the PHP application, verify that this string matches;
Every authentication request that does not have this string will be rejected.
Related
For example if I type in the URL:
http://www.foo.com/page.php?parameter=kickme#MOREURL
Then on the server there is no part: #MOREURL
Is possible to send or get these part to the server without jQuery AJAX?.
No, it is available to the browser only, so you have to deal it with Javascript. The server can not read it.
Explanation:
Basically the hash component of the page URL (the part following the # sign) is processed by the browser only - the browser never passes it to the server. This sadly is part of the HTML standard and is the same whether or not you are using IE or any other browser (and for that matter PHP or any other server side technology).
Here's what Wikipedia says about it:
The fragment identifier functions differently than the rest of the URI: namely, its processing is exclusively client-side with no participation from the server. When an agent (such as a Web browser) requests a resource from a Web server, the agent sends the URI to the server, but does not send the fragment. Instead, the agent waits for the server to send the resource, and then the agent processes the resource according to the fragment value. In the most common case, the agent scrolls a Web page down to the anchor element which has an attribute string equal to the fragment value. Other client behaviors are possible
https://www.rfc-editor.org/rfc/rfc2396#section-4
When a URI reference is used to
perform a retrieval action on the
identified resource, the optional
fragment identifier, separated from
the URI by a crosshatch ("#")
character, consists of additional
reference information to be
interpreted by the user agent after
the retrieval action has been
successfully completed. As such, it is
not part of a URI, but is often used
in conjunction with a URI.
I would like to extend the answer on the reason WHY the fragment is not sent to the server. Because it is intentional and desired behavior. Let's look at URL string in whole.
/path/to/element?query=string&for=server#?optional=fragment&for=browser
<----- URI ----> <---- QUERY STRING ---> <----- FRAGMENT STRING ------>
URI uniquely specifies resource fetched from a server
QUERY defines operations to be performed by the server on the resource
FRAGMENT controls browser (application) behavior. Fragment should be used to
store application state which should be visible to the user so the user can send link to another user to get the same application state.
Fragment is the only part of URL free for you to transparently implement single-page web applications (which can run offline on your mobile phone for example).
Therefore it must not be sent to the server.
The hash component is not passed on to the server but it is extensively used on the client side. Specifically, in single page applications, the text following a hash is used to represent state of the application as different routes. Thus, what happens is: following an initial request to the server which serves the 'home' page along with additional js files which include client-side routing logic such as the router, whenever the user navigates anywhere on the page by clicking an anchor tag, only the part of the URL following the hash component is changed. This prevents a GET request to the server and in response to this 'onhashchange' event, the content of the single page application can be updated depending on the exact route.
I'm sending a JSON result back to a javascript (Jquery) on my IIS/MVC4 website.
The json contains a string value of around 60-100 letters.
Currently it is being sent in clear text with no encyption at all.
What would be the simplest method to encrypt just this message between the javascript client and the .net C# backend?
The encryption dosent have to be superb, but just enough that you cant figure/bruteforce out the contents in under 1 hour.
Keep in mind that everyone has the javascript so I cant just use a common key for all clients.
I was thinking something along the line of an RSA encryption where the client generates a keypair and sends its public key back with the request and the server uses this to encrypt the value.. I cant find any examples of this though so I'm very open to suggestions.
Run the entire webpage over SSL (HTTPS). The server and browser will take care of encryption for you.
I have a scenario where users are Uploading Transactions logs to Main Server Via ASMX Webservice. The application is clickonce .Net winforms app
Currently I am doing this To convert to List of Object to Json and Deserialize it on Service. over the SSL.
string data = JsonConvert.SerializeObject(Values_Static.logitems);
My Code is protected by SmartAssembly . And still I am getting some breach that attacker have access to the Network Connections and Can Deserliaze the Data.
Now i am thinking of a Scenario that I Encrypt the Json String with some private string key and then decypt it on the server .
e.g
private string salt = "$e7?8f#l4";
return ByteArrToString(Encrypt(TextValue + salt));
Hardcode the key in app and decode it in server.
will it work ?
Users are uploading the the logs to server every minute and there are possibly 20-30 entries per Upload.
is there any chances of broken Data or still the hacking ?
UPDATE :
According to Discussion Below . I understand that there is some issue with my Code. The code is accepting the invalid certificate . How i Can prevent to Accept only Valid Certificate from my https:// Web service .
ATM , every one can see the code through fiddler with Decryption HTTPS on .
I have a valid Certificate installed on my IIS 7. and its working properly
the issue is with code. and its standard auto generated web reference in Visual Studio.
UPDATE 2 :
The Final Result is , The Post data is not Encrypting , its Plain XML and readable by any software that can sniff , however the GET data is secure . I had serached bit not found some valid Answer.
Are you using SSL? If so, any application-level encryption is redundant. And, the key will have to be embedded in the code, so is readable by any attacker.
Fiddler (or other HTTPS proxies) can decrypt any HTTPS traffic.
You could prevent simple use of Fiddler by requiring a specific server certificate in your client code (rather than trusting any certificate the system itself trusts). However, this is only a weak deterrent because the user could just decompile your code and alter it so that your new certificate check is neutered.
This is called the "Untrusted client" problem, and it's the same thing that makes Digital Rights Management (DRM) software a "best effort" affair rather than an ironclad protection.
I am creating a PHP website connected to a MySQL database. Next I will need to write a C# desktop app that will use the same DB. Unfortunately I cannot connect to the DB directly from a remote location and my hosting company won't allow SSH neither.
So what options do I have? If the hosting company supported .NET, it wouldn't be a problem, but I'm not that experienced with PHP. Will I have to write a PHP service (SOAP?) and then consume it in my desktop app? Also, how do I communicate with server from the desktop app?
Any help appreciated!
Depending on security requirement, could you write a generic SQL executing page in PHP, that took the SQL as a String parameter, and returned the results as an array of Strings (Might need some meta data too or something)?
Other than that the only thing I can think of is a web service of some kind.
Also SOAP can work both ways, you can read and write from the C# app, no need to write a WebService on both ends, unless you need to notify your c# app about something from the server (In which case you could always try frequent polling from the c# app)
Best option would be creating a set of RESTful services in your PHP site.
One of most important things to take in account is REST is more configuration by convention, and there's no need of things like SOAP which may be an absolute overkill for your solution.
You just send JSON from PHP and .NET Windows application will parse it as a CLR object.
A sample scenario would be:
Service operation: http://yourdomainhere.com/API/Message/34894
** This returns something like { "text": "hello world" }
.NET client receives this JSON and using a JSON parser like Newton JSON parser, you'd be doing this:
MessageDto dto = JsonConvert.DeserializeObject([JSON received from the service call]);
MessageBox.Show(dto.Text); // This will show "hello world"
It's just a very simple example, but it'd give you an idea of what's next.
You can query your REST API using WebRequest/WebResponse .NET BCL classes.
PHP only needs to send a web response including your JSON in the output stream, that's all. No SOAP, no XML, no complication. Keep it simple.
I think the following link will be of helpful to you!
Developing SOAP Web Services with PHP/C#
What you can do is providing some PHP-wrappers which you can access from your C# code. As an example you can use this discussion, regarding C# / PHP communication.
Basically you can send a HTTP request to PHP and retrieve it's return value with C#. PHP would then perform the DB requests. If you're using AJAX on the Website it should be easy using the same communication interfaces.
this is the first paragraph of Matt Fellows answer.
But in what form do you send the data back to the application in?
Maybe JSON?
PHP webpage
<?php
$host = "host.host.com";
$user = "XXXXX";
$password = "XXXX";//plaintext :)
$connection = mysql_connect($host, $user, $password);
$database = "XXXXX";
$syntax = $_GET['syntax']; //www.example.com/help.php?syntax=DROP%20TABLE%20XXX
$result = mysql_query($syntax);
//somehow output the $result in C# readable form
?>
I have a question regarding if it is possible to hide inputs to a web-service method.
Lets say that the fourth parameter takes a password as input, and we want this input only to be used on the client side.
The function has 4 input parameters, and is there any way possible to still have all the input parameters to the function but make the fourth parameter invisible when accessing the .asmx file through the web-browser? This is to eliminate users trying to access the service and trying to input random data.
EDIT: To place this in an example.
We have an iPhone application, when a user makes use of a function, some parameters are sent to the web-service along with the fourth parameter that should contain a key of some sort to validate that the user is on an actual iPhone using the application and not someone accessing the web-service trying to access data.
public someVariable someFunction(someVar parameter1,someVar parameter2,someVar parameter3,someVar parameter4)
{
if (key.isMatch(parameter4))
{
The user is on an iPhone using the app : Proceeding.
}
else
The user is not on an iPhone, cancelling function.
}
you can prevent calling your method from webbrowser,by extending SoapExtension and getting extra information as soapheader ,that just can be send by enduser app
have a look to this Using SOAP Header and SOAP Extensions in a Web Service
The interface that you are using was not supposed to be used for anything but testing.
If you need to use it on production you should rather implement your own page, so the TextBox for parameter 4 would be masked.