RajaAnis
Member
1 Points
7 Posts
Need Security suggestion On .ashx response In ASP.NET
May 30, 2012 09:15 AM
Hi all.
This is Raja from Bangalore. Thanks in advance for your help on this. Thanks!!!!!
Please find my question below.
1. We have a project, an ASP.NET web application, hosted on a server.
2. In the application we have a stand-alone ashx file that acts as a service, as per the request (query string URL) from some other application. It is a complete stand-alone service and it is for an iPhone application. It is not checking any authentication. It gets params from the query string (which have sensitive data) and gives the response in XML format.
3. We got to know that this is a web vulnerability in the ashx file via the query string. There are possibilities for internet hackers stealing data.
4. We need to protect our service, so we are finding out a solution for how to protect the ashx service... but still we are not getting useful ideas.
5. How to apply a security mechanism on this?
6. Can you guys give some useful solution for this? This would be really appreciated. Thanks. Please find my sample project here.
Request URL:
http://server/MyProject/webservices/coreservices.ashx?username=xxx&password=yyy&fc=myfunctionname&format=xml&appplatform=iphone&appversion=1.0&wsversion=1.0
ashx file:
using System;
using System.Web;
using System.Web.SessionState;

public class Myservices : IHttpHandler, IRequiresSessionState
{
    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        String response = "";
        String functionCall = "";
        if (context.Request.QueryString != null)
        {
            if (context.Request.QueryString["fc"] != null)
                functionCall = context.Request.QueryString["fc"].ToLower();
            else
            {
                response = "Error! Function Call ('fc=...') parameter was not provided.";
                goto WriteResponse;
            }
            //check for required parameters first...
            response = CheckParams(functionCall, context);
            if (response.ToLower().Contains("error"))
                goto WriteResponse;
            switch (functionCall)
            {
                case "myfunctionname":
                    // username, password and the other parameters are taken straight from the query string
                    response = ws.myotherfuntion(context.Request.QueryString["username"], context.Request.QueryString["password"], context.Request.QueryString["format"], context.Request.QueryString["appplatform"], context.Request.QueryString["appversion"], context.Request.QueryString["wsversion"]);
                    break;
            }
        }
    WriteResponse:
        context.Response.Write(response);
    }

    public bool IsReusable { get { return false; } }

    // CheckParams and the service object 'ws' are defined elsewhere in the project (not shown here).
}
Thanks!
Raja.S
BrockAllen
All-Star
27434 Points
4891 Posts
MVP
Re: Need Security suggestion On .ashx response In ASP.NET
May 30, 2012 01:37 PM
1) Use SSL to provide confidentiality and integrity
2) Authenticate the calls to provide, well, authentication
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Steven Cheng...
Contributor
4187 Points
547 Posts
Microsoft
Moderator
Re: Need Security suggestion On .ashx response In ASP.NET
May 31, 2012 02:03 AM
Hi RajaAnis,
As BrockAllen has suggested, using an HTTPS/SSL secure channel is always a simple and efficient way to secure web application pages/services.
Also, how will your ashx handler be used by the clients? Is the ashx-handler-based URL (containing a certain query string) provided by you (through email or some per-user-specific approach), or can users freely access it by supplying the parameters in the query string? If the URL is always provided by your application side, you can try encrypting the query string parameters in the URL (before sending it to users); later the user just uses the URL to access the handler, and only your handler code can decrypt the query string parameters.
Feedback to us
Microsoft One Code Framework
BrockAllen
All-Star
27434 Points
4891 Posts
MVP
Re: Need Security suggestion On .ashx response In ASP.NET
May 31, 2012 02:13 AM
In addition, though, you should also provide verification that the client did not modify the encrypted query string param, so using a signature or HMAC would also be required (for ideal security :).
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
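Taking Steven Cheng's server-issued URL idea together with BrockAllen's HMAC requirement, here is an added example (written for this thread, not code from either poster or from the original project) of signing and verifying the handler's query string. The class name, the "exp" and "sig" parameter names and the key string are all assumptions; the key shown is only a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
// Added example, not from any poster in this thread. The server issues URLs whose
// query string ends with an expiry and an HMAC-SHA256 signature; the handler recomputes
// the MAC over the raw URL and rejects anything altered, forged or expired.
public static class QueryStringSigner
{
    // Placeholder only: a real key comes from protected configuration, never from source.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-32-byte-secret");
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // Server side, e.g. Sign("/MyProject/webservices/coreservices.ashx?fc=myfunctionname", TimeSpan.FromMinutes(10))
    public static string Sign(string pathAndQuery, TimeSpan lifetime)
    {
        long exp = (long)(DateTime.UtcNow.Add(lifetime) - Epoch).TotalSeconds;
        string signedPart = pathAndQuery + "&exp=" + exp;
        return signedPart + "&sig=" + Mac(signedPart);
    }
    // Handler side: call first in ProcessRequest and read no other parameter if it returns false.
    public static bool Verify(HttpRequest request)
    {
        // RawUrl keeps the exact bytes the client sent, and "sig" must be the last parameter:
        // anything appended after it becomes part of the presented signature and fails the compare.
        string raw = request.RawUrl;
        int idx = raw.LastIndexOf("&sig=", StringComparison.Ordinal);
        if (idx < 0) return false;
        string signedPart = raw.Substring(0, idx);
        string sig = raw.Substring(idx + "&sig=".Length);
        long exp; if (!long.TryParse(request.QueryString["exp"], out exp)) return false;
        if ((long)(DateTime.UtcNow - Epoch).TotalSeconds > exp) return false;
        return FixedTimeEquals(Mac(signedPart), sig);
    }
    // URL-safe base64 of HMAC-SHA256(Key, data), so the client can pass it back verbatim.
    private static string Mac(string data)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)))
                          .Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }
    // Compares every character so response time does not reveal how much of a guess matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The signature only proves the URL left the server and was not changed on the way back; it does not hide the parameters, so the channel still has to be HTTPS as BrockAllen said in his first reply.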
RajaAnis
Member
1 Points
7 Posts
Re: Need Security suggestion On .ashx response In ASP.NET
Jun 04, 2012 04:48 AM
Hi guys.
Thanks for your valuable suggestions. We started work on this. I will keep in touch with you guys for better results. Thanks!!!!! Once again,
Thanks.
Raja.S