Last post Oct 30, 2014 01:22 AM by brijrajrathod
Oct 28, 2014 05:21 AM|brijrajrathod|LINK
Our Security Team has found an issue in our ASP.NET web application: a request was modified with Burp Suite, intercepted and posted to the server.
Due to this there is a security threat to the web application.
Please advise how to solve this issue.
Is there any way to make an ASP.NET web application protect against this kind of proxy tool which modifies the request?
Oct 28, 2014 10:02 AM|AidyF|LINK
You can't stop people amending the data or constructing their own requests to your site, you just have to ensure your code obeys all the normal best practices for secure code. If there is a specific type of security issue you're interested in then post what it is and people might be able to advise further, but asking "how do I secure my site" is like going to a mechanic forum and asking "how do I build a car".
Oct 28, 2014 01:28 PM|brijrajrathod|LINK
Thanks Aidy for your reply.
I'm having one screen, Account to Account Transfer. The fields below are there.
From Account : 1000Account1
To Account : 2000Account2
Transaction Amount : 1000
I want to make sure this screen is not tampered with using any proxy tools like Burp or Paros.
How do I make sure that client details are not tampered with?
Oct 28, 2014 01:57 PM|AidyF|LINK
As long as you verify that the logged in user has rights to transfer from the "from account" you don't need to worry about that. For the "To account" you could either encrypt that data, or make it such that people can only transfer to accounts they have registered as genuine recipients. That way you can verify that the logged in user has permission to not only transfer from the "from account" but also to the "to account". As for the transaction, again you'll be verifying this amount is valid before the transfer is done.
Oct 29, 2014 01:13 AM|brijrajrathod|LINK
Thank you Aidy, for your prompt reply.
What encryption options are there, through which the information entered by the client will be passed to the server encrypted and then parsed on the server side?
Oct 29, 2014 04:34 AM|AidyF|LINK
You can't encrypt on the client side, you need to use https to cover that. .net comes with a few encryption algorithms, it's a big subject but there are plenty of simple examples for the more popular encryption routines if you google "encrypt string .net"
Oct 29, 2014 12:55 PM|brijrajrathod|LINK
Even with https, Burp is intercepting the request before posting to the server.
This is the major concern and challenge raised by our Security Team.
I am looking for something real, such as an example. Thanks Aidy.
Oct 29, 2014 01:01 PM|AidyF|LINK
I think when you use burp to intercept https the user's browser gets a certificate warning.
Oct 29, 2014 02:25 PM|brijrajrathod|LINK
Yes, Warning is displayed.
But in a banking website some better logic is required, as financial things are involved, and in the middle of a transaction someone using a proxy tool can change the amount or details of the request.
Some better mechanism is required that can be validated on the server side to ensure the request is not modified by Burp or a proxy tool.
Oct 29, 2014 04:40 PM|AidyF|LINK
If you're using a banking site and ignore a warning about the security certificate then I'm afraid that's life. You can only help people so much, if they don't use the tools their browser gives them then there isn't much more you can do. If you're really worried about this kind of thing then as I said only allowing to send to/from known accounts allows you to put security right at the final layer where it can't be implemented. Most banking websites do this, they make you register accounts you want to pay into, they don't just give you a textbox and let you enter any account number you want.
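The server-side checks AidyF describes in the two replies above (caller owns the "from" account, "to" account is a registered payee, amount is valid), as an added C# example that is not from the original thread. The account store, the `TransferRequest` model and the payee registry are constructed stand-ins; the only thing the posted form supplies is the request, while the user id comes from the server-side session.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed in-memory stand-ins for the bank's data store (hypothetical types).
public sealed class Account { public string Id; public string OwnerUserId; public decimal Balance; }

public sealed class TransferRequest
{
    public string FromAccountId { get; set; }   // posted by the client, may be tampered with
    public string ToAccountId { get; set; }     // posted by the client, may be tampered with
    public decimal Amount { get; set; }         // posted by the client, may be tampered with
}

public sealed class TransferService
{
    private readonly Dictionary<string, Account> _accounts;
    private readonly Dictionary<string, HashSet<string>> _registeredPayees; // userId -> payee account ids

    public TransferService(IEnumerable<Account> accounts, Dictionary<string, HashSet<string>> payees)
    {
        _accounts = accounts.ToDictionary(a => a.Id);
        _registeredPayees = payees;
    }

    // currentUserId must come from the authenticated session (e.g. User.Identity.Name in ASP.NET),
    // never from the posted form: nothing a proxy rewrites in the request can change who the caller is.
    public string Transfer(string currentUserId, TransferRequest req)
    {
        if (req == null || string.IsNullOrEmpty(req.FromAccountId) || string.IsNullOrEmpty(req.ToAccountId))
            return "Rejected: missing fields";

        // 1. The caller must own the source account, whatever account id the form carried.
        if (!_accounts.TryGetValue(req.FromAccountId, out var from) || from.OwnerUserId != currentUserId)
            return "Rejected: caller does not own the source account";

        // 2. The destination must be one the caller registered beforehand, not a free-text number.
        if (!_registeredPayees.TryGetValue(currentUserId, out var payees) || !payees.Contains(req.ToAccountId))
            return "Rejected: destination is not a registered payee";
        if (!_accounts.TryGetValue(req.ToAccountId, out var to))
            return "Rejected: unknown destination account";

        // 3. The amount is re-validated on the server: positive, at most two decimals, covered by balance.
        if (req.Amount <= 0m || req.Amount != decimal.Round(req.Amount, 2) || req.Amount > from.Balance)
            return "Rejected: invalid amount";

        // In real code the two balance updates run inside one database transaction.
        from.Balance -= req.Amount;
        to.Balance += req.Amount;
        return "OK";
    }
}
```

A request whose amount, source or destination was edited in a proxy fails one of the three checks, because every decision is made against server-held state keyed by the session user rather than against the posted values.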
Oct 30, 2014 01:22 AM|brijrajrathod|LINK
Well, I posted this thread to get an out-of-the-box solution.
We are aware of the loophole and want to improve on it. Checking all details on the server side is fine.
But we don't want anybody to manipulate any information, like the amount etc.
Not all validation is applicable, especially when the user enters some input.