I have been tasked to integrate a Classic ASP website with the SageOne API. As part of their authentication you are required to provide an HMAC-SHA1 signature. I've found how to do this with SHA256 here: hash_hmac in using pure classic ASP, which worked in that it produced the hash, but was not valid for the API. I've found similar code for SHA1 here: https://precompiled.wordpress.com/2007/11/26/hmac-sha1-encryptie-onder-classic-asp/ but unfortunately the link to the required wsc file is no longer valid. I've not been able to find it elsewhere. Has anyone come across this file elsewhere? Or could anyone point me towards an alternative way of doing this?
Your sha1.wsc can be found at https://github.com/chakphanu/labs/blob/master/classic-asp-s3/sha1.wsc
I will not include it here as I don't want to examine the license requirements.
During API automation, I have a requirement to encrypt the password and decrypt it at runtime, just before using it in Karate.
Is there any specific inbuilt method available to do so?
If it is not available, can anyone please guide me on how to do this?
There's nothing built into Karate because you can easily plug in anything via Java interop: https://github.com/intuit/karate#http-basic-authentication-example
You can find plenty of Java code examples that will do what you want.
My question is about encrypting data in classic ASP and what the best course of action would be to encrypt text (not passwords) for storage and then allow all users to have access to the data (decrypt it). Basically the project consists of a classic ASP application that allows users to create accounts and see messages from other users. These messages need to be encrypted before being stored.
I have found some classic ASP encryption methods including Microsoft CAPICOM but the website points to a link where the download can be found for it and actually is a dead link. https://msdn.microsoft.com/en-us/library/ms995332.aspx
I have also seen some other forums posts mention creating a .net web service that will handle the encryption/decryption process which can be called from the classic ASP files.
I also stumbled on another concept which does not use a public/private key pair but instead uses a shared private key?
So I am hoping someone might know what method is best to try and accomplish this.
You only had to Google CAPICOM download.
Site: Download Center: Platform SDK Redistributable: CAPICOM
This download contains the redistributable files for CAPICOM 2.1.0.2 and samples of its use. CAPICOM can be used to digitally sign data, sign code, verify digital signatures, envelop data for privacy, hash data, encrypt/decrypt data and more.
Version: 2.1.0.2 File Name: capicom_dc_sdk.msi
Date Published: 9/26/2016 File Size: 1.8 MB
See also: Alternatives to Using CAPICOM
I have a classic ASP site with a shop and I have to migrate to the new SHA256 method (in Spain, Redsys is the company that provides the TPV service). It's a Spanish site but I suppose the problem is the same for everybody.
They have libraries for PHP and ASP.NET but none for classic ASP.
The problem is when you create the signature. In the manual they say:
decode a string with BASE 64
Do a 3DES encryption
Calculate the HMAC SHA256
Encode in BASE 64
Could somebody say where to find the libraries for that (free, please)?
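A reference implementation of those four steps, added here as an example (it is not code from Redsys, from the asker, or from any library linked on this page), so that a Classic ASP port can be checked against a known-good output. It is written in Go because the standard library already covers 3DES, HMAC-SHA256 and Base64 with no ActiveX component; the key, order number and parameter blob are constructed sample values, and the zero IV and zero padding used for 3DES-CBC are assumptions about the Redsys scheme.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
)

// Constructed sample inputs (not real merchant data): the merchant's 3DES key as the Base64 string Redsys hands out, and a Base64 Ds_MerchantParameters blob.
var MerchantKeyB64 = base64.StdEncoding.EncodeToString([]byte("0123456789abcdef01234567")) // 24 bytes once decoded
var ParamsB64 = base64.StdEncoding.EncodeToString([]byte(`{"DS_MERCHANT_ORDER":"000123","DS_MERCHANT_AMOUNT":"1250"}`))

// DeriveOrderKey covers steps 1 and 2: Base64-decode the merchant key, then 3DES-CBC encrypt the order number under it (zero IV, order zero-padded to 8-byte blocks; assumed convention).
func DeriveOrderKey(keyB64, order string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key) // fails unless the decoded key is exactly 24 bytes
	if err != nil {
		return nil, err
	}
	plain := []byte(order)
	for len(plain)%des.BlockSize != 0 {
		plain = append(plain, 0)
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, plain)
	return out, nil
}

// Sign covers steps 3 and 4: HMAC-SHA256 of the Base64 parameters under the per-order key, then Base64-encode the MAC.
func Sign(keyB64, order, params string) (string, error) {
	k, err := DeriveOrderKey(keyB64, order)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, k)
	mac.Write([]byte(params))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify recomputes the signature of a received notification and compares it in constant time.
func Verify(keyB64, order, params, sig string) bool {
	want, err := Sign(keyB64, order, params)
	return err == nil && hmac.Equal([]byte(want), []byte(sig))
}
```

Verify is the half a shop actually needs on the notification URL: a signature that does not match must be rejected before the order is marked as paid.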
Here you can download and use the RedSysAPI libraries for ASP Classic sites: https://github.com/ictmanagement/redsysHMAC256_API_ASP
It implements all the required steps for communicating with RedSys servers, and you can use the same official documentation because the API interface is the same as RedSysAPI_PHP. You also have examples.
The most important thing is that you are not required to install any ActiveX on your server, nor to install PHP.
I hope it will be useful for you!!
They won't tell you how to calculate the signature (like they did with the SHA1 implementation). Your only solution will be to use the APIs they provide. They have PHP, Java and ASP.NET covered but they're still working on the API for classic ASP, so you'll have to wait!
Don't worry about the cut-off date of 23rd of November, they'll keep SHA1 online for a whole lot longer as they've completely missed their own deadlines.
I have an encrypted dataconfiguration.config file for an application on ASP.NET Framework 3.5.
I need to change my connection string; how can I decrypt and read this file?
Security isn't an issue, I'm on a development environment.
Any tip will be appreciated.
Thanks.
A common way to encrypt ASP.NET configuration sections (such as ConnectionStrings) is to use Protected Configuration. However if your file does not read as XML, this method was not used or was not the only level of encryption used. It sounds like maybe there was a third party tool involved.
If I were you, I would probably create a new config file, and find everywhere in the project the old config file was referenced to point things at the new file.
If that is not possible, maybe you'd have better luck posting a question in a general cryptography category or doing some searches on the subject. I know some encryption can be identified by looking at the encrypted data. Some encryption schemes are designed specifically to hide that though. Good luck.
I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I have already tested using Microsoft recommended mitigation factors but I'm still scared that people will be able to get the web.config.
Can someone please explain how they do this or even provide a link to a tool that I can use to test my site with. I find that the official explanation of this part of the attack is really lacking.
The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application).
Guys - the answer is that once they have obtained the machineKey, they can use that key to fetch the files using another feature in ASP.NET
"In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.
Versions of ASP.NET prior to ASP.NET 3.5 SP1 do not have this feature, but are still vulnerable to the main machine key attack."
(see the post at the bottom of here: http://forums.asp.net/t/1603799.aspx from the asp.net team)
Scott Guthrie has a post which explains it to some extent.
This blogpost is pretty interesting: http://www.gdssecurity.com/l/b/
also read this:
How serious is this new ASP.NET security vulnerability and how can I workaround it?
afaik it goes like this:
these are hit: webresource.axd and scriptresource.axd, both use an encrypted/signed value that asp.net tries to check if it's valid
because of differences in the response when the files are valid or not, they can make the padding attack.
once the attack is successful they can generate a request for a resource as if it were originally emitted from asp.net
Now, as far as I knew, both of those are supposed to serve embedded resources, but I guess that's not the case (Scott Gu did mention in his post's comments those are the ones being used in the attack shown).
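A defender-side companion to that description, added here as an example (not code from any of the posters): it scans constructed IIS W3C log lines for clients that send many different d= values to WebResource.axd and ScriptResource.axd and receive server errors back, which is the valid/invalid response difference the answer above says the padding attack depends on. Field positions follow the default IIS W3C layout; the sample lines, the client addresses and the threshold are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed IIS W3C log excerpt (sample data, not from the page). Field order:
// date time s-ip method uri-stem uri-query port user c-ip user-agent status substatus win32 time-taken
const sampleLog = `2010-09-20 10:00:01 10.0.0.5 GET /WebResource.axd d=QUFBQQ&t=1 443 - 203.0.113.7 Mozilla/5.0 500 0 0 12
2010-09-20 10:00:01 10.0.0.5 GET /WebResource.axd d=QUFBQg&t=1 443 - 203.0.113.7 Mozilla/5.0 500 0 0 11
2010-09-20 10:00:02 10.0.0.5 GET /ScriptResource.axd d=QUFBQw&t=1 443 - 203.0.113.7 Mozilla/5.0 500 0 0 13
2010-09-20 10:00:02 10.0.0.5 GET /ScriptResource.axd d=QUFBRA&t=1 443 - 203.0.113.7 Mozilla/5.0 200 0 0 9
2010-09-20 10:00:04 10.0.0.5 GET /WebResource.axd d=QUJDRA&t=1 443 - 198.51.100.9 Mozilla/5.0 200 0 0 8`

// collect records, per client IP, the distinct d= values sent to the .axd handlers and how many of those requests ended in a 500.
func collect(lines string) (distinct map[string]map[string]bool, errors map[string]int) {
	distinct, errors = map[string]map[string]bool{}, map[string]int{}
	for _, ln := range strings.Split(lines, "\n") {
		f := strings.Fields(ln)
		if len(f) < 11 || !strings.HasSuffix(strings.ToLower(f[4]), ".axd") || !strings.HasPrefix(f[5], "d=") {
			continue
		}
		d := strings.SplitN(f[5][2:], "&", 2)[0] // the ciphertext blob, minus trailing parameters
		if distinct[f[8]] == nil {
			distinct[f[8]] = map[string]bool{}
		}
		distinct[f[8]][d] = true
		if f[10] == "500" {
			errors[f[8]]++
		}
	}
	return distinct, errors
}

// Suspicious returns the set of clients that sent at least minDistinct different d= values and drew server errors for some of them; legitimate pages reuse a few fixed values and get 200s.
func Suspicious(lines string, minDistinct int) map[string]bool {
	hits := map[string]bool{}
	distinct, errors := collect(lines)
	for ip, ds := range distinct {
		if len(ds) >= minDistinct && errors[ip] > 0 {
			hits[ip] = true
		}
	}
	return hits
}

func main() {
	fmt.Println("clients to investigate:", Suspicious(sampleLog, 4))
}
```

On a real server the threshold should be set from a baseline of normal .axd traffic, and a custom error page that returns the same status for every failure removes the signal the check is looking for.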
The following post may be interesting for this thread:
http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
FYI, a patch for this bug has been released on Windows Update.
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx