limit access to webservice to some websites and apps - asp.net

I have two web servers. One runs an ASP webservice and the other runs a website, where I use JavaScript to access the webservice.
My problem is that I don't want to keep the webservice access open for everyone on the www, and I want to limit the access to several applications. It shouldn't be allowed to access the webservice from another website.
There is still the possibility of allowing access from other websites or apps, which should be considered here.
Do you have any thoughts for approaches to restrict the access to the webservice?

Related

How to block access to Web API, except from the ASP.NET Web Application

I have a website in IIS, say abc.com.
Now I also have an ASP.NET API as a virtual application within abc.com.
I want to restrict all direct access to the API, except from the website (browsers, Postman, Fiddler, etc.).
Within the API, I tried to detect the IP from which the request was made:
context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
context.Request.ServerVariables["REMOTE_ADDR"];
Although the above may help in detecting the client IP, it may do little to help in preventing outside website requests to the API.
How can I accomplish this?
Thanks for any pointers.
Does the web site require logons, and did you implement security? Take any web service call (to a static method in an existing aspx page, or even a call to an asmx page): if that page is placed in a folder that has security (in web.config, as normally dropped in each folder to secure by security groups (roles)), then those web service calls from the browser simply will not work unless the user is logged into the site correctly.
For any web calls that you don't need or want security on, place those aspx/asmx pages in folders without IIS security applied, and no logon will be required to use such pages.
If you don't have any security set up? Then it is going to be rather hard to suggest you want security for the web site when there is no security set up.
So, even a simple basic FBA (the classic security setup) will thus be handled by IIS, and those web service calls can't occur unless the user is already logged in. So, you're free to write and set up ajax calls from the client-side page, and you don't even have to worry about security in that client-side JavaScript code if the site has security set up.
If you don't have any security set up or applied to the site, then it quite much suggests that you don't have many options in the way of security choices.
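The folder-level approach the answer describes, written out as a root web.config (this is an added example, not the answerer's own file; the folder names "services" and "public", the role name "Staff" and the login page path are assumptions). Rules are evaluated top to bottom and the first match wins, so the anonymous user "?" is denied before any allow rule is reached:

```xml
<!-- Added example: not from the answer above. Folder names, the "Staff" role
     and ~/Login.aspx are assumptions; adjust them to the real site layout. -->
<configuration>
  <system.web>
    <!-- Classic Forms Based Authentication (FBA). requireSSL keeps the auth
         cookie off plain HTTP, which is what the web-service calls rely on. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>
  </system.web>

  <!-- Everything under /services (aspx page methods, .asmx services) answers
       only to callers that already hold a valid Forms Authentication ticket
       AND are in the Staff role. A browser that never logged in, or Postman
       without the cookie, gets redirected to the login page instead. -->
  <location path="services">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="Staff" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Calls that are meant to stay open live in a separate folder with no
       restriction, as the answer suggests for pages that need no logon. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The check a practitioner should run after deploying this: call one of the /services endpoints from Fiddler or Postman with no cookie and confirm the response is the login redirect (302 to ~/Login.aspx) rather than the method's normal output. The IIS/ASP.NET authorization module runs before the page or service handler, so this holds for ajax calls as well as full page loads.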

Simple Security setup on WebApi

I'm currently in the process of exposing our internal CRM system to the web so our employees can use it outside our network. The data is being surfaced to our web application via ASP.NET Web API.
We have SSL set up on the website, but I am thinking about how else I can make sure the Web API is secure from malicious use. My ideas are:
1. Tracking what IP addresses are accessing the Web API and only allowing addresses that we have validated are from employees. The problem with this is that, with dynamic IP addresses, we might be constantly updating a data store of valid IP addresses.
2. The user has to log in to the system, so every request to the Web API will send across their login details, which will be validated before the Web API will process any request.
3. Pass the device ID of the device using the Web API and validate it (pretty much the same as IP address tracking in idea 1).
4. Having a unique client-side generated access token which must match up at the server side.
Has anybody got any advice on the security ideas I outlined? Is it too little or is it overkill?
Just want to make sure the data cannot be hacked, because my butt would be on the line if it did.
Thanks in advance
I would actually choose a totally different solution; updating valid dynamic IPs will be hell.
I would:
Create a new Project using the "Intranet Application" instead of using "Internet Application"
Host the application on your local office network
Set up VPN to your Office for your colleagues
Would this solution be possible for you?

How to use the same session in two websites using ASP.Net and C# in Windows Authentication

I have two websites and I am using the same session object for both of the websites.
How can I achieve the same session in two websites?
Regards,
Prasad
You can't. The sites are separated and, as such, the Session data is separated.
It would be a big security issue if you were able to access Session data from a remote site (which this is, even though they are locally hosted).
What you are trying to achieve is basically SSO (Single Sign-On), in which a user is logged in to one site and isn't required to log in to the other sister websites.
Either search for SSO and get detailed information on its implementation, or, in both of your websites, make a webservice with EnableSession set to true.
When you need to check Session["Login"] in one website, call the web method of the other website's webservice and get the information, and vice versa.

Call web services ONLY from client side

I have a web-based application that uses a lot of client-side requests to various .asmx files.
I am wondering if I can use those web services only from the client side and restrict the requests from other sources.
The reason for this is that I want to use those web services only from the current application and restrict requests from other sources. For security reasons I could use SOAP authentication, but since I request the services from the client side, I don't think the authentication matters.
I'll appreciate any comments.
Thanks
The webservices are by definition public: publicly visible and available (unless they run on a private network or a standalone computer), i.e. anybody can access them. So, just deploying a webservice and hoping for the best is not a good approach.
And how do you intend to restrict other access?

Least intrusive way of securing a web service?

I am maintaining a public website (no authorization required) that uses web services over HTTPS to perform various operations. Most of the calls to the web services are invoked from JavaScript.
What has recently occurred to me is that a malicious hacker could, if he/she chose to, call the web services directly in an attempt to play havoc with the system.
In reality, there is not much damage they could do, but in practice these things are difficult to predict.
Bearing in mind that the web service calls will be exposed in JavaScript code (which is available to the client), what is the best approach I could use to prevent unauthorized and/or malicious access to the web services?
Sadly, I can't just restrict access by IP, as there are Windows Forms-based client applications out there which also interact with the web services.
Using Windows authentication may be difficult, as these client apps can be run from anywhere in the world and the users are not part of any specific AD group, or even domain for that matter.
I'd appreciate any suggestions, bearing in mind the two different classes of access and the exposure of the JavaScript code.
Anything called by JavaScript can be mimicked easily by a malicious user who has the right to use that JavaScript. I would suggest modifying the page to use a more server-side solution. Leave AJAX to stuff that can't be easily exploited.
Preventing an unauthorized user is MUCH easier than supporting full public access. If you drop a time-expiring GUID in the user's cookies, tied to the individual user, that gets sent as one of the arguments to the web service, you have an extra, generally difficult-to-break, layer to the application.
Anyone who has access to execute the JavaScript, though, should have no trouble piecing it together. Someone who has no access to the JavaScript can probably be kept from accessing the web service easily.
It takes a bit of doing, but if your page is also ASP.NET you can set up a shared session, turn on the EnableSession attribute on your web service and use session data to secure the session. An overview can be found here: http://blogs.lessthandot.com/index.php/WebDev/ServerProgramming/ASPNET/sharing-asp-net-session-state-between-we
This would necessitate a different "version" of the service for your windows apps to consume.
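One way to build the time-expiring, per-user cookie token from the answer above and the EnableSession web method from the answer after it, as an added example that is neither answerer's code. Instead of a bare GUID looked up in a store, the token carries the user name and an expiry and is signed with an HMAC, so the service can verify it without any server-side table; the class and method names (CallToken, IssueToken, ValidateToken, the "svcToken" cookie, the Orders service) and the hard-coded secret are assumptions for the example. The caveat from the answer still applies: anyone who can run the page's JavaScript can read the cookie and replay the token until it expires, so this keeps out callers who never logged in, not a logged-in user with Fiddler.

```csharp
// Added example, not code from the original answers. Names and the secret are
// assumptions; in a real site load the secret from protected configuration.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

public static class CallToken
{
    // Assumption for the example only: never ship a hard-coded key.
    private static readonly byte[] Secret =
        Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-secret");

    // token = base64( userId | expiresUtcTicks | base64(HMAC-SHA256(userId|expiresUtcTicks)) )
    public static string IssueToken(string userId, TimeSpan lifetime)
    {
        long expires = DateTime.UtcNow.Add(lifetime).Ticks;
        string payload = userId + "|" + expires.ToString();
        string mac = Convert.ToBase64String(Sign(payload));
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload + "|" + mac));
    }

    // True only if the token is well-formed, unexpired, issued for expectedUserId
    // and carries a MAC computed with our secret.
    public static bool ValidateToken(string token, string expectedUserId)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(token)); }
        catch (FormatException) { return false; }

        string[] parts = decoded.Split('|');
        if (parts.Length != 3) return false;

        long expires;
        if (!long.TryParse(parts[1], out expires)) return false;
        if (DateTime.UtcNow.Ticks > expires) return false;                // expired
        if (!string.Equals(parts[0], expectedUserId, StringComparison.Ordinal))
            return false;                                                 // tied to this user

        byte[] expectedMac = Sign(parts[0] + "|" + parts[1]);
        byte[] givenMac;
        try { givenMac = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }
        return FixedTimeEquals(expectedMac, givenMac);
    }

    private static byte[] Sign(string payload)
    {
        using (var h = new HMACSHA256(Secret))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Constant-time comparison so a forged MAC cannot be refined byte by byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The page that serves the JavaScript drops a fresh token into a cookie for the
// logged-in user (assumes Forms Authentication populated User.Identity.Name).
// HttpOnly is deliberately false: the script must read it to pass it as an argument.
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string token = CallToken.IssueToken(User.Identity.Name, TimeSpan.FromMinutes(15));
        Response.Cookies.Add(new HttpCookie("svcToken", token) { Secure = true, HttpOnly = false });
    }
}

// The web service checks the token before doing any work. EnableSession = true
// matches the shared-session suggestion; Context.User comes from the same
// Forms Authentication cookie the page used.
[WebService(Namespace = "http://example.invalid/")]
[ScriptService]
public class Orders : WebService
{
    [WebMethod(EnableSession = true)]
    public string GetOrderStatus(string token, int orderId)
    {
        if (!CallToken.ValidateToken(token, Context.User.Identity.Name))
            throw new UnauthorizedAccessException("invalid or expired call token");
        return "order " + orderId + " ok";  // the real lookup goes here
    }
}
```

On the client the page's script reads the svcToken cookie and passes it as the first argument of every call; a request that arrives without it, with an expired one, or with one minted for a different user is rejected before the method body runs. The Windows Forms clients would need their own issuing path (for example a login method that returns the token), which is the separate "version" of the service the last answer mentions.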
