I have a public web app that calls ASP.NET web method in an ASMX file, located in the same site folder in IIS. But, to prevent bots to ping the service directly, we'd like to secure the API so that only our HTML 5 client page can access it. Do you have a suggestion on how should I implement this kind of thing ? Not too much, just a simple mechanism that won't take a week of testing please. Doesn't have to be a 100% full proof method since it is public data and the API just pumps data out, not inserting anything. Just something to limit possibilities of DDOS attack on the API.
The way I've tackled this in the past is with a custom header.
Essentially if your web page is using some form of AJAX call to call back to your services layer, then you can use something like:
xhr.setRequestHeader('custom-header', 'value');
where 'xhr' is an XML Http request that you've built in Javascript
of course you could also take the much easier route of just adding a parameter to your calls query string, EG:
in your ajax call, request:
http://my.services/service.asmx?somesecretkey=foobar
instead of just
http://my.services/service.asmx
Then you can just use the request's query string collection server side to see if it's present or not, and refuse the connection if it's not.
You could even go so far as providing some seed value in the data passed to the page in the first place, then use that seed value to create a unique value (one the server can also calculate) that is returned back in your request to the server.
Doing it that way would provide a slightly higher level of security, as the values would be semi random and not easy for a bot to guess.
Bear in mind also, that if you control the calling page, and you are doing this by ajax, you can also put this key in your post variables collection too so it doesn't have to be visible in the get request.
Related
I have two Asp.Net web apps, App 1 and App 2. They both use the same database. I am trying to give command from App 1 and immediately run a bit of code in App 2.
The only way I can think of doing this is by inserting a command in the database and have App 2 poll the database every few minutes. But this means there may be a delay in running the code.
Is there a way to run code in App 2 immediately?
You can fire an HttpRequest from one app to another and the code will run almost immediately.
I don't know what language and platform you're using, so it's hard to give you concrete examples, but here are the outlines:
Create a page in App2. In standard ASP.Net, you can use a handler. In ASP Core, you can use an API controller. Both car return a single value or a full object in JSON or XML. Or you can use a standard page if you like to return HTML. The code behind is what you want to run. The rendered page or return value from the handler or controller is what you want App1 to get back in response.
Then from App1, issue an HttpRequest to that page in App2 and check the response to see how to continue (for example, if the code ran successfully or not).
The HttpRequest is in case you want to make the call from the server side of App1. If you want to make the call from the client side, then you use Ajax instead. In the case of Ajax, you have to pay attention to the security side, because you don't want to allow whoever to call that page from App2 unless it unless the code behind doesn't pose any security risk and doesn't return any sensitive data.
One last idea specific to your scenario, since both apps are using the same database, you can add the required values to the database as you were planning to do, and then issue a simple HttpRequest. This way, you don't need to worry about security or passing a any sensitive info. When App2 receives the request, it checks the database to see if the request was actually made from App1 and then processes it, otherwise ignores it.
Currently working on an ajax call to an ASP web service (.asmx).
In a situation where I POST to the url/.asmx/WebMethod, am I exposing information of any kind?
In the 'WebMethod' I am running a PostJsonAsync that calls an API and passes along a json string.
As I am still learning, I've been told that calling any public [WebMethod] exposes the code, but I am not sure how that is possible.
Is it possible at all for a user to access the WebMethod server-side code that I have and peek into the API calls that are available?
I've attempted some minor security methods.. We are working with Sitefinity CMS. What I did was call a WebMethod that receives the CurrentUserIdentity and returns a GUID. If the current user is logged in, it returns a valid Guid, if not it returns a Guid full of zeros.
Then, I call the WebMethod containing my API call and post a json object along with the valid or invalid GUID. The server-side WebMethod code will then verify if the GUID is valid and continues based on if a UserProfile can be generated.
To me, this seems to be secure, but I've been told that this still leaves the WebMethod exposed as well as the API. I am however just not understanding what is exposed and what can be used.
If anybody can direct me to any resources that has more information on this, or if anybody can advise me on WebService security, I would appreciate it.
Thanks in advance.
If you're calling the methods via AJAX, then they are exposed to the public...and can be called by anything that can make a call to your server. That being said, there's nothing wrong with it unless you're doing something that's easily abused.
In your particular case, it sounds like the code is accepting a GUID that is assumed to have come from the first API call. If that's really the case, you may want to rethink how the mechanism works. Adding authentication checks for each method that needs to be restricted may be a better solution.
I want to implement a query on my web page that gets results from another web service and displays them to the user. For this I ofcourse send the request as GET method from the web page. Server side, I process the request, get results from that web service and return them back to user.
However, I also want to save the results for future refernce. Something like history of queries. For this I will store the results in a database.
Now, the question is since I am upating my database everytime a query is made, should I be using POST method on the web page or GET would do? Does HTTP explicitly say anything for this scenario?
HTTP itself doesn't say you have to use POST -- the technology will work just fine if you're sending your data on queryparams.
But current convention says that you should use POST, specifically when using API services under a RESTful model. If you are passing data (even on the query params) that is creating a new record, it should use the POST verb. Updating it should use PUT.
It's going to get down to what your audience expects. If it's just an internal resource, go for it with GET. If you expect to open this up as a public service, use POST.
I am just wondering how to do this:
I have a page which shows some tabular data. On each row there is a checkbox. The user selects two/more checkboxes; my web page must find the corresponding ids of the rows which are checked. I must send this to the http web service. (basically a *.ashx file). I have two questions:
how will I access this on web server
how will my web server know the total no. of items I've passed. Must I manually send this to the server as a http post parameter?
what if the data I am sending is more complex like a person object which has fields like FirstName, LastName, etc. ?
I know I can use a asp.net web service or a wcf service with exposes a datacontract. But what is the best way to handle this without the SOAP overhead; what if you are sending all this data via ajax as a normal http post?
http://jquery.malsup.com/form/#getting-started might be worth investigating as a starting point.
In terms of your questions, the answers will partly depend on whether you are using MVC or WebForms. But in general:
If you use the above plugin, you will access it just like it was a normal form submit (post).
They will be populated into Request.Form.
This shouldn't be a problem. Model binding on MVC should handle this fine, I am not 100% sure of the equivalent on WebForms (you could always do it manually).
My suggestion would be to ignore the AJAX requirement for now. Get it working with a standard form submit (POST). Then come back and integrate the above plugin to enable AJAX.
1. How will I access this on web server
Using either postback (and a checkboxlist control), or handling POST yourself. GET wouldn't be appropriate for the task.
2. How will my web server know the total no. of items I've passed. Must I manually send this to the server as a http post parameter?
It will send back the value of each checkbox you have on the form, which will give you the total.
3. What if the data I am sending is more complex like a person object which has fields like FirstName, LastName, etc. ?
You could use Viewstate for this, or just re-assemble the objects on the server. Typically this means putting an ID in the checkbox value for the person each checkbox represents - you don't need to send back every piece of information about the object.
What is the best way to handle this without the SOAP overhead; what if you are sending all this data via ajax as a normal http post?
jQuery and JSON would be the best solution for this, if you want side step the built in ASP.NET ajax controls. As suggested, jQuery is the simplest Javascript library for the client side part of the task - you'll need to use $.post
I want to implement an ISAPI filter like feature using HttpModule in IIS7 running under IIS Integrated Request Processing Pipeline mode.
The goal is to look at the incoming request at the Web Server level, and inject some custom HttpHeaders into the request. (for ex: HTTP\_EAUTH\_ID)
And later in the page lifecycle of an ASPX page, i should be able to use that variable as
string eauthId = Request.ServerVariables["HTTP\_EAUTH\_ID"].ToString();
So implementing this module at the Web Server level, is it possible to alter the ServerVariables collection ??
HttpRequest.ServerVariables Property is a read-only collection. So, you cannot directly modify that. I would suggest storing your custom data in httpcontext (or global application object or your database) from your httpmodule and then reading that shared value in the aspx page.
If you still want to modify server variables, there is a hack technique mentioned in this thread using Reflection.
I believe the server variables list only contains the headers sent from the browser to the server.
You won't be able to modify either the HttpRequest.Headers or the HttpRequest.ServerVariables collection. You will however be able to tack on your information to any of:
HttpContext.Current.Items
HttpContext.Current.Response.Headers
Unfortunately, Request.Params, Request.QueryString, Request.Cookies, Request.Form (and almost any other place you'd think of stuffing it is read only.
I'd strongly advise against using reflection if this is a HttpModule you're planning on installing into IIS 7. Given that this code will be called for (potentially) every request that goes through the web server it'll need to be really fast and reflection just isn't going to cut it (unless you have very few users).
Good luck!