posting data using sql query - asp.net

I'm implementing a SMS verification system. this system is provided by a third party company. it can be done by using both GET and POST. that both works perfectly.
Using get:
http://srviceprovider.com/sms.aspx?text=SomeText&To=ReceiverPhoneNumber&from=SenderPhoneNumber&username=MyUserName&Password=MyPassword
that is simply giving out my credentials
and the second way the provider show in its example is:
Post using:
Response.Write();
this looks better than the first one. but still one can access the username and password. I was wondering if there is a way to post data from server (not client side) and may be using sql queries.

Use SSL communication. Google it.
You should not be sending or even storing plain passwords in your database. It must be encrypted everwhere using some encryption algotithm like SHA. For eg. Password abc will be encrypted and saved as 123. Password can be encrypted at the client side itself and then sent to the server. Even if anyone sees the password value (123) in the string or in the database table he would not be able to use it in the password box because the encrypted value of 123 will be something else like xyz.
Read more about SHA algorithms and you will yourself get to know everything.
Cheers and all the best !
As per my understanding you wish to post to a webserver but not from your client side. You can make use of WebRequest class (at server side) to post data to the 3rd party's web server. Futher if you wish to make the entire process aynchronous you can make use of Win Services/WCF Services to post data on some web server. Here you will first just update the fields/flags in the db tables using queries fired from the client side. Next your win/wcf service will pick those records from the tables, form the required query and finally will POST it on some web server. For more information on WebRequest class you can go through this link.

Related

ASP.Net Core 2(.1.2) - Save user data without having to trust the client

I'm currently working with ASP.Net Core 2.1.2 and I can't find a solution for my problem.
Currently I'm building a controlpanel together with Angular 5.
The data for a user is stored in a MySQL database.
To have access to the controlpanel you have to login - and the server will load some data. Important is the admin-level (1-?) - some actions are only allowed for admins with atleast a level.
For the authentication I'm using JWTBearer, which gets sent by the client at every HTTP action as header. But in some methods I also want to check the admin-level.
Now where can I store data for the client, like his admin-level?
Is it safe to save it with a Claim? But then wouldn't it be possible for the client to modify it clientside and send a "custom" header?
I also tried to put the data in a dictionary and use the (HttpContext.)User (of type ClaimsPrinciple) as the key, but that won't work because User is always different at every Request.
Is there any safe way to store the data for a User?
You can safely store your admin-level information in a Claim, unless you're worried that someone can read it. It's not possible to modify a Claim in JWT, because its value is signed by key which only you should know and after the modification this token will be invalid. Read this article to get more information about JWT

Stop concurrent multiple client's access to the ASP.NET Web API and ASP.NET Identity 2.1

Problem statement:
Hi. I have some secured data which I want to expose through Web API and ASP.NET Identity mechanism. I want to use out of the box classes of ASP.NET Identity. I take a payment manually and change a value in the table. But there are cases where the user will share his username + password with some other guys so that the others can access the same content without paying anything.
Work plan:
So, I have extended the AspNetUsers table with a column named ApplicationToken (varchar). After successful login, I want to generate a token, update the field of the user's row in the table, and add this value as a claim information and send back to the client app. Now, when the user requests for a paid content, my client app will send the token also. So, somewhere in my server side codes, I need to check this ApplicationToken with the Database token value. If both are equal, I allow the request to proceed, otherwise I will send 401 Unauthorized and tell them to login again.
Implementation options:
After studying and searching, I found the below options to implement:
Create Custom Authentication Filter attribute so that I can grab the claims send from the client and do my required validation
Create a base class of the secured API and get the claims there and do my required validation.
Go for different Jwt based implementation where I should have access in both issuing and checking the Json Web Tokens.
If you have any other options, I would be very glad to hear those.
My question is, which approach is better to proceed. I have enough time to implement, so time is not a factor here. Thanks.

Prevent Password being sent over HTTP GET

I have come across a strange requirement during Security Review where I have to prevent username and password is being sent over HTTP GET in asp.net web forms.
Scenario is like this.
We have simple asp.net login form with user name, password and Submit button(POST method). During security review, the security tester changes the Form method to GET using some proxy tool(Burp Suite),then the user name and password is sent over as query string.
GET /Login.aspx?_LASTFOCUS=&_EVENTTARGET=&_EVENTARGUMENT=&_VIEWSTATE=''&_SCROLLPOSITIONX=0&_SCROLLPOSITIONY=0&__EVENTVALIDATION=%2FwEWCgKm973fCgKOieLQt9kH6PhK0wq%2FpfP8pXG%2FF&%24txtUser=abc#abc.com&txtPassword=1233&%24btnLogin=Login
As per the security testing team the GET (form method changed to GET using proxy tool) method should not pass the user password in query string.(as per my understanding GET will always pass value as query string even if it is password field)
An easy way to acheive what you need is to speficy server side to only look at the posted values server side and ignore the query string items, for example by using
Request.Form["foo"]
Instead of
Request["foo"]
Or
Request.QueryString["foo"]
There is no security reason for this, really you just want to be using SSL.

Is it Possible to have an ASP.NET Application in Microsoft Outlook

Users need to fill out an access request and once they are done and hit the submit, it emails the request to their supervisor.
Is it possible to email the entire form(with the user data and also to be filled fields by supervisor) in an email so that the supervisor can select accept and the change would be reflected in a SQL database from Outlook itself?
Emailing the form can be done. Writing an Outlook add-in can also be done. But you'll save yourself a lot of time if you just write an "approval" page in your web app and send a link to this page in the email to the supervisor. You can put any information you want in the email, of course.
ETA: But to actually suggest a solution: you could send an email that included a hyperlink, that included identifying information in the query string, and use that as a way of signalling to a web page or web service that the request should be approved. You'd have to work out something with security and authentication, of course, so that not just anybody could call that page and approve the request.

Passing a database value to a front-end querystring

This may be a simple question, but I'm trying to call a a value from table in my back-end SQL Server database and pass it through a querystring in the URL. For example:
I'm building a mobile web site that registers a mobile device to an account on the sign up page. After the database entry is created, I want the to get the generated deviceId from the database and pass it to a querystring in the URL such as: http://www.mobilewebsite.com?dId=22
Is this easily possible, or is it even the best solution for what I'm trying to accomplish?
Wouldn't something more unique to the device be more appropriate? Such as it's ESN?
Why not generate a GUID on the device and simply submit that. That way, no round trip to the database is required.

Resources