Securing a cross-domain call - c#

We are using a program that runs on the client machine to control its devices (scanner, printer, etc).
On the server side, a .net website generates javascript to call methods of that program using cross-domain.
A schema will explain it better, the command request and response is in red:
Problems come when we talk about security: any website (which does not belong to us) could use cross-domain to call our program and possibly execute anything.
I have no idea how to make it secure; we would like to make sure the command has been initiated by our servers.
Is there any already existing pattern for this kind of security behaviour?
If not, any suggestion is welcome.

When the client browser connects it can get a token (SSL?) from the company LAN, which could be passed to the executable. The executable then sends the token to the company LAN for verification.
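One way to implement the token this answer describes, as an added example in C# (not code from the question or the answer): the web server mints a short-lived, single-use HMAC token bound to one command; the page hands token and command to the local program; the local program posts the token back to a verification endpoint on the server and acts only on a positive reply. The secret, the token format, the 30-second lifetime, the command names and the replay store are assumptions; the HTTP verification endpoint and the local program's call to it are not shown.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original question or answer. Assumed design: the web
// server mints a short-lived, single-use token bound to one command; the page passes token
// and command to the local program; the local program posts the token back to a server
// verification endpoint (not shown) and acts only on a positive answer.
public sealed class CommandTokenService
{
    private readonly byte[] _secret;          // server-side only, never shipped to clients
    private readonly TimeSpan _lifetime;
    // Nonces already redeemed. A multi-server deployment needs a shared store instead.
    private readonly ConcurrentDictionary<string, byte> _used = new ConcurrentDictionary<string, byte>();

    public CommandTokenService(byte[] secret, TimeSpan lifetime)
    {
        _secret = secret;
        _lifetime = lifetime;
    }

    // token = base64(command|expiry|nonce) + "." + base64(HMAC-SHA256(command|expiry|nonce))
    public string Issue(string command)
    {
        if (command.Contains("|")) throw new ArgumentException("command must not contain '|'");
        string nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        long expires = DateTimeOffset.UtcNow.Add(_lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes(command + "|" + expires + "|" + nonce);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Mac(payload));
    }

    // Called by the server's verification endpoint with the token the local program received
    // and the command it is about to run. Any failed check rejects the token.
    public bool Verify(string token, string command)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, givenMac;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            givenMac = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        // Constant-time comparison: a forger must not learn how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(Mac(payload), givenMac)) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3 || fields[0] != command) return false;        // bound to this command
        if (!long.TryParse(fields[1], out long expires)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires) return false; // expired
        return _used.TryAdd(fields[2], 0);                                    // single use
    }

    private byte[] Mac(byte[] data)
    {
        using (var hmac = new HMACSHA256(_secret)) return hmac.ComputeHash(data);
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new CommandTokenService(RandomNumberGenerator.GetBytes(32), TimeSpan.FromSeconds(30));
        string token = svc.Issue("scanner.scan");

        Console.WriteLine(svc.Verify(token, "scanner.scan"));                      // True: genuine, first use
        Console.WriteLine(svc.Verify(token, "scanner.scan"));                      // False: replay
        Console.WriteLine(svc.Verify(svc.Issue("scanner.scan"), "printer.print")); // False: other command
        string tampered = token.Substring(0, token.Length - 4) + "AAAA";
        Console.WriteLine(svc.Verify(tampered, "scanner.scan"));                   // False: bad MAC
    }
}
```

Verification has to happen on the server (or with a key the executable fetches from the server over TLS), because anything embedded in the client binary can be extracted. The local program should also listen on loopback only and expose a fixed set of commands, so that even a stolen token buys an attacker nothing beyond one of those commands, once, within its lifetime.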

Related

Prevent other applications from connecting to your TcpListener

I made an FTP server application which uses .NET's sockets. The application will immediately disconnect a client that was accepted by the TcpListener if the client didn't send a login message containing a username and password. But how do I prevent someone from decompiling my client application, seeing the server's password and replicating the message that's required by the client to log in to the server, in another app? In general I want to prevent someone from making an application that implements my objects from the .dll provided with the client application, which can connect to my FTP server.
There isn't really a way to completely protect your service if you are going to distribute a client library. As Kinetic says, hard coding passwords is definitely a bad idea because someone could easily decompile your assembly or use something like process explorer to discover it.
There is usually little harm in gracefully handling any client that conforms to your protocol. If you think that it's likely your service will be the subject of abuse then perhaps look into denial of service protection. 😉
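Since the client binary cannot be kept secret, the protection the answer points at lives on the server. The following is an added example in C# (not code from the question or the answer) of the server side of that: per-user salted PBKDF2 credentials instead of one password baked into the client, a login deadline so idle sockets are dropped, a per-address connection cap, and a lockout after repeated failed logins. The login line format "LOGIN user password", the in-memory user store, the demo account and all limits are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from the original question or answer. Assumptions: a login line
// "LOGIN <user> <password>", an in-memory user store filled at startup (a real server loads
// per-user salted hashes from disk), and the limits below. The client binary is treated as
// public; every check happens on the server.
public static class GuardedListener
{
    private const int MaxConnectionsPerAddress = 5;
    private const int FailuresBeforeLockout = 5;
    private static readonly TimeSpan LoginDeadline = TimeSpan.FromSeconds(10);
    private static readonly TimeSpan Lockout = TimeSpan.FromMinutes(5);

    private sealed class FailureState { public int Count; public DateTime LockedUntil; }
    private static readonly ConcurrentDictionary<IPAddress, int> Active = new ConcurrentDictionary<IPAddress, int>();
    private static readonly ConcurrentDictionary<IPAddress, FailureState> Failures = new ConcurrentDictionary<IPAddress, FailureState>();
    private static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Users = new Dictionary<string, (byte[] Salt, byte[] Hash)>();

    public static async Task Main()
    {
        AddUser("alice", "correct horse battery staple"); // demo account only
        var listener = new TcpListener(IPAddress.Any, 2121);
        listener.Start();
        while (true)
        {
            TcpClient client = await listener.AcceptTcpClientAsync();
            _ = Task.Run(() => ServeAsync(client));
        }
    }

    private static async Task ServeAsync(TcpClient client)
    {
        IPAddress addr = ((IPEndPoint)client.Client.RemoteEndPoint).Address;
        int concurrent = Active.AddOrUpdate(addr, 1, (_, n) => n + 1);
        try
        {
            using (client)
            {
                // Cheap rejections first: locked-out address or over the per-address cap.
                if (IsLockedOut(addr) || concurrent > MaxConnectionsPerAddress) return;

                NetworkStream stream = client.GetStream();
                var reader = new StreamReader(stream, Encoding.ASCII);
                Task<string> firstLine = reader.ReadLineAsync();
                // Socket timeouts do not apply to async reads, so race the read against a delay:
                // a client that holds the socket without logging in is dropped at the deadline.
                if (await Task.WhenAny(firstLine, Task.Delay(LoginDeadline)) != firstLine) return;

                if (!ParseLogin(firstLine.Result, out string user, out string pass) || !CheckCredentials(user, pass))
                {
                    RecordFailure(addr);
                    return;
                }
                Failures.TryRemove(addr, out _);
                var writer = new StreamWriter(stream, Encoding.ASCII) { AutoFlush = true };
                await writer.WriteLineAsync("230 Logged in");
                // Authenticated command handling would continue here.
            }
        }
        finally { Active.AddOrUpdate(addr, 0, (_, n) => n - 1); }
    }

    public static bool ParseLogin(string line, out string user, out string pass)
    {
        user = pass = null;
        string[] p = line?.Split(' ');
        if (p == null || p.Length != 3 || p[0] != "LOGIN") return false;
        user = p[1]; pass = p[2];
        return true;
    }

    public static bool IsLockedOut(IPAddress addr) =>
        Failures.TryGetValue(addr, out FailureState s) && s.LockedUntil > DateTime.UtcNow;

    public static void RecordFailure(IPAddress addr)
    {
        FailureState s = Failures.GetOrAdd(addr, _ => new FailureState());
        lock (s)
        {
            if (++s.Count >= FailuresBeforeLockout) { s.Count = 0; s.LockedUntil = DateTime.UtcNow + Lockout; }
        }
    }

    // Per-user PBKDF2 hashes: a leaked client reveals nothing about any user's password.
    public static void AddUser(string user, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        Users[user] = (salt, Derive(password, salt));
    }

    public static bool CheckCredentials(string user, string password)
    {
        if (!Users.TryGetValue(user, out var rec)) return false;
        return CryptographicOperations.FixedTimeEquals(Derive(password, rec.Salt), rec.Hash);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
}
```

With this shape a decompiled client gains an attacker only the protocol, which any conforming client is allowed to speak anyway; what it does not gain is a credential, and brute-forcing one is throttled by the lockout and the connection cap.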

Best way to contact Desktop application remotely via Internet

I want to pass certain parameters to a desktop application remotely via the internet. I don't want my application to contact the server repeatedly, because many such applications can bring the server down easily. Is there a way to initiate the connection from the server? How can I identify the applications, as there will be many of them running on many computers somewhere around the globe? I don't know where to start - I'm trying to do this in C# and ASP.NET/PHP on the server-side. Please give some advice.
Is there a way to initiate the connection from the server?
No. Not without having the client contact the server first, informing it of the IP address, port to use, etc., which the server will need to keep for each client, hoping that they don't change (or get updated when they do change).
Long polling by the client is the right solution for what you are doing, even if you don't want to use it.
There are many different ways you could approach this, just thinking out of the box, both your app and the server could utilize a different mechanism for transferring the settings. I'm not recommending any of these methods, please don't shoot me down, they are all just ideas.
As an example, your server could connect out using FTP and output the updated settings to an FTP server on each PC. You could install something like Filezilla on each machine which runs your app. You'd obviously need to configure port forwarding on the router to allow the server FTP access.
You could use email. Setting up an email account where your server can login to send out the settings. Your app could possibly login to the same email account possibly even a single Gmail account to retrieve the settings.
Another idea would be to use a file sharing service like Dropbox, Google Drive or similar and where the settings could be shared. Obviously this would involve learning any API and I'm not sure if there are any restrictions on this approach.
The last idea and probably my preferred approach would be to host a web service and database on a remote server, both your server and the applications would connect to the same service to transfer the settings. This approach is obviously firewall/router friendly as all the clients connect out to the web service to collect the required data.
Hope this helps?

How to listen on browser requests (proxy, addon...)?

I wanted to know what is the best way to write an agent on Win platform that will be able to monitor browser's communication.
Scenario: monitor the user's access to predefined URLs on Chrome, Firefox and IE. On each hit I send the stats to a server with some data (page title).
The ways I found so far are a proxy and browser add-ons. Each has its own advantages and disadvantages. The main disadvantage of the proxy way is the handling of HTTPS communication. The add-on disadvantage is the installation (need to install on every browser) and cross-browser support.
Is there another way? some service I can write with .net that will automatically hook on a browser when it is started?
Thank you.
You do have only two choices - an http proxy, or to write a plugin for every browser. That plugin could just forward data via network to a central service, leaving you with the challenge of coming up with a common set of data that all browsers can provide, plus learning all the plugin models.
In my opinion, though, the only real option is an HTTP(s) proxy because otherwise you have to keep updating your plugins every time browsers change, or deal with the fact that new browsers can come along and be used.
Certainly you won't find a 'user is browsing a url in some browser' event in the OS - all it knows is that a socket connection has been opened on some local port to a remote server's port 80/443 (or whatever).
So I strongly suggest building on top of the excellent work that's behind Fiddler and use the Fiddler Core.
http://www.telerik.com/fiddler/fiddlercore
For HTTPS you have to decrypt and re-encrypt with a different certificate. The information that you need is just not available without actually unpacking the request. Fiddler achieves this by opening its own SSL tunnel to the target server on the client's behalf, whilst acting as an SSL server to the client under a different certificate. So long as the certificate that it uses is fully trusted by the client, no problems occur.
That said, it means that the user cannot personally verify the identity of the target site - therefore your system would have to assume the worst case scenario for any invalid SSL certificates and block the connection.
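An added example (not the answer's own code) of the agent this answer recommends, built on FiddlerCore: it installs the proxy's root certificate, reports the URL and page title of watched HTML responses, and applies the worst-case policy from the last paragraph by forcing any upstream certificate error to fail the connection. Member names follow the FiddlerCore 4.x API as I remember it (FiddlerApplication.Startup/Shutdown/BeforeResponse/OnValidateServerCertificate, CertMaker, Session.fullUrl/utilDecodeResponse/GetResponseBodyAsString); check them against the version you install, since later releases changed the startup API. The watched URL prefixes and the reporting sink are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Text.RegularExpressions;
using Fiddler;

// Added example, not code from the original answer. FiddlerCore 4.x member names as I
// remember them (assumption; verify against the installed version). Watched prefixes and
// the reporting sink are placeholders.
public static class BrowserWatcher
{
    private static readonly string[] WatchedPrefixes = { "https://intranet.example.com/", "http://www.example.org/" };
    private static readonly Regex TitleRx = new Regex(@"<title[^>]*>(.*?)</title>", RegexOptions.IgnoreCase | RegexOptions.Singleline);

    public static void Main()
    {
        // HTTPS can only be read if the browser trusts the proxy's root certificate; this is
        // the "different certificate" the answer describes.
        if (!CertMaker.rootCertExists())
        {
            CertMaker.createRootCert();
            CertMaker.trustRootCert();
        }

        // Worst-case policy: the user can no longer see the real server certificate, so any
        // policy error on the upstream leg must block the connection outright.
        FiddlerApplication.OnValidateServerCertificate += (sender, e) =>
        {
            if (e.CertificatePolicyErrors != SslPolicyErrors.None)
            {
                e.ValidityState = CertificateValidity.ForceInvalid;
                Console.WriteLine("Blocked " + e.ExpectedCN + ": " + e.CertificatePolicyErrors);
            }
        };

        FiddlerApplication.BeforeResponse += session =>
        {
            if (!IsWatched(session.fullUrl)) return;
            string contentType = session.oResponse["Content-Type"] ?? "";
            if (contentType.IndexOf("text/html", StringComparison.OrdinalIgnoreCase) < 0) return;
            session.utilDecodeResponse(); // remove gzip/deflate before reading the body
            ReportHit(session.fullUrl, ExtractTitle(session.GetResponseBodyAsString()));
        };

        // Default flags register the system proxy and enable HTTPS decryption.
        FiddlerApplication.Startup(8877, FiddlerCoreStartupFlags.Default);
        Console.WriteLine("Proxy on 127.0.0.1:8877; press Enter to stop.");
        Console.ReadLine();
        FiddlerApplication.Shutdown(); // restores the previous proxy settings
    }

    public static bool IsWatched(string url)
    {
        foreach (string prefix in WatchedPrefixes)
            if (url.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    public static string ExtractTitle(string html)
    {
        Match m = TitleRx.Match(html ?? "");
        return m.Success ? m.Groups[1].Value.Trim() : "";
    }

    // Stand-in for the POST to the stats server.
    private static void ReportHit(string url, string title) =>
        Console.WriteLine(DateTime.UtcNow.ToString("o") + " " + url + " \"" + title + "\"");
}
```

Two things to weigh before deploying this: a decrypting proxy sees every credential and session cookie the user sends, not just the watched pages, so the machine that runs it and the root key it generates need the same protection as the browsers themselves; and browsers that pin certificates or use HSTS with their own trust store will simply fail for the affected sites rather than accept the proxy's certificate.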

Https with Tcplistener

I am building an application that can receive requests from a website to perform functionality not available in a browser. I accomplished this using a TcpListener and then call into it by performing AJAX calls with jQuery using JSONP. This is fine and works well; the problem now, however, is that the website also has to be able to use HTTPS, and this results in a warning when making AJAX calls that are not encrypted, which is not desirable.
Is it possible to use https to make calls to my application without having a certificate registered on the users pc, as my application is I guess the server.
I hope that makes sense and I am not being stupid.
Many Thanks
This answer is for C# .NET
For HTTPS calls, the example is provided on MSDN using TCP Listener and TCP Client.
https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?redirectedfrom=MSDN&view=netframework-4.7.2#Anchor_5
When doing sslStream.AuthenticateAsServer(serverCertificate, ..) you should load a PFX file along with password, instead of CER file, then it will not require registration on client machine.
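An added example (not the answer's own code) showing the shape of what the answer suggests: a loopback-only TcpListener that serves JSONP over TLS with SslStream.AuthenticateAsServer and a PFX, and validates the callback name before reflecting it into script. Assumptions: a file localhost.pfx with password pfx-password whose certificate chain the browser already trusts for 127.0.0.1 (my example relies on that trust existing, however it was established), a hypothetical allow-list of page origins, a query parameter named callback, and a single hypothetical command path /scan.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not code from the original post. Assumptions: "localhost.pfx" with
// password "pfx-password" whose chain the browser trusts for 127.0.0.1; a hypothetical
// origin allow-list; a JSONP callback parameter named "callback"; one command path "/scan".
public static class LocalHttpsAgent
{
    private static readonly string[] AllowedOrigins = { "https://intranet.example.com" };
    // JSONP reflects the callback name into a script; restrict it to an identifier.
    private static readonly Regex SafeCallback = new Regex(@"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$");

    public static void Main()
    {
        var cert = new X509Certificate2("localhost.pfx", "pfx-password");
        var listener = new TcpListener(IPAddress.Loopback, 8443); // loopback only, never 0.0.0.0
        listener.Start();
        while (true)
        {
            using (TcpClient client = listener.AcceptTcpClient())
            using (var ssl = new SslStream(client.GetStream(), false))
            {
                try
                {
                    ssl.AuthenticateAsServer(cert, clientCertificateRequired: false,
                        enabledSslProtocols: SslProtocols.Tls12, checkCertificateRevocation: false);
                    HandleRequest(ssl);
                }
                catch (Exception ex) { Console.WriteLine("Connection dropped: " + ex.Message); }
            }
        }
    }

    private static void HandleRequest(Stream stream)
    {
        var reader = new StreamReader(stream, Encoding.ASCII, false, 4096, true);
        string requestLine = reader.ReadLine();
        if (requestLine == null) return;
        string[] parts = requestLine.Split(' ');
        if (parts.Length != 3 || parts[0] != "GET" || !parts[1].StartsWith("/"))
        {
            Write(stream, "400 Bad Request", "text/plain", "bad request"); return;
        }

        string referer = null, line;
        while (!string.IsNullOrEmpty(line = reader.ReadLine()))
        {
            int colon = line.IndexOf(':');
            if (colon > 0 && line.Substring(0, colon).Equals("Referer", StringComparison.OrdinalIgnoreCase))
                referer = line.Substring(colon + 1).Trim();
        }

        // A <script src> request carries no Origin header, and the calling page can suppress
        // the Referer, so this is a filter against accidental use, not authentication.
        if (!RefererAllowed(referer)) { Write(stream, "403 Forbidden", "text/plain", "origin"); return; }

        var url = new Uri("https://127.0.0.1" + parts[1]);
        string callback = QueryValue(url.Query, "callback");
        if (callback == null || !SafeCallback.IsMatch(callback)) { Write(stream, "400 Bad Request", "text/plain", "callback"); return; }

        // Hypothetical device action; the real program would dispatch on url.AbsolutePath.
        string result = url.AbsolutePath == "/scan" ? "{\"status\":\"scanned\"}" : "{\"error\":\"unknown command\"}";
        Write(stream, "200 OK", "application/javascript", callback + "(" + result + ");");
    }

    private static bool RefererAllowed(string referer)
    {
        if (referer == null) return false;
        try
        {
            string origin = new Uri(referer).GetLeftPart(UriPartial.Authority); // scheme + host + port
            return Array.IndexOf(AllowedOrigins, origin) >= 0;
        }
        catch (UriFormatException) { return false; }
    }

    private static string QueryValue(string query, string name)
    {
        foreach (string pair in query.TrimStart('?').Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0 && pair.Substring(0, eq) == name) return Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return null;
    }

    private static void Write(Stream s, string status, string contentType, string body)
    {
        byte[] payload = Encoding.UTF8.GetBytes(body);
        byte[] head = Encoding.ASCII.GetBytes("HTTP/1.1 " + status + "\r\nContent-Type: " + contentType +
            "; charset=utf-8\r\nContent-Length: " + payload.Length +
            "\r\nX-Content-Type-Options: nosniff\r\nConnection: close\r\n\r\n");
        s.Write(head, 0, head.Length);
        s.Write(payload, 0, payload.Length);
        s.Flush();
    }
}
```

Because a JSONP request is a script include, any page on any site can make it, so TLS here only removes the mixed-content warning; it does not say who sent the command. For that, pair the agent with a server-issued token of the kind suggested for the first question on this page, and keep the listener on 127.0.0.1 so nothing off the machine can reach it at all.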

Is it possible to write C# code as below and send email using network in different country?

Is it possible to write C# code as below and send email using a network in a different country?
MSExchangeWebServiceURL = mail.something.com/ews/exchange.asmx
It's a web service URL. This works great when I run the same code from my home network, my friends' home networks, anywhere around, but when I run it from my client's location in Colombia it fails.
I have a valid user name and password on that Exchange Server. Is there any configuration that I can set to achieve this?
BTW this code below works when I run it within office network and any network within any home network. I have tried it at least with five friends network in Plano, Texas. I want this code to work running from any network in another country.
My client in Colombia can connect to the web service using a browser with the same user name and password, but when I run the code above it is not able to connect to our web service.
EDIT: Based on the comments and updated post, I would wager that the client location has a proxy server or firewall that is blocking the traffic. The client probably needs to add the relevant domain to whatever "whitelist" they have.
If it works from an internal network, then the problem is most likely not the code. You need to debug it and see what error turns up when running it outside of the network. Then check the logs on the firewall and the target exchange server to see what is happening.
One possible culprit is that the DNS name is not set up outside the office network, or that the office firewall is not set up to pass traffic (or only to pass SMTP traffic) from the internet to the server in question. Another is that Exchange Web Services is not set up properly to accept requests from the outside world. That can be tested from http://www.testexchangeconnectivity.com/.
If this isn't enough for you to get there, post more info about what errors you are seeing. "It isn't working, I want it to work" kind of reminds me of the Star Trek TNG episode about the species who kept telling Geordi to "make it go".
If you are asking if the code works (which it doesn't look like you are, but it's in your post) you should ask on Stack Overflow. If you are wondering why it won't work from home, it's likely because the edge server is not set up to relay, and if you are at home and not VPN'd into the network that's all you have access to.
You need to break this down a bit:
What's the MSExchangeWebServiceURL? I don't need to know your real URL, but is this resolvable from your home network? i.e. is it an internal DNS host (server.mycompany.local) or is it an externally-resolvable DNS host (mail.yourcompany.com)?
If it's internal, like another poster said, you'll at least need to VPN in (or replace that with the external URL).
I'm not a big C# guy, but I'm guessing it's looking for your Exchange Server hostname or FQDN, and since the type is "SMTP" it wants to establish a TCP session with your mail server. You can likely test this out by opening up your command prompt and trying to telnet <MSExchangeWebServiceURL> 25. When that works, my guess is your code will work too.
