We have a web application : C# + SQL 2k5
Different companies send us information, we parse, them, do different things, and come up with a simple list for each of our customers. The list will look the same, but will have different information based on the customer.
They should not have access to each other's data.
We would like to create a page which would be embedded on their own site. I was thinking about using something like an iFrame.
Basically customer ABC would embed on his own abc.com an iframe with a URL (we will give them the parameters needed) and his clients will see our data on his site.
The other customer, lets call him xyz, has an other website xyz.com, will do the same thing, but in the url I should make a difference between them.
I would like to know how is the best, safest way to proceed.
How should I start to build up this page that is going to be embedded.
How should I make a difference between the 2 customers? The only way to get info from them is the parameters they send me, and eventually, I could get the 'parent' of my embedded iFrame, so that might help me restrict xyz to embed using url parameter info to get data from abc. See my dilemma?
Probably a unique identifier for each customer (like a GUID?) will be needed, and they woul dnot know each other's ID ... Or is there a more secure way to do things like this?
Any help would be appreciated.
Thanks
Embed a publically visible unique id in the URL and process this to extract the client id. e.g.
<IFRAME src="http://example.com/1122334455667788aabbcc">
You could check the Request.UrlReferrer to ensure that the request see this answer
However the only safe way of doing this is to provide an authenticated API that the site uses server side to process via a services API (e.g. WCF), or at the very least an authenticated HttpWebRequest; any other way leaves your data only as secure as a publically visible unique id.
Take a look at how one of the credit card processing portals do this (eg WorldPay or Paypal). There are several ways.
At the very least you need provide each customer with a unique ID that they send you.
Related
We have a homebrewed advertising system on our website. Part of this includes code that when an ad is clicked, we first go to a intermediary page that records the click data, which then redirects them along to the desired advertiser's website.
Unfortunately, our current solution requires that a URL parameter be passed to the intermediary page that is the destination URL. Some savvy advertisers have discovered that they can use this for their own nefarious purposes and "launder" their traffic through our site. In other words, on their site, they have a link along the lines of www.oursite.com/redirect?URL=www.theirtargetsite.com, making it seem like that traffic is coming from our site.
I'm working on a solution that will only redirect to a whitelist of URLs, but my first problem is more just knowing what this is called. Finding alternative and probably better solutions is difficult when I don't even know what to call it. With so much spoofing, laundering, and hijacking going on, it's hard to find help for the right topic.
What is it called when website A redirects to website C through website B without the permission of B?
The word you're looking for is open redirect. The MITRE article on this class of vulnerability has some examples of ways that this can be mitigated, e.g:
Whitelist the URLs that you will redirect to
Displaying a warning page before redirecting (probably not viable in your situation)
Use numbers to identify the URLs to redirect to (i.e, look them up in a table) instead of putting the target in a query parameter
Use a HMAC construction to "sign" URLs to redirect to, and reject redirects that don't have a valid signature
I'm trying to perform login request in C#, but i don't know how to do it. I tried to find aspx web API but with no result. Do you know something about it?
here you have url: https://www.bikes-srm.pl/Login.aspx
Everything I tried is send request witch this header:
webreq.Headers["Authorization"] = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("login:password"));
Seeing how you tagged ASP.NET and mentioned "c# mobile app," here's one potential answer to your problem. This article covers the approach in detail, summarized below:
You can use a WebBrowser control to login to a website, wait until the content is loaded, and then retrieve the HTML data, cookies, get/set values of input elements, and access running scripts.
However, keep in mind:
Security: If more than one person can login, you will need to sandbox each user, clear tracking data, cookies, etc. at the end of each session and manage multiple states. If financial transactions occur through that website, you're taking risks.
Harder to maintain: The id's / names for the form fields or URLs can change, and when they do, your program may break.
Liability: from a legal perspective, who's responsible for what happens through your program? Do you have written permission to access their website from your program?
WebBrowser control is a part of System.Windows.Forms, but it looks like you'll be using it from within an ASP.NET site or a mobile app. What are the consequences? Research this.
I'm designing a site using ASPx and IIS, where clients can sign up and then offer services to their clients. For example:
if you go to http://www.mywebsite.com you can sign up for your mywebsite.com account as a business owner. When you sign up, you are given a Site ID (Example: AA1234).
http://www.mywebsite.com/AA1234
What I want to do is always include the Site ID in every url (Inbound and Outbound). The Site ID is stored in a session variable based on the initial incoming request.
Does anyone know of a good way to do this - or a different design that works better than this?
Thanks
Your question is nebulous at best. However...
Wouldn't this be what cookies are used for?
In particular, if your user is authenticated (this is generally achieved in asp.net with an auth cookie), then at the server, you would have tools at your disposal that allow you to recognize the user and provide a different experience according to whatever criteria you choose. Most likely, these details might be stored in a database.
Found the answer in this topic: http://www.tek-tips.com/viewthread.cfm?qid=1149673
The last response from BoulderBum is exactly what I needed.
Using the HTTP module I will take the /AA1234/ URL and point it to /Company/.
On the way out, I replace all instances of /Company/ with the site id again
I have to implement a single signon kind of solution on my website. Let's say my website is www.myweb.com and I want to allow the users to use this site who only come from a site www.sourceweb.com.
I thought URL Referrer would do but in IE may comes null.
See here
Please suggest me some alternate solution.
Thanks,
Gaurav
If you have access to www.sourceweb.com and can modify the source then a possible solution would be:
Create a webservice on www.myweb.com.
Create a link on www.sourceweb.com
When the link is clicked call the webservice to retrieve a unique id.
Redirect the user to www.myweb.com and provide the unique id in the querystring.
On www.myweb.com confirm that the unique id is valid and remove it/mark it as used.
There are many ways to skin a cat, one way in your case would be to set a cookie on the 2nd site, using a pixel gif (1x1 pixel small picture) embedded on a page of the main site. The 2nd site then can later allow access only when the cookie is already set.
To make this secure, you have to add a token to the pixel gif URL, containing a timestamp and signed using a HMAC or something similar establishing a shared secret with the other site. Then you only set the cookie when the timestamp is recent (less than a minute ago) and properly signed.
URL_REFERER is your best bet.
Keep in mind that like most HTTP headers, it is easy to forge and does not have to be provided.
The very short answer. Don't implement this yourself.
Security solutions should not be implemented but bought. The only exception being if you actually develops security solutions for other to buy of course.
Choose one of many available SSO solutions and go with that. We use Microsofts ADFS, though not perfect it gets the job done for us with very little maintance and the only real hazle is for our applications hosted on non-windows platforms like AIX.
There so many chance of screwing things up when you try to implement your own security solutions. If you disagree than just remember than anual contests are held to break the security systems of companies such as Apple,Microsoft,Mozilla and Goggle and most of the years some one takes home the price for breaking each of them.
I would like to identify if an email address comes from a public provider or is from an established business. I consider public email addresses to be things such as:
Open email service providers, such as
gmail, hotmail and yahoo.
Anonymization services, such as mailinator or dispostable.
I'm aware that there is no foolproof way to do this, and obviously any list based solution would require constant updates.
Is there a public listing or .NET library that can do this for me?
Are there really that many free webmail providers out there? I would go with a 'blacklisting' style solution.
For example, flag everything in this wikipedia list as free (heck I would think covering gmail/hotmail/yahoo/aol would cover a huge % of users anyway). Then if you get more than 2 (or higher number if your site has high throughput) registrations from the same email domain, it notifies the admin to check the domain to see if it needs to be added to the 'blacklist'.
I would imagine there are much more reliable ways to detect business customers though. For example in Australia you could just ask for an ABN and then check that it's valid. Are you willing to punish small business who don't have email providing and just use a generic #gmail account?
Here is a link to SpamAssasin's freemail list: http://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_freemail_domains.cf.
I suppose, checking against this list is a good start.
You might want to talk to the Better-Business-Bureau ( http://www.bbb.org ) and see if they provide some kind of a feed or API. I had a quick look at their site and couldn't see anything obvious, but it would be this kind of organisation I would head to first if I wanted to find out domain names belonging to established businesses. They do have a form on their site to search by email address ( http://www.bbb.org/us/Find-Business-Reviews/ )
Consider using HubSpot blocked domains list. It is not a guarantee that it is 100% accurate or complete.
They also provide a CSV file that you can download and parse programmatically. Link to CSV file is in the linked page.
I am guessing the ultimate goal is to clean your database from unwanted contacts that will increase the monthly bill. What you can do is the following:
Create a webhook that is triggered whenever a new contact is added.
In that webhook (which can be written in any language), check if the contact is in a blacklist (which is gmail/etc...).
Remove the contact if it is in a blacklist using an API call (you will need to first get the contact ID, which can be easily retrieved using API).