.net - What are the specific security risks of this web services architecture? -

-

I need ammunition to try to promote the set of available web services that directly support our production Chat with customer service application. My approach is to implement the IPassword provider and authenticate it from our Edi Store. The architecture recommendation that came from high is SSL, which has an IP filter on the router, allowing only some IP addresses to call web services. Entry will be given with a GUID key, no login or password is required.

Each key authorized to use our web services will be given a key, it will be generated by us and will probably be emailed to them. There is no end policy about which I know.

It seems wrong to me, but they are not buying the logic that there is no real certification in the game. What are the specific safety risks with this architecture? What is really the attack scenario, and how easy would it be to compromise our system? I should be able to expand the risks, probably even even they should be displayed in our architecture team.

Good .. There is a lot that can be wrong ...

For one, the SSL server certificate only saves you to hide the general and if the server is identified correctly, it ensures that who is the customer (I think you have the right security on the server certificate on your client Are investigating).

But it does not tell the server anything about the client. To do this, you need to assign a client certificate and validate it on the server and still the solution is still weak if not done correctly.

Going back to your configuration if your server has not been authenticated correctly, then a person can not only hide it but can modify / modify the information on your communication channel. (Because you are not signing a confirmation to confirm that message itself).

> The IP filter is very weak, because most institutions have configuration for some or the outside use. Therefore, the PC with external access outside the same node will show the same IP. I do not need "spoofing" ... You need to compromise any internal machine ... such as a secretary's machine (giggles) .. .. and request from there.

IP Spoaming IM is not sure that there will be a legitimate attack, in this case an attacking client will deny the service on the machine and then the server will try to install packets and take advantage of the spoof client cable connection The answer to the packet to finish and RTT

This package estimates the sequence number, which is now difficult, but not impossible from there, with an attacker's eye without any message But in this case, when the connection is not a plain HTML, but an SSL stream that contains information such as keys etc, and seeing that the attacker can see the language, because the injection is done from the darkness (At least not in the same subnet and can smell the packets) ... I have doubts about it.

Anyway ... recommendation configuration.

1 - Server SSL certificate with verification on client - Client SSL certificate with verification on server. - In addition to a GUID token, checksum of some types of messages that advises each session-client to be generated every time. (Do not forget to distribute this certificate securely on encrypted stores pkcs12 etc. Otherwise this approach can be seen in the Middle Assaults Is susceptible to the person)

2 - Increase the web service soap message with WS-Security and use the client and server Clients and server certificates To sign up / encryption, and use Taimstamping services.

You can still force the connection ... but it will not need ... and its still weak.

On one side note that IP spoofing was used by Kevin Mitnick against Shimmora ... so it is possible and not very difficult. I am sure that your device is based on OS version such devices Those who already automate most of the process.

IDs It's nice to hear what others think, hope it helps.


Comments

Post a Comment

Popular posts from this blog

asp.net - Javascript/DOM Why is does my form not support submit()? -

-
This is my first time working with asp.net and javascript, so I do not know very good web resources, or Much about javascript debugging I have to find out that on line oFormObject.submit (); Microsoft JScript Runtime Error: Object does not support this property or method I am using the link to work as a button because I am terrible in aesthetics and I think That link will look more professional than a table of 50 buttons. I have read that this solution can cause problems with browsers due to pre-rendering of my links and many additional traffic and problems, but CSS gives me a button like a link, which has issues of alignment and difference seemed to. & lt ;! DOCTYPE HTML PUBLIC "- // W3C // DTD HTML 4.01 // N" "http://www.w3.org/TR/html4/strict.dtd"> & Lt; Html xmlns = "http://www.w3.org/1999/xhtml" & gt; & Lt; Head & gt; & Lt; Link rel = "stylesheet" type = "text / css" href = "defect differen
Read more

sockets - Delphi: TTcpServer, connection reset when reading -

-
I am trying to implement one for Delphi, but there are some problems with communication. Fitnesse will start my process, and give me a portmember as a command line argument. Then I should make a socket on the port number given to me, and fitness will connect to that port I am using a TCPCP server for the job: < Pre> TcpServer1.LocalPort: = ParamStr (ParamCount); TcpServer1 Active: = true; On OnEXEPT () -Event, I send the protocol version to use as specified in the protocol. Process TForm1.TcpServer1Accept (From: TOBject; ClientSocket: TCustomIpClient); Var s: ansistring; Start clientSocket. Syndrome ('slim - v 0.0', # 10); SetLength (S, 6); ClientSketts Receavebook (S, 6); End; When I call ReceiveBuf (), the process ends, and fitness throws an exception: java.net.SocketException: connection Reset I have seen what sent and received. It shows that my code sends the protocol version, fitness sends back a message, and when I try to get this message
Read more

javascript - Classic ASP "ExecuteGlobal" statement acting differently on two servers -

-
I have a strange problem that I really do not know. In addition to developing a new ASP.NET site, I have to support the old "classic ASP" site. It is written in VBScript with a batch of JavaScript functions. Many of the JavaScript functions include 'files' Everything is fine on our production system (which security is controlled by another group - this is a military installation) Debugging them once did not work I). However, I have a fix for a vague bug that needs to be fully tested and some functions do not run under the "local" copy of the website that runs on my PC. For the record, I am running IIS 5.1 on XP. The problem is that some Javascript functions are running "OK" on the production server, but when they use it as a server, they are not defined on my PC what is happening that last Programmer, for some reason, has decided to put some functions in a series of files, which according to the observations, imitate the "need_once
Read more