
Tell me please, are Silverlight business applications secure?

As far as I know, the user can get the .xap file from the local computer's cache, which loaded the application, or directly if the file name and location are known (they are written in the HTML code) - just type it in the address bar of the browser and the file will be downloaded. (Question 1: is this normal? Or maybe some specific hosting settings can deny direct downloading?)

Here is the most interesting thing - so, the user, once the web page is downloaded, has a .xap file in the file system. Now Question 2: Can the user open (I mean, decompile) this xap file and thus get a lot of data, including the check for a specific role of the user and so on? In the code I periodically check for the presence of an authorized user in a particular role. Depending on this, different content may be provided. P.S. Of course, I know about server-side role checking by attributes; this is not about that. Plus, I use MEF modularity, and for communication between modules I have used a global library project with a communication interface. Can information passed between modules be stolen?

Next. The web.config file, which contains some application settings, also has a database connection string with login and password information. Question 3: is web.config safe enough to store such data?

And the last question - SSL connection. I know I need to pay to use this. Anyway, Question 4: How can SSL protect the application and the data it contains (in a business application)?

Mans7

1 Answer


Question 1. The xap file must be accessible by the end user, and therefore I don't think you can stop an authenticated user from getting it from the server. And even if it isn't available, the user can find it in their browser cache.

Question 2a. Yes, the user can decompile the xap. It is just a zip file. Rename to zip, extract the contents, view with Reflector etc. Have a play around with Silverlight Spy and you can also see some interesting stuff. You can use an obfuscation tool on your assemblies, which is a useful deterrent, but even that could be decompiled by someone with sufficient resources / energy.

Question 2b. I think it would be possible to see 'information passing between modules', as a Silverlight app can be debugged using WinDbg. Once again, obfuscation will at least help deter casual introspection.

Question 3. Yes, web.config should be safe, unless you go out of your way to expose it.

Question 4. SSL won't prevent any of the introspection issues on the xap file listed above, but will stop people sniffing the traffic. The only problem you will have is how to mitigate a man in the middle attack (where a proxy substitutes in its own certificate). There are ways to mitigate this but I don't know the best practice off the top of my head.

Based on the questions you have asked, here is a risk you should mitigate. Imagine the user connects to your SL app, logs in, then you fetch their 'roles' from the server. If they had decompiled your xap, and figured out they need to be in the 'admin' role to open up access to everything, they could put a proxy in-between the SL app and your server and modify the responses so that the SL app thinks they are in the 'admin' role. This is a man in the middle attack where the end user is trying to hack the system. Even if you are using SSL this is possible, because the proxy will use its own certificate and the end user can add the proxy's certificate into their trusted certificates store.

I have never been able to properly solve the above risk on the client side. I have made it difficult for a hacker by using obfuscation, and adding a custom header to the requests/responses which was effectively a checksum with a hidden private key to encrypt the checksum. However if the end user managed to de-obfuscate / decompile the xap, they would theoretically be able to find the private key and see my encryption algorithm, and therefore be able to substitute in a new checksum after altering the 'role' in the above example.

In summary, I have concluded it is impossible to properly secure the client side. And if you deem the risk sufficient, it is best to duplicate the authorization on the server.

For example, if it is a requirement that a user must be in the 'admin' role to view 'customers', then I will display the 'customers' screen on the client if the user is in the 'admin' role. However, on the server, when the SL client calls the service to fetch the 'customers' data, I also check the current authenticated user has permission to see the data (as opposed to see the screen).

user381624
  • user381624, can you please tell me more about: 1. "and adding a custom header to the requests/responses which was effectively a checksum with a hidden private key to encrypt the checksum." - I do not know how to implement this one. Please, if you have time, give me some advice or links to samples. 2. "duplicate the authorization on the server." - do you mean 2 attributes in the DomainService class like [RequiresAuthentication] and [RequiresRole("admin")]? – Mans7 Mar 06 '13 at 14:56
  • 1. It depends on what client library you are using to communicate with your services, but all of them will let you access the underlying WebRequest headers, and you can then just add your own key/value pair. e.g. http://stackoverflow.com/questions/8434357/how-can-i-add-htt-request-header-to-silverlight-ria-requests – user381624 Mar 06 '13 at 23:51
  • 1b. There are lots of variations on the checksum, and you don't have to go that far. In one application I set it up so the server passed the Silverlight app a session key (timestamp in my case) on login. Then, on every request to the server, the client would add 2 headers -> SessionKey:Value EncryptedSessionKey:Encrypted value. The server checks the session key is still current, then checks the EncryptedValue is correct. I hard coded the same 'salt' value, effectively a private key, into both the client and server. http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net – user381624 Mar 07 '13 at 00:22
  • 2. It depends on how you are building your services. It sounds like you are using RIA services, which unfortunately I don't know a lot about. However it must have a way to do authorization at the entity / query level. – user381624 Mar 07 '13 at 00:29
  • Yes, I'm using RIA services. Thank you a lot! I would like to contact you via mail, but StackOverflow policy denies any communication except questions and answers (and comments). Anyway, thank you again! – Mans7 Mar 07 '13 at 22:57
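The following is an added example, written by the editor rather than by either poster, that puts the two ideas from the answer and its comments side by side in one small server-side handler: the session-key plus keyed-checksum headers from comment 1b, and the server-side role check the answer says must be duplicated regardless of what the client believes about itself. It assumes a plain dictionary as the server's session store, a constructed clock value, and HMAC-SHA256 in place of the comment's "encrypted session key" (the comment does not say which cipher it used; any keyed function fills the same slot). The header names come from the comment; the `X-Client-Claimed-Role` header and all sample values are constructed for the walkthrough.

```python
# Added example (not from either poster): a minimal server-side check for the
# scheme sketched in the comments above, followed by the authorization step the
# answer recommends duplicating on the server. Everything here is constructed;
# the header names match the comment, the rest is illustrative.
import hashlib
import hmac
import time

# The comment hard-codes one 'salt' into both client and server. Constructed
# placeholder value; the answer itself notes a decompiled client exposes it.
SHARED_SALT = b"placeholder-shared-salt"
SESSION_TTL_SECONDS = 3600

# Server-side session store: session key -> record. Roles live only here.
SESSIONS = {}


def issue_session(username, roles, now=None):
    """Login step: hand the client a session key (timestamp-based, as in the comment)."""
    now = time.time() if now is None else now
    key = f"{int(now)}-{username}"
    SESSIONS[key] = {"user": username, "issued": now, "roles": frozenset(roles)}
    return key


def session_checksum(session_key):
    """Client and server both compute this. HMAC-SHA256 stands in for the
    comment's 'encrypted session key'; any keyed function would play the same role."""
    return hmac.new(SHARED_SALT, session_key.encode(), hashlib.sha256).hexdigest()


def authorize(headers, required_role, now=None):
    """Check the two headers, then the role. Returns (http_status, reason).

    The role decision reads SESSIONS only. Anything the client sends about its
    own role (e.g. a claimed-role header) is ignored, which is what makes the
    proxy-tampering scenario in the answer fail against this endpoint."""
    now = time.time() if now is None else now
    key = headers.get("SessionKey")
    sig = headers.get("EncryptedSessionKey")
    if key is None or sig is None:
        return 401, "missing session headers"
    session = SESSIONS.get(key)
    if session is None:
        return 401, "unknown session key"
    if now - session["issued"] > SESSION_TTL_SECONDS:
        return 401, "session key no longer current"
    # Constant-time comparison so the checksum check itself does not leak.
    if not hmac.compare_digest(sig, session_checksum(key)):
        return 401, "checksum mismatch"
    if required_role not in session["roles"]:
        return 403, f"user {session['user']} lacks role {required_role}"
    return 200, "ok"


def demo():
    """Walk through the answer's scenario: an ordinary user whose client has been
    convinced it is 'admin' still cannot fetch 'customers' from the server."""
    t0 = 1_700_000_000.0                       # constructed clock
    key = issue_session("alice", ["user"], now=t0)
    good = {"SessionKey": key, "EncryptedSessionKey": session_checksum(key)}
    # A tampered response made the Silverlight client believe it is admin; the
    # client now sends that belief along. The server never looks at it.
    claimed_admin = dict(good, **{"X-Client-Claimed-Role": "admin"})
    forged = dict(good, EncryptedSessionKey="0" * 64)
    return {
        "customers_as_user": authorize(claimed_admin, "admin", now=t0 + 5),   # (403, ...)
        "own_profile": authorize(good, "user", now=t0 + 5),                   # (200, ...)
        "bad_checksum": authorize(forged, "user", now=t0 + 5),                # (401, ...)
        "expired": authorize(good, "user", now=t0 + SESSION_TTL_SECONDS + 1), # (401, ...)
    }


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name}: {status} {reason}")
```

Two things worth noticing in the design. The checksum headers only prove that whoever sent the request knows `SHARED_SALT`; since the answer already concedes that a decompiled xap gives that value away, they buy integrity against casual tampering but not against the end user themselves. The part that actually holds up is the last check in `authorize`: the role comes from the server's own `SESSIONS` record, so the "customers" data is withheld even when the client-side screen logic has been fooled into thinking the user is an admin. In a RIA Services application the equivalent of that last check is the `[RequiresRole("admin")]` attribute the question's comment mentions, applied to the query method rather than only to the screen.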