0

In my WinForms app, I have a login window that uses a web service in order to authenticate the username/password in order to grant access. The problem I am seeing is that once I compile my app, it generates an appname.exe.config which has the URL of the web service endpoint.

It seems that this URL can be modified by the user in a text editor. Will that not make the application easier to crack, since the person can just run a dummy web service with the same method names and change the URL in the config file and simply return "true" in order to gain access?

Is there a way to get Visual Studio to not use the app.config to store the URL and have it hardcoded in my app so it can't be changed with such ease? If I simply delete this config file, I get an error that the default endpoint element could not be found.

Any guidance would be greatly appreciated.

A K
  • Possible duplicate of [Encrypting connectionStrings section - utility for app.config](https://stackoverflow.com/questions/5803188/encrypting-connectionstrings-section-utility-for-app-config) – Handbag Crab Oct 01 '18 at 16:19

1 Answer

1

How are you calling the web service? Are you doing it in code or by another way?

Maybe you can create a static class to store your web service URL and get the URL using a method like staticClass.getURL().

Mauricio Reis
  • I am calling it in code. Looks like the default constructor always uses the app.config file, but there are other overloads that let me specify the endpoint address manually, which will work in my case since I can simply hard code my URL, and even if there is an app.config present, it will not be used. Thanks for the help! `BasicHttpsBinding binding = new BasicHttpsBinding(); EndpointAddress address = new EndpointAddress("https://url/service.asmx"); WebService.WSSoapClient myService = new WebService.WSSoapClient(binding, address);` – A K Oct 01 '18 at 16:41
  • Just to point out that if your ultimate goal is to *properly secure your application* this isn't a solution. You should invest in an approach that proves the user was properly authenticated e.g. your authentication service can issue a JWT that the client application can verify. – Amith Sewnarain Oct 05 '18 at 18:31
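
The approach suggested in the last comment, as an added example (not code from the question, the answer or any commenter): the service returns an RS256-signed token and the client verifies it against a public key compiled into the app, so an endpoint that merely returns "true" has nothing valid to present. It assumes .NET 6 or later; the class and method names, the claim names, and the in-process key pair standing in for the real service are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
static class LoginTokenDemo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] FromB64Url(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));

    // Stand-in for the authentication service: signs header.payload with RS256.
    static string Issue(RSA key, string user, string nonce)
    {
        string head = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
        string body = B64Url(JsonSerializer.SerializeToUtf8Bytes(
            new { sub = user, nonce, exp = DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds() }));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(head + "." + body),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return head + "." + body + "." + B64Url(sig);
    }

    // Client check: the signature must verify under the key compiled into the app.
    static bool Verify(RSA pinned, string token, string user, string nonce)
    {
        try
        {
            string[] p = token.Split('.');
            // RS256 is fixed here; the token's own "alg" header is never consulted.
            if (p.Length != 3 || !pinned.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]),
                    FromB64Url(p[2]), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return false;
            using JsonDocument doc = JsonDocument.Parse(FromB64Url(p[1]));
            JsonElement c = doc.RootElement;
            return c.GetProperty("sub").GetString() == user
                && c.GetProperty("nonce").GetString() == nonce   // ties the token to this login attempt
                && c.GetProperty("exp").GetInt64() > DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        }
        catch (Exception) { return false; } // malformed token: fail closed
    }

    static void Main()
    {
        using RSA service = RSA.Create(2048), lookalike = RSA.Create(2048), pinned = RSA.Create();
        pinned.ImportParameters(service.ExportParameters(false)); // public half only
        string nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        Console.WriteLine(Verify(pinned, Issue(service, "alice", nonce), "alice", nonce));   // genuine service
        Console.WriteLine(Verify(pinned, Issue(lookalike, "alice", nonce), "alice", nonce)); // different key
    }
}
```

In a real client the nonce is generated per login and sent with the credentials, and only the public key ships in the binary; the private key never leaves the service.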