2

In a .NET program, if we want to stop a Web Debugging Proxy from capturing the requests from the program via setting the IE/Edge proxy port to itself, we can use App.config to set the default proxy to false. In this way we can protect the mechanism inside to some extent. However, the config is exposed outside, so the user can change it easily if the user who wants to hack the program has basic knowledge of CS. So, is there any way to do it inside the code so that the hacker will have to decompile to hack?

T.Worm
  • 382
  • 2
  • 11

2 Answers

1

As Gabriel mentioned, simply don't specify proxy settings as hardcoded ones. Find a way to serialize your data in an unknown format if security is required.

"So, is there any way to make it inside the code so that the hacker will have to decompile to hack"

You can easily see the source of a DLL by using ildasm.exe unless some additional steps are taken. Please have a look: How can I protect my .NET assemblies from decompilation?

If you are using the WebRequest class, have a look at the WebRequest.DefaultWebProxy property; when it is set to null, it would not take any proxy. https://learn.microsoft.com/en-us/dotnet/api/system.net.webrequest.defaultwebproxy?view=netframework-4.7.2#System_Net_WebRequest_DefaultWebProxy

If you are planning to use the HttpClient class, you may need to pass a custom handler; WebRequestHandler should do the job by setting UseProxy to false. https://learn.microsoft.com/en-us/dotnet/api/system.net.http.webrequesthandler?view=netframework-4.7.2

Update: Adding a note as I am not able to comment: even HTTPS traffic can be decrypted easily in the case of a proxy server.

mbshambharkar
  • 386
  • 4
  • 13
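
The two settings named in the answer above, combined with the fallback the asker describes in the comments for networks that only allow egress through a proxy. This is an added example, not code from any of the posters; the class and method names and the URL are hypothetical. It changes routing only and does not encrypt or hide the requests.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical helper: names are illustrative, not from the page.
static class ProxyAwareFetcher
{
    // Legacy WebRequest/HttpWebRequest stack: a null DefaultWebProxy means
    // "no proxy" process-wide; GetSystemWebProxy() restores the IE/Edge setting.
    public static void SetLegacyDefaultProxy(bool useSystemProxy)
    {
        WebRequest.DefaultWebProxy =
            useSystemProxy ? WebRequest.GetSystemWebProxy() : null;
    }

    // HttpClient stack: UseProxy is defined on HttpClientHandler and is
    // inherited by the WebRequestHandler mentioned in the answer.
    public static HttpClient CreateClient(bool useSystemProxy)
    {
        var handler = new HttpClientHandler { UseProxy = useSystemProxy };
        return new HttpClient(handler, disposeHandler: true)
        {
            Timeout = TimeSpan.FromSeconds(10)
        };
    }

    // Try a direct connection first. If it fails (connection error, timeout,
    // or a non-success status), retry once through the system default proxy
    // so the program still works where a proxy is the only route out.
    public static async Task<string> GetStringAsync(Uri url)
    {
        try
        {
            using (var direct = CreateClient(useSystemProxy: false))
                return await direct.GetStringAsync(url);
        }
        catch (Exception ex) when (ex is HttpRequestException ||
                                   ex is TaskCanceledException)
        {
            using (var viaProxy = CreateClient(useSystemProxy: true))
                return await viaProxy.GetStringAsync(url);
        }
    }

    static void Main()
    {
        SetLegacyDefaultProxy(useSystemProxy: false);
        var url = new Uri("https://example.com/"); // placeholder URL
        Console.WriteLine(GetStringAsync(url).GetAwaiter().GetResult().Length);
    }
}
```
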

-1

Don't. For a couple reasons (at least):

  • In some networks, sometimes the only way to reach the internet is through a proxy. If you hardcode your program to not use a proxy, then you will break it.
  • There is no way to stop people from seeing the traffic. I can use Wireshark to see everything that a proxy could see.

Instead, just encrypt your traffic (if you're using a web service, use HTTPS). Then even if it goes through a proxy or a network sniffer, it's not readable anyway.

Gabriel Luci
  • 38,328
  • 4
  • 55
  • 84
  • No, it's a normal http/https request from httpWebRequest to a normal public URL, which I cannot encrypt (but do you have any solution for this?). Wireshark is invincible, but it's much harder for the hacker to use, and the hacker I may be facing is unlikely to be able to use it. Besides, if there's a way to do this programmatically, then when the situation you mentioned appears (unable to reach the internet), I can still switch to the normal way (default proxy). – T.Worm Dec 15 '18 at 02:16
  • If it's a normal HTTP**S** request (not HTTP) to the Internet, then you have nothing to worry about. It's automatically encrypted for you. The whole point of HTTPS is to prevent interception. – Gabriel Luci Dec 15 '18 at 04:11
  • But I don't want the user to know where I access, nor to modify the data returned in order to hack. You can imagine I am doing something simple to do software verification and validation as a workaround when I don't have my own server. – T.Worm Dec 15 '18 at 04:45
  • If you use HTTPS, no one can see or modify the data in transit. Changing the proxy won't hide anything. HTTPS will. – Gabriel Luci Dec 15 '18 at 12:32
  • There are reasons you might want to bypass a web proxy script. For example you want to access a webservice that provides say stock ticker or weather or some mundane data. Who cares if that request is in the clear. – Ken Jun 05 '23 at 18:22