5

I already read Securing AJAX Requests via GUID and Securing an ajax request . Now let me explain my scenario, below would be code snippet that may aid at explaining in the subject matter.

[WebMethod[EnableSession = True]
[ScriptMethod]

    public static string CreateTitle(string strTitleName)
    {
    string strResult = "Custom jSon string";
    if(Session["Authorized"] == "True" && !String.IsNullOrEmpty(strTitleName))
    {
         String strTitle = Server.HtmlEncode(strTitleName);
         InsertRecordInDB(strTitle);
         strResult = "Custom jSOn string" + EncryptMD5("record id");
    }
           return strResult;
    }

and below is the javascript call to send in the parameters. btnCreateTitle_click is the click event of the button client side. txtTitle is the textbox accepting the title name. Validators are created on the page to validate the textbox too.CreateTitle is a page method i call using scriptmanager

function btnCreateTitle_Click(evnt){
if(Page.ClientValidate()){
if($get("txtTitle")){
PageMethods.CreateTitle($get("txtTitle").value,success,failure,context);
}}}

the function success shows a growl message that title was created and shows a link with encrypted record id as query string to the url to view the details of created title.

Now the burning question,

  1. IS this secure enough? What am i missing?
  2. How could i make the process more secure and faster?
Cœur
  • 37,241
  • 25
  • 195
  • 267
Deeptechtons
  • 10,945
  • 27
  • 96
  • 178
  • what does encrypting the record id give you? do you salt it? is it to stop users guessing other id's they don't have access to? Encrypting it won't help that much. Without knowing how your authenticating clients, it's hard to say. Cookie based auth is usually secure enough and you can always run it over ssl. – Simon Halsey May 19 '11 at 10:27
  • @Simon yeah i salt the record Id and also while running a transaction i make sure the person is updating the record that he has created/access to. – Deeptechtons May 19 '11 at 10:29
  • what aspects of security worry you - what problem are you trying to solve? – Xhalent Jun 03 '11 at 23:18
  • @Xhalent Well i am exposing the Database record Id as plain encrypted text, someone can send spoofed data with this record Id(or am i mistaken). But fundamentally only authenticated members access the page[Forms Validation]. Does webservice check for `potentially dangerous input` like webform does? have more questions but wanted to get these points answered first – Deeptechtons Jun 04 '11 at 06:52

1 Answers1

4

While it is trivial to restrict any method to authenticated and authorised users, when you expose db id's in query strings you do open the possibility that an authenticated and authorised user may seek to access records that they aught not. This is particularly so when the db id's are integers or some other easily guessed identifier. Using Guids as db ids may mitigate the risk of this, though not absolutely.

What you always need to remember is DO NOT TRUST INPUT. Security through obscurity (ie encryption etc) is not a reliable technique. Your service should always verify the the current user is allowed to retrieve the records they have requested. Sometimes this is known as row level security. This can only be done programmatically.

eg instead of only determining that someone is authorised to view a record, you need to verify that they have rights in fact to access the record they are requesting.

This means you need some way of relating records to an authenticated user.

BTW: any HTTP request is validated for potentially dangerous input.

Hope this helps,

Xhalent
  • 3,914
  • 22
  • 21
  • that was more promising answer than expected. So i will have to program more for security. Also encryption is also not so reliable i feel. thanks – Deeptechtons Jun 05 '11 at 16:54
  • This is obviously the answer you were looking for. I deleted my answer as it is more of a suggestion of implementation rather that a good explanation. You do can demand certain roles using IPrincipalPermission attribute and some work to make it work with custom roles it seems. – Ernesto Jun 06 '11 at 13:51