
Help Blocking GET Input


Zulumander


Hi.

 

I recently developed a .NET Program (including GUI) which would send data to a website/dir/script.php by using the GET Method. However people are able to scan the program to find the path of the Script, and add in their own $_GET Data like Username=user&pass=pass, etc.

 

I want to block how they manage to input their own data, and just allow it through the program. I know this may sound stupid, and probably is a very delicate thing to do, but I really do need it.

 

The reason it should require the program, is because it uses the Machine's HWID to make sure they only do the Form 1 time a day (Data inserted to MySQL DB)

 

Currently they are for example changing their HWID every time they do a new request.

 

 

So my question is, is there any way to block user-input of GET variables?

Link to comment
Share on other sites

You cannot make it 100% safe, but you can make it a bit more troublesome. The easiest way to do so, is to implement SSH and asymmetric encryption to your application.

 

Note that even if you encrypt all of the communication, you have still given the user the key to said encryption. That means that they can still find this key, and send whatever input they like to the PHP page. Which means that you have to secure the PHP application properly in any way, to ensure that people are not able to attack your site easily.

 

That said: There is no quick fix for anything when it comes to security, and it is an ongoing process during the entire planning, programming and maintenance stages. What steps you need to take depends upon all other choices you've made, and what capabilities you want to have in your code.

Link to comment
Share on other sites

Thanks a lot for helping!

 

Well, I did a sneaky thing by reversing the Username & Password $_GET values to be rendered useless, by using Session instead. Because the program requires authentication before sending the parameters, so now it'll base it on those parameters instead. So now they cannot do that to the Script that actually is worth protecting.

 

However, if they find the link to the Authentication Script, they may just as well be able to do the very same thing again. I'm stumped.

Link to comment
Share on other sites

A few ways you can do this sort of thing, but one simple way is to create a unique key using a salt that only you know about.

 

In your program, get all the details you are going to send into one string, eg;

 

$s = "username=foo&data=bar";

Hash this string along with your salt and append it to the actual string.

$s = "username=foo&data=bar";
$hash = sha1('somesalt' . $s);
$s = "username=foo&data=bar&key=" . $hash;

Now, on the receiving end make sure that the data within $_GET['key'] equals the entire original string.

 

You can even add a timestamp to this sort of thing so that a request only has a short lifespan before it needs to be regenerated again.

 

This is how we do all our app to app api calls at work, simple, yet effective.

Link to comment
Share on other sites
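
The signing scheme from the post above, sketched for the receiving PHP script as an added example (not code from the thread or from any poster). It swaps sha1('somesalt' . $s) for HMAC-SHA256 via hash_hmac(), compares with hash_equals(), and includes the timestamp idea; SHARED_SECRET, MAX_AGE, the ts parameter and both function names are assumptions made for the example.

```php
<?php
// Added example: the secret and parameters are constructed, not values from the thread.
const SHARED_SECRET = 'example-secret-change-me'; // placeholder; the client embeds the same value
const MAX_AGE = 300;                              // assumed lifetime of a signed request, in seconds

// Client side of the scheme: add a timestamp, canonicalise, sign, append the key.
function sign_request(array $params, int $now): string
{
    $params['ts'] = $now;
    ksort($params);                          // fixed parameter order on both sides
    $query = http_build_query($params);
    $mac = hash_hmac('sha256', $query, SHARED_SECRET);
    return $query . '&key=' . $mac;
}

// Receiving script: recompute the MAC over everything except 'key' and compare.
function verify_request(array $input, int $now): bool
{
    $sent = $input['key'] ?? null;
    $ts = $input['ts'] ?? null;
    if (!is_string($sent) || !is_string($ts) || !ctype_digit($ts)) {
        return false;                        // missing or malformed fields
    }
    if (abs($now - (int) $ts) > MAX_AGE) {
        return false;                        // request is outside its lifespan
    }
    unset($input['key']);
    ksort($input);
    $expected = hash_hmac('sha256', http_build_query($input), SHARED_SECRET);
    return hash_equals($expected, $sent);    // constant-time comparison
}

// Constructed demo: parse_str() stands in for PHP filling $_GET.
$now = 1700000000;
parse_str(sign_request(['username' => 'foo', 'data' => 'bar'], $now), $get);

var_dump(verify_request($get, $now));        // request exactly as signed

$tampered = $get;
$tampered['username'] = 'admin';             // parameter changed after signing
var_dump(verify_request($tampered, $now));

var_dump(verify_request($get, $now + 3600)); // same request replayed an hour later
```

As the later posts in the thread point out, the secret also ships inside the client, so this check only stops requests from someone who has not extracted it.
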

Dumb question: Do you need to send the data via GET? Something like what you describe just screams POST to me.

 

You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET.

 

And thank you, trq, for the input, I will give it a go.

Link to comment
Share on other sites

A few ways you can do this sort of thing, but one simple way is to create a unique key using a salt that only you know about.

 

In your program, get all the details you are going to send into one string, eg;

 

$s = "username=foo&data=bar";

Hash this string along with your salt and append it to the actual string.

$s = "username=foo&data=bar";
$hash = sha1('somesalt' . $s);
$s = "username=foo&data=bar&key=" . $hash;

Now, on the receiving end make sure that the data within $_GET['key'] equals the entire original string.

 

You can even add a timestamp to this sort of thing so that a request only has a short lifespan before it needs to be regenerated again.

 

This is how we do all our app to app api calls at work, simple, yet effective.

 

 

I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt"

 

Then wouldn't they be able to just get a Free-web host, and get the parameters like this:

 

echo sha1('somesaltusername=myuser&password=mypass');

 

And eventually do it as

 

 

 

Technically?

Edited by Zulumander
Link to comment
Share on other sites

I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt"

The main idea is that your average user/script-kiddy isn't going to either be able to, or take the time to try and extract the key/salt from your software.

 

Someone who does decide to try and extract the key/salt from the program could continue to generate their own requests.

Link to comment
Share on other sites

You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET.

.Net is quite capable of sending POST requests.

 

I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt"

When you said "scan", I thought you meant they were watching the requests it was making, not scanning through the actual code. It's .Net, can't you compile it?

Link to comment
Share on other sites

You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET.

Like trq said, and in doing web-based .NET work myself, .NET is definitely capable of sending a POST request. Indeed, that's how both ASP.NET and ASP.NET MVC work. There's absolutely no reason why you can't use the System.Net.Http namespace and send a HttpRequestMessage to your other script.

 

Really, you should probably be using ASP.NET MVC from the start if it's supposed to be web-based.

Link to comment
Share on other sites

The main idea is that your average user/script-kiddy isn't going to either be able to, or take the time to try and extract the key/salt from your software.

 

Someone who does decide to try and extract the key/salt from the program could continue to generate their own requests.

 

 

I understand the idea, and of course they may have a difficult time figuring out the key's encryption, I'm just saying it would still be possible if they're capable enough, and I understand that's an inevitable factor which nobody can deny. But I also see where you're coming from, stating average user/script-kiddy, seeing as the people I'm talking about aren't exactly 'big-crackers' so to speak, so I totally agree with you.

 

 

.Net is quite capable of sending POST requests.

 

 

When you said "scan", I thought you meant they were watching the requests it was making, not scanning through the actual code. It's .Net, can't you compile it?

I never bothered with POST Requests through .NET mainly because I had no clue it actually worked. I was told so by my teacher back in College. I guess he wasn't much of a teacher, then..

 

I'm sorry for not being literal on the 'scan' part, I meant that they decompiled the Program itself, and just read bits and pieces of fragments of the code that remained, and eventually put together the required pieces for the 'recipe' (Link + Parameters).

 

I have currently solved the solution by over-extending your suggestion of using a Key. This is what I did:

 

Note that when I said Webbrowser, I was also not specific. What I meant was it's a hidden Browser which the user can't see nor navigate through, so all Requests to the pages, are hidden.

 

1. Created a very long Hash Key (no encryption yet)

2. Added the Additional User Credentials (Everything combined) to the Hash (Hash &= Extras)

3. I then encrypted the Key, X amount of times, and used it to send as a parameter to the webscript.

4. Additionally, I exaggerated the security check by encrypting the Username & Password X amount of Times, that are also sent to the Script.

5. The receiving end - The Script - then checks if the Key matches the Script's Generated Version of the Key, and also checks if the Session's Username & Password matches the Hashed Username & Password sent from the program, to the script.

6. I compiled the Program

7. I obfuscated as much as I possibly could, making it more difficult to read & crack.

8. Shared it with my large playerbase.

 

This seems to have worked out thus far, and I'm hoping it will stay that way. I thank you for your help, it's appreciated.

 

I'd also like to ask how You'd send POST Requests from .NET, like Let's say I grab the User's HWID, and there's a type="hidden" field of the POST Form, how would I make the Script determine that the hidden field for HWID, should contain the details of .NET's variable that grabs the HWID?

Link to comment
Share on other sites

How are you sending the GET request?

 

Functionally, GET and POST are very similar - they're just key-value pairs.  If you can grab the HWID and stuff it in a pair for a GET request, you can definitely do the same for POST.  In terms of actually sending the requests, that's a bit out of bounds on a PHP forum, but like I wrote earlier, look at the System.Net.Http namespace and the HttpRequestMessage class (MSDN is your friend: http://msdn.microsoft.com/en-us/library/system.net.http.httprequestmessage.aspx -- if that doesn't match your version of .NET, search for what will match your version).

 

You likely don't need your hidden browser, either, as a browser is not required to send HTTP requests.  Look at cURL as an example.  You can just have whatever UI you're using tell your underlying process to send a HTTP request to the other script, then display the results.  Even better, you can do it in a RESTful way, meaning only using GET to retrieve information, and using POST to create/update/send data (like a user login).

 

EDIT: And yeah, your college teacher sounds like he didn't know what he was doing.  .NET has never not been able to send POST requests.  Web forms/ASP wouldn't work without it.

Edited by KevinM1
Link to comment
Share on other sites
