Are Silverlight Apps Affected

  • Question

  • User1718006580 posted

    Are Silverlight applications vulnerable to this exploit?

    Tuesday, September 21, 2010 2:16 PM

All replies

  • User315336256 posted

    Please provide more feedback.

    What ASP version is on the server? (You might still be susceptible to the web.config download hack)
    Are you using web forms authentication and roles or authenticating using Silverlight?
    Are you storing any information in session cookies?

    Tuesday, September 21, 2010 3:27 PM
  • User1718006580 posted

    We are on .NET 4.0.

    This is an extranet application and we are using Windows Authentication.

    To my knowledge we aren't storing anything in cookies.

    Tuesday, September 21, 2010 4:39 PM
  • User2025044020 posted

    Yes, all versions of ASP.NET are affected. You should implement the workaround. 

    Wednesday, September 22, 2010 9:59 AM
  • User315336256 posted

    If you're on .NET 4 then you should DEFINITELY apply the fix because your web.config file can be downloaded. 

    If your Silverlight app is consuming a WCF service and that service also lives in ASP then you will need to apply the fix to that service as well.

    As a side note: please remember that a Silverlight application is downloaded and runs from the user's local machine. You have to be really careful about how authentication and roles management is implemented because anybody can unzip the xap file, go through the code with .NET Reflector and figure out how to get past your authentication or roles implementation. (I'm talking about things like it's not enough to use visibility to hide certain screens or functionality from users)

    Wednesday, September 22, 2010 1:02 PM
  • User1718006580 posted

    If you're on .NET 4 then you should DEFINITELY apply the fix because your web.config file can be downloaded. 

    If your Silverlight app is consuming a WCF service and that service also lives in ASP then you will need to apply the fix to that service as well.

    As a side note: please remember that a Silverlight application is downloaded and runs from the user's local machine. You have to be really careful about how authentication and roles management is implemented because anybody can unzip the xap file, go through the code with .NET Reflector and figure out how to get past your authentication or roles implementation. (I'm talking about things like it's not enough to use visibility to hide certain screens or functionality from users)

    Thanks.  I'm actually the DBA and only helping out on the C# side and wanted to get some information. 

    We are using RIA Services and, honestly, I don't really understand how that ties with WCF, although I know that they are related in some way.

    Your side note was very interesting to me because I was having a discussion with one of the other developers about where encryption and decryption of data should take place, especially since this is dependent on the role a user is in.  We are currently decrypting data in the DAL and only hiding the plain text value on the client.  Based on your comment I'd think we might want to go away from that and only decrypt the data on the server side if the user has rights, which was the way I was advocating, but not being an expert on the application development side I went along with the developer.  I'm not saying they are wrong, I'm just saying that this adds some more information to think about.


    Thanks again.

    Wednesday, September 22, 2010 6:43 PM
  • User315336256 posted

    SQLWiseGuy,

    You're absolutely right.

    Treat Silverlight like this: Anyone who has access to our application has access to our source code. So we have to code as if we were creating an open-source application. I have personally taken an existing application which was built in Silverlight, taken its DLLs from the xap file and included them in my ASP.NET project. After that I was able to create classes and methods and call the same exact WCF services that the Silverlight application was calling. Furthermore I used .NET Reflector to get the source code of the classes and recreate them as I saw fit.

    Where does the DAL live? Is it part of the Silverlight application? (As files or included DLLs?) How are you hiding the plain text values?

    [EDIT] - You might want to think about integrating web forms authentication and only serve up the Silverlight client to authenticated users.

    Thursday, September 23, 2010 4:30 PM
  • User1718006580 posted

    SQLWiseGuy,

    You're absolutely right.

    Treat Silverlight like this: Anyone who has access to our application has access to our source code. So we have to code as if we were creating an open-source application. I have personally taken an existing application which was built in Silverlight, taken its DLLs from the xap file and included them in my ASP.NET project. After that I was able to create classes and methods and call the same exact WCF services that the Silverlight application was calling. Furthermore I used .NET Reflector to get the source code of the classes and recreate them as I saw fit.

    Where does the DAL live? Is it part of the Silverlight application? (As files or included DLLs?) How are you hiding the plain text values?

    [EDIT] - You might want to think about integrating web forms authentication and only serve up the Silverlight client to authenticated users.


    Thanks.  

    The DAL lives on the server; all we pass up the stack are POCO objects.  I'm not sure how we will be hiding the plain text values.  I'm assuming with a visible = false or whatever the equivalent is in Silverlight (I'm programming DB and Business Layer, not UI).

    We are requiring authentication before serving up the SL client so we are good there.  You have to have permissions to get it.

    Thursday, September 23, 2010 4:45 PM
  • User315336256 posted

    I'm not sure how we will be hiding the plain text values.  I'm assuming with a visible = false or whatever the equivalent is in Silverlight (I'm programming DB and Business Layer, not UI).


    This is where you're going to have a problem.

    Your current application sounds like this:

    Authenticate > Assign Role
    Silverlight (Requests Data) > WCF Service > Silverlight (Receives Data > Hides Data Based on User Role) 

    Let's say I am an authorized Level 1 user. I take a look at the code and see that you're not letting me see Level 3 information by hiding it through the UI. I will then create an application which makes the same exact calls to the WCF RIA Service and retrieves the information.
     

    Your application should be structured something like this: 

    Authenticate > Assign Role
    Silverlight (Requests Data) >  WCF Service (User Role Meets Requirements to Receive Data) > Silverlight (Receives Data)
    Silverlight (Requests Data) > WCF Service (User Role DOES NOT Meet Requirements to Receive Data) > Silverlight (Receives Error)


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 23, 2010 5:05 PM
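The structure the accepted answer recommends, written out as an added example (this is not code from any of the posters or from their application). It is a WCF RIA Services domain service in which both the role decision and the decryption happen on the server, so a hand-written client that replays the same calls receives exactly what the Silverlight UI would have shown and nothing more. The `CustomerRecord` entity, the role name "Level3", the in-memory repository and the use of DPAPI (`ProtectedData`) for at-rest encryption are all assumptions made for the example; the attributes `EnableClientAccess`, `RequiresAuthentication`, `RequiresRole` and `Query`, and the `ServiceContext.User` principal, are the real WCF RIA Services APIs.

```csharp
// Added example: server-side role checks and server-side decryption in a WCF RIA Services
// domain service. Entity, role name, repository and DPAPI storage are assumptions.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;

// What the Silverlight client receives. AccountNumber is null unless the server
// decided the caller may see it; there is no plaintext for the UI to "hide".
public class CustomerRecord
{
    [Key]
    public int Id { get; set; }
    public string Name { get; set; }
    public string AccountNumber { get; set; }
}

// Server-side row: the sensitive value is kept encrypted at rest.
internal class CustomerRow
{
    public int Id;
    public string Name;
    public byte[] EncryptedAccountNumber;
}

// Stands in for the DAL. The data below is constructed sample data.
internal static class CustomerRepository
{
    private static readonly List<CustomerRow> Rows = new List<CustomerRow>
    {
        new CustomerRow { Id = 1, Name = "Alice", EncryptedAccountNumber = Protect("1111-2222") },
        new CustomerRow { Id = 2, Name = "Bob",   EncryptedAccountNumber = Protect("3333-4444") },
    };

    public static IEnumerable<CustomerRow> Load() { return Rows; }

    private static byte[] Protect(string plain)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(plain), null, DataProtectionScope.LocalMachine);
    }

    // Decryption never leaves the server, so the xap file carries no key to recover.
    public static string Unprotect(byte[] cipher)
    {
        return Encoding.UTF8.GetString(ProtectedData.Unprotect(cipher, null, DataProtectionScope.LocalMachine));
    }
}

[EnableClientAccess]
[RequiresAuthentication]   // anonymous callers are rejected before any method body runs
public class CustomerDomainService : DomainService
{
    private const string Level3Role = "Level3";   // assumed role name

    // Any authenticated user may list customers, but the sensitive column is filled in
    // only when the server, not the client, finds the caller in the required role.
    [Query]
    public IQueryable<CustomerRecord> GetCustomers()
    {
        bool canSeeLevel3 = ServiceContext.User.IsInRole(Level3Role);
        return CustomerRepository.Load()
            .Select(r => new CustomerRecord
            {
                Id = r.Id,
                Name = r.Name,
                AccountNumber = canSeeLevel3 ? CustomerRepository.Unprotect(r.EncryptedAccountNumber) : null
            })
            .ToList()
            .AsQueryable();
    }

    // An operation only Level 3 users may call at all. RIA Services evaluates the attribute
    // on the server for every request; a Level 1 user replaying this call gets an
    // authorization error back instead of data, which is the "Receives Error" branch above.
    [Query]
    [RequiresRole(Level3Role)]
    public IQueryable<CustomerRecord> GetCustomersWithAccountNumbers()
    {
        return CustomerRepository.Load()
            .Select(r => new CustomerRecord
            {
                Id = r.Id,
                Name = r.Name,
                AccountNumber = CustomerRepository.Unprotect(r.EncryptedAccountNumber)
            })
            .ToList()
            .AsQueryable();
    }
}
```

The same shape applies to a plain WCF service hosted in ASP.NET rather than a RIA domain service: put `[PrincipalPermission(SecurityAction.Demand, Role = "Level3")]` on the operation and set the service's `PrincipalPermissionMode` to `UseAspNetRoles`, so the demand is evaluated against the ASP.NET role provider on the server. In both cases the test worth running is the one the answer describes: call the service from a client you wrote yourself, with a low-privilege account, and confirm the sensitive field is absent or the call fails.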