Simulate Read, Insert, Update and Delete Operations of Lightswitch entities using Fiddler

  • Question

  • How can you simulate Insert, Update, Delete and Read Operations of Lightswitch entities using Fiddler?

    Friday, October 9, 2015 11:17 PM

Answers

  • Security is one of the most important aspects of applications. It is crucial to implement the security server side.

    If you "secure" your application by making, for example, client-side controls read-only, then a malicious user can bypass your security by invoking HTTP commands directly against your middle tier's OData endpoint.

    One way to prove that your security works is to use Fiddler to perform these HTTP command invocations and inspect the results. Finally I managed to invoke all CRUD operations of a Lightswitch application with Fiddler.

    While security auditing some applications of our company we managed to discover many security holes. After this experience our new policy for Lightswitch application development is the following:

    1. Develop screens and let all controls be configured as updatable (text boxes instead of labels, phone editor instead of phone viewer etc.)

    2. Secure the involved entities server side using _isReadOnly, _CanInsert, _CanRead, _CanDelete, _CanUpdate, _filter (Row Level Security), _Inserting and _Updating.

    3. After checking, interacting with the screen, that the server security works, make the necessary screen controls read-only in order to deliver a better user experience.

    When I have the time I will explain how to invoke a Lightswitch application's CRUD operations from Fiddler.

    • Edited by Jean Pierre Chauny Wednesday, October 14, 2015 8:16 PM
    • Proposed as answer by Angie Xu Wednesday, October 21, 2015 7:50 AM
    • Marked as answer by Angie Xu Thursday, October 22, 2015 1:30 AM
    Tuesday, October 13, 2015 12:33 PM
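The server-side hooks named in step 2 above, shown as an added example (not code from the poster or from Microsoft); it assumes a `Customers` entity with `OwnerName` and `Created` properties and a `ManageCustomers` permission, all of which are made-up names for illustration. Because every hook runs in the middle tier, a direct OData request hits the same checks as the screen does.

```csharp
using System;
using System.Linq.Expressions;
using Microsoft.LightSwitch;
using Microsoft.LightSwitch.Security.Server;

namespace LightSwitchApplication
{
    public partial class ApplicationDataService
    {
        // Read is allowed only for authenticated users; _Filter narrows what they see.
        partial void Customers_CanRead(ref bool result)
        {
            result = this.Application.User.IsAuthenticated;
        }

        // Row-level security: users without the (assumed) ManageCustomers
        // permission see only rows they own, whatever $filter the client sends.
        partial void Customers_Filter(ref Expression<Func<Customer, bool>> filter)
        {
            if (!this.Application.User.HasPermission(Permissions.ManageCustomers))
            {
                string currentUser = this.Application.User.Name;
                filter = c => c.OwnerName == currentUser;
            }
        }

        // Insert, update and delete each need the permission; a read-only
        // control on the client is irrelevant to these decisions.
        partial void Customers_CanInsert(ref bool result)
        {
            result = this.Application.User.HasPermission(Permissions.ManageCustomers);
        }
        partial void Customers_CanUpdate(ref bool result)
        {
            result = this.Application.User.HasPermission(Permissions.ManageCustomers);
        }
        partial void Customers_CanDelete(ref bool result)
        {
            result = this.Application.User.HasPermission(Permissions.ManageCustomers);
        }

        // Server-assigned fields: overwrite whatever the request carried.
        partial void Customers_Inserting(Customer entity)
        {
            entity.OwnerName = this.Application.User.Name;
            entity.Created = DateTime.UtcNow;
        }

        // Reject updates that try to re-assign ownership through the payload.
        partial void Customers_Updating(Customer entity)
        {
            if (entity.Details.Properties.OwnerName.IsChanged)
                throw new ValidationException("OwnerName is managed by the server.");
        }
    }
}
```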

All replies

  • Hi,

    Fiddler is a tool that every web developer and IT administrator should have at their disposal.  It logs all web traffic between your computer and the IIS web server.  It seems that Fiddler can't do what you described above.

    With regards,

    Angie



    Monday, October 12, 2015 8:53 AM