Silverlight Capture Question

Let's say that the Silverlight application uses a web service, for example, to perform a login operation and obtain a security token to allow further web service calls.

And the web service sets clientaccesspolicy only for my SL application.

If the catcher tries to host this application without any changes, he will not be able to make anything work, since his hosting address will be different (I hope that I am right if you do not name this Q1)

But instead, he can simulate my web service on his own platform, change SL to call his service instead of mine (which will allow access), and inside his web service just redirect all calls to my initially protected silverlight calls, but not protected direct service services.

I think this approach allows me to steal my application without any problems. How to protect it if what I write is correct? (Q2)

Calls to my service will be transparent to the violinist, etc. It's not so difficult to create a simulated service and redirect SL to it, I think.

+4
2 answers

To ensure that a particular client connects securely to your web service, issue certificates (through a different channel) and use the certificate to encrypt the transmissions. A person in an average attack will fail if you accept only an SSL connection encrypted / signed with these certificates.

+1

I think I got an idea that might work.

Basically, about implementing IP verification of a request for webservice calls, this would make it a little slower, but we can test some strange situations and block IP addresses if they happen.

For example, if there are 5 different users sending requests from the same IP address (for example, on the same day), we block this IP for a certain period of time (during the day, week or forever).

This is a bit heavy, but I think there can be no other solution for this.

0
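The per-IP check proposed in the second answer, sketched as an added example that is not part of the original post: it counts distinct users per source IP per day and blocks the IP once the count reaches five. The class and function names, the one-day block period and the sample traffic are assumptions made for illustration; note that shared addresses (NAT, corporate proxies) reach the same threshold as a relaying service would.

```python
from datetime import datetime, timedelta

MAX_USERS_PER_IP_PER_DAY = 5          # threshold taken from the answer above
BLOCK_DURATION = timedelta(days=1)    # assumed; the answer leaves the period open


class IpUserLimiter:
    """Blocks an IP once too many distinct users call from it on one day."""

    def __init__(self, max_users=MAX_USERS_PER_IP_PER_DAY, block_for=BLOCK_DURATION):
        self.max_users = max_users
        self.block_for = block_for
        self.users_seen = {}      # (ip, date) -> set of user names
        self.blocked_until = {}   # ip -> datetime when the block expires

    def allow(self, ip, user, now):
        """Record one web service call; return False if it must be rejected."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False
            del self.blocked_until[ip]          # block has expired
        users = self.users_seen.setdefault((ip, now.date()), set())
        users.add(user)
        if len(users) >= self.max_users:
            self.blocked_until[ip] = now + self.block_for
            self.users_seen.pop((ip, now.date()), None)  # start fresh after the block
            return False
        return True


def replay(events, limiter=None):
    """Run (timestamp, ip, user) events through the limiter; return decisions."""
    limiter = limiter or IpUserLimiter()
    return [limiter.allow(ip, user, ts) for ts, ip, user in events]


# Constructed sample traffic: 203.0.113.7 relays five accounts, 198.51.100.4 one.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=i), "203.0.113.7", f"user{i}") for i in range(5)]
SAMPLE_EVENTS += [
    (T0 + timedelta(minutes=6), "198.51.100.4", "alice"),
    (T0 + timedelta(minutes=7), "203.0.113.7", "user0"),           # still inside the block
    (T0 + timedelta(days=1, minutes=10), "203.0.113.7", "user0"),  # block has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```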

Source: https://habr.com/ru/post/1347860/

