I'm making a uploading program, though its just come to my thought of .exe .net decompliers. I want to know is it safe to put my FTP details in my program?
Depending on how you use the program. If it is only for you, then this should be OK, but I won't recommend doing it if you distribute the app somewhere.
Simplest way to see the strings in the program is using strings command on Linux or its equivalent on Windows - described here. This will show you the strings that are present in the file, and may be even simpler than obfuscating the code.
If you are going to distribute the app, I would suggest either:
Adding some configuring section, where the user himself enters the credentials, or
Permission the FTP to anonymous login correctly and let the users log in with anonymous login. It will have the same security strenght as adding the password to the file. This may be useful for just downloading the data, but won't really work for uploads, as anyone would be able to fill your FTP with any data. For that, you'll have to use the first way.
Related
Im using basic auth in nginx, no issue there, but i would like to limit the number of distinct locations a user is authenticated,
The end goal is to prevent user sharing access data to website, since the website does real time "monitoring" of some data, i wan't that if the same user/pass combination is used from another ip, that or either both users stop getting data,
or one of them stops getting data.
I don't think that is a good idea, because a user may log in via pc and mobile phone at the same time and has two different ip addresses that way. Also http-auth isn't designed to do what you want it to. It would have to remember the ip-address and make it expire somehow, when the user leaves without logging out. Altogether would it be difficult to guess for how long the session is valid. Another problem is, that most users don't have static IPs and get disconnected by their providers every 24 hours. What happens if that occurs after a valid login?
The most popular method to deal with this kind of problems are session-cookies. These can be described as a one time password and you can use that for as long as you want or until it expires. SessionIDs are usually saved in some kind of database and making those sessions unique would not be a big deal and may therefor be what you want. Luckily the
ngx_http_auth_request_module would allow you to only implement this missing part and would bring you as close as you can get without developing your own nginx-module (see https://www.nginx.com/resources/wiki/modules/ for available modules).
On the other hand: Don't do that. Seriously. If you care for security, do not try to reinvent the wheel and use something, that has already proven. E.g. ngx_http_auth_jwt_module allows you the use of OpenID, which also sets you free from saving sensible user data on your server (because nobody wants to save passwords unless it is absolutely necessary).
Both of these methods require nginx-modules, which may not be installed on your server. If you don't have the permissions to build them, I would suggest to add that to your question, so that others can suggest solutions for non root servers.
If you want to keep it simpler you should also consider to generate download links each and every time and save ip-address and download link address in a database. Delete entries when a user downloads that file and you are done. For that to work you can use the
Content-Disposition: attachment; filename=FILENAME-HTTP-Header, so that your download.php doesn't save a file that called alike.
May be you can also find some kind of javascript to replace ngx_http_auth_jwt_module and use OpenID with http-auth. That can work, because it is possible to do the authentication with ajax as well.
Last but not least: If you still want to do http-auth, also use HTTPS, because your passwords won't be encrypted by this auth-method by default.
What you want to do is unusual so you will need to write a lot of the logic to handle the process.
Your code will need to store a User ID and IP Address pair for each loged in user and validate each attempted log in against this. As the previous answer pointed out, you will need to expire logins etc. Basically, you need to roll a session handler.
This is not impossible or particularly difficult but you need to write it yourself in one of the scripting languages available to Nginx which are either Perl, which is not recommended due to limited ecosystem in Nginx, or Lua, which is highly recommended due to the massive Nginx lua ecosystem (used by Cloudflare for instance).
You will need to compile in the 3rd party Nginx Lua Module and associated modules or just uninstall Nginx and use the Openresty Bundle which already has everything you will need included instead ... including Redis for storage if you need to scale up.
Here are some tools you can use as your building blocks
Openresty Session Library
Openresty Redis Session Library
Openresty Encrypted Session Module
Note that you can implement Openresty stuff directly in Nginx if you wish without having to run Openresty as it is just a convenient bundle of Nginx and useful module.
I have a client who wants me to automate certain document processing work.
There is this pdf that can only be opened by sending in username and password to a DRM server.
When I open it using Acrobat, I see this.
I have the username and password, courtesy of the client.
Issue is how do I automate this?
I have done web scraping before, where I automate a web login so that I can execute certain routine tasks.
But this is the first time I am trying to automate an authentication that does not occur inside the browser.
How do I go about doing this?
Companies pay a lot of money to do exactly not this. http://www.adobe.com/devnet/reader/topic_drm.html. I suspect the amount of effort to do this will not be worth it, especially if you are going to try and dive into the actual protocols/plugins used and hook in directly. This would be very implementations specific and likely to break in the future.
Your best bet is to leverage the existing Adobe Application and wrap it in an Automator script. Unfortunately, OSX specific.
They won't have generic workflow hooks, so the quick and nasty way would be to just record yourself doing it once, and play it back time and time again.
Workflow:
Drag PDF onto custom app
Automatically populate username
Automatically populate password
If you are looking for somewhere to start: http://www.macosxautomation.com/automator/features/virtual-user.html
The DRM module itself can set permissions about how you can print and re-distribute the files itself, you won't be able to get around any of that, but assuming you have all the permissions set correctly, you should at least be able to automate opening the file itself on OSX.
I'm not new to programming and software development but I am new to password safe application in VB.
I have created a password safe application where you can add and remove passwords and usernames. But of course, if you exit the application the information goes away. I know you can use the settings to save user data but it's not quite what I'm looking for, or is it?
I have heard that VB can save text and information to a text file or an xml file and retrieve it later. Is there a certain keyword or term for this that I could google and learn about, or a web link? This would be very helpful! Thanks!
P.S. If you need anymore info i would be glad to edit this post
I am now motivated to explore a coding language so that I can make the best solution possible.
But I am not sure of the capabilities of all coding langugages, so I am asking for advice.
I want to automate some of the daily processes I do at the office. There is an external database on the internet that we use. We access it with a smart card and secured http.
In short, these are the actions that I do each time I restart the browser or a session ends:
Open a Secured HTTP. /....jsp
After being promted I choose an installed certificate
A smart card is called and I enter a PIN. /charismatics smart security interface/
The page asks me to log in with a username and password.
I open the desired link.
I extract the data from the opened webpage manually.
Is it possible to have all these action automated by code?
THANK YOU FOR ANY SUPPORT
If you get a PIN screen from the charismatics smart card security interface instead of from the operating system then it it may be very hard to automate this. Your program is unlikely to get access to the PIN popup Window.
If you get the PIN prompt from a CSP (as you mentioned in the comments) then it may be possible to automate the PIN login. The PIN is normally used to set up the SSL/TLS connection, so having it open in the browser won't help you much, unless you program the browser itself.
If you are bound to CSP's it may be best to keep to C#/.NET. There are of course bindings for other runtimes, but it is better to have as much control as possible.
You may want to take a look at topics such as parsing HTML, because that's something you certainly need to do. Life becomes a lot harder if the web-pages are filled in using JavaScript, so you may check for that first.
Now if you want to manually choose a link you may want to render the page in your own application and handle the download yourself.
This is certainly not a task I would recommend when starting off on an unknown programming language. I would find this a tricky task - there are a lot of ifs left with this description.
I am trying to use BetterAuthorizationSample rather then go the so called "malicious" way of using setuid in order to get root privileges.
Currently I am using AuthorizationCreate(); with BLAuthentication to have root access to changing some files, but I am somewhat irritated by the fact that I have to constantly enter my password in every time the app launches.
So I came across Apple's method of a HelperTool, and I just can't figure it out.
I've been working with Cocoa for a couple months now, but this is just out of my reach, yet I still need it. How would I implement this tool to do simple root-privileged tasks?
Is there a simpler way to use the concept of a HelperTool, so that my users can just enter their password once and it would grant root-privileges forever?
The "modern" way to do a helper tool on Mac OS X is to ship it as part of your app, and use the ServiceManagement framework to deploy it. Your users enter their password once, when deploying the tool. That installs it as a launchd job; from then on you use any launchd on-demand mechanism to launch the helper and get it to do work for you.
Notice that the blog post linked above recommends that you protect subsequent invocations of the helper with an Authorization Services escalation, to avoid having an arbitrary privilege escalation that anyone can use. This seems like it somewhat impacts the "users can just enter their password once" benefit, although you can use AuthorizationRightSet() to create your app's authorization token in the policy database, so you can actually define whether users need to present passwords on first deployment.
The sample code from that post is on GitHub, and demonstrates using ServiceManagement to deploy the helper tool and Authorization Services to control access to it.