Authorization between Delphi app and web server - authorization

I have Lazarus(quite a lot like Delphi) application which downloads few files from https://example.com/UpdateFolder. And i was wondering if anything can be done in order for APP to know that it is downloading files from right website? Because if I am right there is a way for hacker to trick APP into going to different website and downloading wrong files and I think it is done somehow by editing system32/driver/etc/hosts file. I would appreciate any suggestions

It depends entirely on your application that downloads the files. If it's able to handle SSL you have nothing to worry about AFAIK, since you need a trusted certificate before it'll make the connection, which will be hard to fake with a Windows host file edit.
Alternatively, and this is why we have domain names in the first place - so a last resort, you could hard-code the IP address of the server that contains the updates and do a trace to make sure the IP of the website your application is connecting to, is the same one you have on file.
However, this makes it very difficult if that IP changes, since you then need to roll out a new update of your entire application (or dll's responsible) just for that, and makes the process that much harder to maintain...

Related

Change Azure App API in real time

Prior to migrating from Mobile to App Services I could change node.js APIs in real time. Now changes seem to take an undetermined time to go live. I don't know if they're now being compiled or cached anywhere along the way. Ideally I would like to regain the ability to effect immediate change.
Technically, there is a file watcher that watches a subset of the files in your site - when you change one of those files, the site is meant to restart, thus making your change go live. This is configured in the web.config file which is a part of your site.
Make sure that the web.config is configured to watch the files you are interested in.
Restarting the site manually is a backup step that is effective.

Website move: how to block/detect all HTTP requests to old domain

I'm moving a website from old.com to new.com/old, but I have to make sure it works before deleting old.com.
It's a very large legacy website that probably has links, images, scripts and other things hardcoded to old.com. The problem is that these references to old.com aren't obvious since the site loads up perfectly since old.com is still up.
Is there a way to block all requests to old.com from my local machine only, or some other tool to make finding these references simpler?
The former is done by updating your hosts file on your local machine to point old.com to something else, this overrides what the internet DNS states. The latter very much depends on how your application is build and there is not enough info here.

Win 8 js code security

Im developing a win 8 game in js.
When i deploy my app, can any user can see my code files?
My files has some database passwords, i need to ofuscate it?
There's not really any good way to prevent people from mucking with your REST service if it's public. Sure, you can obfuscate things, digitally sign code, pass around certificates, etc. But in the end it's always possible for someone to reverse engineer your code, emulate a trusted client, or diagnose the network traffic directly.
A better solution here is to focus on mitigating unwanted attacks. Validate the input coming into each web service call, trust nothing, and do a threat analysis on your API. For example, if you were writing a Battleship game, have the server keep track of where each ship is and never expose that information to the clients, allowing them to write a fake client that could cheat. Do the scoring server side, so people can't just post fake scores and get on the high score list.
With that said, unless you're writing the next World of Warcraft, it's unlikely anyone cares enough about your game to jump through any hoops.
Everyone has access to every source file of your app. You just have to go to C:\Program Files\WindowsApps\ to see all your installed apps. If you have a HTML5 app installed, you'll notice that all the .html and .js files are freely accessible by anyone.
You may want to make a simple C# library that won't be so easy to reverse engineer, and put in it the "security critical" parts of your app. You can see how to integrate C# in HTML/JS apps in this MSDN page: http://msdn.microsoft.com/en-us/library/windows/apps/hh779077%28v=vs.110%29.aspx

Automatic file selection for upload

Is it possible for a website to automatically find a folder on usb stick and upload all the files in it to the web server by clicking only one button?
The problem is that I don't know how to make upload form automatically detect usb stick as the drive name(ie. G:, F:, etc) may vary from computer to computer, so hard coding path is not possible.
Ps. I'm using yii framework for site development, but can add a new page that will handle this in any other language as the client really wants this feature.
Web sites are not allowed to set default files to upload (it's a major security risk!). Also, web sites cannot scan the hard drive/enumerate what file systems exist on a system, again, for security purposes.
It might be possibly to do this with Flash/Silverlight/Java. Java seems the most likely to allow a web developer to do this (Java plugin seems to be quite willing to give out every permission under the Sun).
Short answer: No.
Long answer: Allowing automatic uploads in web browsers would be a huge security hole so the browsers intentionally prevent it. Even if you manage to find a hole that permits it, the browser makers will break it as soon as they find out.
However, if you have an environment where an actual separate program can be installed on the end user's computer you could easily write a program to do automated uploads of specified directories when launched.

How Adobe AIR application can find out what URL it was downloaded from?

We have an Adobe AIR application which could be possibly downloaded from multiple domains. And when it's run, it should connect back to the site it was downloaded from to get data to show to the user.
So far we have a separate application build for each domain with a site URL hardcoded into it. And I wonder is there a way for AIR application to find out at runtime the URL (or at least domain) from which it was downloaded?
What we would like to have is a single downloadable binary served from all different domains, which still can know it's origin URL.
There's no function to retrieve such information, it would just make no sense if you think about it.
The most stable way is to include an external configuration file into the package.
Note that you can use ANT to automate this process for this final deployment.
There's no direct way to do it.
Here are some options which come in mind:
Build different versions for each site (this could be automated)
Let user choose the site at first launch
Try to guess it using using whatever resources you have (timezone, language, etc)
How should this work? The only solution i see (independent from AIR) is that you deliver an extra (properties) file with the application, containing the URL downloaded from. So you dont need to build a separate app for each domain, but only package a different domain-file with it. The app then reads this file and executes some context sensitive stuff.
I am trying to address the exact same issue right now.
It looks like you can modify the install badge to pass parameters to the air app.
From what I gather the values are only passed down on install or launch-from-badge.
Something I plan on researching is that one of the parameters in "AIRBadge.as" is _appURL which is the URL of the page the badge is on. I don't yet know if that value makes it down to the installed AIR app in some way; but it could be a useful property. I'm ultimately hoping that the AIR install process injects that into the application descriptor xml, but I'm not holding my breath.
Check this page out: http://archive.davidtucker.net/2008/01/10/air-tip-5-passing-arguments-to-an-application-on-install/#
When the user downloads, you could store their IP address in your central DB. Then when the app is installed and runs the first time, the app could hit your central DB to match up their IP address with the server they downloaded from.
A cookie with a specific name being stored on a download page, and the AIR app looking for that? Though that might not work for direct downloads. It might also be hard to pull off since knowing the specific browser used to download it would be an issue.