Scriptico

How To Secure Your Application (Flex + Remoting/RPC)

In the following article I would like to show how to secure a Flex application which uses RPC (remote procedure calls) to communicate with the server side. The article consists of three parts:

  1. A simple use-case and the problem description
  2. How to hack a Flex application
  3. How to secure it

The problem is not tied to any particular product. The solution provided below, however, is specific to WebORB for .NET. Let's move on to step #1.

Simple Use-Case and The Problem Description

Let's assume we have a simple server-side class with a single method with the following signature:

public String GetMyString()

The client side is a Flex application which uses AMF/RPC to invoke methods on the server class. The workflow is simple: make an RPC call, get the server response, and display the invocation result. You will find the complete application project at the end of the article.

Now, let's look at the problem. The problem is that anyone can call your service, and if the service is not secured this can lead to a number of issues: loss or disclosure of critical data, abuse of the server, or even taking your system down. You must be thinking "but I have a cross-domain policy in place...". If so, great, but a cross-domain policy is enforced by the Flash Player, so it only restricts Flash clients; it is useless against any other client type (Java, C# in a standalone .NET app, Python, etc.), because such a client never even reads it. Surprised? Before moving on, I would like to say that the following information is not an instruction for how to hack a Flex/Flash site and is written only for educational purposes. I am not responsible for any damage to any site. OK, the next step shows the problem in action.

How to Hack It?

Let's deploy the application from step #1 (you will find the source files below) and make a call from the client application. Our service method returns the string "Hello, Client". Now install an AMF-aware proxy (it must be able to decode AMF calls). I prefer AppPuncher for many reasons, and you can see what kind of information it provides from the screenshots and descriptions below; however, Charles or any other product of the same nature will do. Next, run the AMF proxy, make one more call to the server, and analyze the request/response data. Let's consider the following screenshot.

As you can see, the request contains the following information:

  1. URL – the server-side endpoint
  2. Operation – the service method name
  3. Source – the service name (actually the fully qualified Package.Class name)
  4. Destination – the service destination

[Screenshot: the AMF proxy's view of the request, showing the URL, Operation, Source and Destination fields]
Now we need a simple Java client to call the service method; the attachment contains a complete Eclipse project (you still need the AMF Java client library provided by WebORB). The Java client code is simple and clear, so I will not bother you with an explanation.
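The Java client is not the only way to do this, and a library is not even required. As an added example (not code from this article, the attached project or WebORB), here is the same call built from scratch in Python with nothing but the standard library: it encodes an AMF0 packet of the classic NetConnection form, in which the Source and Operation that the proxy displayed are simply the target URI "Package.Class.Method", parses the reply, and shows that those names sit in the request in clear text. The class name ScriptSamples.MyService and the "/1" response URI are assumptions; the article never names the service class. Flex RemoteObject clients send the newer AMF3 form instead, where destination, source and operation are explicit fields of a RemotingMessage, but those are just as readable to anyone who parses the bytes.

```python
# Hand-rolled AMF0 remoting client pieces (added example, not WebORB's code): build the
# request a non-Flash client sends, parse the reply, show the method name is in the clear.
import struct

SOURCE = "ScriptSamples.MyService"   # assumed Package.Class of the service
OPERATION = "GetMyString"            # the article's only server method

def _utf(s):
    # AMF0 UTF-8 string: 2-byte big-endian length followed by the bytes
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def amf0_encode(value):
    # Only the AMF0 types a simple RPC call needs: null, number, string, array, object
    if value is None:
        return b"\x05"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return b"\x00" + struct.pack(">d", float(value))      # number = IEEE double
    if isinstance(value, str):
        return b"\x02" + _utf(value)
    if isinstance(value, (list, tuple)):                      # strict array
        return b"\x0a" + struct.pack(">I", len(value)) + b"".join(map(amf0_encode, value))
    if isinstance(value, dict):                               # anonymous object
        body = b"".join(_utf(k) + amf0_encode(v) for k, v in value.items())
        return b"\x03" + body + b"\x00\x00\x09"               # empty key + object-end
    raise TypeError("unsupported type: %r" % type(value))

def build_packet(target, response_uri, body_value):
    # AMF0 packet: version 0, zero headers, one message with a length-prefixed body
    body = amf0_encode(body_value)
    return (struct.pack(">HHH", 0, 0, 1) + _utf(target) + _utf(response_uri)
            + struct.pack(">I", len(body)) + body)

def build_request(source, operation, args):
    # NetConnection-style call: target URI is "Package.Class.Method", body is the args
    return build_packet("%s.%s" % (source, operation), "/1", list(args))

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated packet")
        self.pos += n
        return chunk
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def utf(self):
        return self.take(self.u16()).decode("utf-8")
    def value(self):
        marker = self.take(1)[0]
        if marker == 0x00:
            return struct.unpack(">d", self.take(8))[0]
        if marker == 0x02:
            return self.utf()
        if marker == 0x03:
            obj = {}
            key = self.utf()
            while key != "":                                  # empty key ends the object
                obj[key] = self.value()
                key = self.utf()
            if self.take(1)[0] != 0x09:
                raise ValueError("bad object-end marker")
            return obj
        if marker in (0x05, 0x06):                            # null / undefined
            return None
        if marker == 0x0a:
            return [self.value() for _ in range(self.u32())]
        raise ValueError("unsupported AMF0 marker 0x%02x" % marker)

def parse_packet(data):
    # Decode an AMF0 packet into its version, headers and messages
    r = _Reader(data)
    version = r.u16()
    headers = []
    for _ in range(r.u16()):
        name, must_understand, _len = r.utf(), r.take(1)[0] != 0, r.u32()
        headers.append((name, must_understand, r.value()))
    messages = []
    for _ in range(r.u16()):
        target, response, _len = r.utf(), r.utf(), r.u32()
        messages.append({"target": target, "response": response, "body": r.value()})
    return {"version": version, "headers": headers, "messages": messages}

def describe_call(data):
    # What an AMF proxy shows for a request: service (Source), Operation and arguments
    msg = parse_packet(data)["messages"][0]
    source, operation = msg["target"].rsplit(".", 1)
    return {"source": source, "operation": operation, "args": msg["body"]}

if __name__ == "__main__":
    pkt = build_request(SOURCE, OPERATION, [])
    print(pkt.hex(), describe_call(pkt))   # the method name is readable in these bytes
    # Constructed reply shaped like a gateway success response (not a real capture)
    reply = build_packet("/1/onResult", "null", "Hello, Client")
    print(parse_packet(reply)["messages"][0]["body"])
```

To actually hit a gateway, the packet is simply the body of an HTTP POST with Content-Type application/x-amf to the endpoint URL shown by the proxy; any HTTP client can send it, and without authentication on the server there is nothing that distinguishes this client from the Flash one.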

OK, the client is ready, so let's make a call and see what we get back. The following screenshot shows the invocation result:

[Screenshot: the Java client's invocation result, the string "Hello, Client" returned by the service]

Unfortunately (for the owner of the service), we were able to get data from the server without any problems: the cross-domain policy never came into play, because the Java client is not the Flash Player.
How to Secure It

Luckily, it is not hard to secure our application. The approach described below applies only to WebORB for .NET and is already described in the official Midnight Coders documentation. If you use WebORB for Java, read the corresponding part of the WebORB documentation in addition to this article. In general, the solution is to create a custom authentication handler and register it in the weborb.config file. The client side of the application must then supply user credentials. When WebORB receives a request carrying credentials, it delegates their verification to the authentication handler: the handler either returns an IPrincipal for the caller or throws, in which case the invocation is rejected. The following code demonstrates a sample handler:

using System.Security.Principal;
using Weborb.Security;   // IAuthenticationHandler; also import the namespace that declares
                         // WebORBAuthenticationException in your WebORB version

public class MyAuthHandler : IAuthenticationHandler
{
    #region IAuthenticationHandler Members
    public IPrincipal CheckCredentials(string username, string password, Weborb.Message.Request message)
    {
        // Hardcoded credentials for demonstration only. A real handler looks the user up
        // in a database or directory and compares a password hash, never the clear text.
        string exUser = "george";
        string exPass = "jimbeam";
        string[] exRoles = new string[1] { "MegaDude" };

        // Throwing here makes WebORB reject the invocation.
        if (!username.Equals(exUser) || !password.Equals(exPass))
            throw new WebORBAuthenticationException("Invalid username or password");

        // Success: hand WebORB a principal; the roles are available for authorization later.
        GenericIdentity identity = new GenericIdentity(username);
        GenericPrincipal principal = new GenericPrincipal(identity, exRoles);
        return principal;
    }
    #endregion
}

OK, now let's improve the client-side code. The following code shows how to supply the credentials before the call:

...
_service.setCredentials(ti_username.text, ti_password.text);
_service.GetMyString();
...

Build it, run it, and make a call without credentials. You should get an error! Try entering wrong credentials. Error again! The approach works with the Flash client, but what about our Java client? The same story: you cannot make a successful call without the right credentials. Two caveats are worth stating. First, the credentials travel inside the AMF request just like the call itself, so serve the gateway over HTTPS; otherwise the same proxy that showed you the request will show the password. Second, the handler above only authenticates; it does not decide which methods an authenticated user may invoke, so that remains a separate authorization step built on the roles the handler returns. So, it looks like the problem is solved. If you do not agree, please post a comment ;)

Resources

 

Category: Action Script, Flex, WebORB (.NET)
