Tuesday, May 17, 2022

CORS with Windows Authentication in IIS

This post is about web security: how to enable CORS when the producer uses Windows authentication¹. The primary technology stack used here is Microsoft .NET.

Background

The web works on WebAPIs. WebAPIs are the entry points to consume services produced by producers. Often, the WebAPIs are exposed to web applications published by the same producer. Say Yahoo Finance exposes WebAPIs to retrieve financial data. If they don't protect the API, anyone can build a web application that consumes the Yahoo Finance API and place Google ads on it for monetization.

To prevent that, browsers have a mechanism, the same-origin policy, which only lets a page call APIs served from its own origin (scheme, host and port). But there are genuine situations that need cross-origin access, for example an application that needs to call a WeatherAPI exposed on a different domain name.

CORS

Cross-Origin Resource Sharing comes to help when we want to control who can call our APIs from a browser. It is based on HTTP headers. We can summarize it as follows
  1. For anything beyond a simple request (a verb other than GET, HEAD or POST, a non-safelisted request header, or a JSON content type), the browser first asks the producer whether it allows the current application's origin to make that call.
    1. This is called a preflight and uses the HTTP OPTIONS verb. It is sent without cookies or credentials.
  2. The producer responds to the browser with whether it allows calls from that origin, including which HTTP verbs and request headers are allowed. The browser only sends the real request if the preflight answered with a 2xx status and the headers permit it.
Note that the browser, not the producer, enforces the decision: CORS protects the user of a browser, and a script, curl or a server-side client is not restricted by it at all.
Read the Mozilla docs² for a better understanding.

If the producer is built with ASP.NET on the .NET Framework and hosted in IIS, it can specify who can access it by having the below web.config entries.

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="Access-Control-Allow-Origin" value="https://consumer.com" />
        <add name="Access-Control-Allow-Methods" value="GET,POST,OPTIONS" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Credentials" value="true" />
      </customHeaders>
    </httpProtocol>
</system.webServer>

Hope the above snippet is self-explanatory. It tells browsers that pages from https://consumer.com may call the producer's APIs with the GET and POST verbs, may send a Content-Type request header, and may include credentials. It works because IIS adds these static headers to every response it sends, including the preflight response. Two caveats a practitioner should keep in mind:
  • Because Access-Control-Allow-Credentials is true, Access-Control-Allow-Origin must name the origin exactly; a wildcard * is rejected by the browser for credentialed requests. The same applies to Access-Control-Allow-Headers and Access-Control-Allow-Methods: with credentials, * is treated as a literal header or method name, not as a wildcard, so list the headers the consumer actually sends (Content-Type here) instead of *.
  • Static headers mean a single allowed origin. If several consumers need access, the origin has to be checked and echoed in code rather than hard-coded in web.config.

The same headers can be set from C# or VB.NET code as well.

Problem

This works great for most scenarios other than Windows authentication. When the producer uses Windows authentication, things go wrong. The reason is that the browser sends the preflight request without any authentication information, so IIS answers the OPTIONS request with 401 and a Negotiate/NTLM challenge. A preflight that does not get a 2xx response fails, even if the 401 carries the CORS headers, and the browser never sends the real request.

Solution

Windows authentication is normally enabled at the web server level. If it's ASP.NET on the .NET Framework, there will be a web.config. Follow the below steps
  • The preflight requests should be anonymous, so OPTIONS must be allowed without credentials while every other verb still requires a Windows identity.
  • To do that, have an <authorization> tag under <system.web> as follows (rules are evaluated in order and the first match wins, so the allow must come before the deny)
<authorization>
      <allow verbs="OPTIONS" users="*"/>
      <deny users="?" />
</authorization>
  • This URL authorization only runs if the request reaches ASP.NET. In IIS, keep Anonymous Authentication enabled alongside Windows Authentication for the site; if anonymous authentication is disabled, IIS itself rejects the credential-less OPTIONS request with 401 before the <authorization> rules are evaluated.

Now any browser hitting the OPTIONS endpoint gets a 200 response carrying the custom headers, even though the authentication is Windows. The real request that follows still has to be authenticated: the consumer must send it with credentials (withCredentials on XMLHttpRequest or credentials: 'include' on fetch), which the Access-Control-Allow-Credentials header above permits, and anything other than OPTIONS without a Windows identity is still denied by the deny users="?" rule.
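What the Problem and Solution sections describe on the wire, as an added example that is not part of the original post and not IIS or ASP.NET code: a small Node.js model in which the producer side reproduces the IIS behaviour (static CORS headers on every response, a 401 Negotiate challenge for anything without credentials) and the browser side reproduces the checks a browser applies to a credentialed preflight. The names producer, browserPreflight and runScenario, and the anonymousOptions and allowHeaders config fields, are assumptions for illustration; the sample request and response body are constructed.

```javascript
// Added example (not from the original post): a model of the CORS preflight
// exchange between a browser and an IIS site that uses Windows authentication.
// `producer`, `browserPreflight`, `runScenario` and the config fields are
// assumed names for illustration, not IIS or ASP.NET APIs.
const CONSUMER_ORIGIN = 'https://consumer.com';

// The static customHeaders from web.config; IIS adds them to every response,
// including a 401 challenge.
function customHeaders(allowHeaders) {
  return {
    'Access-Control-Allow-Origin': CONSUMER_ORIGIN,
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
    'Access-Control-Allow-Headers': allowHeaders,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Server side. With Windows authentication, a request that carries no
// Authorization header is challenged, unless it is an OPTIONS preflight and
// the config allows anonymous OPTIONS (the <allow verbs="OPTIONS" users="*"/> fix).
function producer(req, config) {
  const headers = customHeaders(config.allowHeaders ?? 'Content-Type');
  const authenticated = typeof req.headers['authorization'] === 'string';
  const anonymousPreflight = Boolean(config.anonymousOptions) && req.method === 'OPTIONS';
  if (!authenticated && !anonymousPreflight) {
    return { status: 401, headers: { ...headers, 'WWW-Authenticate': 'Negotiate' } };
  }
  if (req.method === 'OPTIONS') return { status: 200, headers };
  return { status: 200, headers, body: '{"ok":true}' }; // constructed sample body
}

const splitList = (v) => (v ?? '').split(',').map((s) => s.trim()).filter(Boolean);

// Browser side: the checks a browser applies to a preflight response for a
// credentialed request (fetch with credentials: 'include' / XHR withCredentials).
// Simplified: `requestHeaders` are the non-safelisted headers the real request
// will send, i.e. the Access-Control-Request-Headers list.
function browserPreflight(resp, { origin, method, requestHeaders, credentials }) {
  if (resp.status < 200 || resp.status > 299) {
    return { ok: false, reason: `preflight answered ${resp.status}, not 2xx` };
  }
  const h = resp.headers;
  // With credentials, '*' is not honoured for origin, methods or headers.
  const wildcardOk = !credentials;
  const allowOrigin = h['Access-Control-Allow-Origin'];
  if (allowOrigin !== origin && !(wildcardOk && allowOrigin === '*')) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  if (credentials && h['Access-Control-Allow-Credentials'] !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  const methods = splitList(h['Access-Control-Allow-Methods']);
  if (!methods.includes(method) && !(wildcardOk && methods.includes('*'))) {
    return { ok: false, reason: `method ${method} not allowed` };
  }
  const allowed = splitList(h['Access-Control-Allow-Headers']).map((s) => s.toLowerCase());
  for (const name of requestHeaders.map((s) => s.toLowerCase())) {
    // 'authorization' is never covered by '*', even without credentials.
    const byWildcard = wildcardOk && allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !byWildcard) {
      return { ok: false, reason: `request header ${name} not allowed` };
    }
  }
  return { ok: true };
}

// One full exchange: consumer.com wants to POST JSON with Windows credentials,
// so the browser preflights with OPTIONS first (constructed request).
function runScenario(config) {
  const preflight = {
    method: 'OPTIONS',
    headers: {
      origin: CONSUMER_ORIGIN,
      'access-control-request-method': 'POST',
      'access-control-request-headers': 'content-type',
    },
  };
  const resp = producer(preflight, config);
  return browserPreflight(resp, {
    origin: CONSUMER_ORIGIN,
    method: 'POST',
    requestHeaders: ['content-type'],
    credentials: true,
  });
}
```

Running runScenario({ anonymousOptions: false }) reproduces the failure (the 401 on OPTIONS fails the preflight even though the CORS headers are present), runScenario({ anonymousOptions: true }) passes, and runScenario({ anonymousOptions: true, allowHeaders: '*' }) fails again because the wildcard is read literally for a credentialed request.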

How to do this in ASP.Net Core?

ASP.NET Core uses middleware to produce the CORS headers³: register the policy with AddCors (WithOrigins, AllowCredentials and the allowed methods and headers) and add app.UseCors before app.UseAuthentication and app.UseAuthorization, so the CORS middleware answers the OPTIONS preflight before any authentication challenge runs. The <authorization> tag mechanism is replaced by the Authorization middleware and [Authorize] attributes, which the preflight never reaches when the middleware order is right. When the Core app is hosted in IIS with Windows Authentication, the same IIS-level caveat applies: anonymous authentication must stay enabled, or IIS rejects the OPTIONS request before the app sees it.

References

Tuesday, May 10, 2022

Some thoughts on obfuscation

Long, long ago I was given the special task of hiding code. Hiding code... what? Yes, we had to deliver code in such a way that nobody could reverse engineer it.

Background

There are many scenarios where software needs to be resistant to reverse engineering. Some situations below.
  • Some product companies (often referred to as client companies) don't want to hire engineers; instead they outsource to vendors. The vendor is normally one of the consulting companies in India or a US-based consulting company that has offices in India. The clients want competition among vendors to get price reductions. That competition sometimes reaches the point where one vendor points out issues in another vendor's code, of course with the help of reverse engineering powered by decompilers.
  • When a product company releases a game that has a monetization feature, they need to make it resistant to reverse engineering, regardless of whether they follow the old pay-to-play or the modern web3-based play-to-earn model.
  • When a product is licensed with a key that has to be purchased. Most of us remember the days when cracks were floating around that cracked anything from Photoshop to the Windows OS itself.
Hence distributing software that is resistant to reverse engineering is critical for many businesses.

Approaches

Hosted service

Someone can reverse engineer the code only if the code is given to the client and the client shares it. Stop that in the first place by
  • Hosting the core logic as a service run by the vendor.
  • Creating a client app for the client to use those services. This will not contain any critical IP.
  • If the core logic is an algorithm, the client's data will just transit through the vendor's premises.
  • Else the client's data will be stored on the vendor's premises.
Client companies may not like this, as they would like to own the code, not the engineers.

But if we are a product company, we decide how to architect and deliver our product. We never share the source with consumers and they don't have any say in it.

Give installer binaries

There is another way: give only binaries to the client, never the source code. Some client companies will agree to this model but some may not.
Still, the vendor is not protected from reverse engineering. The client company can give the binaries to other vendors, who can then reverse engineer them. It's easy if it's a managed language such as Java, C#, etc.

If we are a product company, we can decide to give only binaries, but we are still vulnerable to reverse engineering.

Just google for Java decompiler or .NET decompiler to get started on the reverse engineering journey. If the application is built using JavaScript or Python, then it's already plain code due to the interpretive nature of those languages.

Obfuscation

How to protect Java and C# binaries from reverse engineering? Obfuscation comes to help. What is obfuscation?

Obfuscation is the act of making the message difficult to understand. It should not change the behavior of the code.

How does it help to address the problem?

Compile the code to an obfuscated form, then deliver those binaries. Even if other vendors get them, they need to spend an enormous amount of time to reverse engineer them and find flaws.

Obfuscation does not make the code safe from reverse engineering; it only delays it. Anything the binary can compute, an attacker with enough time can recover, so it is a deterrent rather than a security boundary, and secrets such as keys or credentials should never rely on it.

The decompiler will still work with obfuscated code, but the names of variables, methods and classes will all have been renamed to cryptic words, and depending on the tool, strings may be encrypted and control flow rearranged as well.

Obfuscation in .Net

That's kind of an introduction. Now let us talk about real programming stuff, as the title says. How to obfuscate .NET assemblies (IL code, not really native binaries)?

There are a lot of tools for obfuscation.
A detailed comparison of the different tools is not in the scope of this post. Please refer to other links.

Problems with obfuscation

There are problems with obfuscation.
  • We can't reverse engineer our own build - In case we are not sure what assembly is in production and want to check that the intended code is present, we ourselves will be in trouble. Obfuscators usually can emit a renaming map; keep it for each release so stack traces and decompiled output can be mapped back to the source names.
  • Reflection will break - If we are creating an object of a class using its name in a string variable, it will break, as the class names are changed by the obfuscation process but the string is not. Anything reached by name (reflection, serialization, configuration files, data binding) has to be excluded from renaming.
I started writing this post long ago. Nowadays, in the world of open source, I am not sure anyone is obfuscating code unless it's really necessary.
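The reflection problem above, shown in working code as an added example that is not part of the original post: a toy identifier-renaming obfuscator in JavaScript (used here only because it can be run inline; the same hazard applies to .NET class and member names). It renames declared names and, like a real tool, leaves string literals alone, so a lookup by name through a string breaks unless the name is put on an exclusion list. The functions collectDeclaredNames, obfuscate and run, the keep option and the sample program are all constructed for this illustration; real obfuscators do far more than this renaming pass.

```javascript
// Added example (not from the original post): a toy identifier-renaming
// obfuscator, written to show why reflection by name breaks after renaming.
// Real obfuscators do far more (control-flow flattening, string encryption);
// this one only renames declared names and leaves string literals untouched.

// Collect names introduced by `function`, `const`, `let` and `var`.
// Parameters and object keys are left alone to keep the toy simple.
function collectDeclaredNames(src) {
  const names = new Set();
  for (const m of src.matchAll(/\b(?:function|const|let|var)\s+([A-Za-z_$][\w$]*)/g)) {
    names.add(m[1]);
  }
  return [...names];
}

// Rename every declared name except those in `keep` (the exclusion list a
// real tool needs for anything reached via reflection). Tokens inside string
// literals are skipped on purpose: that is exactly the behaviour that breaks
// `scope["computeLicenseKey"]` style lookups.
function obfuscate(src, { keep = [] } = {}) {
  const names = collectDeclaredNames(src).filter((n) => !keep.includes(n));
  const map = new Map(names.map((n, i) => [n, `_0x${(0x1a2b + i * 7).toString(16)}`]));
  // Group 1: a string literal (kept as-is). Group 2: an identifier (renamed if mapped).
  const tokenRe = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|([A-Za-z_$][\w$]*)/g;
  const code = src.replace(tokenRe, (tok, str, ident) =>
    str !== undefined ? str : (map.get(ident) ?? ident)
  );
  return { code, map };
}

// Run a program string and return what it returns (the program ends with a
// top-level `return`, which `new Function` allows).
function run(code) {
  return new Function(code)();
}

// Constructed sample program: one function is called directly, the other is
// found by name through a registry object, i.e. by reflection.
const ORIGINAL = `
function computeLicenseKey(seed) { return (seed * 31 + 7) % 1000; }
function lookupByName(name, scope) { return scope[name]; }
const registry = { computeLicenseKey: computeLicenseKey };
const viaReflection = lookupByName("computeLicenseKey", registry);
return {
  direct: computeLicenseKey(42),
  reflected: viaReflection ? viaReflection(42) : null,
};
`;
```

run(ORIGINAL) returns 309 for both paths. After obfuscate(ORIGINAL) the direct call still returns 309 (behaviour preserved) but the reflected lookup returns null, because the registry key was renamed while the string "computeLicenseKey" was not. obfuscate(ORIGINAL, { keep: ['computeLicenseKey'] }) is the fix a real tool's exclusion list provides: the name reached by reflection is left alone and both paths work again.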

Reference

Tuesday, May 3, 2022

Pipelines ➤ Platforms ➤ Protocols - Developer version

This is my interpretation of the below article from the medium.

https://medium.com/bosonprotocol/pipelines-to-platforms-to-protocols-reconfiguring-value-and-redesigning-markets-548b1fffc84

Why my own interpretation?

The mentioned article discusses how industrialization started, how it disrupted the market leading to the creation of value as pipelines, then how that was disrupted by platforms, and finally how protocols are becoming the next disruption.

Not sure how many of my readers understood the above statement. I faced the same problem. But I somehow got a feeling that there is value in the article. I read it again and again to understand what it is. Finally, when I felt I understood something, I thought of writing my own interpretation for fellow readers like me who can't understand it in the first place, especially software engineers.

It's the reader's choice to read my article first and then the original, or vice versa.

First, we need to be familiar with the 3 terms mentioned in the title.

Pipelines

What
  • One producer to many consumers.
  • Manufacturers set up assembly lines of production and a global supply chain to deliver goods.
  • It is mostly linear, from sourcing raw material, running a production factory and transporting to the consumer market, to advertising, selling and after-sale support.
  • The producer is mainly responsible for finding and reaching out to the customers.
  • If malpractice or hacking succeeds, only the producer and its consumers will be affected.
Examples
  • Car manufacturing, Textile, Electronics, and consumer goods where producers reach out to consumers.

Platforms

What
  • Many producers and many consumers interact within a centralized platform that verifies the transactions.
  • Distributed production, rather than the centralized production of pipelines.
  • The platform basically provides market infrastructure and matches supply and demand. Uses personal matching preferences too.
  • Platform charges fees or makes use of producer and consumer data to make money.
  • Less privacy as the platforms need personal information.
  • A producer can become a consumer and vice versa quickly. eg: Yesterday I stayed on Airbnb, tomorrow I am listing my basement. I read and write posts on social media like Facebook, Twitter
  • Platform decides the rules for producers and consumers and standardizes interaction.
  • Internet is essential to sustain platforms though there were old platform models such as farmer's markets, and shopping malls that connect producers and consumers.
  • Malpractice or successful hacking into the platform affects relatively a large population that is on the platform.
Examples
  • eCommerce - Amazon, eBay, etc.
  • Apple app store, Play store, etc...
  • Social media & news - Twitter, Facebook
  • Publishing - Blogger, WordPress, YouTube, etc...
  • Transportation - UBER, Lyft
  • Hospitality - Airbnb

Protocols

What
  • Decentralized blockchain and smart contracts govern the transactions.
  • Transaction verification and enforcement of smart contracts can be done by producers and consumers or by third-party miners.
  • The contract code is auditable by the market players, rather than a document handed down by the platform owner.
  • The protocol doesn't provide market infrastructure. Instead, it encourages players to set up by giving protocol tokens. Token value is directly proportional to the usage of the protocol.
  • NFT (Non-Fungible Tokens) helps producers establish and transfer property rights. Consumers get verifiable asset ownership.
  • Identity protection.
  • Governments have less control except to identify a bad actor and request everyone else not to work with the bad actor.
Examples
  • Metaverse. (Infrastructure will be provided by metaverse developers and device manufacturers where the value is stored and transferred using underlying blockchain and smart contracts)
  • Financial protocols such as AAVE
  • The NFT market such as OpenSea

What is the takeaway?

Now we understood some terminologies. Let us see what the article says.

During the pre-industrialization era, production was decentralized into small units without leveraging technology. Then the pipeline model came with the help of the steam engine, followed by electricity. It revolutionized production. Then platforms came and won the market with the advanced technology of the internet. Often, when a company following the pipeline model competes with a company following the platform model in the same business domain, the platform model wins.

The future is of protocols. Protocols are expected to win when competing with the platform business models. 

Should all businesses move to protocols?

I am not sure at this point. If there is a monopoly, you may continue your pipeline business model. Indian Railways is the biggest monopoly I have ever seen. But they are also trying the platform model by inviting private train operators. That will help them compete better with the other means of transportation.
The same applies to the stock exchange, which provides a platform for buyers and sellers. I am not aware of any protocol where I can buy actual Apple (AAPL) stock, in whole or as fractions, without paying brokers. Having a look at the Terra Luna Mirror protocol may change our perspective. But still, traditional exchanges have a monopoly.

What does it mean to developers?

We are in the early days of the platform-to-protocol transition, kind of like how people were wondering what to do with the internet in the 90s. Below is my advice to fellow developers. It applies if you are not afraid of change and want to be in the market to build great products and make more money.
  • Learn how the protocols world works. Think about how it can be used in the real world. Get hands dirty with protocol code ie write smart contracts.
  • If your company is still following the pipeline business model and platform competitors are coming to the domain
    • Try to convince the company to transform into a protocol model skipping the platform model.
    • Or at least to platform
    • Move to a platform company, in case change is considered an enemy in your company.
  • If your company is in a successful platform business
    • Try transforming to a protocol model.
    • Move to protocol business company, if the change is not welcomed.