Hugoware

The product of a web developer with a little too much caffeine

Dude, For Real — Encrypt Your Web.Config

with 5 comments

After I released my web.config encryption utility I expected the world to transform into a Utopia of protected web.config files and happy developers. However, shortly after the tool was released I actually received some disagreement about the usefulness of web.config encryption.

Based on some other comments I received I got to thinking — I not sure that some people realize how possible it is to lose a web.config from a simple programming mistake.

But The Web.Config Is Safe — Right?

Sure, your web.config is safe by normal means. Just try it – find an ASP.NET website and just try to browse to their web.config file — See! it’s safe!!

True, your web.config is safe – but what about a programming mistake? Those never happen, do they? Are you sure?

One of my favorite examples is the file download. Sometimes we want to serve up content as if it is a download instead of showing it in the browser. That said, here is an ASP.NET MVC example of why you ought to go on ahead and encrypt that web.config file just to be on the safe side.

//MVC Action to download the correct file From our Content directory
public ActionResult GetFile(string name) {
    string path = this.Server.MapPath("~/Content/" + name);
    byte[] file = System.IO.File.ReadAllBytes(path);
    return this.File(file, "html/text");            
}

Seems reasonable enough – Other than error handling, do you see anything that looks out of place with this code? We map to the correct directory, we get the bytes for our file and return them to the visitor — You can even try it out.

/Home/GetFile?name=File.txt
bug-1

Cool, see how our file downloaded – Works great! But let’s be a little sneaky and play with the URL at the top. How about we do something like…

/Home/GetFile?name=../web.config

bug-2

Did you just get a sudden feeling of dread? Did you just shout ‘Oh Snap!’ loud enough that all your peers are staring at you? What do you suppose is in this file we just downloaded? I’ll give you three guesses, but I’m taking two of them away…

bug-3

It’s not hard to miss something — after all that’s why it’s a bug, because if we thought of it then it wouldn’t be there to begin with. Web.config encryption == cheap insurance.

Prying Eyes

I got this comment the other day and it was absolutely brilliant — Rob Thijssen wrote…

Encrypting configs in enterprise applications is definitely worth the time. Many companies allow contractors access to source code repositories that contain unencrypted configs that contain credentials which can be used to gain access to sensitive information. I have seen implementations where credentials were available to hundreds of developers that could give any one of them access to thousands of credit card details…

And he’s absolutely right. Do you want just anyone passing through the directory to have access to read the sensitive data inside your web.config? Just because they didn’t have hack into your server doesn’t mean they need to be reading the passwords to your SQL servers.

Dude, For Real — Just Do It

Web.config encryption only takes a couple moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker that has full access to your entire server, but if you ever have that ‘uh oh — someone just downloaded my web.config’ moment, then at least you know you’re covered.

Advertisements

Written by hugoware

July 22, 2009 at 10:16 pm

5 Responses

Subscribe to comments with RSS.

  1. I think that a developer that make nothing to secure a file download, upload or sanitize user-submited content deserve to get hacked big time.

    Besides, it gives you the false impression of having a secure application. What about the .aspx files ? .mdf files ? .cs files ? (just to name the most common).

    Actually, I quite agree with the idea of encrypting the web.config file. But your exemple deserves your point imho. Good idea tho.

    Bishop

    July 23, 2009 at 12:11 pm

    • I certainly agree with you, this was to illustrate the point that it doesn’t take much to leave yourself open.

      The context of this sample originally was the “junior developer” that wanted to have a download dialog box.

      Thanks!

      webdev_hb

      July 23, 2009 at 12:19 pm

  2. It only really protects folk who haven’t considered the impact or scope of their script, anyone who knows a bit would protect those file extensions. That said totally support what you are doing, web.config is not a file you want downloaded, and certainly not in plain text.

    Cheers

    Ollie

    Ollie

    July 23, 2009 at 4:13 pm

    • I agree – Encryption covers you for the unexpected, which is IMO the main reason that you should do it.

      Developers that have been programming for awhile should know better — but if not then at least the damage has been minimized.

      webdev_hb

      July 23, 2009 at 4:38 pm

  3. Great post and thx very much. it certainly worth the time to ecrypt it

    ASM

    February 20, 2010 at 2:18 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: