Web API - Blocking server-specific calls

Viewed 202 times

0

Well, I have the following doubt: after implementing CORS in an application, I saw that there is still a security hole, which is that if an application (Postman, curl) makes direct calls to the server, they will still be answered.

I would like to know how to block calls that are not from the allowed URLs directly on the server. Or can some other direct validation be implemented in OAuth to block accesses from other than those URLs?

  • But do you want to restrict only to calls from the environment itself, or to a whitelist?

  • Show your CORS implementation, and say whether you want to restrict the entire application or only some controllers, actions or methods.

  • Then, after some time and a little more research, I managed to carry out the blocking through an IP filter, where I have a whitelist and, through a DelegatingHandler, I perform the filtering of the IPs that can access my OWIN application.

1 answer

0


Then I managed to block the application in another way, by IP. Through some research I saw that this was the best solution to apply in the system, which is an OWIN system.

The solution follows:

    using System;
    using System.Configuration;
    using System.Linq;
    using System.Net.Http;
    using System.Web;

    // Extension methods must live in a static class.
    public static class HttpRequestMessageExtensions
    {
        // Returns the caller's remote address, whether the request arrived through the
        // OWIN pipeline (MS_OwinContext) or classic ASP.NET hosting (MS_HttpContext).
        public static string GetIP(this HttpRequestMessage request)
        {
            if (request.Properties.ContainsKey("MS_OwinContext"))
            {
                // GetOwinContext() on HttpRequest comes from Microsoft.Owin.Host.SystemWeb.
                return HttpContext.Current != null ? HttpContext.Current.Request.GetOwinContext().Request.RemoteIpAddress : null;
            }
            if (request.Properties.ContainsKey("MS_HttpContext"))
            {
                return HttpContext.Current != null ? HttpContext.Current.Request.UserHostAddress : null;
            }
            return null;
        }

        // Reads the ';'-separated whitelist from appSettings and checks the caller against it.
        // Note that an empty or missing setting allows every caller.
        public static bool AllowIP(this HttpRequestMessage request)
        {
            string whiteList = ConfigurationManager.AppSettings["whiteListIp"];
            if (!string.IsNullOrEmpty(whiteList))
            {
                string[] ipList = whiteList.Split(';');
                var ipAddress = request.GetIP();
                bool ipAllowed = ipList.Any(x => x.Trim().Equals(ipAddress, StringComparison.InvariantCultureIgnoreCase));
                return ipAllowed;
            }
            else return true;
        }
    }

Filter:

    using System.Net;
    using System.Net.Http;
    using System.Threading;
    using System.Threading.Tasks;

    // A global message handler runs before routing; register it in WebApiConfig with
    // config.MessageHandlers.Add(new AllowedIpFilter());
    public class AllowedIpFilter : DelegatingHandler
    {
        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
            CancellationToken cancellationToken)
        {
            if (request.AllowIP())
            {
                return await base.SendAsync(request, cancellationToken);
            }
            return request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Access denied!");
        }
    }
  • You could use the CORS annotations.

  • I am also using them, but CORS does not block applications that do not use the CORS standard, e.g. Postman, calls from other applications directly on the server, etc. So I added this filter to increase the security of access to this application.

  • Even if you restrict source addresses?

  • 1

    That's right, addresses are defined, but the application can still be accessed by other means that do not implement the standard. As far as I have read and understood (correct me if I am wrong), CORS only works for applications or systems that implement this standard, i.e. browsers.
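As an added example (not the answer's code or part of the original thread), a hardened variant of the same DelegatingHandler: it parses the allow-list into IP prefixes instead of comparing strings, normalizes IPv4-mapped IPv6 peers, fails closed when the setting is empty or the peer address cannot be parsed, and answers 403 Forbidden rather than 401. The class name is assumed, request.GetOwinContext() comes from the Microsoft.AspNet.WebApi.Owin package, and the ';'-separated "whiteListIp" format is the answer's.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the author's code. Entries are IP prefixes ("10.0.0.0/8",
// "2001:db8::/32" or a single host); a missing, unparseable or unlisted peer is denied.
public sealed class CidrAllowedIpFilter : DelegatingHandler
{
    private readonly (IPAddress Net, int Bits)[] _allowed;
    // Same ';'-separated format as the answer's "whiteListIp" setting; an empty list denies all.
    public CidrAllowedIpFilter(string allowList) =>
        _allowed = allowList.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                            .Select(ParsePrefix).ToArray();
    private static (IPAddress, int) ParsePrefix(string entry)
    {
        var parts = entry.Trim().Split('/');
        var net = Normalize(IPAddress.Parse(parts[0]));
        int maxBits = net.GetAddressBytes().Length * 8;
        int bits = parts.Length > 1 ? int.Parse(parts[1]) : maxBits;
        if (bits < 0 || bits > maxBits) throw new FormatException("Bad prefix: " + entry);
        return (net, bits);
    }
    // ::ffff:1.2.3.4 is compared as 1.2.3.4, so one IPv4 entry covers both forms.
    private static IPAddress Normalize(IPAddress ip) => ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    public bool IsAllowed(string remoteIp) =>
        IPAddress.TryParse(remoteIp ?? "", out var ip)              // fail closed on garbage
        && _allowed.Any(a => InPrefix(Normalize(ip), a.Net, a.Bits));
    // Byte-wise prefix compare; a v4 peer never matches a v6 entry or vice versa.
    private static bool InPrefix(IPAddress ip, IPAddress net, int bits)
    {
        byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
        if (a.Length != n.Length) return false;
        for (int i = 0; i < bits / 8; i++) if (a[i] != n[i]) return false;
        if (bits % 8 == 0) return true;
        int mask = 0xFF << (8 - bits % 8);
        return (a[bits / 8] & mask) == (n[bits / 8] & mask);
    }
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // RemoteIpAddress is the TCP peer (behind a reverse proxy, the proxy itself); deploy at the edge, do not trust X-Forwarded-For.
        string peer = request.GetOwinContext()?.Request.RemoteIpAddress; // Microsoft.AspNet.WebApi.Owin
        if (!IsAllowed(peer))
            return request.CreateErrorResponse(HttpStatusCode.Forbidden, "Access denied!");
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register it in WebApiConfig with config.MessageHandlers.Add(new CidrAllowedIpFilter(ConfigurationManager.AppSettings["whiteListIp"])), the registration step the answer leaves out.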
