I have two asp.net mvc web applications; one is an ERP system for managing our assets and the other is a scanning service that offers services to scan servers and VMs and update the ERP database with the scan result. Now for example inside the scanning service I have the following action method, which can be called by passing a security token & the server name we want to scan:-

public async Task<ActionResult> ScanServer(string tokenfrom, string FQDN)
{
    // get the token from the web.config, this should be encrypted
    string Token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"];

    // check if the request is authorized by comparing the 2 tokens.
    if (tokenfrom != Token)
    {
        return new HttpStatusCodeResult(403, "request failed");
    }

    // ... scan the server named by FQDN and return the result (omitted in the post) ...
    return Json(new { scanned = FQDN }, JsonRequestBehavior.AllowGet);
}

And the above action method will be called from the ERP system using the following action method:-

[HttpPost]
[CheckUserPermissions(Action = "", Model = "Admin")] // check if the user is defined as an admin inside my custom authorization system
public async Task<ActionResult> Scan()
{
    try
    {
        using (WebClient wc = new WebClient())
        {
            string url = currentURL + "home/scanserver?tokenfrom=" + token + "&FQDN=allscan";
            var json = await wc.DownloadStringTaskAsync(url);
            TempData["messagePartial"] = string.Format("Scan has been completed. Scan report generated");
        }
    }
    catch (Exception ex)
    {
        TempData["messagePartial"] = "Scan failed: " + ex.Message;
    }
    return RedirectToAction("Index");
}

Now, after reading and searching, I realize that the above approach is not 100% secure because currently any user who has access to the ERP or to the network scanning servers can see all the URLs which contain the token as plain text. This is because servers store all the GET requests inside their logs as plain text, even if the URLs are sent/received over https as in my case.

So, I modified my webclient which sends the token as shown below. Currently, the token will be sent as part of the request authorization header, instead of being part of the query string:

using (WebClient wc = new WebClient())
{
    string url = currentURL + "home/scanserver?FQDN=allscan";
    wc.Headers.Add("Authorization", "MyToken " +
        Convert.ToBase64String(Encoding.ASCII.GetBytes(token)));
    var json = await wc.DownloadStringTaskAsync(url);
    TempData["messagePartial"] = string.Format("Scan has been completed. Scan report generated");
}

But I have these questions:

  1. Is my above method correct for sending a parameter named "MyToken" inside the authorization header?

  2. How can I get this token on the receiver application?

  3. Now on the server logs, will the authorization header be displayed as plain text? Or will it be encrypted? Or do I need to send a POST request instead of GET?
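The receiving side of the header-based exchange the question describes, as an added example that is not code from the question or from either application. It assumes the caller sends `Authorization: MyToken <base64(token)>` exactly as in the modified WebClient above, that the expected token is still read from `AppSettings["Token"]`, and that the controller is an ASP.NET MVC 5 `HomeController` on .NET Framework. It reads the raw header, checks the custom scheme name, base64-decodes the parameter, and compares it against the configured token without short-circuiting on the first mismatched character:

```csharp
using System;
using System.Net.Http.Headers;
using System.Text;
using System.Web.Configuration;
using System.Web.Mvc;

// Hypothetical receiver-side controller for the scanning service in the question.
public class HomeController : Controller
{
    // Custom scheme name the caller puts in front of the base64 token ("MyToken <base64>").
    private const string Scheme = "MyToken";

    public ActionResult ScanServer(string FQDN)
    {
        // Token this service expects, read from web.config as in the question's code.
        string expected = WebConfigurationManager.AppSettings["Token"];

        string presented;
        if (!TryReadSchemeToken(Request.Headers["Authorization"], out presented)
            || !FixedTimeEquals(presented, expected))
        {
            // Same 403 the question's code returns for a bad token.
            return new HttpStatusCodeResult(403, "request failed");
        }

        // ... scanning logic for FQDN goes here (not part of this example) ...
        return Json(new { scanned = FQDN }, JsonRequestBehavior.AllowGet);
    }

    // Parses "MyToken <base64(token)>" out of the raw Authorization header value.
    // Returns false for a missing header, a different scheme, or malformed base64.
    internal static bool TryReadSchemeToken(string headerValue, out string token)
    {
        token = null;
        AuthenticationHeaderValue parsed;
        if (string.IsNullOrEmpty(headerValue)
            || !AuthenticationHeaderValue.TryParse(headerValue, out parsed)
            || !string.Equals(parsed.Scheme, Scheme, StringComparison.Ordinal)
            || string.IsNullOrEmpty(parsed.Parameter))
        {
            return false;
        }

        try
        {
            // The caller encoded the token with Encoding.ASCII, so decode it the same way.
            token = Encoding.ASCII.GetString(Convert.FromBase64String(parsed.Parameter));
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }

    // Compares two strings without stopping at the first mismatch, so response
    // timing does not reveal how many leading characters of the token were right.
    // (.NET Framework has no CryptographicOperations.FixedTimeEquals; this is the manual form.)
    internal static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        int n = Math.Min(x.Length, y.Length);
        for (int i = 0; i < n; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

`AuthenticationHeaderValue` (System.Net.Http assembly) does the scheme/parameter split, so a request that sends the token with a different scheme, an empty parameter, or non-base64 data is rejected before any comparison. Moving the token into the header also keeps it out of the request line: IIS's default W3C log fields record the URI stem and query string but not the Authorization header, which is the log exposure the question is trying to remove.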
