NetCoreDataAdapter Security Concerns

[noob]

im using Js version of stimulsoft and .Net8 (Net Core) as server side data adapter processing from your github open source project (https://github.com/stimulsoft/DataAdapt ... taAdapters).

I've set data adapter URL like this =>

Code: Select all

StiOptions.WebServer.url = "/DataAdapters"

when the viewer makes request to data adapter url with an encrypted request body that contains SqlConnection strings and sql command text and some others parameters.

that encrypted data can be decrypted easily by:
1- Use ROT13 method https://github.com/stimulsoft/DataAdapt ... er.cs#L170.
2- from step 1 you get a valid base64 string then decode that base64 then you will get a plain json text that have all sensitive information.

so isn't that a security issue ??

Regards.

[noob]

See attached image that i debugged from Chrome Developer Console.

the server information and sql command is visible and anyone with Developer console can catch that.

[Lech Kulikowski]

Hello,

We need some time to analyze the issue. We will let you know about the result.

Thank you.
#13534

[noob]

Hi,

any updates?

[Lech Kulikowski]

Hello,

If you can define the encryption type, then whatever we use differently, you still have the opportunity in Debug mode of the browser to view the data.

If it is necessary to hide, we recommend overriding the parameters for the request on the server side.

Thank you.