NetCoreDataAdapter Security Concerns

Posted: Sun Jan 14, 2024 5:48 am
by noob
I'm using the JS version of Stimulsoft and .NET 8 (.NET Core) for server-side data adapter processing, from your GitHub open source project (https://github.com/stimulsoft/DataAdapt ... taAdapters).

I've set the data adapter URL like this:

StiOptions.WebServer.url = "/DataAdapters"

The viewer makes requests to the data adapter URL with an encrypted request body that contains SqlConnection strings, SQL command text and some other parameters.

That encrypted data can be decrypted easily by:
1- Use the ROT13 method https://github.com/stimulsoft/DataAdapt ... er.cs#L170.
2- From step 1 you get a valid base64 string; decode that base64 and you will get plain JSON text that has all the sensitive information.

So isn't that a security issue?

Regards.

Re: NetCoreDataAdapter Security Concerns

Posted: Sun Jan 14, 2024 6:41 am
by noob
See the attached image that I debugged from the Chrome Developer Console.

The server information and SQL command are visible, and anyone with the Developer console can catch that.

Re: NetCoreDataAdapter Security Concerns

Posted: Mon Jan 15, 2024 7:54 am
by Lech Kulikowski
Hello,

We need some time to analyze the issue. We will let you know about the result.

Thank you.
#13534

Re: NetCoreDataAdapter Security Concerns

Posted: Sat Jan 20, 2024 6:10 am
by noob
Hi,

Any updates?

Re: NetCoreDataAdapter Security Concerns

Posted: Mon Jan 22, 2024 9:13 am
by Lech Kulikowski
Hello,

If you can define the encryption type, then whatever we use differently, you still have the opportunity in Debug mode of the browser to view the data.

If it is necessary to hide, we recommend overriding the parameters for the request on the server side.

Thank you.
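
The server-side override recommended in the last reply could look like the following. This is an added example, not code from the thread or from the Stimulsoft DataAdapters project. The class name, the alias and query tables, the `REPORTS_DB` environment variable and the JSON field names `connectionString` and `queryString` are assumptions; the body encoding (ROT13, then base64, then JSON) is the one described in the first post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json.Nodes;

// Hypothetical guard, not part of the Stimulsoft DataAdapters project.
public static class AdapterRequestGuard
{
    // Real connection strings stay on the server; the report only carries an alias.
    static readonly Dictionary<string, string> Connections = new()
    {
        ["reports"] = Environment.GetEnvironmentVariable("REPORTS_DB") ?? "Server=placeholder",
    };

    // Queries the server is willing to run, keyed by a name the report sends.
    static readonly Dictionary<string, string> Queries = new()
    {
        ["orders-by-month"] = "SELECT Month, Total FROM dbo.OrderTotals",
    };

    // ROT13 over ASCII letters only; digits and '+', '/', '=' pass through.
    static string Rot13(string s) => new string(s.Select(c =>
        (c is >= 'a' and <= 'z') ? (char)((c - 'a' + 13) % 26 + 'a') :
        (c is >= 'A' and <= 'Z') ? (char)((c - 'A' + 13) % 26 + 'A') : c).ToArray());

    // The body is an encoding, not encryption: ROT13, then base64, then JSON.
    public static JsonObject Decode(string body) =>
        JsonNode.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(Rot13(body))))!.AsObject();

    // Replace client-supplied values with server-side ones; reject anything unknown.
    public static JsonObject ApplyServerValues(string body)
    {
        JsonObject cmd = Decode(body);
        string alias = (string?)cmd["connectionString"] ?? "";   // assumed field name
        string queryName = (string?)cmd["queryString"] ?? "";    // assumed field name
        if (!Connections.TryGetValue(alias, out var conn) ||
            !Queries.TryGetValue(queryName, out var sql))
            throw new UnauthorizedAccessException("Unknown connection alias or query name.");
        cmd["connectionString"] = conn;
        cmd["queryString"] = sql;
        return cmd; // hand this to the adapter instead of the raw request body
    }
}
```

With this in place the report template shipped to the browser holds only `reports` and `orders-by-month`, so what the Developer console shows is an alias and a query name instead of credentials and SQL text.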