When we use the .NET HTTP classes to, say, download a file, we need to set the proxy, because some computers, especially those in large corporate companies, cannot access the internet directly; they can only do so through a web proxy server. As we all know, the WebProxy.GetDefaultProxy method, which gets the IE web proxy setting, is deprecated in .NET 2.0 and greater. Not many people know of its replacement methods. As a replacement, you can use the WebRequest.GetSystemWebProxy static method or the WebRequest.DefaultWebProxy static property. Below is a code example of how to assign WebRequest.GetSystemWebProxy to HttpWebRequest.Proxy.
```csharp
// Runs inside a method that returns bool; requires "using System.Net;".
HttpWebRequest request = WebRequest.Create("Enter some valid url here") as HttpWebRequest;
if (request == null)
    return false;

// Use the system (IE) proxy settings for this request.
System.Net.IWebProxy iwpxy = WebRequest.GetSystemWebProxy();
request.Proxy = iwpxy;

HttpWebResponse response = request.GetResponse() as HttpWebResponse;
// do your downloading here
response.Close();
```
Note: This method gets the IE proxy setting, so it only works if the user uses Internet Explorer and has therefore set the proxy setting there; if the user uses another web browser as his/her default web browser and does not use IE at all, he/she may not have bothered to set the proxy setting in IE. Here is a tip to get the Firefox proxy setting. The steps are defined below.
- Go to %USERPROFILE%/Application Data/Mozilla/FireFox folder.
- Open the profile.ini file. (Be careful here because each Firefox user can have more than 1 profile.)
- Read the StartWithLastProfile value under the "General" section in profile.ini.
- Find the profile which matches its value in the IsRelative value under the "ProfileX" section (X is a numeric value).
- Read the Path value under the "ProfileX" section (X is a numeric value).
- Append this Path value to the previous path, %USERPROFILE%/Application Data/Mozilla/FireFox.
- Parse and search for the 2 statements below to detect the proxy IP address and its port. Note: xx is an arbitrary value.
  - user_pref("network.proxy.http", "xx.xx.xx.xx");
  - user_pref("network.proxy.http_port", xxxx);
- If you cannot find these 2 values, it means the proxy is not used because its settings are not set.
- Use the above 2 values only if you can find the statement user_pref("network.proxy.type", 1); which means proxy use is enabled; if that statement is not present, the proxy is disabled.
  - Note: The proxy is disabled if user_pref("network.proxy.type", 0); is found.
Note: If you get a 407 error with the message "HTTP Error 407 - Proxy authentication required", you need to prompt your user for his/her user name and password for the proxy and pass them to the Credentials property. And of course you need to store them somewhere encrypted and safe, because you do not want to prompt the user for the same credentials every time you need to access the internet. Remember to encrypt them and not save them as plain text, for security reasons! If the user is using his Windows credentials, you can access them using System.Net.CredentialCache.DefaultNetworkCredentials. Do not store the Windows user name and password on your own, because your method can never be as secure as Microsoft's, which may lead to security vulnerabilities, which in turn cause customers to shun your product!
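One way to follow the advice above, as an added example that is not part of the original article: try the Windows logon first and, on a 407, fall back to proxy credentials encrypted with DPAPI (`ProtectedData`) for the current user, prompting only when nothing stored works. The `ProxyAuth` class, the `MyApp` store path and the `prompt` callback are assumptions made for illustration; the code needs C# 6 or later and a reference to System.Security.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography; // ProtectedData (DPAPI), in System.Security.dll
using System.Text;

static class ProxyAuth
{
    // Hypothetical per-user location for the encrypted blob.
    static readonly string StorePath = Path.Combine(Environment.GetFolderPath(
        Environment.SpecialFolder.LocalApplicationData), "MyApp", "proxy.cred");

    // Encrypts "user\npassword" with DPAPI; only this Windows account can decrypt it.
    static void Save(NetworkCredential c)
    {
        byte[] plain = Encoding.UTF8.GetBytes(c.UserName + "\n" + c.Password);
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath));
        File.WriteAllBytes(StorePath, ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser));
    }

    // Returns null when nothing is stored yet or the blob cannot be decrypted by this account.
    static NetworkCredential Load()
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(StorePath), null, DataProtectionScope.CurrentUser);
            string[] p = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
            return p.Length == 2 ? new NetworkCredential(p[0], p[1]) : null;
        }
        catch (Exception e) when (e is IOException || e is CryptographicException) { return null; }
    }

    // Tries the Windows logon, then stored, then prompted credentials; saves only what worked.
    public static HttpWebResponse Get(string url, Func<NetworkCredential> prompt)
    {
        for (int step = 0; step < 3; step++)
        {
            NetworkCredential cred = step == 0 ? CredentialCache.DefaultNetworkCredentials
                                   : step == 1 ? Load() : prompt(); // prompt is the caller's UI
            if (cred == null) continue;
            var req = (HttpWebRequest)WebRequest.Create(url);
            req.Proxy = WebRequest.GetSystemWebProxy();
            req.Proxy.Credentials = cred;
            try { var resp = (HttpWebResponse)req.GetResponse(); if (step == 2) Save(cred); return resp; }
            catch (WebException ex) when (step < 2 && (ex.Response as HttpWebResponse)?.StatusCode
                                          == HttpStatusCode.ProxyAuthenticationRequired) { ex.Response.Close(); }
        }
        throw new WebException("Proxy authentication cancelled by the user."); // prompt returned null
    }
}
```

Because the blob is protected with `DataProtectionScope.CurrentUser`, copying the file to another account or machine does not reveal the password, and the Windows logon itself is never written to disk.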
- 6th February, 2010 : Cleaned up the code and added DefaultNetworkCredentials information.
- 16th October, 2009 : First Release