Snoop allows you to look inside the application and change element properties. It's a great asset for developers, but can be a security issue in some cases, like when we have users who like to look in places where they shouldn't be looking. Is there a way to do something to block applications like Snoop from "snooping" your application?

And if there is no way to block it, what do you recommend to do to minimize security risks?

Snoop is a utility that allows you to browse the visual tree of a WPF application and view and change properties. It's very useful when you are trying to debug something and have no idea what is going on. You can find more here.

Thank you.

+2  A: 

By implementing security properly. If your "security" can be thwarted with a tool like Snoop, then you're doing it wrong.

Suppose there's a command that only certain users can execute. It sounds like the only place you're enforcing this is at the UI level (by disabling the corresponding button, for example). That being the case, you're right - I could easily use Snoop to enable the button and execute the command. But you should be enforcing the security constraints on your server, or perhaps in your command execution logic if you have no server. Basically, security should be implemented as close to the thing you're trying to protect as possible. Security at the UI level is merely for convenience of the user.

HTH,
Kent

Kent Boogaart
Kent, thank you for your response. I agree with you, security should not be implemented at the UI level. On my project we use commands and we have logic in CanExecute that will disable buttons for certain users (and they can't be reenabled using Snoop), as well as server safeguards that prevent users from being able to do certain things. However, we have other applications that don't use commands and buttons are just being hidden, so they can be easily "snooped".
chiefanov
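
An added example, not code from the answer or the comment above: one way to put the permission check in the command execution logic, so that the state of the button in the visual tree decides nothing. `AuthorizedCommand`, the role name and the `currentUser` delegate are hypothetical names chosen for this sketch; `ICommand`, `CommandManager`, `IPrincipal.IsInRole` and `UnauthorizedAccessException` are standard .NET/WPF types.

```csharp
using System;
using System.Security.Principal;
using System.Windows.Input;

// Hypothetical wrapper: the same role check backs both the UI hint and the enforcement.
public sealed class AuthorizedCommand : ICommand
{
    private readonly string _requiredRole;          // e.g. "Managers" (constructed sample value)
    private readonly Func<IPrincipal> _currentUser; // assumption: the app can supply the signed-in user
    private readonly Action<object> _action;        // the protected operation

    public AuthorizedCommand(string requiredRole, Func<IPrincipal> currentUser, Action<object> action)
    {
        _requiredRole = requiredRole ?? throw new ArgumentNullException(nameof(requiredRole));
        _currentUser = currentUser ?? throw new ArgumentNullException(nameof(currentUser));
        _action = action ?? throw new ArgumentNullException(nameof(action));
    }

    // Let WPF re-query CanExecute when it thinks command state may have changed.
    public event EventHandler CanExecuteChanged
    {
        add { CommandManager.RequerySuggested += value; }
        remove { CommandManager.RequerySuggested -= value; }
    }

    private bool IsAuthorized()
    {
        IPrincipal user = _currentUser();
        return user != null && user.IsInRole(_requiredRole);
    }

    // Convenience only: disables the bound control for users who lack the role.
    public bool CanExecute(object parameter)
    {
        return IsAuthorized();
    }

    // Enforcement: checked again on every invocation, whatever IsEnabled or
    // Visibility has been set to on the control that triggered it.
    public void Execute(object parameter)
    {
        if (!IsAuthorized())
            throw new UnauthorizedAccessException("Role '" + _requiredRole + "' is required.");
        _action(parameter);
    }
}
```

For the applications that only hide buttons, the same check belongs at the top of each `Click` handler. Where a server exists, its own check stays the authoritative one, since this code runs in a process the user controls.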