Storing PayPal credentials in a web application(asp.net) on a shared host

Question

I have created a web application that is hosted on Godaddy on a shared server. I plan on using paypal for my transactions, which creates a problem.

At this point the credentials(paypal email and password) are hardcoded, which is as far as I understand the worst solution. The only other option I am aware of is in the web.config file, which again doesn't seem particularly safe.

Can you point me to a direction that would provide the desired security and work in a shared host environment?

Regards Alexandros

score 3 · Answer 1 · edited Dec 20 '11 at 09:39

Your choices are:

API password + API signature. You'll have to store it somewhere as plaintext or something decryptable, maybe it be file or database.
API password + API certificate. You'll have to check to see if the hosting service provider lets its users establish SSL connections to other servers (i.e. CURLOPT_SSLCERT in PHP). If you can, use it.

However, regardless of the way you choose, if a hacker can break into your account, he/she will be able retrieve your password, or your cert file.

p.s. please note that the terms "API password", " API signature", and "API certificate" are those they refer to in PayPal API references and developer manuals.

Fixed wording and removed 'signature' from the 2nd option, as an API certificate doesn't have an API signature and vice versa. — Robert, Dec 20 '11 at 09:40

Mitchel Sellers · Answer 2 · 2011-12-21T18:07:51.070

2

On a shared host, the easiest method at least at first glance would be to encrypt the password and store it in your database.

Implementation could be done with whatever your encryption mechanism is. Then from a key perspective, you have a number of options for storing it, with varying levels of security, really depends on how "paranoid" you are with this.

Simply store the encryption key in the web.config as an App Setting (Least Secure, but access to the web.config is limited and other sensitive stuff is there already, such as DB Passwords)
Create a custom configuration section for the web.confg, then encrypt and store the values there. (This is more secure, as it gets your key to not be readable via plain text)
Store the encryption key in a database table, and limit that table to be queried only be a single user acccount. (Depends on your thoughts, this might be the most portable solution though..)

edited Dec 21 '11 at 18:07

answered Sep 03 '09 at 14:34

Mitchel Sellers

62,228
14
110
173

How do you store the key in a way that allows the application to use the password without leaving the key in an insecure position? – Kyeotic Dec 20 '11 at 22:09
There are a few options for this....you could use the key that is there in the web.config (MachineKey), or you could create your own key, and put it in an encrypted web.config option. – Mitchel Sellers Dec 21 '11 at 18:04
@Tyrsius - I added some detail as well with the options just to give you some thoughts. – Mitchel Sellers Dec 21 '11 at 18:08

score 0 · Answer 3 · answered Sep 03 '09 at 15:40

0

You could store them in the web.config, and then encrypt the web.config file?

Or at very least, encrypt them individually in the web.config?

answered Sep 03 '09 at 15:40

Paul

9,409
13
64
113

score 0 · Answer 4 · answered Sep 03 '09 at 17:07

0

I think you have following options.

Encrypt web.config file
Store in database using encryption
Create a Class Library and create a class which will hold this information. Now on shared environment, it will be just added as dll inside Bin folder.

answered Sep 03 '09 at 17:07

Nirlep

566
1
5
13

1. i know it can be done. i am not sure it can be done in shared hosts. 2 and 3. go under the decompile problem. am i being paranoid? – Sep 04 '09 at 06:51
One of my favorite frases: What a man do, other man can undo. No mather what you do. If someone puts an effort to it, he can undo it. And now that you are more paranoid that before, stay calm and think: Is my information so appealing for crackers attention? If not, just encrypting the information in the web.config is enough. – Ricardo Souza Dec 26 '11 at 16:47

score 0 · Answer 5 · edited May 23 '17 at 12:22

Since you don't have access to the server you will need to run the command to encrypt sections of your web.config through code. You can do this by creating a simple web page and run it on page load or on a button click. Below is the code block you will need to run, only slightly modified from the source I took from Microsoft ( http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx ). Though... this code didn't actually work for me. Not that the code isn't correct, but because my account doesn't have permission to the Rsa key store, your results may vary. If this doesn't work then read on for option 2.

    ' Get the current configuration file.'
    Dim config As System.Configuration.Configuration = Web.Configuration.WebConfigurationManager.OpenWebConfiguration(Nothing)

    ' Get the section.'
    Dim section As AppSettingsSection = CType(config.GetSection("appSettings"), AppSettingsSection)

    ' Protect (encrypt) the section.'
    section.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider")

    ' Save the encrypted section.'
    section.SectionInformation.ForceSave = True
    config.Save(ConfigurationSaveMode.Full)

Credit: I found that link with the code via Need Encrypted connection string and stmp information in the web.config.

Option 2: For security reasons you still want to use the machine key so if someone manages to download your web.config file they won't be able to decrypt your settings. One way to do this is to encrypt all your settings using the machine key by hand, and decrypt them each time you need to use them, or you could store them in the cache on each app startup.

To encrypted and decrypt an app key value you could use code like this:

    Dim encryptedString As String = Convert.ToBase64String(ProtectedData.Protect(System.Text.UTF8Encoding.UTF32.GetBytes("Testing"), Nothing, DataProtectionScope.LocalMachine))
    Dim decryptedString As String = System.Text.UTF8Encoding.UTF32.GetString(ProtectedData.Unprotect(Convert.FromBase64String(encryptedString), Nothing, DataProtectionScope.LocalMachine))

    Response.Write(encryptedString + " - " + decryptedString)

I was not able to get the first method to work (translating code to c#), ran into different errors with a few different approaches. The second method looks like it relies on the hosting machine not changing. With a shared host, isn't this an unsafe assumption? — Kyeotic, Dec 26 '11 at 17:06
You're the only new answer in a week, looks like you get the bounty by default. — Kyeotic, Dec 26 '11 at 17:17
@Tyrsius - A little late, but you don't have to give a bounty if no one meets your expectations. Back to the question: If you are making the assumption that the hosting machine can change then you'll need to store an encryption key in an accessible key, like as another appSetting. I was trying to avoid this because it means if somehow someone manages to download your web.config they would be able to use the key to decrypt your PayPal information. Why don't you contact your web host and ask them if you will be changing hosts or not; maybe it's nothing you even need to worry about. — Peter, Dec 27 '11 at 16:26

Storing PayPal credentials in a web application(asp.net) on a shared host

5 Answers5