Web Services


ASP.NET Web services share many of the same features as ASP.NET Web applications. Review your Web service against the questions in the "ASP.NET Pages and Controls" section before you address the following questions that are specific to Web services. For more information about the issues raised in this section, see Chapter 12, "Building Secure Web Services."

  • Do you expose restricted operations or data?

  • How do you authorize callers?

  • Do you constrain privileged operations?

  • Do you use custom authentication?

  • Do you validate all input?

  • Do you validate SOAP Headers?

Do You Expose Restricted Operations or Data?

If your Web service exposes restricted operations or data, check that the service authenticates callers. You can use platform authentication mechanisms such as NTLM, Kerberos, Basic authentication or Client X.509 Certificates, or you can pass authentication tokens in SOAP headers.

If you pass authentication tokens, you can use the Web Services Enhancements (WSE) to use SOAP headers in a way that conforms to the emerging WS-Security standard.

How Do You Authorize Callers?

Choose appropriate authorization schemes provided by either .NET Framework (such as URL authorization, File authorization, .NET Roles) or platform options such as File ACLs.

Do You Constrain Privileged Operations?

The trust level of the code access security policy determines the type of resource the Web service can access. Check the <trust> element configuration in Machine.config or Web.config.

Do You Use Custom Authentication?

Use features provided by Web Service Enhancements (WSE) instead of creating your own authentication schemes.

Do You Validate All Input?

Check that all publicly exposed Web methods validate their input parameters if the input is received from sources outside the current trust boundary, before using them or passing them to a downstream component or database.

Do You Validate SOAP Headers?

If you use custom SOAP headers in your application, check that the header information cannot be tampered with or replayed. Digitally sign the header information so that tampering can be detected. You can use WSE to help sign Web service messages in a standard manner.

Check that SoapException and SoapHeaderException objects are used to handle errors gracefully and to provide minimal required information to the client. Verify that exceptions are logged appropriately for troubleshooting purposes.
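As an added illustration of the "Validate All Input" and "Validate SOAP Headers" checks above (example code, not from the book), the following ASMX Web method rejects a missing or stale custom header and an out-of-pattern parameter before either reaches a downstream component, and reports failures through SoapHeaderException and SoapException with a client fault code and a minimal message while the detail goes to the server log. The service namespace, the order-id format and the token check are assumptions; a real deployment would verify the header signature through WSE rather than the placeholder shown.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom SOAP header carrying an opaque token and an issue time.
public class AuthHeader : SoapHeader
{
    public string Token;
    public DateTime IssuedUtc;
}

[WebService(Namespace = "http://example.com/orders")] // hypothetical namespace
public class OrderService : WebService
{
    public AuthHeader Auth;
    // Constructed input format: two letters followed by six digits.
    static readonly Regex OrderIdPattern = new Regex(@"^[A-Z]{2}\d{6}$", RegexOptions.Compiled);
    static readonly TimeSpan MaxHeaderAge = TimeSpan.FromMinutes(5);

    [WebMethod]
    [SoapHeader("Auth", Direction = SoapHeaderDirection.In)]
    public string GetOrderStatus(string orderId)
    {
        // Header checks: present, fresh (bounds the replay window; a nonce cache
        // would be needed to reject an exact replay inside the window), and verifiable.
        if (Auth == null || string.IsNullOrEmpty(Auth.Token))
            throw HeaderFault("Authentication header missing", "no AuthHeader");
        if (Auth.IssuedUtc < DateTime.UtcNow - MaxHeaderAge)
            throw HeaderFault("Authentication header expired", "IssuedUtc=" + Auth.IssuedUtc);
        if (!TokenIsValid(Auth.Token))
            throw HeaderFault("Authentication failed", "token rejected");
        // Input check: constrain the parameter before it reaches a downstream component.
        if (orderId == null || !OrderIdPattern.IsMatch(orderId))
        {
            Trace.TraceWarning("OrderService: bad orderId '{0}'", orderId);
            throw new SoapException("Invalid order identifier", SoapException.ClientFaultCode);
        }
        return LookupStatus(orderId);
    }

    // Caller gets a short message and a client fault code; the detail goes to the server log only.
    static SoapHeaderException HeaderFault(string clientMessage, string serverDetail)
    {
        Trace.TraceWarning("OrderService rejected header: {0}", serverDetail);
        return new SoapHeaderException(clientMessage, SoapException.ClientFaultCode);
    }
    // Placeholders: real token verification would use WSE/WS-Security signatures.
    static bool TokenIsValid(string token) { return token.Length >= 32; }
    static string LookupStatus(string orderId) { return "Shipped"; }
}
```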

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613