Web Services


The goal for this phase of the review is to identify vulnerabilities in the configuration of your Web services. For further background information about the issues raised by the review questions in this section, see Chapter 17, "Securing Your Application Server," and Chapter 19, "Securing Your ASP.NET Applications and Web Services."

Use the following questions to help review the security configuration of your Web service:

  • Have you disabled the Documentation protocol?

    If you do not want to expose your Web services endpoints, then you can remove the Documentation protocol from the <protocols> element in Machine.config and manually distribute the Web Services Description Language (WSDL) file to specific Web service consumers.

  • Have you disabled the HTTP Get and Post protocols?

    By disabling (commenting out) the HttpGet and HttpPost protocols in the <protocols> element of the Machine.config file, you help to reduce the attack profile of your Web services.

  • Do you restrict access to WSDL?

    If you store the generated .wsdl files on the Web server to distribute them to consumers, make sure that the files are protected by an appropriate ACL. This prevents a malicious user from updating or replacing the WSDL so that it points to endpoints that differ from the intended URL.

  • Do you pass sensitive data in SOAP requests or responses?

    If your Web service handles sensitive data, how do you protect the data over the network and address the network eavesdropping threat? Do you use SSL or IPSec encrypted channels, or do you encrypt parts of the message by using XML encryption?

  • How do you authenticate callers?

    If your Web service exposes restricted operations or data, it needs to authenticate callers to support authorization. Review how the Web service authenticates its clients.

  • Do you pass credentials in SOAP headers?

    If you pass credentials in SOAP headers, are they passed in plaintext? If they are, make sure an encrypted channel is used.
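The per-application form of the Machine.config changes described in the first two questions (disabling the Documentation protocol and the HttpGet/HttpPost protocols), as an added example that is not from the book: a Web.config placed in the Web service's virtual directory removes those protocols for that application while leaving SOAP enabled. The element names are the ones ASP.NET uses; the file itself is constructed here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <webServices>
      <!-- Machine.config adds HttpSoap, HttpGet, HttpPost and Documentation
           by default; a <remove> here overrides that for this application
           only, so other services on the server are unaffected. -->
      <protocols>
        <!-- No browsable method list or test page at the .asmx URL;
             hand the .wsdl file to known consumers out of band instead. -->
        <remove name="Documentation" />
        <!-- Drop the non-SOAP GET/POST bindings so only SOAP requests
             (which carry the SOAPAction header and body) are accepted. -->
        <remove name="HttpGet" />
        <remove name="HttpPost" />
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

A quick check after the change is to browse to the .asmx URL: the method list and "Invoke" test page are no longer returned, which confirms the Documentation protocol is off for that application.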




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
