Web Services


Configure Web services using the <webServices> element. To establish a secure Web services configuration:

  • Disable Web services if they are not required

  • Disable unused protocols

  • Disable the automatic generation of WSDL

Disable Web Services if They Are Not Required

If you do not use Web services, disable them by mapping requests for the .asmx (Web service) file extension to HttpForbiddenHandler in Machine.config. Replace the existing *.asmx entry, which maps the extension to WebServiceHandlerFactory, rather than adding a second mapping beside it, so that the forbidden mapping is the only one in effect:

    <httpHandlers>
      <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler"/>
      . . .
    </httpHandlers>

Disable Unused Protocols

The <protocols> element defines the protocols that Web services support. By default, HttpPost and HttpGet are disabled on .NET Framework version 1.1 (they were enabled by default in version 1.0); HttpPostLocalhost remains enabled so that the Invoke button on the browser test page still works when the page is requested from the server itself. The 1.1 defaults are as follows:

    <webServices>
      <protocols>
        <add name="HttpSoap1.2"/>
        <add name="HttpSoap"/>
        <!-- <add name="HttpPost"/> -->
        <!-- <add name="HttpGet"/> -->
        <add name="HttpPostLocalhost"/>
        <add name="Documentation"/>
      </protocols>
    </webServices>

By disabling unnecessary protocols, including HttpPost and HttpGet, you reduce the attack surface. When HttpGet is enabled, any Web method can be invoked with a plain URL, and the browser attaches the end user's credentials (for example, Integrated Windows authentication on an intranet) automatically. An external attacker can therefore embed a malicious link in an e-mail that, when clicked, executes an internal Web service in the end user's security context. A variation uses an <img src="..." /> tag on a publicly accessible Web page to embed a GET call to an intranet Web service, so that simply viewing the page triggers the call. Both attacks allow an outsider to invoke an internal Web service through the victim's browser. This is a cross-site request forgery (CSRF) pattern; it resembles an XSS attack only in that the user's browser is turned against a site the user trusts. Disabling the HttpGet protocol is an effective countermeasure, and disabling HttpPost closes the equivalent HTML-form route. SOAP requests (HttpSoap) need a text/xml body and a SOAPAction header, which a link, image tag or ordinary HTML form cannot produce, so removing HttpGet and HttpPost eliminates the browser-triggerable entry points while leaving SOAP clients unaffected.

Re-enable HttpGet and HttpPost on a production server only if clients genuinely need to invoke the service with plain HTTP GET or POST requests rather than SOAP; the generated WSDL then advertises those bindings as well. WSDL retrieval itself (the ?WSDL query) is served by the Documentation protocol, not by HttpGet or HttpPost.

Disable the Automatic Generation of WSDL

The Documentation protocol is used to dynamically generate Web Service Description Language (WSDL). WSDL describes the characteristics of a Web service, such as its method signatures, parameter types and supported protocols. Clients use this information to construct appropriately formatted messages. By default, Web services publicly expose WSDL (by appending ?WSDL to the .asmx URL), which makes it available to anyone who can connect to the Web server over the Internet; the same protocol also serves the HTML help page at the .asmx URL itself. For an attacker, the WSDL is a complete map of every method and parameter the service accepts, so treat it as reconnaissance material.

At times, you might want to distribute the WSDL files manually to your partners and prevent public access. With this approach, the development team can provide individual .wsdl files for each Web service to the operations team. The operations team can then distribute them to specified partners who want to use the Web services.

Disabling the Documentation protocol also removes the HTML help page and its Invoke button, so clients depend entirely on the WSDL you distribute out of band. To disable it for a single application instead of the whole server, add <remove name="Documentation"/> to the <protocols> element in that application's Web.config. To disable it server-wide, comment it out in Machine.config as follows:

    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="Documentation"/> -->
      </protocols>
    </webServices>
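The three countermeasures above (forbidding .asmx, removing unused protocols, removing Documentation) are all expressed as entries in Machine.config and Web.config, and ASP.NET merges those files with add/remove/clear semantics, so the setting that is actually in effect is not always the one you see in a single file. The following audit script is an added example, not code from the book or from the .NET Framework: it parses a chain of configuration fragments, applies the merge rules, and reports whether .asmx is forbidden and which risky protocols remain enabled. The configuration fragments, the function names and the "risky protocol" set are constructed for the demonstration.

```python
"""Audit an ASP.NET configuration chain for the <webServices> hardening steps.
Added example, not code from the book or the .NET Framework: it merges
Machine.config and Web.config fragments with ASP.NET's add/remove/clear
semantics and reports the effective exposure.  Config fragments below are
constructed for the demonstration."""
import xml.etree.ElementTree as ET

# Protocols a browser can drive (link, <img>, HTML form) or that publish WSDL.
RISKY_PROTOCOLS = {"HttpGet", "HttpPost", "Documentation"}
FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"


def merge_collection(config_texts, path, key_attr):
    """Effective entries of a config collection (keyed by key_attr).

    config_texts runs from Machine.config down to the most specific Web.config.
    <clear/> empties the collection, <remove/> drops one entry, <add/> adds or
    replaces one.  XML comments are dropped by the parser, so a commented-out
    <add/> (the book's technique) counts as disabled.
    """
    effective = {}
    for text in config_texts:
        for collection in ET.fromstring(text).iterfind(path):
            for child in collection:
                if child.tag == "clear":
                    effective.clear()
                elif child.tag == "remove":
                    effective.pop(child.get(key_attr), None)
                elif child.tag == "add":
                    effective[child.get(key_attr)] = dict(child.attrib)
    return effective


def audit(config_texts):
    """Report whether .asmx is forbidden and which risky protocols remain."""
    protocols = merge_collection(
        config_texts, "./system.web/webServices/protocols", "name")
    handlers = merge_collection(config_texts, "./system.web/httpHandlers", "path")
    asmx = handlers.get("*.asmx", {})
    # Only an all-verbs mapping to HttpForbiddenHandler blocks every request;
    # the type may carry an assembly suffix, hence the split on ','.
    asmx_forbidden = (asmx.get("verb") == "*" and
                      asmx.get("type", "").split(",")[0].strip() == FORBIDDEN_HANDLER)
    findings = []
    if not asmx_forbidden:  # protocols no longer matter once .asmx is forbidden
        findings = [f"protocol {n} is enabled"
                    for n in sorted(RISKY_PROTOCOLS & set(protocols))]
    return {"asmx_forbidden": asmx_forbidden,
            "enabled_protocols": sorted(protocols), "findings": findings}


# Constructed weak baseline with HttpGet and HttpPost enabled (the .NET 1.0 default).
MACHINE_CONFIG = """<configuration><system.web>
  <httpHandlers>
    <add verb="*" path="*.asmx"
         type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services"/>
  </httpHandlers>
  <webServices><protocols>
    <add name="HttpSoap1.2"/>
    <add name="HttpSoap"/>
    <add name="HttpGet"/>
    <add name="HttpPost"/>
    <add name="HttpPostLocalhost"/>
    <add name="Documentation"/>
  </protocols></webServices>
</system.web></configuration>"""

# Constructed per-application Web.config: drop unused protocols and WSDL
# generation without editing Machine.config.
HARDENED_WEB_CONFIG = """<configuration><system.web>
  <webServices><protocols>
    <remove name="HttpGet"/>
    <remove name="HttpPost"/>
    <remove name="Documentation"/>
  </protocols></webServices>
</system.web></configuration>"""

# Constructed Web.config for an application that needs no Web services at all.
NO_WEB_SERVICES_CONFIG = """<configuration><system.web>
  <httpHandlers>
    <remove verb="*" path="*.asmx"/>
    <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler"/>
  </httpHandlers>
</system.web></configuration>"""

if __name__ == "__main__":
    for chain in ([MACHINE_CONFIG], [MACHINE_CONFIG, HARDENED_WEB_CONFIG],
                  [MACHINE_CONFIG, NO_WEB_SERVICES_CONFIG]):
        print(audit(chain))
```

Run against the baseline alone, the audit flags Documentation, HttpGet and HttpPost; with the hardened Web.config layered on top, only HttpSoap1.2, HttpSoap and HttpPostLocalhost remain; with the no-Web-services Web.config, .asmx is forbidden and the protocol list is moot. Point it at real files (Machine.config first, then each Web.config down the path) to confirm that a hardening edit has not been silently undone by a child configuration.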



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613