Security :: How To Prevent ASMX (web Service) Replay Attacks

Jan 20, 2011

I have an ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security in .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?

View 1 Replies


Similar Messages:

Preventing Cookie Replay Attacks In MVC

Jan 22, 2010

This involves using the Membership provider to add a comment to users' server-side records when they log in and out, and then confirming, when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.

Is all this work really necessary? Can I roll my own key-value store of cookie values to logged-in users and just make sure I clear this when a user hits the logout button? If this seems unsafe, is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?

I guess my main problem here is that we decided a long time ago that the membership provider model doesn't fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause troubles.

View 2 Replies

Replay Attacks For HTTPS Requests?

May 5, 2010

Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials. On replay of the entire request (including session and auth cookies), the security tester is able to successfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.

What would a malicious user have to do to intercept the HTTPS request and replay it? Is this a task for script kiddies, well-funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?

No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading an image with a malicious URL isn't an issue.

View 6 Replies

Security :: Improve Security Vulnerabilities To Prevent Future Attacks?

Aug 17, 2010

I am using Microsoft Visual Web Developer 2010 to build and publish my website, and I am facing a security problem. My website has an authentication service for my clients; each one has his own user name and password. After I introduced a new member, my database collapsed; maybe this last member is a hacker. Is there a way to improve security vulnerabilities to prevent future attacks? Maybe through web.config, which could be encrypted.

View 11 Replies

WCF / ASMX :: Prevent XML Web Service / SOAP From Enclosing Returned Data In CData[]?

Nov 18, 2010

I'm maintaining a legacy XML web service system (Framework 2.0), and am trying to return an XML fragment as part of a SOAP response. The problem is: SOAP will auto-enclose the XML fragment in a <[CData[]]> tag, and I want to avoid this.

In short, SOAP Response gave me this:

<MessageContent xmlns=""><![CDATA[<DataSourceResponse>blah..blah..blah..</DataSourceResponse>]]></MessageContent>

But what I want in the SOAP response is this (without the CData enclosure):

<MessageContent xmlns=""><DataSourceResponse>blah..blah..blah..</DataSourceResponse></MessageContent>

View 5 Replies

WCF / ASMX :: Web Service Security Using X509 Certificate

Nov 17, 2010

I am facing a problem while consuming a Java web service using WCF. Below are the web.config and aspx.cs file details.

Requirement

Service request and response will be encrypted with a certificate. When I run the code below, I am getting the error "The private key is not present in the X.509 certificate."

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="TestClientCertificate">
        <clientCredentials>
          <clientCertificate storeLocation="CurrentUser" storeName="My"
                             findValue="certificatename" x509FindType="FindByIssuerName"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="TestHttpBinding" maxReceivedMessageSize="1048576" maxBufferSize="1048576" transferMode="Buffered">
        <security mode="TransportWithMessageCredential">
          <!--<transport clientCredentialType="Certificate"/>-->
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="TestHttpPort" address="https://webserviceurl/webservice"
              binding="basicHttpBinding" bindingConfiguration="TestHttpBinding"
              behaviorConfiguration="TestClientCertificate"
              contract="ServiceReference1.webService1">
    </endpoint>
  </client>
</system.serviceModel>

in page

protected void Page_Load(object sender, EventArgs e)
{
    WebServiceClient abc = new WebServiceClient();
    BindingElementCollection elements = abc.Endpoint.Binding.CreateBindingElements();
    elements.Find<SecurityBindingElement>().IncludeTimestamp = true;
    abc.Endpoint.Binding = new CustomBinding(elements);
    WebServiceClientResponse xyz = abc.WebMethod("", "");
}

private static bool customXertificateValidation(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
    return true;
}

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="TestClientCertificate">
        <clientCredentials>
          <clientCertificate storeLocation="CurrentUser" storeName="My"
                             findValue="partnerservices" x509FindType="FindByIssuerName"/>
        </clientCredentials>
        <!--<serviceDebug includeExceptionDetailInFaults="true"/>-->
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="TestHttpBinding" maxReceivedMessageSize="1048576" maxBufferSize="1048576" transferMode="Buffered">
        <security mode="TransportWithMessageCredential">
          <!--<transport clientCredentialType="Certificate"/>-->
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="TestHttpPort" address="https://webservicespprd.biworldwide.com/partnerservices/services/v1/AccountWebService.biws"
              binding="basicHttpBinding" bindingConfiguration="TestHttpBinding"
              behaviorConfiguration="TestClientCertificate"
              contract="ServiceReference1.AccountWebService">
      <!--<identity>
        <certificate encodedValue="MIIB5zCCAVCgAwIBAgIQlerVslZ+4p1Of3evhNc3TDANBgkqhkiG9w0BAQQFADAP"/>
      </identity>-->
    </endpoint>
  </client>
</system.serviceModel>

View 7 Replies

WCF / ASMX :: Creating Web Service Cross Domain Security?

Feb 22, 2011

I want to restrict my web service to only a few domains.

I want to access the web service using ajax from my page, and I don't want anybody to be able to create a client for my web service and view my web service methods.

View 4 Replies

WCF / ASMX :: Error : When Calling WCF (.SVC ) Web Service / System.Security.SecurityException?

Dec 30, 2010

I have a WCF web service. It works fine on my local machine, but when I move it to live it throws the following error:

System.Security.SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.

View 2 Replies

How To Prevent Web Service Results From Being Cached In Web Service?

Aug 23, 2010

In my ASP.NET app, I noticed that the results of any web service calls are cached. I don't want any results to be cached, how can I stop the browser from caching the results?

Update: Here's the proxy code generated by calling the web service URL appending '/js', e.g. /mywebservice.asmx/js

var MyWebService=function() {
MyWebService.initializeBase(this);
this._timeout = 0;
this._userContext = null;
this._succeeded = null;
this._failed = null;
[code]...

View 4 Replies

WCF / ASMX :: Create Web Service - How To Web Page Call Sales_Services.asmx

May 5, 2010

I have a web application with many pages, like an add order page, an edit order page, and a delete order page; they also interact with SQL Server 2008. I also created a web service page called Sales_Service.asmx. I know I just need to put something like a query into a Web Method in Sales_Service.asmx, but I have a lot of queries. I don't know which query I should put into it or how the web page calls Sales_Services.asmx.

View 2 Replies

WCF / ASMX :: IIS Memory Increasing For Each Client Request In Asmx Web Service?

Nov 8, 2010

A customer reported that our asmx web service is continually increasing in memory (mem usage as well as private bytes). We are able to reproduce the problem in our lab with Windows 2003 Server SP2 (fully patched) on some of the machines. The customer is using Windows 2008.

We created a Hello World web service targeting the 2.0 framework built under VS2005 SP1 and a test client that continues to call it. The memory increases steadily - approximately 40K per client request. If the test app is paused, the memory remains the same. When it is closed, the memory drops. Explicit calling of GC.Collect does not drop the memory.

We have run the memory profiler on the service and the leak is all native memory. We have uninstalled/re-installed the Framework on one of the machines but no difference. To our knowledge all of the security and IIS settings are not modified. We have compared app pool, default web site and virtual directory properties to machines that have no problem and they are identical.

View 11 Replies

WCF / ASMX :: How To Call Asmx Web Service In A .net App From Classic Asp App Js File

Mar 17, 2011

I have a .NET app developed in .NET version 4.0, and I implemented an asmx web service in it. Now I want to call one of the web service methods from a JavaScript function in another classic ASP application.

View 2 Replies

WCF / ASMX :: Running A Web Service User Service / Domain Account?

Mar 28, 2011

Is it possible to run a web service as a particular user/service account in the same way a Windows service can? I have a service account used for connecting to the DB and want to run the web service under this account, as the users using the web service won't have DB access. The way I see to do it is to include the Impersonate option in the Web.config file, but is there any better way to do this?

View 1 Replies

WCF / ASMX :: Create An Instance Of Web Service Without Adding Web Service Reference?

Mar 17, 2011

How to create an instance of web service without adding web service reference? How to identify the server address/name where the web service is hosted from C# code?

View 1 Replies

Unable To Pass User Credentials From WCF Web Service To ASMX Web Service

May 25, 2010

My WCF client calls my WCF service, which then calls an ASMX web service. The problem is that I have configured my WCF client and WCF service to the Windows credentials type, but when the WCF service calls the ASMX service, the user credentials (default WindowsIdentity) are not passed to the ASMX service.

In the WCF service I am able to get the user identity by using: Thread.CurrentPrincipal.Identity.Name;
WCF Service - I have disabled anonymous access and enabled Windows authentication. ASMX Web Service - I have disabled anonymous access and enabled Windows authentication.
WCF Service Config
[Code]....

View 1 Replies

WCF / ASMX :: How To Call Web Service Hosted In Window Service And Having End Point Over Tcp

Aug 4, 2010

I have created a normal web service and I want to host it outside IIS. One idea I got is to use a Windows service as the hosting environment. I have created a web service and hosted it in a Windows service, and the Windows service is running now. Would anybody please let me know how I can call a web service hosted in a Windows service bound over soap.tcp? Here is my sample code.

[Code]....
[Code]....

View 1 Replies

WCF / ASMX :: Develop A Web Service That Handle Another Web Service's Event (C#.Net 3.5 Framework)?

May 26, 2010

I want to develop a web service that handles another web service's event. (C#.Net 3.5 framework)

View 1 Replies

WCF / ASMX :: Create Simple Web Service In VS2010, NOT WCF Service?

Aug 30, 2010

How to create simple web service in VS2010 Professional (trial version). There is no template to do this. I am not trying to create WCF service here.

View 2 Replies

WCF / ASMX :: How To Convert Existing Web Service To Framework 3.5 Service

Sep 20, 2010

I have an existing web service running in framework 2.0, but I want to convert all my services to framework 3.5 WCF services.

View 1 Replies

WCF / ASMX :: Add Service As Service Reference To VB6 Winforms Application

Feb 7, 2011

How do I add the WCF service built using VS2010 as a service reference to a Winforms app which is written in VB6?

View 1 Replies

WCF / ASMX :: "Service Error - Web Service Failure

Feb 2, 2011

I keep getting an error that "Service Error : wbsTest failed", where wbsTest is my web service.

The error comes up frequently enough for the user - normally reproducible within a minute or so of working with an application.

A bit of background: A user is a remote user accessing an application hosted on our servers over https. He is software firewalled and his connection isn't the fastest, but it is responsive enough. When errors do not present themselves, page loads are fairly quick.

View 8 Replies

VS 2010 - How To Prevent Web Service Restart

Nov 10, 2011

I've created a web service using VS 2010 and .Net 3.5, deployed on Win7. No hiccups regarding performance or functionality. However, after adding performance counters I realized that the web service is restarted every few thousand calls (which happens after a few seconds).

The application pool has already been changed to not use recycling but this behavior persists.

View 4 Replies

WCF / ASMX :: How To Access Web Service In WCF Service

May 24, 2010

I want to access simple web service inside WCF service. How can i achieve it?

View 2 Replies

WCF / ASMX :: Web Service Latency / How To Measure The latency(response Round Trip Time) For a Web Service

Jun 17, 2010

I am writing a program to measure the latency (response round trip time) for a web service. I need to have this at the client side.

My initial plan is to store the time at which the request is sent and then calculate the difference in time when we receive a response from the web service. Is this the correct way to measure the latency of a web service? This has some overhead because of storing time and all. How can this be done?

Another option is to attach a timestamp with the SOAP request. But the server should return the timestamp. This will not be possible in case of third party web services.

View 4 Replies

AJAX :: Auto Complete - Web Service - Prevent Authentication Form From Showing?

Jul 19, 2010

I have set up the Auto complete control and the web service to populate it, this web service resides within the project that uses it, it works fine on my machine (if I had a nickel for every time I heard that from a developer...) , but when I install it on Dev, the site asks for authentication, then when I select the tab with the textbox that has the Auto Complete control, it asks me for authentication again. If I remove the Auto Complete control, it no longer asks me. The funny thing is, I can enter authentication info OR just click cancel and the web service works fine.

In the IIS site on Dev and in the Web config, I have turned off authentication (in IIS I use anonymous and in the Web.config, I set it to "none"). My development machine is in a domain; for some reason beyond my control, both Dev and Prod are not in a domain. Both Dev and Prod machines are Server 2008. How to prevent this authentication form from showing?

View 4 Replies






