Security :: How To Prevent ASMX (web Service) Replay Attacks
Jan 20, 2011
I have an ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security in .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?
View 1 Replies
Similar Messages:
Jan 22, 2010
This involves using the Membership provider to add a comment to users' server-side records when they log in and out, and then confirming that when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.
Is all this work really necessary? Can I roll my own key-value store of cookie values to logged-in users and just make sure I clear this when a user hits the logout button? If this seems unsafe, is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?
I guess my main problem here is that we decided a long time ago that the membership provider model doesn't fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause troubles.
View 2 Replies
May 5, 2010
Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials. On replay of the entire request (including session and auth cookies), the security tester is able to successfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a malicious user have to do to intercept the HTTPS request and replay it? Is this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?
No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading an image with a malicious URL isn't an issue.
View 6 Replies
Aug 17, 2010
I am using Microsoft Visual Web Developer 2010 to build and publish my website, and I am facing a security problem. My website has an authentication service for my clients; each one has his own user name and password. After I introduced a new member, my database collapsed; maybe this last member is a hacker. Is there a way to improve security vulnerabilities to prevent future attacks? Maybe through web.config, could be encrypted.
View 11 Replies
Nov 18, 2010
I'm maintaining a legacy XML web service system (Framework 2.0), and am trying to return an XML fragment as part of a SOAP response. The problem is: SOAP will auto-enclose the XML fragment in a <[CData[]]> tag, and I want to avoid this.
In short, SOAP Response gave me this:
<MessageContent xmlns=""><![CDATA[<DataSourceResponse>blah..blah..blah..</DataSourceResponse>]]></MessageContent>
But what I want in the SOAP response is this (without the CData enclosure):
<MessageContent xmlns=""><DataSourceResponse>blah..blah..blah..</DataSourceResponse></MessageContent>
View 5 Replies
Nov 17, 2010
I am facing a problem while consuming a Java web service using WCF. Below are the web.config and aspx.cs file details.
Requirement
The service request and response will be encrypted with a certificate. When I run the code below, I am getting the error "The private key is not present in the X.509 certificate."
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="TestClientCertificate">
        <clientCredentials>
          <clientCertificate storeLocation="CurrentUser" storeName="My"
                             findValue="certificatename" x509FindType="FindByIssuerName"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="TestHttpBinding" maxReceivedMessageSize="1048576" maxBufferSize="1048576" transferMode="Buffered">
        <security mode="TransportWithMessageCredential">
          <!--<transport clientCredentialType="Certificate"/>-->
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="TestHttpPort" address="https://webserviceurl/webservice"
              binding="basicHttpBinding" bindingConfiguration="TestHttpBinding"
              behaviorConfiguration="TestClientCertificate"
              contract="ServiceReference1.webService1">
    </endpoint>
  </client>
</system.serviceModel>
In the page:
protected void Page_Load(object sender, EventArgs e)
{
    WebServiceClient abc = new WebServiceClient();
    // Rebuild the configured binding as a CustomBinding so that the
    // security element sends a timestamp with each message.
    BindingElementCollection elements = abc.Endpoint.Binding.CreateBindingElements();
    elements.Find<SecurityBindingElement>().IncludeTimestamp = true;
    abc.Endpoint.Binding = new CustomBinding(elements);
    WebServiceClientResponse xyz = abc.WebMethod("", "");
}
// Returns true for every certificate, so nothing is validated.
// This callback is not registered anywhere in the code shown.
private static bool customXertificateValidation(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
    return true;
}
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="TestClientCertificate">
        <clientCredentials>
          <clientCertificate storeLocation="CurrentUser" storeName="My"
                             findValue="partnerservices" x509FindType="FindByIssuerName"/>
        </clientCredentials>
        <!--<serviceDebug includeExceptionDetailInFaults="true"/>-->
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="TestHttpBinding" maxReceivedMessageSize="1048576" maxBufferSize="1048576" transferMode="Buffered">
        <security mode="TransportWithMessageCredential">
          <!--<transport clientCredentialType="Certificate"/>-->
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="TestHttpPort" address="https://webservicespprd.biworldwide.com/partnerservices/services/v1/AccountWebService.biws"
              binding="basicHttpBinding" bindingConfiguration="TestHttpBinding"
              behaviorConfiguration="TestClientCertificate"
              contract="ServiceReference1.AccountWebService">
      <!--<identity>
        <certificate encodedValue="MIIB5zCCAVCgAwIBAgIQlerVslZ+4p1Of3evhNc3TDANBgkqhkiG9w0BAQQFADAP"/>
      </identity>-->
    </endpoint>
  </client>
</system.serviceModel>
View 7 Replies
Feb 22, 2011
I want to restrict my web service to only a few domains.
I want to have access to the web service using AJAX from my page, and I don't want anybody to be able to create a client for my web service and view my web service methods.
View 4 Replies
Dec 30, 2010
I have a WCF web service. It works fine on my local machine, but when I move it to live it throws the following error:
System.Security.SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.
View 2 Replies
Aug 23, 2010
In my ASP.NET app, I noticed that the results of any web service calls are cached. I don't want any results to be cached; how can I stop the browser from caching the results? Update: Here's the proxy code generated by calling the web service URL appending '/js', e.g. /mywebservice.asmx/js
var MyWebService=function() {
MyWebService.initializeBase(this);
this._timeout = 0;
this._userContext = null;
this._succeeded = null;
this._failed = null;
[code]...
View 4 Replies
May 5, 2010
If I have a web application with many pages, like an add order page, an edit order page, and a delete order page, they also interact with SQL Server 2008, and I also created a web service page called Sales_Service.asmx. I know I just need to put something like a query into a Web Method in Sales_Service.asmx, but I have a lot of queries; I don't know which query I should put into it or how the web page calls Sales_Services.asmx.
View 2 Replies
Nov 8, 2010
A customer reported that our asmx web service is continually increasing in memory (mem usage as well as private bytes). We are able to reproduce the problem in our lab with Windows 2003 Server SP2 (fully patched) on some of the machines. The customer is using Windows 2008.
We created a Hello World web service targeting the 2.0 framework built under VS2005 SP1 and a test client that continues to call it. The memory increases steadily - approximately 40K per client request. If the test app is paused, the memory remains the same. When it is closed, the memory drops. Explicit calling of GC.Collect does not drop the memory.
We have run the memory profiler on the service and the leak is all native memory. We have uninstalled/re-installed the Framework on one of the machines but no difference. To our knowledge all of the security and IIS settings are not modified. We have compared app pool, default web site and virtual directory properties to machines that have no problem and they are identical.
View 11 Replies
Mar 17, 2011
I have a .NET app developed in .NET 4.0, and I implemented an asmx web service in it. Now I want to call one of the web service methods from a JavaScript function in another classic ASP application.
View 2 Replies
Mar 28, 2011
Is it possible to run a web service as a particular user/service account in the same way a Windows service can? I have a service account used for connecting to the DB and want to run the web service under this account, as the users using the web service won't have DB access. The way I see to do it is to include the Impersonate option in the Web.config file, but is there any better way to do this?
View 1 Replies
Mar 17, 2011
How to create an instance of web service without adding web service reference? How to identify the server address/name where the web service is hosted from C# code?
View 1 Replies
May 25, 2010
My WCF client calls my WCF service, which then calls an ASMX web service. The problem is that I have configured my WCF client and WCF service to use the Windows credentials type, but when the WCF service calls the ASMX service, the user credentials (default WindowsIdentity) are not passed to the ASMX service.
In the WCF service I am able to get the user identity by using: Thread.CurrentPrincipal.Identity.Name;
WCF service: I have disabled anonymous access and enabled Windows authentication. ASMX web service: I have disabled anonymous access and enabled Windows authentication.
WCF Service Config
[Code]....
View 1 Replies
Aug 4, 2010
I have created a normal web service and I want to host it outside IIS. One idea I got is to use a Windows service as the hosting environment. I have created a web service and hosted it in a Windows service, and the Windows service is running now. Would anybody please let me know how I can call a web service hosted in a Windows service bound over soap.tcp? Here is my sample code.
[Code]....
[Code]....
View 1 Replies
May 26, 2010
I want to develop a web service that handles another web service's event. (C#, .NET 3.5 framework)
View 1 Replies
Aug 30, 2010
How to create a simple web service in VS2010 Professional (trial version)? There is no template to do this. I am not trying to create a WCF service here.
View 2 Replies
Sep 20, 2010
I have an existing web service running in Framework 2.0, but I want to convert all my services to Framework 3.5 WCF services.
View 1 Replies
Feb 7, 2011
How do I add the WCF service built using VS2010 as a service reference to a Winforms app which is written in VB6?
View 1 Replies
Feb 2, 2011
I keep getting an error that says "Service Error : wbsTest failed", where wbsTest is my web service.
The error comes up frequently enough for the user - normally reproducible within a minute or so of working with an application.
A bit of background: The user is a remote user accessing an application hosted on our servers over HTTPS. He is behind a software firewall and his connection isn't the fastest, but it is responsive enough. When errors do not present themselves, page loads are fairly quick.
View 8 Replies
Nov 10, 2011
I've created a web service using VS 2010 and .Net 3.5, deployed on Win7. No hiccups regarding performance or functionality. However, after adding performance counters I realized that the web service is restarted every few thousand calls (which happens after a few seconds).
The application pool has already been changed to not use recycling but this behavior persists.
View 4 Replies
May 24, 2010
I want to access a simple web service inside a WCF service. How can I achieve it?
View 2 Replies
Jun 17, 2010
I am writing a program to measure the latency (response round-trip time) for a web service. I need to have this on the client side.
My initial plan is to store the time at which the request is sent and then calculate the difference in time when we receive a response from the web service. Is this the correct way to measure the latency of a web service? This has some overhead because of storing the time and all. How can this be done?
Another option is to attach a timestamp to the SOAP request. But the server should return the timestamp. This will not be possible in the case of third-party web services.
View 4 Replies
Jul 19, 2010
I have set up the Auto complete control and the web service to populate it, this web service resides within the project that uses it, it works fine on my machine (if I had a nickel for every time I heard that from a developer...) , but when I install it on Dev, the site asks for authentication, then when I select the tab with the textbox that has the Auto Complete control, it asks me for authentication again. If I remove the Auto Complete control, it no longer asks me. The funny thing is, I can enter authentication info OR just click cancel and the web service works fine.
In the IIS site on Dev and in the Web.config, I have turned off authentication (in IIS I use anonymous and in the Web.config, I set it to "none"). My development machine is in a domain; for some reason beyond my control, both Dev and Prod are not in a domain. Both Dev and Prod machines are Server 2008. How to prevent this authentication form from showing?
View 4 Replies