Webservice Security

bob
Hi,
Please forgive the Off-topic
We have a hand held app that consumes a web service.
Currently this is internal to the organisation.
We now want to expose this externally so the Handhelds can consume it
anywhere.
The IT staff are looking to us for answers on the security risk of
this.
My uninformed opinion is that the worst case is someone could discern
the protocol and pretend to be a Handheld and consume the webservice.
They wouldn't be able to hack in and destroy the corporate database
etc.
If anyone has some real world experience and knowledge on this and
could comment it would be appreciated.
thanks
Bob
Aug 4 '08 #1
bob wrote:
> We have a hand held app that consumes a web service.
> Currently this is internal to the organisation.
> We now want to expose this externally so the Handhelds can consume it
> anywhere.
> The IT staff are looking to us for answers on the security risk of
> this.
> My uninformed opinion is that the worst case is someone could discern
> the protocol and pretend to be a Handheld and consume the webservice.
> They wouldn't be able to hack in and destroy the corporate database
> etc.
> If anyone has some real world experience and knowledge on this and
> could comment it would be appreciated.
Sometimes it is good to be paranoid.

I will suggest:

- require authentication (either login or client
certificate)
- HTTPS only
- Network with DMZ like:
---firewall---server with no data---firewall---server with data
- strict validation of everything in the web service itself
- appropriate logging and monitoring

Arne
Aug 4 '08 #2
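Arne's "strict validation of everything in the web service itself" is the item most often skipped, so here is an added example of what it looks like for the kind of service bob goes on to describe (one call, one XML document in). This is not code from the thread or from bob's application; the element names (StockTake, Location, Item with sku/qty attributes), the size and count limits, and the sample documents are all assumed for the demonstration. The validator refuses anything that is not exactly the expected shape, and refuses DTDs outright so that entity-expansion tricks never reach the parser.

```python
"""Added example (not from the thread): strict validation of the one XML request
the service accepts, before anything downstream sees it.  StockTake/Location/Item
and the limits below are an assumed schema, not bob's real one."""
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024          # refuse oversized uploads before parsing
MAX_ITEMS = 1000
EXPECTED_ROOT = "StockTake"    # assumed root element name
ALLOWED_CHILDREN = {"Location", "Item"}


class ValidationError(ValueError):
    """Raised for any request that does not match the expected shape exactly."""


def validate_request(raw: bytes) -> dict:
    """Return the parsed, whitelisted content of a request or raise ValidationError."""
    if len(raw) > MAX_BYTES:
        raise ValidationError("document too large")
    # No DTDs at all: that rules out entity expansion and external entities
    # without having to trust parser defaults.
    upper = raw.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValidationError("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValidationError(f"malformed XML: {exc}") from exc
    if root.tag != EXPECTED_ROOT:
        raise ValidationError(f"unexpected root element {root.tag!r}")

    location = None
    items = []
    for child in root:
        if child.tag not in ALLOWED_CHILDREN:
            raise ValidationError(f"unexpected element {child.tag!r}")
        if child.tag == "Location":
            text = (child.text or "").strip()
            if not (text.isalnum() and 1 <= len(text) <= 16):
                raise ValidationError("Location must be 1-16 alphanumeric characters")
            location = text
        else:
            sku = child.get("sku", "")
            qty = child.get("qty", "")
            if not (sku.isalnum() and 1 <= len(sku) <= 20):
                raise ValidationError("Item sku must be 1-20 alphanumeric characters")
            if not (qty.isdigit() and int(qty) <= 1_000_000):
                raise ValidationError("Item qty must be a non-negative integer")
            items.append((sku, int(qty)))
    if location is None:
        raise ValidationError("Location element missing")
    if not 1 <= len(items) <= MAX_ITEMS:
        raise ValidationError(f"between 1 and {MAX_ITEMS} Item elements required")
    return {"location": location, "items": items}


def is_valid(raw: bytes) -> bool:
    """Convenience wrapper: True if validate_request accepts the document."""
    try:
        validate_request(raw)
        return True
    except ValidationError:
        return False


# Constructed sample requests (not real traffic).
GOOD_DOC = b"""<?xml version="1.0"?>
<StockTake>
  <Location>WH1</Location>
  <Item sku="ABC123" qty="4"/>
  <Item sku="XYZ9" qty="0"/>
</StockTake>"""

# Same shape, but carrying a DTD with an entity: rejected before parsing.
ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE StockTake [<!ENTITY x "xxxxxxxxxx">]>
<StockTake><Location>&x;</Location><Item sku="A" qty="1"/></StockTake>"""

# Well-formed XML with an element the service never asked for.
EXTRA_ELEMENT_DOC = b"""<StockTake><Location>WH1</Location>
<Item sku="A" qty="1"/><Debug>on</Debug></StockTake>"""

if __name__ == "__main__":
    print(validate_request(GOOD_DOC))
    for doc in (ENTITY_DOC, EXTRA_ELEMENT_DOC):
        print("rejected:", not is_valid(doc))
```

The whitelist approach matters more than the individual checks: every element, attribute and value the back-room app will act on is named here, and anything else fails closed. Validation failures are exactly the events that should feed Arne's last item, logging and monitoring.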

"bob" <st**************@cutthis.adriley.co.nz> wrote in message
news:mq********************************@4ax.com...
> Hi,
> Please forgive the Off-topic
> We have a hand held app that consumes a web service.
> Currently this is internal to the organisation.
> We now want to expose this externally so the Handhelds can consume it
> anywhere.
> The IT staff are looking to us for answers on the security risk of
> this.
> My uninformed opinion is that the worst case is someone could discern
> the protocol and pretend to be a Handheld and consume the webservice.
> They wouldn't be able to hack in and destroy the corporate database
> etc.
> If anyone has some real world experience and knowledge on this and
> could comment it would be appreciated.
> thanks
> Bob
The Web service should be using HTTPS with authentication and certificate.

I don't know about the hand held and its ability to use SOAP authentication
of User-ID and PSW it must present to the Web service that uses SOAP
authentication.

Aug 4 '08 #3
Oh; on the subject of strong passwords: physical tokens (such as RSA's
SecurID) are a very good idea; this means that not even *you* know
your password (or not all of it, at least). So even if you use a
device that has a key-logger installed, they can't use your password
later. However, this doesn't always play nicely with web-service
logins - so our client apps use a regular html login page (with
SecurID); when the user has successfully logged in (over SSL), our
client app detects a generated token on the page and uses that token
(time-limited, crypto-hashed) to talk to the web-service.

And if somebody drops their SecurID; fine... any passer by isn't going
to know the other half of the credentials (but cancel the token
anyway!). This leaves malicious misuse, and things like combined theft
(for the SecurID) and key logging / threat (to get the username/
password). And, well, then things get hard to guard against... I'll
let you decide (based on your industry) what to do there... thankfully
it isn't something I have to worry about in my line, but if you are
working in high-finance / security / military, well... I'm sure they'd
have their own guidelines.

Marc
Aug 4 '08 #4
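Marc's arrangement (HTML login with SecurID over SSL, then a time-limited, crypto-hashed token that the client app presents to the web service) is worth seeing in code, because it is the piece the hand-held has to carry. The following is an added example, not Marc's code or anything from the thread: the token format, the HMAC-SHA256 construction and the 15-minute lifetime are assumptions. The point it demonstrates is that the token carries no password material, cannot be altered without the server's key, and dies on its own after the lifetime, so a key-logger on the device captures nothing reusable.

```python
"""Added example (not from the thread): a time-limited, HMAC-signed token minted
once the user has passed the HTML login (with the one-time SecurID code) and then
presented by the client app on every web-service call.  Format and lifetime are
assumptions."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Shared between the login page and the web service; generated fresh here for
# the demo.  In a deployment it comes from protected configuration.
SECRET_KEY = os.urandom(32)
TOKEN_TTL_SECONDS = 15 * 60


def issue_token(username: str, now: Optional[float] = None,
                secret: bytes = SECRET_KEY) -> str:
    """Mint base64('username|expiry|hmac').  No password material is inside."""
    now = time.time() if now is None else now
    expires = int(now + TOKEN_TTL_SECONDS)
    payload = f"{username}|{expires}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SECRET_KEY) -> Optional[str]:
    """Return the username if the token is intact and unexpired, else None.

    The MAC is checked before the expiry, so a token that was tampered with
    is rejected regardless of what expiry it claims.
    """
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        username, expires_field, mac = raw.rsplit(b"|", 2)
        expires = int(expires_field)
    except ValueError:          # bad base64, wrong field count, non-numeric expiry
        return None
    expected = hmac.new(secret, username + b"|" + expires_field,
                        hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None
    if now >= expires:
        return None
    return username.decode()


if __name__ == "__main__":
    tok = issue_token("bob")
    print("token:", tok)
    print("verified as:", verify_token(tok))
    print("after expiry:", verify_token(tok, now=time.time() + TOKEN_TTL_SECONDS + 1))
```

The web service only ever calls verify_token; the login page is the only place the SecurID code and password are seen. Cancelling a lost SecurID, as Marc says, is still necessary: the token limits how long a captured session is useful, it does not replace revoking the credential.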
bob

Hi All,
Thank you for your replies,
It seems there is a case to answer.
Pardon me if my questions seem naive but I spend my time doing back
room design.

The Web Service only exposes one function which takes in a specialized
XML document and spits back an output string once the back room app
has parsed the doc and made its decisions.

There is no gain or loss if the Web service function is fooled by a
black hat. It's a bit like a remote stock take function except there is
not even any Jelly Beans to make fraud worthwhile.

It doesn't even really matter if the black hat trashes this app's
database, mildly inconvenient but that's all.

The only real concern I have got is:
Can a single function web service such as this act as a portal for
further network malevolence?

The machine housing this app's database would be on the corporate
network and further destruction would be serious.

From your replies so far I am thinking:

1) https
2) Maybe the backend app and database live in the DMZ?

Thanks again,
Bob
Aug 4 '08 #5
> 2) Maybe the backend app and database live in the DMZ?

If the db is throwaway and doesn't have anything privileged, then
maybe... I try to protect mine a bit more, though.

Re acting as a portal : as long as you don't do anything daft like
open yourself to SQL injection attacks, or execute random shell
commands for the client, or run as sysadmin (or an even /remotely/
privileged account), then you should be pretty safe.

Marc

Aug 4 '08 #6
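Marc's two conditions for not becoming a "portal" (no SQL injection, and nothing resembling a privileged account) are easy to show on a throwaway table. The block below is an added example and not code from the thread or from bob's application; the stock table, the query and the use of SQLite are assumptions made for the demonstration, and SQLite's query_only pragma stands in for what would be a SELECT-only database account on a real server. It puts the string-pasting query beside the parameterised one and then shows that even a session that has been restricted cannot write.

```python
"""Added example (not from the thread): the 'portal' risk Marc names, shown on a
constructed SQLite table.  Parameterised queries keep client input as data; a
read-only session stands in for a least-privilege database account."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a few stock rows per location."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stock (location TEXT, sku TEXT, qty INTEGER)")
    con.executemany("INSERT INTO stock VALUES (?, ?, ?)",
                    [("WH1", "ABC123", 4), ("WH2", "XYZ9", 7), ("WH2", "QRS1", 1)])
    con.commit()
    return con


def lookup_unsafe(con: sqlite3.Connection, location: str) -> list:
    """The daft version: client text is pasted into the SQL statement."""
    sql = f"SELECT sku, qty FROM stock WHERE location = '{location}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, location: str) -> list:
    """Parameterised: whatever the client sends is compared as a string value."""
    return con.execute("SELECT sku, qty FROM stock WHERE location = ?",
                       (location,)).fetchall()


def restrict_to_read_only(con: sqlite3.Connection) -> None:
    """Least privilege for the service's DB session.  In SQLite that is a
    pragma; with a real server it is a dedicated account granted SELECT only."""
    con.execute("PRAGMA query_only = ON")


def can_write(con: sqlite3.Connection) -> bool:
    """True if the session is still able to modify data (the attempt is rolled back)."""
    try:
        con.execute("INSERT INTO stock VALUES ('WH9', 'TEST', 0)")
        con.rollback()
        return True
    except sqlite3.Error:
        con.rollback()
        return False


# Constructed input an honest handheld would never send: it closes the string
# literal so that the WHERE clause becomes true for every row.
CRAFTED_LOCATION = "WH1' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("unsafe, honest input :", lookup_unsafe(con, "WH1"))
    print("unsafe, crafted input:", lookup_unsafe(con, CRAFTED_LOCATION))
    print("safe,   crafted input:", lookup_safe(con, CRAFTED_LOCATION))
    restrict_to_read_only(con)
    print("session can write    :", can_write(con))
```

The parameterised query returns nothing for the crafted value because there is no location literally named `WH1' OR '1'='1`; the unsafe one returns every row. The read-only session is the second half of Marc's advice: if the service's account cannot write, a flaw in the service cannot be turned into damage to the database behind it.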
bob

Hi Marc,
Thanks again.
regards
Bob
On Mon, 4 Aug 2008 01:52:45 -0700 (PDT), Marc Gravell
<ma**********@gmail.com> wrote:
> 2) Maybe the backend app and database live in the DMZ?
>
> If the db is throwaway and doesn't have anything privileged, then
> maybe... I try to protect mine a bit more, though.
>
> Re acting as a portal : as long as you don't do anything daft like
> open yourself to SQL injection attacks, or execute random shell
> commands for the client, or run as sysadmin (or an even /remotely/
> privileged account), then you should be pretty safe.

Marc
Aug 4 '08 #7
bob wrote:
> The Web Service only exposes one function which takes in a specialized
> XML document and spits back an output string once the back room app
> has parsed the doc and made its decisions.
>
> There is no gain or loss if the Web service function is fooled by a
> black hat. It's a bit like a remote stock take function except there is
> not even any Jelly Beans to make fraud worthwhile.
>
> It doesn't even really matter if the black hat trashes this app's
> database, mildly inconvenient but that's all.
>
> The only real concern I have got is:
> Can a single function web service such as this act as a portal for
> further network malevolence?
Yes, which is why it is common practice to put a box in a DMZ
with a firewall on both sides.
> The machine housing this app's database would be on the corporate
> network and further destruction would be serious.
>
> From your replies so far I am thinking:
>
> 1) https
> 2) Maybe the backend app and database live in the DMZ?
I am a bit skeptical about having the database out in the DMZ.

But if it is readonly data and they are stored on a CD disk, then
maybe ...

:-)

Arne
Aug 4 '08 #8