473,699 Members | 2,834 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Replay Attacks in Webservice

Does any one have a sample on how can replay attacks be prevented in a
webservice?
Nov 2 '06 #1
3 2461
This isn't a simple thing to do.Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.

"Baheri" wrote:
Does any one have a sample on how can replay attacks be prevented in a
webservice?
Nov 2 '06 #2
I don't think WSE 2 or 3 come with built-in replay detection, other than for
the UsernameToken profile.

Another option is to cache every message ID or signature value in some data
store and, when a new message arrives, check the incoming message's
ID/signature value against the list of messages already received.

You also need to perform risk analysis on a replay attack. For instance, if
a replay attack causes your code to attempt to update a database with
duplicate data, depending on your criteria it could be rejected
automatically. Therefore, in that case, a replay is theoretically a
non-issue, except if you're worried about DoS attacks.

"Scott Seely" wrote:
This isn't a simple thing to do.Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.

"Baheri" wrote:
Does any one have a sample on how can replay attacks be prevented in a
webservice?
Nov 7 '06 #3
Hi Dudgeon,

My main concern is around Idempotent scenarios. e.g. I don't want the end
user to submit payment for an order they purchased twice.

Regards,
Pancham

"J. Dudgeon" wrote:
I don't think WSE 2 or 3 come with built-in replay detection, other than for
the UsernameToken profile.

Another option is to cache every message ID or signature value in some data
store and, when a new message arrives, check the incoming message's
ID/signature value against the list of messages already received.

You also need to perform risk analysis on a replay attack. For instance, if
a replay attack causes your code to attempt to update a database with
duplicate data, depending on your criteria it could be rejected
automatically. Therefore, in that case, a replay is theoretically a
non-issue, except if you're worried about DoS attacks.

"Scott Seely" wrote:
This isn't a simple thing to do.Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.

"Baheri" wrote:
Does any one have a sample on how can replay attacks be prevented in a
webservice?
Nov 8 '06 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
6
768
AuthHeaderValue with Webservice
by: Davie | last post by:
I want to authorise a user of a web service by using the AuthHeaderValue for some reason I keep getting a null reference exception when I try to run the following code: It seems to work fine on a .NET Framework application, but just not on the .NET CF version. Can anyone suggest anything that might be wrong with the code? (I could post the app and webservice, but i was hoping that you might have noticed something from the supplied...
C# / C Sharp
1
2104
Error looking up webservice, in the test mode
by: Nalaka | last post by:
Hi, I am testing with Visual studio 2005, web projects. Situation: I have one solution with two web projects, created as file system projects. (I am tesing using the built in server, not IIS) First project is a webService. Second consumes the webservices by the first.
ASP.NET
2
5706
problem with webbrowser control/ webservice/ firewall client for isa server 2004
by: Miguel | last post by:
Hi, I'm developing an application in C# with Windows Forms for my company that is similar to the MSN Messenger. This application uses a webservice for registering users, etc... and as 2 webbrowser controls on it. Besides that i'm using the firewall client for isa server 2004 and it seems that the browsers aren't able to pass thru it... if i disable the firewall the browsers work fine, if i don't, the 2 browsers just stay there...
.NET Framework
5
2135
solution for preventing injection attacks
by: www.douglassdavis.com | last post by:
I have an idea for preventing sql injection attacks, however it would have to be implemented by the database vendor. Let me know if I am on the right track, this totally off base, or already implemented somewhere... Lets say you could have a format string such as in printf $format=" SELECT %s FROM %s WHERE id='%s' "; $fieldname="last_name"; $tablename="personel";
PHP
1
1917
WSE 2.0 - How could I replay the action recorded in the trace file
by: newcomer | last post by:
I have traced action in XML. Now I would like to replay that. How could I do that based on this XML trace? I am using soap:tcp between client and server. thanks,
.NET Framework
7
2018
How to mantain the state between 2 call of the same WebService?
by: Alessandro Benedetti | last post by:
Hi. I'm calling two methods of a .NET Webservice (A) from another Webservice (B). The A Webservice is made like this: public class WSA: System.Web.Services.WebService { private int X = 0;
.NET Framework
7
2921
How does the client of a webservice figure out a complex type
by: Nalaka | last post by:
Hi, I created a sinple web service that returns a dataSet. Then I created a client program that uses this web service (that returns the Dataset). My question is, how did the client figure out to create a "DataSet" as the return type from the webservice?
.NET Framework
0
2748
queue & replay keyboard messages in a win form instead of using SendKeys.Send()
by: neonspark | last post by:
I'm buidling some simple macro functionality for my app so the users can record a sequence of keyboard inputs and replay them reliably via some menu. Originally, I used: protected override bool ProcessCmdKey(ref Message msg, Keys keyData) To map "Keys" objects to their string constant, and stored them on a string Queue as they were happening. Then (after resetting the form), I simulate replaying of these actions by flushing the queued...
.NET Framework
7
2564
SQL Capture/Replay tool for db2 luw
by: Lew | last post by:
Hi, I'm looking for a tool that can capture all the sql transactions for a period of time (24 hours or so ) from our production server and replay it exactly as entered on our performance tuning server. Does anyone know of such a tool from IBM or another vendor? Thanks. Lew
DB2 Database
0
8612
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
9032
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
1
8905
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8880
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
5869
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
4373
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
4625
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
3053
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
3
2008
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us