Replay Attacks in Webservice

Does anyone have a sample of how replay attacks can be prevented in a
webservice?
Nov 2 '06 #1
This isn't a simple thing to do. Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.

"Baheri" wrote:
Does anyone have a sample of how replay attacks can be prevented in a
webservice?
Nov 2 '06 #2
I don't think WSE 2 or 3 come with built-in replay detection, other than for
the UsernameToken profile.

Another option is to cache every message ID or signature value in some data
store and, when a new message arrives, check the incoming message's
ID/signature value against the list of messages already received.

You also need to perform risk analysis on a replay attack. For instance, if
a replay attack causes your code to attempt to update a database with
duplicate data, depending on your criteria it could be rejected
automatically. Therefore, in that case, a replay is theoretically a
non-issue, except if you're worried about DoS attacks.

"Scott Seely" wrote:
This isn't a simple thing to do. Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.

"Baheri" wrote:
Does anyone have a sample of how replay attacks can be prevented in a
webservice?
Nov 7 '06 #3
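
The message-ID cache suggested in this reply, sketched as an added example (not code from any poster, WSE or WCF). The class name, the 300-second window and the sample message are assumptions; the receiver accepts each signed message once and only while its timestamp is fresh, which is what lets the cache be pruned.

```python
import hashlib
import hmac
import struct
import time


class ReplayGuard:
    """Accepts each signed message once, and only inside a freshness window."""

    def __init__(self, key, max_age=300.0, clock=time.time):
        self._key = key
        self._max_age = max_age   # seconds a message stays valid (assumed value)
        self._clock = clock       # injectable so the window can be tested
        self._seen = {}           # message id -> time after which it is stale anyway

    def sign(self, msg_id, created, body):
        # Length-prefixed id and fixed-width timestamp: the MAC input cannot be
        # re-split into a different (id, timestamp, body) triple.
        mid = msg_id.encode()
        data = struct.pack(">I", len(mid)) + mid + struct.pack(">d", created) + body
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def accept(self, msg_id, created, body, mac):
        now = self._clock()
        if not hmac.compare_digest(self.sign(msg_id, created, body), mac):
            return "bad-signature"   # id, timestamp or body was altered
        if abs(now - created) > self._max_age:
            return "stale"           # outside the window, no cache entry needed
        # Entries are dropped only once the stale check alone would reject them.
        self._seen = {m: exp for m, exp in self._seen.items() if exp >= now}
        if msg_id in self._seen:
            return "replay"
        self._seen[msg_id] = created + self._max_age
        return "ok"


def demo():
    # Constructed sample: one payment message delivered twice, then much later.
    now = [1000.0]
    guard = ReplayGuard(b"constructed-demo-key", clock=lambda: now[0])
    body = b"<Pay order='42'/>"
    mac = guard.sign("msg-1", 1000.0, body)
    results = [guard.accept("msg-1", 1000.0, body, mac)]
    results.append(guard.accept("msg-1", 1000.0, body, mac))
    now[0] = 1301.0
    results.append(guard.accept("msg-1", 1000.0, body, mac))
    return results   # first accepted, second rejected as replay, third as stale
```

The in-memory dictionary stands in for the shared data store a multi-server deployment would need.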
Hi Dudgeon,

My main concern is around idempotent scenarios, e.g. I don't want the end
user to submit payment for an order they purchased twice.

Regards,
Pancham

"J. Dudgeon" wrote:
I don't think WSE 2 or 3 come with built-in replay detection, other than for
the UsernameToken profile.

Another option is to cache every message ID or signature value in some data
store and, when a new message arrives, check the incoming message's
ID/signature value against the list of messages already received.

You also need to perform risk analysis on a replay attack. For instance, if
a replay attack causes your code to attempt to update a database with
duplicate data, depending on your criteria it could be rejected
automatically. Therefore, in that case, a replay is theoretically a
non-issue, except if you're worried about DoS attacks.

"Scott Seely" wrote:
This isn't a simple thing to do. Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.

"Baheri" wrote:
Does anyone have a sample of how replay attacks can be prevented in a
webservice?
Nov 8 '06 #4
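
The double-payment case raised here, combined with the earlier point that a database can reject duplicate data on its own, as an added example (not code from any poster). The table layout, the `PaymentLedger` class and the `charge` callable are assumptions; the order is claimed through a primary-key insert before any money moves, so a resubmitted request gets the original receipt instead of a second charge.

```python
import sqlite3


class PaymentLedger:
    """Charges each order at most once; repeats get the stored receipt."""

    def __init__(self, charge):
        self._charge = charge   # hypothetical callable: (order_id, cents) -> receipt
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE payment (order_id TEXT PRIMARY KEY,"
            " amount_cents INTEGER NOT NULL, receipt TEXT)")

    def pay(self, order_id, amount_cents):
        try:
            with self._db:   # claim the order first; the key rejects a second claim
                self._db.execute(
                    "INSERT INTO payment (order_id, amount_cents) VALUES (?, ?)",
                    (order_id, amount_cents))
        except sqlite3.IntegrityError:
            amount, receipt = self._db.execute(
                "SELECT amount_cents, receipt FROM payment WHERE order_id = ?",
                (order_id,)).fetchone()
            if amount != amount_cents:
                raise ValueError("order already paid with a different amount")
            return receipt   # duplicate submission: no second charge
        try:
            receipt = self._charge(order_id, amount_cents)
        except Exception:
            with self._db:   # release the claim so a genuine retry can succeed
                self._db.execute(
                    "DELETE FROM payment WHERE order_id = ?", (order_id,))
            raise
        with self._db:
            self._db.execute(
                "UPDATE payment SET receipt = ? WHERE order_id = ?",
                (receipt, order_id))
        return receipt
```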