473,320 Members | 1,719 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

WebServices Security...

Hi there
I've my .NET 2.0 C# WebApplication which exposes some WebMethod, I pass
tablename, username, password and I get a DataSet with some data (actually
the size of the dataset is not a problem since when there are more than 200
records I get the dataset page by page, using startindex and pagesize
parameters)...

.... everything works fine but I feel not safe since if someone sniffs the
webmethod call can call it with the same password and username and retrieve
my data as well... actually I expose Insert and Update methods as well so
someone can even write on my database, knowing username and password.

What can I do ? which are the best guidelines in this scenario ?

Is there any way to pass SOAP calls and results on a secure channel? Should
I use ssl/https or is there any other way? I think ssl can make the
comunication quite slow, don't it?

Thanks, regards, Davide.
Nov 5 '06 #1
2 1083
You are very correct! Exposing such methods is far from good practice.
As you are passing usr/pwd in plain text, it makes it very easy to grap
these strings from the soap telegram.

What you should consider is to remove the user/pwd all together as they have
nothing to do with your "business logic". Autentication and authorization are
(or should be!) distinct from business logic.

Take a look at WSE 2.0/3.0 (or WCF) to see ways to sign your soap envelopes
with Kerberois tokens, usr/pwd or X509 credentials. This makes it extremely
difficult to sniff the password as none is sent along with the message. WSE
presents out-of-the-box frameworks for signature and credentials passing in a
more secure manner than the original WS implementations.

If you insist on stickign to ASMX; yes - you could make use of SSL (https)
which encrypts the communication with a shared secret (negotiated by the SSL
protocol).

--
rgds.
/Claus Konrad
MCSD.NET (C#)
"Ing. Davide Piras" wrote:
Hi there
I've my .NET 2.0 C# WebApplication which exposes some WebMethod, I pass
tablename, username, password and I get a DataSet with some data (actually
the size of the dataset is not a problem since when there are more than 200
records I get the dataset page by page, using startindex and pagesize
parameters)...

.... everything works fine but I feel not safe since if someone sniffs the
webmethod call can call it with the same password and username and retrieve
my data as well... actually I expose Insert and Update methods as well so
someone can even write on my database, knowing username and password.

What can I do ? which are the best guidelines in this scenario ?

Is there any way to pass SOAP calls and results on a secure channel? Should
I use ssl/https or is there any other way? I think ssl can make the
comunication quite slow, don't it?

Thanks, regards, Davide.
Nov 5 '06 #2
Given that you are using ASMX, the following article I wrote a few years ago
should still be applicable.

http://msdn.microsoft.com/library/de...tpsecurity.asp

"Ing. Davide Piras" wrote:
Hi there
I've my .NET 2.0 C# WebApplication which exposes some WebMethod, I pass
tablename, username, password and I get a DataSet with some data (actually
the size of the dataset is not a problem since when there are more than 200
records I get the dataset page by page, using startindex and pagesize
parameters)...

.... everything works fine but I feel not safe since if someone sniffs the
webmethod call can call it with the same password and username and retrieve
my data as well... actually I expose Insert and Update methods as well so
someone can even write on my database, knowing username and password.

What can I do ? which are the best guidelines in this scenario ?

Is there any way to pass SOAP calls and results on a secure channel? Should
I use ssl/https or is there any other way? I think ssl can make the
comunication quite slow, don't it?

Thanks, regards, Davide.
Nov 6 '06 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

6
by: Joseph Geretz | last post by:
I recently upgraded my server to Windows 2003. The first thing I noticed is that my sample WebService pages no longer worked. The Invoke test button is missing. This is addresed by the following KB...
8
by: Komandur Kannan | last post by:
We have a smart device application running on handhelds(Symbol MC9000G). The backend is Oracle and a middle tier web services development done in Vb.net. We use pessimistic Locking due to...
1
by: UJ | last post by:
I've got a network engineer who is absolutely anal about network security. He is questioning how secure web services are and I can't answer him with definitive answers. Do web services run over...
0
by: suresh.csharp | last post by:
Hi, I have developed Web services based on WSE3.0 X.509 Certificate authentication for client and server. I have tested in VS 2005 both services and client application working fine with out any...
3
by: weird0 | last post by:
I have worked on webservices as i can code them...? But what is the underlying concept behind it? How does it work? Somebdy told me that webservices do not have security? Why is that so ? Its...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.