The Hogg Blog
Envisaging the Future by Reflecting on the Past
Web service security - Threats and Countermeasures - Part 3 : Message Validation
Jason Hogg - MSFT
4 Jan 2006 4:24 PM
Threats
Message data may be deliberately malformed for malicious purposes, such as injection attacks.
Vulnerabilities
XML serialization helps validate some data types, because XML data from the message is transformed into .NET data types, but this does not protect against malicious content within a string being used for XML injection, SQL injection, or similar attacks.
Client side validation cannot be trusted by a service
Countermeasures
Assume that all input data is malicious until proven otherwise, and use message validation to protect against input attacks, such as SQL injection, buffer overflows, and other types of attacks.
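To illustrate the gap between type checking and validation, here is an added example (not code from the original post or from the patterns & practices guidance). The OrderRequest type, its field rules, and both sample message bodies are constructed for illustration. Both bodies deserialize successfully, and only the allow-list check rejects the second one.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml.Serialization;

// Hypothetical message type, constructed for this example.
public class OrderRequest
{
    public string CustomerId;
    public int Quantity;
}

public static class MessageValidator
{
    // Allow-list: describes what a valid value looks like, anchored at both ends.
    static readonly Regex CustomerIdPattern = new Regex(@"\A[A-Z]{2}[0-9]{6}\z");

    public static List<string> Validate(OrderRequest r)
    {
        var errors = new List<string>();
        if (r.CustomerId == null || !CustomerIdPattern.IsMatch(r.CustomerId))
            errors.Add("CustomerId must be two letters followed by six digits");
        if (r.Quantity < 1 || r.Quantity > 1000)
            errors.Add("Quantity must be between 1 and 1000");
        return errors;
    }
}

public static class Program
{
    static OrderRequest Deserialize(string xml)
    {
        var serializer = new XmlSerializer(typeof(OrderRequest));
        using (var reader = new StringReader(xml))
            return (OrderRequest)serializer.Deserialize(reader);
    }

    public static void Main()
    {
        // Constructed sample bodies. Both deserialize, because a string is a string.
        string[] bodies = {
            "<OrderRequest><CustomerId>AB123456</CustomerId><Quantity>5</Quantity></OrderRequest>",
            "<OrderRequest><CustomerId>AB123456' OR '1'='1</CustomerId><Quantity>5</Quantity></OrderRequest>"
        };
        foreach (string body in bodies)
        {
            OrderRequest request = Deserialize(body);
            List<string> errors = MessageValidator.Validate(request);
            Console.WriteLine(errors.Count == 0 ? "accepted: " + request.CustomerId
                                                : "rejected: " + string.Join("; ", errors));
        }
    }
}
```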
See the Message Validation Design Pattern for a detailed analysis of detecting replayed web service messages:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch5_MsgVal.asp?frame=true
See the Implementing Message Replay Detection Design Pattern for information on how to implement this pattern using Microsoft WSE 3.0:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch5_ImpMsgVal_WSE30.asp?frame=true
We also have a quickstart for this pattern available on our GotDotNet workspace - see
http://practices.gotdotnet.com/projects/sopatterns