The Hogg Blog : Web service security - Threats and Countermeasures

Web service security - Threats and Countermeasures - Part 3 : Message Validation

Threats

Message data may be malformed for malicious intentions such as injection attacks

Vulnerabilities

XML serialization helps validate some data types as XML data from the message is transformed into .Net data types – but this does not prevent against malicious content within a string being used for XML or SQL injection attacks etc.
Client side validation cannot be trusted by a service

Countermeasures

Assume that all input data is malicious until proven otherwise, and use message validation to protect against input attacks, such as SQL injection, buffer overflows, and other types of attacks.
See the Message Validation Design Pattern for a detailed analysis of detecting replayed web service messages:

See the Implementing Message Replay Detection Design Pattern for information on how to implement this pattern using Microsoft WSE 3.0
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch5_ImpMsgVal_WSE30.asp?frame=true
We also have a quickstart for this pattern available on our GotDotNet workspace - see http://practices.gotdotnet.com/projects/sopatterns

Published Wednesday, January 04, 2006 1:24 PM by Jason Hogg

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

No Comments