http://blogs.msdn.com/thehoggblog/pages/504526.aspxChallenge A subject that I still see a lot of misunderstanding around is how best to use the UsernameToken when using a user id and password as the basis of authentication for a Web service. Recommendations First and foremost ensure you are protectingen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/thehoggblog/pages/504526.aspx#9392413Tue, 03 Feb 2009 05:25:34 GMT91d46819-8472-40ad-a661-2c78acb4018c:9392413Avkash<p>hi!!</p> <p>Actually i m working for development of &quot;web services security assessment tool &quot; and i need some help to understand &quot;how one can perform bufferoverflow attack on any web service and how we can stop them???&quot;</p> <p>i kindly request u 2 provide any help u can....</p>http://blogs.msdn.com/thehoggblog/pages/504526.aspx#9394505Wed, 04 Feb 2009 07:13:23 GMT91d46819-8472-40ad-a661-2c78acb4018c:9394505Jason Hogg<p>Hi Avkash, I am not sure if you would necessarily be performing a buffer overflow attack on a service, rather then platform on which the service is running. In terms of how you prevent buffer overflow attacks assuming you don't own the platform, a good place to start would be to specify max message sizes on your incoming messages. Not entirely sure if I understood you - so hopefully this helps. </p> http://blogs.msdn.com/thehoggblog/pages/504526.aspx#9825250Thu, 09 Jul 2009 04:16:28 GMT91d46819-8472-40ad-a661-2c78acb4018c:9825250Ross Mallett<p>&quot;In addition to verifying the hash, WSE also signs the message with HMAC-SHA1 using 16 bytes of key data from the hash keys.&quot;</p> <p>Could you elaborate on this? I'm trying to validate the HMAC-SHA1 SignatureValue from a WSE3 client and I cannot derive the same SignatureValue. </p>