Presented by Abhishek Kamalayagari. Basics of web services Threats and counter measures Security...
Presented by Abhishek Kamalayagari

Agenda:
- Basics of web services
- Threats and counter measures
- Security based on WS-Security
- Security based on event logs
What a web service is
- An application stored on one machine that can be accessed from another machine.
- A web service has several web methods.
- Three components: service broker, service provider, service requester.
- Web methods are remotely invoked using a Remote Procedure Call (RPC).
- Does everything using XML: the messages are consumed by a program, not a person, so XML.
A minimal web service (add.asmx.cs):

    using System;
    using System.ComponentModel;
    using System.Web.Services;

    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [ToolboxItem(false)]
    public class add : System.Web.Services.WebService
    {
        [WebMethod]
        public string HelloWorld()
        {
            return "Hello World";
        }

        [WebMethod]
        public string ad(string a, string b)
        {
            int r = Convert.ToInt32(a);
            int s = Convert.ToInt32(b);
            int p = r + s;
            string q = p.ToString();
            return q;
        }
    }

Consumer (web1 is the web reference name, add is the web service name):

    web1.add a = new web1.add();
    string op1 = TextBox1.Text;
    string op2 = TextBox2.Text;
    string re = a.ad(op1, op2);
    int res = Convert.ToInt32(re);
    TextBox3.Text = res.ToString();

The consumer's call a.ad(op1, op2) is sent as a SOAP request and dispatched to the web method ad(string a, string b) on the service; the return value comes back in the SOAP response.
SOAP request
SOAP response
Note: Simple Object Access Protocol (SOAP) is an XML message format.
Name                                             | Abbreviation | Use
Extensible Markup Language                       | XML          | Language
Universal Description, Discovery and Integration | UDDI         | Discovery
Web Services Description Language                | WSDL         | Description
Simple Object Access Protocol                    | SOAP         | Request and receive messages
Threats and counter measures: unauthorized access, parameter manipulation, network eavesdropping, disclosure of configuration data, message replay.
Unauthorized access
Vulnerabilities:
- No authentication used
- Passwords passed in plaintext in SOAP headers
- Basic authentication used over an unencrypted communication channel
Counter measures:
- Use password digests, Kerberos tickets or X.509 certificates in SOAP headers for authentication
- Use Windows authentication
- Use role-based authorization to restrict access to web services
Parameter manipulation
Vulnerabilities:
- Messages that are not digitally signed
- Messages that are not encrypted
Counter measures:
- Digitally sign the message
- Encrypt the message payload to provide privacy
Network eavesdropping
Vulnerabilities:
- Credentials passed in plaintext in SOAP headers
- No message level encryption used
- No transport level encryption used
Counter measures:
- Use transport level encryption such as SSL or IPSec. This is applicable only if you control both endpoints.
- Encrypt the message payload to provide privacy. This approach works in scenarios where your message travels through intermediary nodes en route to the final destination.
Disclosure of configuration data
Vulnerabilities:
- Unrestricted WSDL files available for download from the Web server
- A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
- Weak exception handling
Counter measures:
- Authorize access to WSDL files using NTFS permissions
- Remove WSDL files from the Web server
- Disable the documentation protocols to prevent the dynamic generation of WSDL
- Capture exceptions and throw a SoapException or SoapHeaderException (one that returns only minimal and harmless information) back to the client
Message replay
Vulnerabilities:
- Messages are not encrypted
- Messages are not digitally signed to prevent tampering
- Duplicate messages are not detected because no unique message ID is used
Common types of message replay attacks:
- Basic replay attack: the attacker captures and copies a message and then replays the same message, impersonating the client. This replay attack does not require the malicious user to know the contents of the message.
- Man in the middle attack: the attacker captures the message, changes some of its contents (for example, a shipping address) and then replays it to the Web service.
Counter measures:
- Use an encrypted communication channel, for example SSL.
- Encrypt the message payload to provide message privacy. Although this does not prevent basic replay attacks, it does prevent man in the middle attacks where the message contents are modified before being replayed.
- Use a unique message ID or nonce with each request to detect duplicates, and digitally sign the message to provide tamperproofing.
Design considerations:
- Authentication requirements
- Privacy and integrity requirements
- Resource access identities
- Code access security
Input validation
- Web methods can accept strongly typed or weakly typed parameters.
- Strongly typed parameters are described by an XSD schema in the WSDL; consumers use this information to access web services.
- The System.Xml.Serialization.XmlSerializer class is used to convert SOAP messages to CLR objects.
- SQL injection can be countered by input validation.
Example of strongly typed parameters:

    [WebMethod]
    public void CreateEmployee(string name, int age, decimal salary)
    {
        // ...
    }

Example of custom object data types, using the Employees custom namespace:

    using Employees;

    [WebMethod]
    public void CreateEmployee(Employee emp)
    {
        // ...
    }

If the consumer is a .NET client:

    using Employees;

    Employee emp = new Employee();
    // Populate Employee fields
    // Send Employee to the Web service
    wsProxy.CreateEmployee(emp);

Otherwise the consumer constructs the XML input manually.
Loosely typed parameters (e.g. string parameters or byte arrays): the auto-generated WSDL simply describes the parameters as string input of type xsd:string, so the web method itself must check type, length, format and range.

    using System;
    using System.Text.RegularExpressions;

    [WebMethod]
    public void SomeEmployeeFunction(string dateofBirth, string SSN)
    {
        // EXAMPLE 1: Type check the date
        try
        {
            DateTime dt = DateTime.Parse(dateofBirth).Date;
        }
        // If the type conversion fails, a FormatException is thrown
        catch (FormatException ex)
        {
            // Invalid date
        }

        // EXAMPLE 2: Check social security number for length, format and range
        if (!Regex.IsMatch(SSN, @"^\d{3}-\d{2}-\d{4}$", RegexOptions.None))
        {
            // Invalid social security number
        }
    }
A web method can use the System.Xml.XmlValidatingReader class to validate the input data against an XSD schema (the class is marked obsolete from .NET 2.0 on, but still works):

    using System.Xml;
    using System.Xml.Schema;

    [WebMethod]
    public void OrderBooks(string xmlBookData)
    {
        try
        {
            // Create and load a validating reader
            XmlValidatingReader reader = new XmlValidatingReader(xmlBookData, XmlNodeType.Element, null);
            // Attach the XSD schema to the reader
            reader.Schemas.Add("urn:bookstore-schema", @"http://localhost/WSBooks/bookschema.xsd");
            // Set the validation type for XSD schema. XDR schemas and DTDs are also supported
            reader.ValidationType = ValidationType.Schema;
            // Create and register an event handler to handle validation errors
            reader.ValidationEventHandler += new ValidationEventHandler(ValidationErrors);
            // Process the input data
            while (reader.Read())
            {
            }
            // Validation completed successfully
        }
        catch
        {
            // Validation error
        }
    }

    // Validation error event handler
    private static void ValidationErrors(object sender, ValidationEventArgs args)
    {
        // Error details available from args.Message
    }

The consumer calls it this way:

    string xmlBookData = "<book xmlns=\"urn:bookstore-schema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
                         "<title>Building Secure ASP.NET Applications</title>" +
                         "<isbn>0735618909</isbn>" +
                         "<orderQuantity>1</orderQuantity>" +
                         "</book>";
    BookStore.BookService bookService = new BookStore.BookService();
    bookService.OrderBooks(xmlBookData);
XSD schema (bookschema.xsd):

    <?xml version="1.0" encoding="utf-8" ?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns="urn:bookstore-schema"
                elementFormDefault="qualified"
                targetNamespace="urn:bookstore-schema">
      <xsd:element name="book" type="bookData"/>
      <xsd:complexType name="bookData">
        <xsd:sequence>
          <xsd:element name="title" type="xsd:string" />
          <xsd:element name="isbn" type="xsd:integer" />
          <xsd:element name="orderQuantity" type="xsd:integer"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:schema>

Regular expressions in a schema:

    <xsd:element name="zip">
      <xsd:simpleType>
        <xsd:restriction base="xsd:string">
          <xsd:pattern value="\d{5}(-\d{4})?" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>

Decimal value restricted to 2 digits:

    <xsd:element name="Salary">
      <xsd:simpleType>
        <xsd:restriction base="xsd:decimal">
          <xsd:fractionDigits value="2" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
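The OrderBooks schema check above, reworked as an added example (not code from the presentation) with XmlReaderSettings and XmlSchemaSet, the API that replaced the obsolete XmlValidatingReader in .NET 2.0. The bookstore XSD is embedded as a string so it runs offline, and the second message is constructed to fail (a non-integer isbn and an element the schema does not declare); BookOrderValidator and its method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Schema;

public static class BookOrderValidator
{
    // The bookstore schema from the slides, inlined so no file or URL is fetched.
    private const string BookSchema =
        "<xsd:schema xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns='urn:bookstore-schema'" +
        " elementFormDefault='qualified' targetNamespace='urn:bookstore-schema'>" +
        "  <xsd:element name='book' type='bookData'/>" +
        "  <xsd:complexType name='bookData'><xsd:sequence>" +
        "    <xsd:element name='title' type='xsd:string'/>" +
        "    <xsd:element name='isbn' type='xsd:integer'/>" +
        "    <xsd:element name='orderQuantity' type='xsd:integer'/>" +
        "  </xsd:sequence></xsd:complexType>" +
        "</xsd:schema>";

    // Returns the list of validation problems; an empty list means the message conforms.
    public static List<string> Validate(string xmlBookData)
    {
        var errors = new List<string>();
        var schemas = new XmlSchemaSet();
        schemas.Add("urn:bookstore-schema", XmlReader.Create(new StringReader(BookSchema)));

        var settings = new XmlReaderSettings();
        settings.ValidationType = ValidationType.Schema;
        settings.Schemas = schemas;
        // Without this flag an element for which no schema is known is silently skipped;
        // with it the validator raises a warning, which we treat as a failure too.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        settings.ValidationEventHandler += (sender, args) => errors.Add(args.Severity + ": " + args.Message);
        // Untrusted input: refuse DTDs (and so entity expansion) and any external resolution.
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.XmlResolver = null;

        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xmlBookData), settings))
            {
                while (reader.Read()) { }   // validation happens as the reader advances
            }
        }
        catch (XmlException ex)
        {
            errors.Add("Malformed XML: " + ex.Message);   // not even well-formed
        }
        return errors;
    }

    public static void Main()
    {
        // Constructed sample messages: the first matches the slide's consumer call, the second is invalid.
        string good = "<book xmlns='urn:bookstore-schema'><title>Building Secure ASP.NET Applications</title>" +
                      "<isbn>0735618909</isbn><orderQuantity>1</orderQuantity></book>";
        string bad  = "<book xmlns='urn:bookstore-schema'><title>x</title><isbn>0-7356-1890-9</isbn>" +
                      "<orderQuantity>1</orderQuantity><discount>100</discount></book>";
        foreach (string msg in new[] { good, bad })
        {
            List<string> errors = Validate(msg);
            Console.WriteLine(errors.Count == 0 ? "accepted" : "rejected:");
            foreach (string e in errors) Console.WriteLine("  " + e);
        }
    }
}
```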
Security based on WS-Security: security tokens carried in the SOAP header.

User name and password:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:UsernameToken>
        <wsse:Username>Bob</wsse:Username>
        <wsse:Password>YourStr0ngPassWord</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>

Username and password digest: the digest is a Base64-encoded SHA1 hash value of the UTF8-encoded password combined with a nonce and a creation timestamp:

    digest = SHA1(nonce + creation timestamp + password)

Kerberos tickets:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>

X.509 certificates (the slide repeated the Kerberos token here; for a certificate the ValueType is wsse:X509v3):

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
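The password digest just shown and the nonce/timestamp replay check from the message replay slide, worked through on the service side as an added example (not code from the presentation). It assumes the digest formula on the slide, Base64(SHA1(nonce + created + password)), with the nonce as the raw Base64-decoded bytes and created/password as UTF-8 text; the class, method names and the five-minute freshness window are my choices.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class UsernameTokenVerifier
{
    // Accept tokens whose Created timestamp is within this window of server time (assumed value).
    private static readonly TimeSpan FreshnessWindow = TimeSpan.FromMinutes(5);

    // Nonces already accepted, with the time at which they may be forgotten.
    private static readonly Dictionary<string, DateTime> seenNonces = new Dictionary<string, DateTime>();

    // Computes Base64(SHA1(nonce + created + password)) exactly as the client would.
    public static string ComputeDigest(byte[] nonce, string created, string password)
    {
        byte[] createdBytes = Encoding.UTF8.GetBytes(created);
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[nonce.Length + createdBytes.Length + passwordBytes.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(createdBytes, 0, input, nonce.Length, createdBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, input, nonce.Length + createdBytes.Length, passwordBytes.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(input));
        }
    }

    // Verifies a received token; storedPassword is the server's copy for that username.
    // Returns false for a stale timestamp, a bad digest or a nonce seen before.
    public static bool Verify(string nonceBase64, string created, string receivedDigest,
                              string storedPassword, DateTime now)
    {
        DateTime createdUtc;
        if (!DateTime.TryParse(created, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out createdUtc))
            return false;                       // unparsable Created value

        TimeSpan age = now - createdUtc;
        if (age > FreshnessWindow || age < -FreshnessWindow)
            return false;                       // too old, or claims to come from the future

        byte[] nonce;
        try { nonce = Convert.FromBase64String(nonceBase64); }
        catch (FormatException) { return false; }

        string expected = ComputeDigest(nonce, created, storedPassword);
        if (!FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(receivedDigest)))
            return false;                       // wrong password or tampered token

        lock (seenNonces)
        {
            // Forget nonces older than the window, then reject any nonce still remembered.
            var expired = new List<string>();
            foreach (var kv in seenNonces)
                if (kv.Value < now) expired.Add(kv.Key);
            foreach (var key in expired) seenNonces.Remove(key);

            if (seenNonces.ContainsKey(nonceBase64))
                return false;                   // replay: same nonce inside the window
            seenNonces[nonceBase64] = createdUtc + FreshnessWindow;
        }
        return true;
    }

    // Constant-time comparison so the digest check does not leak through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample token for Bob, using the password from the slide.
        string password = "YourStr0ngPassWord";
        byte[] nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string nonceB64 = Convert.ToBase64String(nonce);
        DateTime now = DateTime.UtcNow;
        string created = now.ToString("yyyy-MM-ddTHH:mm:ssZ", CultureInfo.InvariantCulture);

        string digest = ComputeDigest(nonce, created, password);
        Console.WriteLine("first use:  " + Verify(nonceB64, created, digest, password, now));
        Console.WriteLine("replayed:   " + Verify(nonceB64, created, digest, password, now));
        Console.WriteLine("bad digest: " + Verify(nonceB64, created, digest, "not-bobs-password", now));
    }
}
```

The nonce cache must be shared by every server that accepts the token (a distributed cache in a farm), otherwise a captured request can be replayed against a different node.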
Authorization
- Web service endpoint authorization: use URL authorization to control access to .asmx files.
- Web method authorization: use declarative principal permission demands:

    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)
    {
        // ...
    }
Digitally signing a SOAP message: see http://msdn.microsoft.com/en-us/library/ms824659.aspx

Disabling auto generation of WSDL: leave out the Documentation protocol in the web services configuration.

    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="Documentation"/> -->
      </protocols>
    </webServices>

In an application-level web.config the protocol is inherited from machine.config, so a <remove name="Documentation"/> element is what takes effect there rather than commenting out the add.
Message encryption options:
- Asymmetric encryption using X.509 certificates
- Symmetric encryption using shared keys
- Symmetric encryption using custom binary tokens
Exception handling. Bad example: an unhandled exception returns internal details, including the method name and the source file path, to the client:

    System.Exception: User not in managers role
       at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage)
       in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207

Web services can throw 3 types of exceptions:
- SoapException
- SoapHeaderException
- Exception (e.g. DivideByZeroException, ArgumentOutOfRangeException)
Good example: the client catches the SoapException and reads the custom message from the Detail element.

    try
    {
        EmployeeService service = new EmployeeService();
        service.GiveBonus(empID, percentage);
    }
    catch (System.Web.Services.Protocols.SoapException se)
    {
        // Extract custom message from se.Detail.InnerText
        Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
    }
Security based on event logs: log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.
Example:

    using System;
    using System.Diagnostics;
    using System.Web.Services;

    [WebMethod]
    public void DivideNumbers(int intNumerator, int intDenominator)
    {
        double dResult;
        try
        {
            dResult = intNumerator / intDenominator;   // throws DivideByZeroException for a zero denominator
        }
        catch (Exception e)
        {
            // Write to Event Log
            WriteToEventLog(e.Message, EventLogEntryType.Error);
        }
    }

    /// <summary>
    /// Method to write to the Event Log
    /// </summary>
    /// <param name="strLogEntry">The message to be logged</param>
    /// <param name="eType">Event Log Type</param>
    private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
    {
        string strSource = "Division Web Service";   // name of the source
        string strLogType = "Application";           // type of the log
        string strMachine = ".";                     // machine name ("." is the local machine)
        if (!EventLog.SourceExists(strSource, strMachine))
        {
            EventLog.CreateEventSource(strSource, strLogType, strMachine);
        }
        EventLog eLog = new EventLog(strLogType, strMachine, strSource);
        eLog.WriteEntry(strLogEntry, eType, 1000);
    }
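How the service side of the "bad example / good example" pair above can be written, as an added example that is not code from the presentation: internal exceptions are recorded in full in the event log, and the client receives a SoapException carrying only a generic message and a correlation id that an operator can look up. EmployeeService, GiveBonusInternal, the urn:employee-service detail namespace and the "Employee Web Service" event source are assumed names; the source must already be registered, as the following slides describe.

```csharp
using System;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

public class EmployeeService : WebService
{
    private const string EventSource = "Employee Web Service";   // assumed; must exist in the Application log

    [WebMethod]
    public void GiveBonus(int empID, int percentage)
    {
        try
        {
            GiveBonusInternal(empID, percentage);
        }
        catch (SoapException)
        {
            throw;   // already a client-safe fault we raised on purpose (e.g. an authorization failure)
        }
        catch (Exception ex)
        {
            // Everything an operator needs stays on the server: type, message, stack trace, arguments.
            string correlationId = Guid.NewGuid().ToString("N");
            string entry = string.Format(
                "CorrelationId={0}\nMethod=GiveBonus(empID={1}, percentage={2})\n{3}",
                correlationId, empID, percentage, ex.ToString());
            EventLog.WriteEntry(EventSource, entry, EventLogEntryType.Error, 1001);

            // The client gets a generic message plus the correlation id in the fault's Detail element.
            XmlDocument doc = new XmlDocument();
            XmlNode detail = doc.CreateNode(XmlNodeType.Element,
                SoapException.DetailElementName.Name, SoapException.DetailElementName.Namespace);
            XmlNode idNode = doc.CreateNode(XmlNodeType.Element, "correlationId", "urn:employee-service");
            idNode.InnerText = correlationId;
            detail.AppendChild(idNode);

            throw new SoapException(
                "The request could not be processed. Quote the correlation id when reporting the problem.",
                SoapException.ServerFaultCode, Context.Request.Url.AbsoluteUri, detail);
        }
    }

    // Stand-in for the real business logic (assumed); the range check shows one exception path.
    private void GiveBonusInternal(int empID, int percentage)
    {
        if (percentage < 0 || percentage > 100)
            throw new ArgumentOutOfRangeException("percentage");
        // ... update the employee record ...
    }
}
```

The client-side catch block from the "good example" prints se.Detail.InnerText, which here is just the correlation id, never the stack trace or file path of the bad example.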
The eType argument to WriteToEventLog can be one of the following:
- EventLogEntryType.Error
- EventLogEntryType.FailureAudit
- EventLogEntryType.Information
- EventLogEntryType.SuccessAudit
- EventLogEntryType.Warning
A System.Security.SecurityException will be thrown when we try to make an entry in the log and the event source is not found (creating a source needs administrative rights, which the web application account does not normally have). Two approaches solve the problem:

a) Create the source by hand in the registry:
1. Click Start -> Run, type regedit.
2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
3. Right-click the Application subkey, point to New, and then click Key.
4. Type "Division Web Service" for the key name.
5. Close Registry Editor.

b) Use the EventLogInstaller class in the System.Diagnostics namespace.

Listing 3: Event Log Installer (the source name must match the one WriteToEventLog uses):

    using System;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Configuration.Install;

    namespace EventLogSourceInstaller
    {
        [RunInstaller(true)]
        public class MyEventLogInstaller : Installer
        {
            private EventLogInstaller myEventLogInstaller;

            public MyEventLogInstaller()
            {
                // Create instance of EventLogInstaller
                myEventLogInstaller = new EventLogInstaller();
                // Set the Source of the event log entry to be created
                myEventLogInstaller.Source = "Division Web Service";
                // Set the Log that the source is created in
                myEventLogInstaller.Log = "Application";
                // Add myEventLogInstaller to the Installers collection
                Installers.Add(myEventLogInstaller);
            }
        }
    }
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X.509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works with Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on different platforms to protect the system from invalid access.
Basics of web servicesThreats and counter measuresSecurity based on WS-SecuritySecurity based on event logs
What a web service is An application stored on one machine that can
be accessed from another machine A web service has several web methods Three components -service broker -service provider -service requester
Web methods are remotely invoked using a Remote Procedure Call
Does everything using XML Used by a computer so XML
[WebService(Namespace = httptempuriorg)] [WebServiceBinding(ConformsTo = WsiProfilesBasicProfile1_1)] [ToolboxItem(false)] public class add SystemWebServicesWebService
[WebMethod] public string HelloWorld() return Hello World [WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2) int res = ConvertToInt32(re) TextBox3Text =
resToString()web1web reference name and add-gt web service name
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2)
[WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
Soap requestSoap request
Soap responseSoap response
Note Simple Object Access Protocol (SOAP) is an XML message format
Name Abbreviation use
Extensible Mark up Language
XML Language
Universal Discovery Description and Integration
UDDI Discovery
Web services Description Language
WSDL Description
Simple Object Access Protocol
SOAP Request and receive messages
Unauthorized accessParameter manipulationNetwork eavesdroppingDisclosure of configuration dataMessage replay
Unauthorized access vulnerabilities-gtNo authentication used-gtPasswords passed in plaintext in SOAP
headers-gtBasic authentication used over an
unencrypted communication channelCounter measures Use password digests Kerberos tickets
X509 certificates in SOAP headers for authentication
Use Windows authentication Use role-based authorization to restrict
access to web services
Parameter manipulation vulnerabilities
Messages that are not digitally signed
Messages that are not encrypted Counter ProofDigitally sign the messageEncrypt the message payload to
provide privacy
Network eavesdropping vulnerabilities Credentials passed in plaintext in SOAP
headers No message level encryption used No transport level encryption usedCounter measures Use transport level encryption such as SSL
or IPSec This is applicable only if you control both endpoints
Encrypt the message payload to provide privacy This approach works in scenarios where your message travels through intermediary nodes route to the final destination
Disclosure of configuration data vulnerabilities
Unrestricted WSDL files available for download from the Web server
A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
Weak exception handling
Counter measures Authorize access to WSDL files using
NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to
prevent the dynamic generation of WSDL Capture exceptions and throw
a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client
Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent
tampering Duplicate messages are not detected because no
unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and
copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message
Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service
Counter measures Use an encrypted communication
channel for example SSL Encrypt the message payload to provide
message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed
Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing
Authentication requirementsPrivacy and integrity
requirementsResource access identitiesCode access security
Web methods can accept strongly typed or weakly typed parameters
Strong parameters have type description by XSD schema
Consumers use this information to access web services
SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects
Sql injection can be counter attacked by input validation
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
What a web service is An application stored on one machine that can
be accessed from another machine A web service has several web methods Three components -service broker -service provider -service requester
Web methods are remotely invoked using a Remote Procedure Call
Does everything using XML Used by a computer so XML
[WebService(Namespace = httptempuriorg)] [WebServiceBinding(ConformsTo = WsiProfilesBasicProfile1_1)] [ToolboxItem(false)] public class add SystemWebServicesWebService
[WebMethod] public string HelloWorld() return Hello World [WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2) int res = ConvertToInt32(re) TextBox3Text =
resToString()web1web reference name and add-gt web service name
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2)
[WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
Soap requestSoap request
Soap responseSoap response
Note Simple Object Access Protocol (SOAP) is an XML message format
Name Abbreviation use
Extensible Mark up Language
XML Language
Universal Discovery Description and Integration
UDDI Discovery
Web services Description Language
WSDL Description
Simple Object Access Protocol
SOAP Request and receive messages
Unauthorized accessParameter manipulationNetwork eavesdroppingDisclosure of configuration dataMessage replay
Unauthorized access vulnerabilities-gtNo authentication used-gtPasswords passed in plaintext in SOAP
headers-gtBasic authentication used over an
unencrypted communication channelCounter measures Use password digests Kerberos tickets
X509 certificates in SOAP headers for authentication
Use Windows authentication Use role-based authorization to restrict
access to web services
Parameter manipulation vulnerabilities
Messages that are not digitally signed
Messages that are not encrypted Counter ProofDigitally sign the messageEncrypt the message payload to
provide privacy
Network eavesdropping vulnerabilities Credentials passed in plaintext in SOAP
headers No message level encryption used No transport level encryption usedCounter measures Use transport level encryption such as SSL
or IPSec This is applicable only if you control both endpoints
Encrypt the message payload to provide privacy This approach works in scenarios where your message travels through intermediary nodes route to the final destination
Disclosure of configuration data vulnerabilities
Unrestricted WSDL files available for download from the Web server
A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
Weak exception handling
Counter measures Authorize access to WSDL files using
NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to
prevent the dynamic generation of WSDL Capture exceptions and throw
a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client
Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent
tampering Duplicate messages are not detected because no
unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and
copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message
Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service
Counter measures Use an encrypted communication
channel for example SSL Encrypt the message payload to provide
message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed
Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing
Authentication requirementsPrivacy and integrity
requirementsResource access identitiesCode access security
Web methods can accept strongly typed or weakly typed parameters
Strong parameters have type description by XSD schema
Consumers use this information to access web services
SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects
Sql injection can be counter attacked by input validation
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parameters, e.g. string parameters or byte arrays: the auto-generated WSDL simply describes the parameters as string input of type xsd:string, so the web method itself must check type, length, format and range.

    using System.Text.RegularExpressions;

    [WebMethod]
    public void SomeEmployeeFunction(string dateOfBirth, string SSN)
    {
        // EXAMPLE 1: Type check the date
        try
        {
            DateTime dt = DateTime.Parse(dateOfBirth).Date;
        }
        catch (FormatException ex)
        {
            // If the type conversion fails, a FormatException is thrown: invalid date
        }

        // EXAMPLE 2: Check social security number for length, format and range
        if (!Regex.IsMatch(SSN, @"^\d{3}-\d{2}-\d{4}$", RegexOptions.None))
        {
            // Invalid social security number
        }
    }
A web method can use the System.Xml.XmlValidatingReader class to validate the input data:

    using System.Xml;
    using System.Xml.Schema;

    [WebMethod]
    public void OrderBooks(string xmlBookData)
    {
        try
        {
            // Create and load a validating reader
            XmlValidatingReader reader = new XmlValidatingReader(xmlBookData, XmlNodeType.Element, null);
            // Attach the XSD schema to the reader
            reader.Schemas.Add("urn:bookstore-schema", @"http://localhost/WSBooks/bookschema.xsd");
            // Set the validation type for XSD schema. XDR schemas and DTDs are also supported
            reader.ValidationType = ValidationType.Schema;
            // Create and register an event handler to handle validation errors
            reader.ValidationEventHandler += new ValidationEventHandler(ValidationErrors);
            while (reader.Read())
            {
                // Process the input data
            }
            // Validation completed successfully
        }
        catch
        {
            // Parsing failed: reject the input
        }
    }

    // Validation error event handler
    private static void ValidationErrors(object sender, ValidationEventArgs args)
    {
        // Error details available from args.Message. With a handler registered the
        // reader reports schema errors here instead of throwing, so rethrow or
        // record the failure here, otherwise the input is treated as valid.
    }

The consumer calls it this way:

    string xmlBookData = "<book xmlns=\"urn:bookstore-schema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
                         "<title>Building Secure ASP.NET Applications</title>" +
                         "<isbn>0735618909</isbn>" +
                         "<orderQuantity>1</orderQuantity>" +
                         "</book>";
    BookStore.BookService bookService = new BookStore.BookService();
    bookService.OrderBooks(xmlBookData);
XSD schema:

    <?xml version="1.0" encoding="utf-8" ?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns="urn:bookstore-schema"
                elementFormDefault="qualified"
                targetNamespace="urn:bookstore-schema">
      <xsd:element name="book" type="bookData"/>
      <xsd:complexType name="bookData">
        <xsd:sequence>
          <xsd:element name="title" type="xsd:string" />
          <xsd:element name="isbn" type="xsd:integer" />
          <xsd:element name="orderQuantity" type="xsd:integer"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:schema>

Regular expressions:

    <xsd:element name="zip">
      <xsd:simpleType>
        <xsd:restriction base="xsd:string">
          <xsd:pattern value="\d{5}(-\d{4})?" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>

Decimal value limited to 2 fraction digits:

    <xsd:element name="Salary">
      <xsd:simpleType>
        <xsd:restriction base="xsd:decimal">
          <xsd:fractionDigits value="2" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
User name and password:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:UsernameToken>
        <wsse:Username>Bob</wsse:Username>
        <wsse:Password>YourStr0ngPassWord</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>

Username and password digest: the digest is a Base64-encoded SHA1 hash value of the UTF8-encoded password,

    digest = SHA1(nonce + creation timestamp + password)

Kerberos tickets:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>

X.509 certificates:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
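The username/password digest described above, worked end to end as an added example (not code from the slides): the client builds a UsernameToken with a fresh nonce and creation time, and the server recomputes SHA1(nonce + created + password), refuses stale timestamps and rejects any nonce it has already accepted, which is the duplicate detection the replay countermeasures call for. The credential store, the five-minute window and the one-minute clock-skew allowance are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Constructed credential store for this example (the slide's sample user).
PASSWORDS = {"Bob": "YourStr0ngPassWord"}

# Assumed freshness window: tokens whose Created time is older than this are
# refused, so the nonce cache only has to remember nonces for this long.
FRESHNESS = timedelta(minutes=5)
CLOCK_SKEW = timedelta(minutes=1)   # assumed tolerance for client clocks
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA1(nonce + created + password)), as the slide defines it."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, now: datetime) -> Dict[str, str]:
    """Client side: fresh random nonce plus creation time; the password itself is never sent."""
    nonce = os.urandom(16)
    created = now.strftime(CREATED_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side: recompute the digest, refuse stale tokens and replayed nonces."""

    def __init__(self, passwords: Dict[str, str], freshness: timedelta = FRESHNESS):
        self.passwords = passwords
        self.freshness = freshness
        self.seen: Dict[str, datetime] = {}  # accepted nonce -> its Created time

    def _purge(self, now: datetime) -> None:
        # A nonce outside the window would be rejected as stale anyway, so
        # forgetting it keeps the cache bounded without weakening the check.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.freshness}

    def verify(self, token: Dict[str, str], now: datetime) -> Tuple[bool, str]:
        self._purge(now)
        password = self.passwords.get(token.get("Username", ""))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, TypeError, ValueError) as exc:
            return False, "malformed token: %s" % exc
        # Freshness: a Created time in the future (beyond tolerated skew) or
        # older than the window is refused before any hashing is done.
        if created > now + CLOCK_SKEW or now - created > self.freshness:
            return False, "stale Created timestamp"
        # Duplicate detection: the same nonce is never accepted twice inside
        # the window, so a captured token cannot simply be resent.
        if token["Nonce"] in self.seen:
            return False, "replayed nonce"
        expected = password_digest(nonce, token["Created"], password)
        presented = token.get("PasswordDigest", "")
        if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
            return False, "bad digest"
        self.seen[token["Nonce"]] = created
        return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    verifier = UsernameTokenVerifier(PASSWORDS)
    token = build_username_token("Bob", PASSWORDS["Bob"], now)
    print(verifier.verify(token, now))   # accepted once
    print(verifier.verify(token, now))   # the resend is refused as a replayed nonce
```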
Web service endpoint authorization: URL authorization can be used to control access to .asmx files.
Web method authorization: use declarative principal permission demands:

    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)
Digitally signing a SOAP message: http://msdn.microsoft.com/en-us/library/ms824659.aspx

Disabling auto generation of WSDL:

    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="Documentation"/> -->
      </protocols>
    </webServices>
- Asymmetric encryption using X.509 certificates
- Symmetric encryption using shared keys
- Symmetric encryption using custom binary tokens
Bad example (the stack trace reveals the method, source path and line number to the client):

    System.Exception: User not in managers role
       at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207

Web services can throw 3 types of exceptions:
- SoapException
- SoapHeaderException
- Exception (DivisionByZero, ArgumentOutOfRange)

Good example:

    try
    {
        EmployeeService service = new EmployeeService();
        service.GiveBonus(empID, percentage);
    }
    catch (System.Web.Services.Protocols.SoapException se)
    {
        // Extract custom message from se.Detail.InnerText
        Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
    }
Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.

Example:

    using System.Diagnostics;

    [WebMethod]
    public void DivideNumbers(int intNumerator, int intDenominator)
    {
        double dResult;
        try
        {
            dResult = intNumerator / intDenominator;
        }
        catch (Exception e)
        {
            // Write to Event Log
            WriteToEventLog(e.Message, EventLogEntryType.Error);
        }
    }

    /// <summary>
    /// Method to write to the Event Log
    /// </summary>
    /// <param name="strLogEntry">The message to be logged</param>
    /// <param name="eType">Event Log Type</param>
    private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
    {
        string strSource = "Division Web Service";   // name of the source
        string strLogType = "Application";           // type of the log
        string strMachine = ".";                     // machine name ("." is the local machine)
        if (!EventLog.SourceExists(strSource, strMachine))
        {
            EventLog.CreateEventSource(strSource, strLogType, strMachine);
        }
        EventLog eLog = new EventLog(strLogType, strMachine, strSource);
        eLog.WriteEntry(strLogEntry, eType, 1000);
    }
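The "good example" and the event-log logging above, combined into one hypothetical handler as an added example that is not part of the slides: the wrapper catches everything a web method throws, writes the full stack trace to a log (a Python logger standing in for the Windows Event Log) under a correlation id, and returns the client a SOAP Fault carrying only the minimal message the slides recommend. The give_bonus method, the invoke wrapper and the fault layout are assumptions.

```python
import logging
import traceback
import uuid
from typing import Callable, List
from xml.sax.saxutils import escape

# Stand-in for the Windows Event Log of the slides: a Python logger whose
# formatted records are kept in AUDIT (constructed for this example).
AUDIT: List[str] = []


class _AuditHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        AUDIT.append(self.format(record))


LOG = logging.getLogger("EmployeeService")
LOG.setLevel(logging.INFO)
LOG.propagate = False
LOG.addHandler(_AuditHandler())


class SoapException(Exception):
    """An error the service chooses to report to the client with a minimal, harmless message."""

    def __init__(self, code: str, message: str) -> None:
        super().__init__(message)
        self.code = code


def soap_fault(code: str, text: str, detail: str = "") -> str:
    """SOAP 1.1 Fault envelope; every field is XML-escaped so a message cannot break the XML."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><soap:Fault>"
        f"<faultcode>soap:{escape(code)}</faultcode>"
        f"<faultstring>{escape(text)}</faultstring>"
        f"<detail>{escape(detail)}</detail>"
        "</soap:Fault></soap:Body></soap:Envelope>"
    )


def give_bonus(emp_id: int, percentage: int, roles: set) -> str:
    """Hypothetical web method modelled on the slide's EmployeeService.GiveBonus."""
    if "Manager" not in roles:
        # Deliberate, client-facing error: the same text the slide's bad example leaked with a trace
        raise SoapException("Client", "User not in managers role")
    share = 100 // percentage  # internal defect: percentage 0 raises ZeroDivisionError
    return f"bonus of {percentage}% (1/{share} of pay) granted to employee {emp_id}"


def invoke(method: Callable[..., str], *args, **kwargs) -> str:
    """Web-method wrapper: the full exception goes to the log, the client gets only a safe fault."""
    try:
        return method(*args, **kwargs)
    except SoapException as se:
        LOG.warning("%s rejected: %s", method.__name__, se)
        # Mirrors se.Detail.InnerText in the slide's good example
        return soap_fault(se.code, str(se), detail=str(se))
    except Exception:
        # The correlation id lets an operator find the stack trace in the log;
        # the trace itself (paths, line numbers, exception types) never leaves the server.
        incident = uuid.uuid4().hex[:8]
        LOG.error("incident %s in %s:\n%s", incident, method.__name__, traceback.format_exc())
        return soap_fault("Server", f"Internal error (incident {incident})")


if __name__ == "__main__":
    print(invoke(give_bonus, 42, 10, roles={"Manager"}))
    print(invoke(give_bonus, 42, 10, roles=set()))
    print(invoke(give_bonus, 42, 0, roles={"Manager"}))
    print("\n".join(AUDIT))
```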
The eType argument of WriteToEventLog can be one of the following: EventLogEntryType.Error, EventLogEntryType.FailureAudit, EventLogEntryType.Information, EventLogEntryType.SuccessAudit, EventLogEntryType.Warning.
A System.Security.SecurityException is thrown when we try to make an entry into the log. The problem is that no event source is found. Two approaches solve the problem:

a) Create the event source key by hand:
   1. Click Start -> Run, type regedit.
   2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
   3. Right-click the Application subkey, point to New, and then click Key.
   4. Type "Division Web Service" for the key name.
   5. Close Registry Editor.

b) Use the EventLogInstaller class in the System.Diagnostics namespace.

Listing 3: Event Log Installer

    using System;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Configuration.Install;

    namespace EventLogSourceInstaller
    {
        [RunInstaller(true)]
        public class MyEventLogInstaller : Installer
        {
            private EventLogInstaller myEventLogInstaller;

            public MyEventLogInstaller()
            {
                // Create Instance of EventLogInstaller
                myEventLogInstaller = new EventLogInstaller();
                // Set the Source of Event Log to be created (must match the source used by WriteToEventLog)
                myEventLogInstaller.Source = "Division Web Service";
                // Set the Log that source is created in
                myEventLogInstaller.Log = "Application";
                // Add myEventLogInstaller to the Installers Collection
                Installers.Add(myEventLogInstaller);
            }
        }
    }
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X.509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works with Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on other platforms to protect the system against invalid access.
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
[WebService(Namespace = httptempuriorg)] [WebServiceBinding(ConformsTo = WsiProfilesBasicProfile1_1)] [ToolboxItem(false)] public class add SystemWebServicesWebService
[WebMethod] public string HelloWorld() return Hello World [WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2) int res = ConvertToInt32(re) TextBox3Text =
resToString()web1web reference name and add-gt web service name
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2)
[WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
Soap requestSoap request
Soap responseSoap response
Note Simple Object Access Protocol (SOAP) is an XML message format
Name Abbreviation use
Extensible Mark up Language
XML Language
Universal Discovery Description and Integration
UDDI Discovery
Web services Description Language
WSDL Description
Simple Object Access Protocol
SOAP Request and receive messages
Unauthorized accessParameter manipulationNetwork eavesdroppingDisclosure of configuration dataMessage replay
Unauthorized access vulnerabilities-gtNo authentication used-gtPasswords passed in plaintext in SOAP
headers-gtBasic authentication used over an
unencrypted communication channelCounter measures Use password digests Kerberos tickets
X509 certificates in SOAP headers for authentication
Use Windows authentication Use role-based authorization to restrict
access to web services
Parameter manipulation vulnerabilities
Messages that are not digitally signed
Messages that are not encrypted Counter ProofDigitally sign the messageEncrypt the message payload to
provide privacy
Network eavesdropping vulnerabilities Credentials passed in plaintext in SOAP
headers No message level encryption used No transport level encryption usedCounter measures Use transport level encryption such as SSL
or IPSec This is applicable only if you control both endpoints
Encrypt the message payload to provide privacy This approach works in scenarios where your message travels through intermediary nodes route to the final destination
Disclosure of configuration data vulnerabilities
Unrestricted WSDL files available for download from the Web server
A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
Weak exception handling
Counter measures Authorize access to WSDL files using
NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to
prevent the dynamic generation of WSDL Capture exceptions and throw
a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client
Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent
tampering Duplicate messages are not detected because no
unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and
copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message
Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service
Counter measures Use an encrypted communication
channel for example SSL Encrypt the message payload to provide
message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed
Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing
Authentication requirementsPrivacy and integrity
requirementsResource access identitiesCode access security
Web methods can accept strongly typed or weakly typed parameters
Strong parameters have type description by XSD schema
Consumers use this information to access web services
SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects
Sql injection can be counter attacked by input validation
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2) int res = ConvertToInt32(re) TextBox3Text =
resToString()web1web reference name and add-gt web service name
web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2)
[WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q
Soap requestSoap request
Soap responseSoap response
Note Simple Object Access Protocol (SOAP) is an XML message format
Name Abbreviation use
Extensible Mark up Language
XML Language
Universal Discovery Description and Integration
UDDI Discovery
Web services Description Language
WSDL Description
Simple Object Access Protocol
SOAP Request and receive messages
Unauthorized accessParameter manipulationNetwork eavesdroppingDisclosure of configuration dataMessage replay
Unauthorized access vulnerabilities-gtNo authentication used-gtPasswords passed in plaintext in SOAP
headers-gtBasic authentication used over an
unencrypted communication channelCounter measures Use password digests Kerberos tickets
X509 certificates in SOAP headers for authentication
Use Windows authentication Use role-based authorization to restrict
access to web services
Parameter manipulation vulnerabilities
Messages that are not digitally signed
Messages that are not encrypted Counter ProofDigitally sign the messageEncrypt the message payload to
provide privacy
Network eavesdropping vulnerabilities Credentials passed in plaintext in SOAP
headers No message level encryption used No transport level encryption usedCounter measures Use transport level encryption such as SSL
or IPSec This is applicable only if you control both endpoints
Encrypt the message payload to provide privacy This approach works in scenarios where your message travels through intermediary nodes route to the final destination
Disclosure of configuration data vulnerabilities
Unrestricted WSDL files available for download from the Web server
A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
Weak exception handling
Counter measures Authorize access to WSDL files using
NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to
prevent the dynamic generation of WSDL Capture exceptions and throw
a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client
Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent
tampering Duplicate messages are not detected because no
unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and
copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message
Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service
Counter measures Use an encrypted communication
channel for example SSL Encrypt the message payload to provide
message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed
Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing
Authentication requirementsPrivacy and integrity
requirementsResource access identitiesCode access security
Web methods can accept strongly typed or weakly typed parameters
Strong parameters have type description by XSD schema
Consumers use this information to access web services
SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects
Sql injection can be counter attacked by input validation
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Threats:
- Unauthorized access
- Parameter manipulation
- Network eavesdropping
- Disclosure of configuration data
- Message replay
Unauthorized access
Vulnerabilities:
- No authentication used
- Passwords passed in plaintext in SOAP headers
- Basic authentication used over an unencrypted communication channel
Countermeasures:
- Use password digests, Kerberos tickets or X.509 certificates in SOAP headers for authentication
- Use Windows authentication
- Use role-based authorization to restrict access to web services
Parameter manipulation
Vulnerabilities:
- Messages that are not digitally signed
- Messages that are not encrypted
Countermeasures:
- Digitally sign the message
- Encrypt the message payload to provide privacy
Network eavesdropping
Vulnerabilities:
- Credentials passed in plaintext in SOAP headers
- No message-level encryption used
- No transport-level encryption used
Countermeasures:
- Use transport-level encryption such as SSL or IPSec. This is applicable only if you control both endpoints.
- Encrypt the message payload to provide privacy. This approach works in scenarios where your message travels through intermediary nodes on the route to the final destination.
Disclosure of configuration data
Vulnerabilities:
- Unrestricted WSDL files available for download from the web server
- A restricted web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain web service characteristics
- Weak exception handling
Countermeasures:
- Authorize access to WSDL files using NTFS permissions
- Remove WSDL files from the web server
- Disable the documentation protocols to prevent the dynamic generation of WSDL
- Capture exceptions and throw a SoapException or SoapHeaderException, which returns only minimal and harmless information, back to the client
Message replay
Vulnerabilities:
- Messages are not encrypted
- Messages are not digitally signed to prevent tampering
- Duplicate messages are not detected because no unique message ID is used
Common types of message replay attacks:
- Basic replay attack: the attacker captures and copies a message and then replays the same message, impersonating the client. This replay attack does not require the malicious user to know the contents of the message.
- Man in the middle attack: the attacker captures the message, changes some of its contents (for example, a shipping address) and then replays it to the web service.
Countermeasures:
- Use an encrypted communication channel, for example SSL
- Encrypt the message payload to provide message privacy. Although this does not prevent basic replay attacks, it does prevent man in the middle attacks where the message contents are modified before being replayed.
- Use a unique message ID or nonce with each request to detect duplicates, and digitally sign the message to provide tamperproofing
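The last countermeasure, duplicate detection plus a signature, as an added example in Python (this is not code from the presentation or from Microsoft's guidance). An HMAC-SHA256 over the message ID, timestamp and body stands in for the XML digital signature the slide recommends; the shared key, the message layout, the JSON canonicalisation and the five-minute freshness window are assumptions of this demo. The order of the checks matters: the signature is verified first so that an unsigned or tampered message can never populate the ID cache, and the timestamp window bounds how long that cache has to remember IDs.

```python
"""Replay and tamper detection for a signed request (added example, not the slide's code)."""
import hashlib
import hmac
import json
import uuid
from collections import OrderedDict

SHARED_KEY = b"demo-shared-secret"      # constructed; real deployments use a per-client signing key
FRESHNESS_WINDOW_SECONDS = 300         # assumed window; also bounds the size of the ID cache


def _mac(message: dict, key: bytes) -> str:
    # Canonical encoding so signer and verifier hash identical bytes.
    payload = json.dumps({k: message[k] for k in ("id", "ts", "body")},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_request(body: dict, key: bytes = SHARED_KEY, message_id: str = None, timestamp: int = 0) -> dict:
    """Client side: attach a unique ID and a timestamp, then sign ID + timestamp + body."""
    message = {"id": message_id or str(uuid.uuid4()), "ts": timestamp, "body": body}
    message["sig"] = _mac(message, key)
    return message


class ReplayGuard:
    """Service side: reject tampered, stale and duplicate messages, in that order."""

    def __init__(self, key: bytes = SHARED_KEY, max_ids: int = 10000):
        self.key = key
        self.seen = OrderedDict()   # message ID -> time first seen; bounded to cap memory
        self.max_ids = max_ids

    def accept(self, message: dict, now: int) -> str:
        if not all(k in message for k in ("id", "ts", "body", "sig")):
            return "rejected: malformed message"
        # 1. Signature: a tampered body (e.g. a changed shipping address) fails here.
        expected = _mac(message, self.key)
        if not hmac.compare_digest(expected, message["sig"]):
            return "rejected: bad signature"
        # 2. Freshness: a message outside the window is refused without consulting the cache.
        if abs(now - message["ts"]) > FRESHNESS_WINDOW_SECONDS:
            return "rejected: stale timestamp"
        # 3. Uniqueness: the same ID seen twice inside the window is a replay.
        if message["id"] in self.seen:
            return "rejected: duplicate message id"
        self.seen[message["id"]] = now
        if len(self.seen) > self.max_ids:
            self.seen.popitem(last=False)
        return "accepted"
```

Because the signature covers the ID and timestamp, an attacker cannot simply assign a fresh ID to a captured message, which is why the basic replay attack on the slide is defeated even though the attacker never needs to read the message contents.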
Design considerations:
- Authentication requirements
- Privacy and integrity requirements
- Resource access identities
- Code access security
Web methods can accept strongly typed or weakly typed parameters.
Strongly typed parameters have their type described by an XSD schema; consumers use this information to access the web service.
The System.Xml.Serialization.XmlSerializer class is used to convert SOAP messages to CLR objects.
SQL injection can be countered by input validation.
Example:
    [WebMethod]
    public void CreateEmployee(string name, int age, decimal salary)
Example of custom object data types:
    using Employees; // custom namespace

    [WebMethod]
    public void CreateEmployee(Employee emp)
If the consumer is a .NET client:
    using Employees;

    Employee emp = new Employee();
    // Populate Employee fields
    // Send Employee to the web service
    wsProxy.CreateEmployee(emp);
Otherwise, construct the XML input manually.
Loosely typed parameters, e.g. string parameters or byte arrays: the auto-generated WSDL simply describes the parameters as xsd:string, so the web method itself must check the string input for type, length, format and range.
    using System.Text.RegularExpressions;

    [WebMethod]
    public void SomeEmployeeFunction(string dateofBirth, string SSN)
    {
        // EXAMPLE 1: Type check the date
        try
        {
            DateTime dt = DateTime.Parse(dateofBirth).Date;
        }
        catch (FormatException ex)
        {
            // If the type conversion fails, a FormatException is thrown: invalid date
        }

        // EXAMPLE 2: Check social security number for length, format and range
        // (the pattern is anchored so that a valid SSN embedded in other text is rejected)
        if (!Regex.IsMatch(SSN, @"^\d{3}-\d{2}-\d{4}$", RegexOptions.None))
        {
            // Invalid social security number
        }
    }
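The same type, length, format and range checks carried through for both parameters of SomeEmployeeFunction, as an added example in Python (not code from the presentation or from Microsoft's guidance). The function names, the strict ISO date format, the 16 to 120 year age range and the input length cap are assumptions of this demo; the excluded SSN area numbers (000, 666 and 900 to 999) follow the Social Security Administration's allocation rules. Note the use of fullmatch: an unanchored search, like an unanchored Regex.IsMatch, accepts a valid-looking SSN embedded in other text, and in Python even a trailing $ still tolerates a final newline.

```python
"""Validating loosely typed web method parameters (added example, not the slide's code)."""
import re
from datetime import date, datetime

SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")
MAX_INPUT_LENGTH = 64                  # assumed: reject oversized input before parsing it
MIN_AGE_YEARS, MAX_AGE_YEARS = 16, 120  # assumed business range for an employee's age


def _as_date(value):
    """Accept a date, an ISO string or None (today); keeps the API testable without datetime."""
    if value is None:
        return date.today()
    return date.fromisoformat(value) if isinstance(value, str) else value


def validate_date_of_birth(text, today=None):
    """Type check by parsing (the FormatException case on the slide), then a range check."""
    today = _as_date(today)
    if not isinstance(text, str) or len(text) > MAX_INPUT_LENGTH:
        return False, "date: bad type or length"
    try:
        dob = datetime.strptime(text.strip(), "%Y-%m-%d").date()   # strict format, no locale guessing
    except ValueError:
        return False, "date: invalid format"
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if not MIN_AGE_YEARS <= age <= MAX_AGE_YEARS:
        return False, "date: out of range"
    return True, ""


def validate_ssn(text):
    """Length, format and range check for a social security number."""
    if not isinstance(text, str) or len(text) > MAX_INPUT_LENGTH:
        return False, "ssn: bad type or length"
    if not SSN_PATTERN.fullmatch(text):      # fullmatch: whole string, no trailing newline
        return False, "ssn: invalid format"
    area = int(text[:3])
    if area == 0 or area == 666 or area >= 900:   # area numbers the SSA never issues
        return False, "ssn: out of range"
    return True, ""


def some_employee_function(date_of_birth, ssn, today=None):
    """Validate both parameters; returns the list of errors, empty when the input is valid."""
    errors = []
    for ok, err in (validate_date_of_birth(date_of_birth, today), validate_ssn(ssn)):
        if not ok:
            errors.append(err)
    return errors
```

The web method would reject the request (or return a SoapException with a generic message) whenever the returned list is non-empty, before the values reach any SQL or business logic.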
A web method can use the System.Xml.XmlValidatingReader class to validate the input data against an XSD schema:
    using System.Xml;
    using System.Xml.Schema;

    [WebMethod]
    public void OrderBooks(string xmlBookData)
    {
        try
        {
            // Create and load a validating reader
            XmlValidatingReader reader = new XmlValidatingReader(xmlBookData, XmlNodeType.Element, null);
            // Attach the XSD schema to the reader
            reader.Schemas.Add("urn:bookstore-schema", @"http://localhost/WSBooks/bookschema.xsd");
            // Set the validation type for XSD schema. XDR schemas and DTDs are also supported
            reader.ValidationType = ValidationType.Schema;
            // Create and register an event handler to handle validation errors
            reader.ValidationEventHandler += new ValidationEventHandler(ValidationErrors);
            // Process the input data
            while (reader.Read())
            {
            }
            // Validation completed successfully
        }
        catch
        {
            // Validation failed or the input was not well-formed XML
        }
    }

    // Validation error event handler
    private static void ValidationErrors(object sender, ValidationEventArgs args)
    {
        // Error details available from args.Message.
        // With a handler registered, errors are reported here instead of thrown, so
        // throw (or set a flag) here; otherwise OrderBooks treats invalid input as valid.
    }
The consumer calls it this way:
    string xmlBookData = "<book xmlns=\"urn:bookstore-schema\" " +
                         "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
                         "<title>Building Secure ASP.NET Applications</title>" +
                         "<isbn>0735618909</isbn>" +
                         "<orderQuantity>1</orderQuantity>" +
                         "</book>";
    BookStore.BookService bookService = new BookStore.BookService();
    bookService.OrderBooks(xmlBookData);
XSD schema (bookschema.xsd):
    <?xml version="1.0" encoding="utf-8" ?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns="urn:bookstore-schema"
                elementFormDefault="qualified"
                targetNamespace="urn:bookstore-schema">
      <xsd:element name="book" type="bookData"/>
      <xsd:complexType name="bookData">
        <xsd:sequence>
          <xsd:element name="title" type="xsd:string"/>
          <xsd:element name="isbn" type="xsd:integer"/>
          <xsd:element name="orderQuantity" type="xsd:integer"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:schema>
Regular expressions:
    <xsd:element name="zip">
      <xsd:simpleType>
        <xsd:restriction base="xsd:string">
          <xsd:pattern value="\d{5}(-\d{4})?"/>
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
Decimal value to 2 digits:
    <xsd:element name="Salary">
      <xsd:simpleType>
        <xsd:restriction base="xsd:decimal">
          <xsd:fractionDigits value="2"/>
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
User name and password:
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:UsernameToken>
        <wsse:Username>Bob</wsse:Username>
        <wsse:Password>YourStr0ngPassWord</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
Username and password digest: the digest is a Base64-encoded SHA1 hash value of the UTF-8-encoded password combined with a nonce and the creation timestamp:
    digest = SHA1(nonce + creation timestamp + password)
Kerberos tickets:
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
X.509 certificates (same token element, but the ValueType names the certificate type):
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
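The password digest formula above, computed on the client and checked on the service, as an added example in Python (not code from the presentation or from any WS-Security library). The digest is Base64(SHA1(nonce + created + password)) with the nonce as raw bytes, as the slide states; the in-memory user store, the five-minute freshness window, the nonce cache and the function names are assumptions of this demo. The practitioner's caveat it makes visible: the service must hold the cleartext password (or a password-equivalent) to recompute the digest, so this scheme protects the password on the wire but not in the service's store, and it does nothing for the rest of the message, which is why the slides pair it with transport or message encryption.

```python
"""WS-Security UsernameToken password digest, client and service side (added example)."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)   # assumed window for the Created timestamp
_TS = "%Y-%m-%dT%H:%M:%SZ"


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, _TS).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA1(raw nonce bytes + created timestamp + UTF-8 password))."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: str = None, nonce: bytes = None) -> dict:
    """Client side: the fields that go into wsse:UsernameToken. The nonce travels Base64-encoded."""
    created = created or datetime.now(timezone.utc).strftime(_TS)
    nonce = nonce or os.urandom(16)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenVerifier:
    """Service side. Needs a password-equivalent per user: a digest cannot be checked
    against a one-way password hash, which is the main operational cost of this scheme."""

    def __init__(self, users: dict):
        self.users = users        # constructed: username -> password
        self.seen_nonces = {}     # raw nonce -> expiry; duplicate detection inside the window

    def verify(self, token: dict, now: str = None) -> str:
        now_dt = _parse(now) if now else datetime.now(timezone.utc)
        password = self.users.get(token.get("Username"))
        if password is None:
            return "rejected: unknown user"
        try:
            created_dt = _parse(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return "rejected: malformed token"
        # Freshness first: bounds how long nonces must be remembered.
        if abs(now_dt - created_dt) > FRESHNESS:
            return "rejected: stale created timestamp"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return "rejected: bad digest"
        # Purge expired nonces, then refuse any nonce already seen in the window.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now_dt}
        if nonce in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces[nonce] = now_dt + FRESHNESS
        return "accepted"
```

An unknown user is rejected before any hashing and the digest comparison is constant-time, so the verifier leaks neither which usernames exist through timing nor the digest through byte-by-byte comparison.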
Web service endpoint authorization: URL authorization can be used to control access to .asmx files.
Web method authorization: use declarative principal permission demands.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)
Digitally signing a SOAP message: http://msdn.microsoft.com/en-us/library/ms824659.aspx
Disabling auto generation of WSDL, by commenting out the Documentation protocol in the <webServices> configuration:
    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="Documentation"/> -->
      </protocols>
    </webServices>
This works where the protocol is added, i.e. in machine.config; an application's own web.config removes the protocol it inherits with <remove name="Documentation"/> instead.
Encryption options:
- Asymmetric encryption using X.509 certificates
- Symmetric encryption using shared keys
- Symmetric encryption using custom binary tokens
Bad example (an unhandled exception returns implementation detail, including a file path, to the client):
    System.Exception: User not in managers role
       at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207
Web services can throw 3 types of exceptions: SoapException, SoapHeaderException and Exception (DivisionByZero, ArgumentOutOfRange).
Good example (the client receives a SoapException carrying only the message the service chose to return):
    try
    {
        EmployeeService service = new EmployeeService();
        service.GiveBonus(empID, percentage);
    }
    catch (System.Web.Services.Protocols.SoapException se)
    {
        // Extract the custom message from se.Detail.InnerText
        Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
    }
Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.
Example:
    [WebMethod]
    public void DivideNumbers(int intNumerator, int intDenominator)
    {
        double dResult;
        try
        {
            dResult = intNumerator / intDenominator;
        }
        catch (Exception e)
        {
            // Write to Event Log
            WriteToEventLog(e.Message, EventLogEntryType.Error);
        }
    }
Method to write to the Event Log:
    /// <summary>Method to write to the Event Log</summary>
    /// <param name="strLogEntry">The message to be logged</param>
    /// <param name="eType">Event Log Type</param>
    private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
    {
        string strSource  = "Division Web Service"; // name of the source
        string strLogType = "Application";          // type of the log
        string strMachine = ".";                    // machine name ("." is the local machine)
        if (!EventLog.SourceExists(strSource, strMachine))
        {
            EventLog.CreateEventSource(strSource, strLogType, strMachine);
        }
        EventLog eLog = new EventLog(strLogType, strMachine, strSource);
        eLog.WriteEntry(strLogEntry, eType, 1000);
    }
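The two halves of the exception-handling guidance above, full detail into a server-side log and only a minimal SoapException back to the caller, as an added example in Python (not code from the presentation). The in-memory EVENT_LOG list stands in for the Windows Event Log that WriteToEventLog writes to; the SOAP 1.1 Fault layout is the standard one, while the generic fault text, the incident correlation id and the function names are assumptions of this demo.

```python
"""Minimal SOAP fault to the client, full exception record on the server (added example)."""
import traceback
import uuid
from xml.sax.saxutils import escape

EVENT_LOG = []   # constructed stand-in for the Windows Event Log: (entry_type, message)


def write_to_event_log(message: str, entry_type: str = "Error") -> None:
    EVENT_LOG.append((entry_type, message))


def soap_fault(faultcode: str, faultstring: str, detail: str) -> str:
    """SOAP 1.1 Fault envelope; only harmless, client-actionable text goes in."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><soap:Fault>"
        f"<faultcode>{escape(faultcode)}</faultcode>"
        f"<faultstring>{escape(faultstring)}</faultstring>"
        f"<detail>{escape(detail)}</detail>"
        "</soap:Fault></soap:Body></soap:Envelope>"
    )


def divide_numbers(numerator: int, denominator: int) -> str:
    """Web method body: on failure, log everything server-side and return nothing sensitive."""
    try:
        result = numerator // denominator
        return f"<result>{result}</result>"
    except Exception as exc:
        # A short correlation id lets an operator find the full record without exposing it.
        incident = uuid.uuid4().hex[:8]
        write_to_event_log(
            f"[{incident}] {type(exc).__name__}: {exc}\n{traceback.format_exc()}", "Error")
        # What the client sees: no exception type, no stack trace, no file path.
        return soap_fault("soap:Server", "The request could not be processed.",
                          f"incident={incident}")


def leaks_internal_detail(fault_xml: str) -> bool:
    """Review check: does the fault carry anything that belongs in the server log only?"""
    markers = ("Traceback", 'File "', "ZeroDivisionError", "line ")
    return any(m in fault_xml for m in markers)
```

The same split applies to the slide's GiveBonus case: "User not in managers role" is a legitimate client-facing message, but the method name, parameter types and source path belong only in the log entry.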
The entry type passed to WriteToEventLog can be one of the following:
- EventLogEntryType.Error
- EventLogEntryType.FailureAudit
- EventLogEntryType.Information
- EventLogEntryType.SuccessAudit
- EventLogEntryType.Warning
A System.Security.SecurityException will be thrown when we try to make an entry in the log and no event source is found (creating a source writes to the registry, which the web application's account normally is not allowed to do). Two approaches solve the problem:
a) Create the event source by hand in the registry:
   1. Click Start -> Run, type regedit.
   2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
   3. Right-click the Application subkey, point to New and then click Key.
   4. Type "Division Web Service" for the key name.
   5. Close Registry Editor.
b) Use the EventLogInstaller class in the System.Diagnostics namespace.
Listing 3: Event Log Installer
    using System;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Configuration.Install;

    namespace EventLogSourceInstaller
    {
        [RunInstaller(true)]
        public class MyEventLogInstaller : Installer
        {
            private EventLogInstaller myEventLogInstaller;

            public MyEventLogInstaller()
            {
                // Create instance of EventLogInstaller
                myEventLogInstaller = new EventLogInstaller();
                // Set the source of the event log to be created
                // (must match the source name WriteToEventLog uses)
                myEventLogInstaller.Source = "Division Web Service";
                // Set the log that the source is created in
                myEventLogInstaller.Log = "Application";
                // Add myEventLogInstaller to the Installers collection
                Installers.Add(myEventLogInstaller);
            }
        }
    }
WS-Security is the emerging standard for web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X.509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works with Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on different platforms to protect the system from invalid access.
References:
http://msdn.microsoft.com/en-us/library/ff648643.aspx
http://research.microsoft.com/en-us/projects/samoa/webservicesandsecurity.pdf
http://www.15seconds.com/issue/010430.htm
http://www.lucademon.co.uk
http://www.hannesmarais.com
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4735939
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Network eavesdropping

Vulnerabilities:
- Credentials passed in plaintext in SOAP headers
- No message-level encryption used
- No transport-level encryption used

Countermeasures:
- Use transport-level encryption such as SSL or IPSec. This is applicable only if you control both endpoints.
- Encrypt the message payload to provide privacy. This approach works in scenarios where your message travels through intermediary nodes en route to the final destination.
Disclosure of configuration data

Vulnerabilities:
- Unrestricted WSDL files available for download from the Web server
- A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
- Weak exception handling

Countermeasures:
- Authorize access to WSDL files using NTFS permissions
- Remove WSDL files from the Web server
- Disable the documentation protocols to prevent the dynamic generation of WSDL
- Capture exceptions and throw a SoapException or SoapHeaderException (one that returns only minimal and harmless information) back to the client
Message replay

Vulnerabilities:
- Messages are not encrypted
- Messages are not digitally signed to prevent tampering
- Duplicate messages are not detected because no unique message ID is used

Common types of message replay attacks:
- Basic replay attack: the attacker captures and copies a message and then replays the same message, impersonating the client. This replay attack does not require the malicious user to know the contents of the message.
- Man-in-the-middle attack: the attacker captures the message, changes some of its contents (for example, a shipping address) and then replays it to the Web service.

Countermeasures:
- Use an encrypted communication channel, for example SSL.
- Encrypt the message payload to provide message privacy. Although this does not prevent basic replay attacks, it does prevent man-in-the-middle attacks where the message contents are modified before being replayed.
- Use a unique message ID or nonce with each request to detect duplicates, and digitally sign the message to provide tamperproofing.
Security design considerations for a Web service:
- Authentication requirements
- Privacy and integrity requirements
- Resource access identities
- Code access security
- Web methods can accept strongly typed or weakly typed parameters.
- Strongly typed parameters are described by an XSD schema in the WSDL; consumers use this information to access the Web service.
- The System.Xml.Serialization.XmlSerializer class is used to convert SOAP messages to CLR objects.
- SQL injection can be countered by input validation.
Example of strongly typed parameters:

    [WebMethod]
    public void CreateEmployee(string name, int age, decimal salary)
    {
        ...
    }

Example of custom object data types (using the Employees custom namespace):

    using Employees;

    [WebMethod]
    public void CreateEmployee(Employee emp)
    {
        ...
    }

If the consumer is a .NET client:

    using Employees;

    Employee emp = new Employee();
    // Populate Employee fields
    // Send Employee to the Web service
    wsProxy.CreateEmployee(emp);

Otherwise the consumer constructs the XML input manually.
Loosely typed parameters (e.g. string parameters or byte arrays): the auto-generated WSDL simply describes the parameters as xsd:string, so the Web method itself must validate string input for type, length, format and range.

    using System.Text.RegularExpressions;

    [WebMethod]
    public void SomeEmployeeFunction(string dateOfBirth, string SSN)
    {
        // EXAMPLE 1: Type check the date
        try
        {
            DateTime dt = DateTime.Parse(dateOfBirth).Date;
        }
        catch (FormatException ex)
        {
            // If the type conversion fails, a FormatException is thrown: invalid date
        }

        // EXAMPLE 2: Check the social security number for length, format and range
        if (!Regex.IsMatch(SSN, @"^\d{3}-\d{2}-\d{4}$", RegexOptions.None))
        {
            // Invalid social security number
        }
    }
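The four checks named above (type, length, format and range) carried through for the two SomeEmployeeFunction parameters, as an added example that is not the slides' code; the slide's method shows the type check and the format check, and the date range and SSN range rules here are assumptions chosen for illustration.

```python
# Added example (not the slides' code): the SomeEmployeeFunction checks carried
# through all four checks the slide names for string input (type, length,
# format and range). The slide's code covers the type check for the date and
# the format check for the SSN; the range rules below are assumptions chosen
# for illustration: a date of birth must lie within the last 120 years, and an
# SSN must not use an area, group or serial number that is never issued.
import re
from datetime import date, datetime
from typing import Optional, Tuple

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # same pattern as the slide
DATE_FORMAT = "%Y-%m-%d"                           # assumed wire format
MAX_AGE_YEARS = 120                                # assumed range limit


def validate_date_of_birth(text: str, today: Optional[date] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a date-of-birth string."""
    today = today or date.today()
    # Length: reject before parsing so oversized input never reaches the parser.
    if len(text) != len("YYYY-MM-DD"):
        return False, "bad length"
    # Type and format: like DateTime.Parse in the slide, a bad date raises.
    try:
        dob = datetime.strptime(text, DATE_FORMAT).date()
    except ValueError:
        return False, "invalid date"
    # Range: not in the future and not implausibly old.
    earliest = date(today.year - MAX_AGE_YEARS, 1, 1)
    if not (earliest <= dob <= today):
        return False, "out of range"
    return True, "ok"


def validate_ssn(text: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a social security number string."""
    # Length first: this also closes the gap that '$' in a regex accepts a
    # trailing newline, so "123-45-6789\n" would otherwise pass the format check.
    if len(text) != len("ddd-dd-dddd"):
        return False, "bad length"
    if not SSN_FORMAT.match(text):
        return False, "bad format"
    area, group, serial = (int(part) for part in text.split("-"))
    # Range: values the issuing authority never assigns (assumed rules).
    if area == 0 or area == 666 or area >= 900:
        return False, "invalid area number"
    if group == 0:
        return False, "invalid group number"
    if serial == 0:
        return False, "invalid serial number"
    return True, "ok"


def some_employee_function(date_of_birth: str, ssn: str,
                           today: Optional[date] = None) -> dict:
    """Stand-in for the slide's web method: reject the request on any failed check."""
    ok_dob, why_dob = validate_date_of_birth(date_of_birth, today)
    ok_ssn, why_ssn = validate_ssn(ssn)
    return {"accepted": ok_dob and ok_ssn, "dateOfBirth": why_dob, "SSN": why_ssn}
```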
A Web method can use the System.Xml.XmlValidatingReader class to validate XML input data against a schema:

    using System.Xml;
    using System.Xml.Schema;

    [WebMethod]
    public void OrderBooks(string xmlBookData)
    {
        try
        {
            // Create and load a validating reader
            XmlValidatingReader reader = new XmlValidatingReader(xmlBookData, XmlNodeType.Element, null);
            // Attach the XSD schema to the reader
            reader.Schemas.Add("urn:bookstore-schema", @"http://localhost/WSBooks/bookschema.xsd");
            // Set the validation type for XSD schema (XDR schemas and DTDs are also supported)
            reader.ValidationType = ValidationType.Schema;
            // Create and register an event handler to handle validation errors
            reader.ValidationEventHandler += new ValidationEventHandler(ValidationErrors);
            // Process the input data
            while (reader.Read())
            {
            }
            // Validation completed successfully
        }
        catch
        {
            // Validation failed
        }
    }

    // Validation error event handler
    private static void ValidationErrors(object sender, ValidationEventArgs args)
    {
        // Error details available from args.Message
    }

Note that once a ValidationEventHandler is registered, schema violations are reported to the handler and Read() keeps going, so the handler must record the error (or rethrow it); the catch block only sees exceptions such as malformed XML.

The consumer calls it this way:

    string xmlBookData = "<book xmlns=\"urn:bookstore-schema\" " +
                         "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
                         "<title>Building Secure ASP.NET Applications</title>" +
                         "<isbn>0735618909</isbn>" +
                         "<orderQuantity>1</orderQuantity>" +
                         "</book>";
    BookStore.BookService bookService = new BookStore.BookService();
    bookService.OrderBooks(xmlBookData);
XSD schema (bookschema.xsd):

    <?xml version="1.0" encoding="utf-8" ?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns="urn:bookstore-schema"
                elementFormDefault="qualified"
                targetNamespace="urn:bookstore-schema">
      <xsd:element name="book" type="bookData"/>
      <xsd:complexType name="bookData">
        <xsd:sequence>
          <xsd:element name="title" type="xsd:string" />
          <xsd:element name="isbn" type="xsd:integer" />
          <xsd:element name="orderQuantity" type="xsd:integer"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:schema>

Restricting a string element with a regular expression pattern (zip code):

    <xsd:element name="zip">
      <xsd:simpleType>
        <xsd:restriction base="xsd:string">
          <xsd:pattern value="\d{5}(-\d{4})?" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>

Restricting a decimal value to 2 fraction digits (Salary):

    <xsd:element name="Salary">
      <xsd:simpleType>
        <xsd:restriction base="xsd:decimal">
          <xsd:fractionDigits value="2" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
User name and password:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:UsernameToken>
        <wsse:Username>Bob</wsse:Username>
        <wsse:Password>YourStr0ngPassWord</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>

User name and password digest: the digest is a Base64-encoded SHA1 hash value of the UTF8-encoded password, computed as

    digest = SHA1(nonce + creation timestamp + password)

Kerberos tickets:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>

X509 certificates (ValueType wsse:X509v3 in this version of the specification):

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
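The user name and password digest described above, computed on the client and verified on the server, with the nonce also serving as the per-request unique value that the message replay countermeasures call for. This is an added example, not code from the slides; the user store, the five-minute freshness window and the in-memory nonce cache are assumptions.

```python
# Added example (not the slides' code): the WS-Security UsernameToken password
# digest, following the slide's rule
#     digest = Base64(SHA1(nonce + creation timestamp + password))
# on both sides, plus the nonce/timestamp checks that turn it into replay
# detection. The user store, the freshness window and the in-memory nonce
# cache are assumptions for illustration; a real service would share the
# cache across its worker processes.
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
USER_PASSWORDS: Dict[str, str] = {"Bob": "YourStr0ngPassWord",   # constructed user store
                                  "Alice": "An0therPassw0rd"}
FRESHNESS = timedelta(minutes=5)                                   # assumed policy


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA1(nonce + created + password)), the rule given in the slide."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_username_token(username: str, password: str,
                        now: Optional[datetime] = None) -> Dict[str, str]:
    """Client side: the four fields of a digest-style wsse:UsernameToken."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(CREATED_FORMAT)
    nonce = os.urandom(16)  # fresh random nonce per request
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenVerifier:
    """Server side: checks the digest, the Created window and nonce reuse."""

    def __init__(self, passwords: Dict[str, str], freshness: timedelta = FRESHNESS):
        self._passwords = passwords
        self._freshness = freshness
        self._seen: Dict[bytes, datetime] = {}  # nonce -> Created, for replay detection

    def verify(self, token: Dict[str, str],
               now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        password = self._passwords.get(token.get("Username", ""))
        if password is None:
            return False, "unknown user"
        try:
            created_text = token["Created"]
            created = datetime.strptime(created_text, CREATED_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        # Freshness: a captured token stops working after the window, which also
        # bounds how long nonces must be remembered.
        if not (now - self._freshness <= created <= now + self._freshness):
            return False, "stale or future Created timestamp"
        self._forget_expired(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        # Constant-time comparison so the check does not leak digest bytes.
        expected = password_digest(nonce, created_text, password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad password digest"
        # Remember the nonce only after a successful check.
        self._seen[nonce] = created
        return True, "ok"

    def _forget_expired(self, now: datetime) -> None:
        cutoff = now - self._freshness
        for nonce in [n for n, c in self._seen.items() if c < cutoff]:
            del self._seen[nonce]
```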
- Web service endpoint authorization: use URL authorization to control access to .asmx files.
- Web method authorization: use declarative principal permission demands:

    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)
    {
        ...
    }

Digitally signing a SOAP message: see http://msdn.microsoft.com/en-us/library/ms824659.aspx

Disabling auto-generation of WSDL (web.config):

    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="Documentation"/> -->
      </protocols>
    </webServices>

Because the protocol list is inherited from machine.config, where Documentation is already added, an application's web.config has to use <remove name="Documentation"/> to actually turn it off; leaving the <add> out or commented only has effect in machine.config itself.
Encryption options for message privacy:
- Asymmetric encryption using X509 certificates
- Symmetric encryption using shared keys
- Symmetric encryption using custom binary tokens
Bad example (the raw exception, including the stack trace and the server's file path, reaches the client):

    System.Exception: User not in managers role
       at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207

Web services can throw 3 types of exceptions:
- SoapException
- SoapHeaderException
- Exception (e.g. DivisionByZero, ArgumentOutOfRange)

Good example (the client catches the SoapException and reads only the custom message the service placed in its Detail element):

    try
    {
        EmployeeService service = new EmployeeService();
        service.GiveBonus(empID, percentage);
    }
    catch (System.Web.Services.Protocols.SoapException se)
    {
        // Extract custom message from se.Detail.InnerText
        Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
    }
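The server side of the bad and good examples above, as an added example that is not the slides' code: the raw fault leaks the exception text and stack trace, while the sanitized fault keeps that detail in a server-side log and returns only a generic message and a correlation id. The SOAP 1.1 fault layout, the give_bonus stand-in and the in-memory log are assumptions.

```python
# Added example (not the slides' code): the "bad" versus "good" fault from the
# slides, built server-side. bad_fault() puts the raw exception text, stack
# trace included, into the SOAP fault; good_fault() keeps that detail in a
# server-side log and returns only a fixed faultstring and a correlation id,
# so the client learns nothing about roles, code paths or file locations.
# The SOAP 1.1 fault layout, give_bonus and SERVER_LOG are assumptions.
import traceback
import uuid
import xml.etree.ElementTree as ET
from typing import Any, Callable, List, Tuple

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed stand-in for the event log: (correlation id, exception type, message, trace)
SERVER_LOG: List[Tuple[str, str, str, str]] = []


def soap_fault(faultstring: str, detail: str) -> str:
    """Serialise a SOAP 1.1 Fault inside an Envelope/Body."""
    ET.register_namespace("soap", SOAP_ENV)
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    fault = ET.SubElement(body, "{%s}Fault" % SOAP_ENV)
    ET.SubElement(fault, "faultcode").text = "soap:Server"
    ET.SubElement(fault, "faultstring").text = faultstring
    ET.SubElement(fault, "detail").text = detail
    return ET.tostring(env, encoding="unicode")


def _trace(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def bad_fault(exc: Exception) -> str:
    """What an unhandled exception leaks: message plus the full stack trace."""
    return soap_fault(str(exc), _trace(exc))


def good_fault(exc: Exception) -> Tuple[str, str]:
    """Log everything server-side; return (correlation id, sanitised fault)."""
    ref = uuid.uuid4().hex
    SERVER_LOG.append((ref, type(exc).__name__, str(exc), _trace(exc)))
    # Only a fixed message and an opaque reference leave the server; an
    # operator can look the reference up in the log.
    return ref, soap_fault("The request could not be processed.", "reference " + ref)


def invoke(operation: Callable[..., Any], *args: Any) -> Tuple[bool, str]:
    """Run a web method; any failure is answered with the sanitised fault only."""
    try:
        return True, str(operation(*args))
    except Exception as exc:  # every failure, not just expected ones, is sanitised
        _, fault_xml = good_fault(exc)
        return False, fault_xml


def give_bonus(emp_id: int, percentage: int, roles: Tuple[str, ...]) -> str:
    """Constructed stand-in for the slide's EmployeeService.GiveBonus."""
    if "Manager" not in roles:
        raise PermissionError("User not in managers role")
    return "bonus of %d%% granted to employee %d" % (percentage, emp_id)
```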
Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.

Example:

    using System.Diagnostics;

    [WebMethod]
    public void DivideNumbers(int intNumerator, int intDenominator)
    {
        double dResult;
        try
        {
            dResult = intNumerator / intDenominator;
        }
        catch (Exception e)
        {
            // Write to Event Log
            WriteToEventLog(e.Message, EventLogEntryType.Error);
        }
    }

    /// <summary>
    /// Method to write to the Event Log
    /// </summary>
    /// <param name="strLogEntry">The message to be logged</param>
    /// <param name="eType">Event Log Type</param>
    private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
    {
        string strSource = "Division Web Service";   // name of the source
        string strLogType = "Application";           // type of the log
        string strMachine = ".";                     // machine name ("." is the local machine)
        // Create the source if it does not exist yet (this needs registry rights, see below)
        if (!EventLog.SourceExists(strSource, strMachine))
        {
            EventLog.CreateEventSource(strSource, strLogType, strMachine);
        }
        EventLog eLog = new EventLog(strLogType, strMachine, strSource);
        eLog.WriteEntry(strLogEntry, eType, 1000);
    }
The event type passed to WriteToEventLog can be one of the following: EventLogEntryType.Error, EventLogEntryType.FailureAudit, EventLogEntryType.Information, EventLogEntryType.SuccessAudit, EventLogEntryType.Warning.

A System.Security.SecurityException will be thrown when we try to make an entry in the log. The problem is that no event source is found, and the Web service's process account normally lacks the registry rights needed to look one up and create it at run time. There are 2 approaches to solve the problem:

a) Create the event source by hand in the registry:
   1. Click Start -> Run, type regedit.
   2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
   3. Right-click the Application subkey, point to New and then click Key.
   4. Type Division Web Service for the key name.
   5. Close Registry Editor.

b) Use the EventLogInstaller class in the System.Diagnostics namespace.

Listing 3: Event Log Installer

    using System;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Configuration.Install;

    namespace EventLogSourceInstaller
    {
        [RunInstaller(true)]
        public class MyEventLogInstaller : Installer
        {
            private EventLogInstaller myEventLogInstaller;

            public MyEventLogInstaller()
            {
                // Create instance of EventLogInstaller
                myEventLogInstaller = new EventLogInstaller();
                // Set the source of the event log to be created
                // (must match the source name used by WriteToEventLog)
                myEventLogInstaller.Source = "Division Web Service";
                // Set the log that the source is created in
                myEventLogInstaller.Log = "Application";
                // Add myEventLogInstaller to the Installers collection
                Installers.Add(myEventLogInstaller);
            }
        }
    }
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works with Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on different platforms to protect the system from invalid access.
Disclosure of configuration data vulnerabilities
Unrestricted WSDL files available for download from the Web server
A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
Weak exception handling
Counter measures Authorize access to WSDL files using
NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to
prevent the dynamic generation of WSDL Capture exceptions and throw
a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client
Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent
tampering Duplicate messages are not detected because no
unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and
copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message
Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service
Counter measures Use an encrypted communication
channel for example SSL Encrypt the message payload to provide
message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed
Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing
Authentication requirementsPrivacy and integrity
requirementsResource access identitiesCode access security
Web methods can accept strongly typed or weakly typed parameters
Strong parameters have type description by XSD schema
Consumers use this information to access web services
SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects
Sql injection can be counter attacked by input validation
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Counter measures Authorize access to WSDL files using
NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to
prevent the dynamic generation of WSDL Capture exceptions and throw
a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client
Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent
tampering Duplicate messages are not detected because no
unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and
copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message
Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service
Counter measures Use an encrypted communication
channel for example SSL Encrypt the message payload to provide
message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed
Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing
Authentication requirementsPrivacy and integrity
requirementsResource access identitiesCode access security
Web methods can accept strongly typed or weakly typed parameters
Strong parameters have type description by XSD schema
Consumers use this information to access web services
SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects
Sql injection can be counter attacked by input validation
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization: URL authorization can be used to control access to .asmx files.

Web method authorization: use declarative principal permission demands.

[PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
[WebMethod]
public string QueryEmployeeDetails(string empID)
Digitally signing a SOAP message: http://msdn.microsoft.com/en-us/library/ms824659.aspx

Disabling auto generation of WSDL:

<webServices>
  <protocols>
    <add name="HttpSoap"/>
    <!-- <add name="Documentation"/> -->
  </protocols>
</webServices>

If the Documentation protocol is inherited from machine.config, commenting it out in web.config has no effect; use <remove name="Documentation"/> in web.config instead.
Message encryption options:
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example (the raw exception reaches the caller and leaks the method name, parameter types and source file path):

System.Exception: User not in managers role
   at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207
Web services can throw 3 types of exceptions:
SoapException
SoapHeaderException
Exception (DivisionByZero, ArgumentOutOfRange)
Good example:

try
{
    EmployeeService service = new EmployeeService();
    service.GiveBonus(empID, percentage);
}
catch (System.Web.Services.Protocols.SoapException se)
{
    // Extract custom message from se.Detail.InnerText
    Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
}
Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.
Example:

// using System.Diagnostics; is needed for EventLog and EventLogEntryType
[WebMethod]
public void DivideNumbers(int intNumerator, int intDenominator)
{
    double dResult;
    try
    {
        dResult = intNumerator / intDenominator;
    }
    catch (Exception e)
    {
        // Write to Event Log
        WriteToEventLog(e.Message, EventLogEntryType.Error);
    }
}

Method to write to the Event Log:

/// <summary>
/// Method to write to the Event Log
/// </summary>
/// <param name="strLogEntry">The message to be logged</param>
/// <param name="eType">Event Log Type</param>
private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
{
    string strSource = "Division Web Service"; // name of the source
    string strLogType = "Application";         // type of the log
    string strMachine = ".";                   // machine name ("." = local machine)
    if (!EventLog.SourceExists(strSource, strMachine))
    {
        EventLog.CreateEventSource(strSource, strLogType, strMachine);
    }
    EventLog eLog = new EventLog(strLogType, strMachine, strSource);
    eLog.WriteEntry(strLogEntry, eType, 1000);
}
The event type passed to WriteToEventLog can be one of the following:
EventLogEntryType.Error
EventLogEntryType.FailureAudit
EventLogEntryType.Information
EventLogEntryType.SuccessAudit
EventLogEntryType.Warning
A System.Security.SecurityException will be thrown when we try to make an entry into the log. The problem is that no event source is found: creating a new source needs write access to the Eventlog registry key, which the ASP.NET worker process account does not have, so the source has to be created ahead of time by an administrator. There are 2 approaches to solve the problem:

a) Create the source by hand in the registry:
1. Click Start -> Run, type regedit.
2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
3. Right-click the Application subkey, point to New, and then click Key.
4. Type "Division Web Service" for the key name.
5. Close Registry Editor.

b) Use the EventLogInstaller class in the System.Diagnostics namespace.
Listing 3: Event Log Installer

using System;
using System.Diagnostics;
using System.ComponentModel;
using System.Configuration.Install;

namespace EventLogSourceInstaller
{
    [RunInstaller(true)]
    public class MyEventLogInstaller : Installer
    {
        private EventLogInstaller myEventLogInstaller;

        public MyEventLogInstaller()
        {
            // Create instance of EventLogInstaller
            myEventLogInstaller = new EventLogInstaller();
            // Set the source of the event log to be created
            // (must match the strSource used by WriteToEventLog)
            myEventLogInstaller.Source = "Division Web Service";
            // Set the log that the source is created in
            myEventLogInstaller.Log = "Application";
            // Add myEventLogInstaller to the Installers collection
            Installers.Add(myEventLogInstaller);
        }
    }
}
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works on Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on other platforms to protect the system against invalid access.
Message replay vulnerabilities:
Messages are not encrypted.
Messages are not digitally signed to prevent tampering.
Duplicate messages are not detected because no unique message ID is used.

Common types of message replay attacks:
Basic replay attack: the attacker captures and copies a message and then replays the same message, impersonating the client. This replay attack does not require the malicious user to know the contents of the message.
Man in the middle attack: the attacker captures the message, changes some of its contents, for example a shipping address, and then replays it to the Web service.
Counter measures:
Use an encrypted communication channel, for example SSL.
Encrypt the message payload to provide message privacy. Although this does not prevent basic replay attacks, it does prevent man in the middle attacks where the message contents are modified before being replayed.
Use a unique message ID or nonce with each request to detect duplicates, and digitally sign the message to provide tamperproofing.
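The password digest formula given earlier (Base64 of SHA1 over nonce + creation timestamp + password) and the nonce-based duplicate detection listed here, worked through together as an added Python example that is not part of the slides: the client builds a UsernameToken and the server verifies the digest, enforces a freshness window and rejects a reused nonce. The TokenVerifier name, the two-minute window and the Bob credential are assumptions of this example; the digest is computed exactly as the slide states it.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed credential store for the example only (assumption, not from the slides).
USERS = {"Bob": "YourStr0ngPassWord"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """digest = Base64(SHA1(nonce + creation timestamp + password)), the formula on the slide."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: datetime,
                         nonce: Optional[bytes] = None) -> dict:
    """Client side: the fields a wsse:UsernameToken carries when PasswordDigest is used.
    The nonce is fresh random bytes, so two requests never share a digest."""
    nonce = nonce or secrets.token_bytes(16)
    created_str = created.strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created_str,
        "PasswordDigest": password_digest(nonce, created_str, password),
    }


class TokenVerifier:
    """Server side (assumed name): checks the digest, rejects stale timestamps and reused nonces."""

    def __init__(self, users: dict, window_seconds: int = 120):
        self.users = users
        self.window = timedelta(seconds=window_seconds)  # assumed freshness window
        self.seen_nonces = {}  # base64 nonce -> Created time, kept bounded by _expire()

    def verify(self, token: dict, now: datetime) -> Tuple[bool, str]:
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        # Freshness: a captured message stops being useful once Created ages out of the window.
        if abs(now - created) > self.window:
            return False, "timestamp outside freshness window"
        # Constant-time comparison so the check itself gives no timing hint about the digest.
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        # Duplicate detection: each nonce is accepted once inside the window.
        self._expire(now)
        if token["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[token["Nonce"]] = created
        return True, "ok"

    def _expire(self, now: datetime) -> None:
        """Forget nonces older than the window; anything that old fails the freshness check anyway."""
        cutoff = now - self.window
        for n, t in list(self.seen_nonces.items()):
            if t < cutoff:
                del self.seen_nonces[n]


def demo() -> List[str]:
    """A fresh token, the same token replayed, the same token long after, and a wrong password."""
    verifier = TokenVerifier(USERS)
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = build_username_token("Bob", USERS["Bob"], t0)
    results = [verifier.verify(token, t0)[1]]                              # ok
    results.append(verifier.verify(token, t0 + timedelta(seconds=5))[1])   # replayed nonce
    results.append(verifier.verify(token, t0 + timedelta(minutes=10))[1])  # timestamp outside freshness window
    guess = build_username_token("Bob", "wrong-password", t0)
    results.append(verifier.verify(guess, t0)[1])                          # bad digest
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The digest covers only the nonce, timestamp and password, so this stops basic replay and credential reuse; a modified SOAP body is still only caught by the message signature the slide calls for.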
Authentication requirements
Privacy and integrity requirements
Resource access identities
Code access security
Web methods can accept strongly typed or weakly typed parameters.
Strongly typed parameters have their types described by an XSD schema.
Consumers use this information to access web services.
The System.Xml.Serialization.XmlSerializer class is used to convert SOAP messages to CLR objects.
SQL injection can be countered by input validation.
Example:

[WebMethod]
public void CreateEmployee(string name, int age, decimal salary)

Example of custom object data types:

using Employees; // Custom namespace

[WebMethod]
public void CreateEmployee(Employee emp)

If the consumer is a .NET client, then:

using Employees;
Employee emp = new Employee();
// Populate Employee fields
// Send Employee to the Web service
wsProxy.CreateEmployee(emp);

Else: construct the XML input manually.
Loosely typed parameters, e.g. string parameters or byte arrays: the auto-generated WSDL simply describes the parameters as string input of type xsd:string, so the web method itself must check type, length, format and range.

// using System.Text.RegularExpressions; is needed for Regex
[WebMethod]
public void SomeEmployeeFunction(string dateofBirth, string SSN)
{
    // EXAMPLE 1: Type check the date
    try
    {
        DateTime dt = DateTime.Parse(dateofBirth).Date;
    }
    // If the type conversion fails, a FormatException is thrown
    catch (FormatException ex)
    {
        // Invalid date
    }

    // EXAMPLE 2: Check social security number for length, format and range
    if (!Regex.IsMatch(SSN, @"^\d{3}-\d{2}-\d{4}$", RegexOptions.None))
    {
        // Invalid social security number
    }
}
A web method can use the System.Xml.XmlValidatingReader class to validate the input data against the schema:

using System.Xml;
using System.Xml.Schema;

[WebMethod]
public void OrderBooks(string xmlBookData)
{
    try
    {
        // Create and load a validating reader
        XmlValidatingReader reader = new XmlValidatingReader(xmlBookData, XmlNodeType.Element, null);
        // Attach the XSD schema to the reader
        reader.Schemas.Add("urn:bookstore-schema", @"http://localhost/WSBooks/bookschema.xsd");
        // Set the validation type for XSD schema. XDR schemas and DTDs are also supported.
        reader.ValidationType = ValidationType.Schema;
        // Create and register an event handler to handle validation errors
        reader.ValidationEventHandler += new ValidationEventHandler(ValidationErrors);
        // Process the input data
        while (reader.Read())
        {
        }
        // Validation completed successfully
    }
    catch
    {
    }
}

// Validation error event handler
private static void ValidationErrors(object sender, ValidationEventArgs args)
{
    // Error details available from args.Message
}

Once a ValidationEventHandler is registered, schema violations are reported to the handler instead of being thrown, and Read() carries on past them; the handler has to record the failure (or throw) so that the order is not processed with invalid data.
Web methods can accept strongly typed or weakly typed parameters.

Strongly typed parameters are described by an XSD schema in the generated WSDL; consumers use that description to build valid requests, and the runtime rejects requests that do not fit the declared types.

The System.Xml.Serialization.XmlSerializer class converts the SOAP message into CLR objects.
SQL injection is countered by input validation at the web method boundary (validation narrows what reaches the database; parameterized queries remain the primary defense against injection).

Example of strongly typed parameters:

  [WebMethod]
  public void CreateEmployee(string name, int age, decimal salary)

Example of a custom object data type, using the Employees custom namespace:

  using Employees;

  [WebMethod]
  public void CreateEmployee(Employee emp)

If the consumer is a .NET client:

  using Employees;

  Employee emp = new Employee();
  // Populate Employee fields
  // Send Employee to the Web service
  wsProxy.CreateEmployee(emp);

Otherwise the consumer constructs the XML input manually.
Loosely typed parameters (e.g. string parameters or byte arrays): the auto-generated WSDL simply describes the parameter as a string input of type xsd:string, so the web method itself must check type, length, format and range.

  using System;
  using System.Text.RegularExpressions;

  [WebMethod]
  public void SomeEmployeeFunction(string dateOfBirth, string SSN)
  {
      // EXAMPLE 1: Type-check the date
      try
      {
          DateTime dt = DateTime.Parse(dateOfBirth).Date;
      }
      catch (FormatException ex)
      {
          // If the type conversion fails a FormatException is thrown: invalid date
      }

      // EXAMPLE 2: Check the social security number for length, format and range.
      // The pattern is anchored with ^ and $ so the whole value has to match,
      // not just a substring of it.
      if (!Regex.IsMatch(SSN, @"^\d{3}-\d{2}-\d{4}$", RegexOptions.None))
      {
          // Invalid social security number
      }
  }
A web method can use the System.Xml.XmlValidatingReader class to validate the input data against an XSD schema:

  using System.Xml;
  using System.Xml.Schema;

  [WebMethod]
  public void OrderBooks(string xmlBookData)
  {
      try
      {
          // Create and load a validating reader
          XmlValidatingReader reader = new XmlValidatingReader(xmlBookData, XmlNodeType.Element, null);
          // Attach the XSD schema to the reader
          reader.Schemas.Add("urn:bookstore-schema", @"http://localhost/WSBooks/bookschema.xsd");
          // Set the validation type for XSD schema. XDR schemas and DTDs are also supported.
          reader.ValidationType = ValidationType.Schema;
          // Create and register an event handler to handle validation errors
          reader.ValidationEventHandler += new ValidationEventHandler(ValidationErrors);
          // Process the input data
          while (reader.Read())
          {
          }
          // Validation completed successfully (only if the handler below did not record an error)
      }
      catch
      {
          // Malformed XML, or an error rethrown by the handler
      }
  }

  // Validation error event handler
  private static void ValidationErrors(object sender, ValidationEventArgs args)
  {
      // Error details are available from args.Message.
      // Once a handler is attached the reader reports errors here instead of throwing,
      // so throw (or set a flag) here; otherwise invalid input is silently accepted.
  }
The consumer calls it this way:

  string xmlBookData = "<book xmlns=\"urn:bookstore-schema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
                       "<title>Building Secure ASP.NET Applications</title>" +
                       "<isbn>0735618909</isbn>" +
                       "<orderQuantity>1</orderQuantity>" +
                       "</book>";

  BookStore.BookService bookService = new BookStore.BookService();
  bookService.OrderBooks(xmlBookData);
XSD schema:

  <?xml version="1.0" encoding="utf-8" ?>
  <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns="urn:bookstore-schema"
              elementFormDefault="qualified"
              targetNamespace="urn:bookstore-schema">
    <xsd:element name="book" type="bookData"/>
    <xsd:complexType name="bookData">
      <xsd:sequence>
        <xsd:element name="title" type="xsd:string" />
        <xsd:element name="isbn" type="xsd:integer" />
        <xsd:element name="orderQuantity" type="xsd:integer"/>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:schema>
Regular expressions in a schema (an XSD pattern always matches the whole value):

  <xsd:element name="zip">
    <xsd:simpleType>
      <xsd:restriction base="xsd:string">
        <xsd:pattern value="\d{5}(-\d{4})?" />
      </xsd:restriction>
    </xsd:simpleType>
  </xsd:element>

Decimal value restricted to 2 fraction digits:

  <xsd:element name="Salary">
    <xsd:simpleType>
      <xsd:restriction base="xsd:decimal">
        <xsd:fractionDigits value="2" />
      </xsd:restriction>
    </xsd:simpleType>
  </xsd:element>
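The same schema validation written against XmlReaderSettings, the replacement for the obsolete XmlValidatingReader. This is an added example, not code from the slides: the bookstore schema is embedded as a string so it runs offline (the slides load it from http://localhost/WSBooks/bookschema.xsd), the isbn and orderQuantity facets are tightened as the restriction examples above suggest, and DTD processing is prohibited with the resolver removed, so a caller cannot declare external entities or make the service fetch remote resources while it is "just validating". The class name, the facets and the sample inputs are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Added example, not part of the original slides.
public static class BookOrderValidator
{
    // Bookstore schema from the slides, embedded for this sample, with the ISBN tightened
    // to a 10-character pattern and the quantity bounded instead of an open-ended
    // xsd:integer (XSD patterns match the whole value, so no ^ or $ is needed).
    private const string BookSchema = @"<?xml version=""1.0"" encoding=""utf-8""?>
<xsd:schema xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""urn:bookstore-schema""
            elementFormDefault=""qualified"" targetNamespace=""urn:bookstore-schema"">
  <xsd:element name=""book"" type=""bookData""/>
  <xsd:complexType name=""bookData"">
    <xsd:sequence>
      <xsd:element name=""title"">
        <xsd:simpleType><xsd:restriction base=""xsd:string"">
          <xsd:maxLength value=""200""/>
        </xsd:restriction></xsd:simpleType>
      </xsd:element>
      <xsd:element name=""isbn"">
        <xsd:simpleType><xsd:restriction base=""xsd:string"">
          <xsd:pattern value=""\d{9}[\dX]""/>
        </xsd:restriction></xsd:simpleType>
      </xsd:element>
      <xsd:element name=""orderQuantity"">
        <xsd:simpleType><xsd:restriction base=""xsd:positiveInteger"">
          <xsd:maxInclusive value=""100""/>
        </xsd:restriction></xsd:simpleType>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>";

    // Returns null when xmlBookData is valid, otherwise the first error message.
    public static string Validate(string xmlBookData)
    {
        XmlSchemaSet schemas = new XmlSchemaSet();
        schemas.XmlResolver = null;                        // never fetch imports or includes
        using (XmlReader schemaReader = XmlReader.Create(new StringReader(BookSchema)))
        {
            schemas.Add("urn:bookstore-schema", schemaReader);
        }

        XmlReaderSettings settings = new XmlReaderSettings();
        settings.ValidationType = ValidationType.Schema;
        settings.Schemas = schemas;
        settings.DtdProcessing = DtdProcessing.Prohibit;   // a <!DOCTYPE> in the input is an error
        settings.XmlResolver = null;                       // no external entities or resources

        string firstError = null;
        settings.ValidationEventHandler += (sender, e) =>
        {
            // Once a handler is attached the reader reports here instead of throwing,
            // so the outcome must be recorded or the caller would see "valid".
            if (firstError == null) firstError = e.Message;
        };

        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xmlBookData), settings))
            {
                while (firstError == null && reader.Read()) { }
            }
        }
        catch (XmlException ex)                             // malformed XML, or a prohibited DTD
        {
            return ex.Message;
        }
        return firstError;
    }

    public static void Main()
    {
        // Constructed inputs: the order from the slides, an out-of-range quantity,
        // and a payload that declares an external entity.
        string good = "<book xmlns=\"urn:bookstore-schema\"><title>Building Secure ASP.NET Applications</title>"
                    + "<isbn>0735618909</isbn><orderQuantity>1</orderQuantity></book>";
        string tooMany = good.Replace("<orderQuantity>1<", "<orderQuantity>100000<");
        string withDtd = "<!DOCTYPE book [<!ENTITY x SYSTEM \"file:///c:/boot.ini\">]>"
                       + good.Replace("</title>", "&x;</title>");

        Console.WriteLine("good   : " + (Validate(good) ?? "valid"));
        Console.WriteLine("tooMany: " + Validate(tooMany));
        Console.WriteLine("withDtd: " + Validate(withDtd));
    }
}
```

The web method would call Validate(xmlBookData) and throw a SoapException carrying the returned message when it is not null, before the XML is handed to any business logic.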
User name and password (clear-text password; this form must only travel over SSL/TLS):

  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <wsse:UsernameToken>
      <wsse:Username>Bob</wsse:Username>
      <wsse:Password>YourStr0ngPassWord</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>

Username and password digest: instead of the clear-text password the token carries a digest, a Base64-encoded SHA-1 hash value computed over the nonce, the creation timestamp and the UTF-8-encoded password:

  digest = Base64(SHA1(nonce + creation timestamp + password))

The server must hold the clear-text password (or an equivalent) to recompute the digest, and must check the timestamp and remember nonces, otherwise a captured header can simply be replayed.

Kerberos tickets:

  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
      U87GGH91TT...
    </wsse:BinarySecurityToken>
  </wsse:Security>

X.509 certificates (same BinarySecurityToken element, but with ValueType wsse:X509v3 and the Base64-encoded certificate as content):

  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
      ...Base64-encoded certificate...
    </wsse:BinarySecurityToken>
  </wsse:Security>
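The digest formula above carried through in code, as an added example (not from the slides). It computes PasswordDigest = Base64(SHA-1(nonce + created + password)) the way the WS-Security UsernameToken profile defines it, with the nonce as raw (Base64-decoded) bytes and created and password as UTF-8 text, and then shows the verifier side with the two checks that the digest alone does not give you: the Created timestamp has to be fresh, and a nonce must never be accepted twice. The user store, the five-minute freshness window and the in-memory nonce set are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the original slides.
public class UsernameTokenDigest
{
    private const string CreatedFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    // Constructed sample user store: the server needs the clear-text password
    // (or a reversible equivalent) to recompute the digest; a one-way hash will not do.
    private readonly Dictionary<string, string> users = new Dictionary<string, string>
    {
        { "Bob", "YourStr0ngPassWord" }
    };
    private readonly HashSet<string> seenNonces = new HashSet<string>();
    private readonly TimeSpan freshness = TimeSpan.FromMinutes(5);   // assumed clock-skew window

    // PasswordDigest = Base64(SHA-1(nonce bytes + created text + password text))
    public static string ComputeDigest(string nonceBase64, string created, string password)
    {
        byte[] nonce = Convert.FromBase64String(nonceBase64);
        byte[] createdBytes = Encoding.UTF8.GetBytes(created);
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);

        byte[] input = new byte[nonce.Length + createdBytes.Length + passwordBytes.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(createdBytes, 0, input, nonce.Length, createdBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, input, nonce.Length + createdBytes.Length, passwordBytes.Length);

        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(input));
        }
    }

    // Client side: the three header values for one fresh request.
    public static void CreateToken(string password, out string nonceBase64, out string created, out string digest)
    {
        byte[] nonce = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(nonce);
        }
        nonceBase64 = Convert.ToBase64String(nonce);
        created = DateTime.UtcNow.ToString(CreatedFormat, CultureInfo.InvariantCulture);
        digest = ComputeDigest(nonceBase64, created, password);
    }

    // Server side: true only for a fresh, unreplayed token whose digest matches.
    public bool Verify(string username, string nonceBase64, string created, string digest, DateTime nowUtc)
    {
        string password;
        if (!users.TryGetValue(username, out password)) return false;

        DateTime createdUtc;
        if (!DateTime.TryParseExact(created, CreatedFormat, CultureInfo.InvariantCulture,
                                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out createdUtc))
            return false;
        if ((nowUtc - createdUtc).Duration() > freshness) return false;   // stale, or from the future

        if (!seenNonces.Add(nonceBase64)) return false;                   // replayed nonce
        // With the timestamp enforced, nonces older than the window can be purged from seenNonces.

        byte[] expected = Encoding.UTF8.GetBytes(ComputeDigest(nonceBase64, created, password));
        byte[] actual = Encoding.UTF8.GetBytes(digest);
        return expected.Length == actual.Length && FixedTimeEquals(expected, actual);
    }

    // Constant-time comparison so a wrong digest does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        UsernameTokenDigest server = new UsernameTokenDigest();
        string nonce, created, digest;

        CreateToken("YourStr0ngPassWord", out nonce, out created, out digest);
        Console.WriteLine("first use  : " + server.Verify("Bob", nonce, created, digest, DateTime.UtcNow));
        Console.WriteLine("replayed   : " + server.Verify("Bob", nonce, created, digest, DateTime.UtcNow));

        CreateToken("guess", out nonce, out created, out digest);
        Console.WriteLine("wrong pass : " + server.Verify("Bob", nonce, created, digest, DateTime.UtcNow));

        CreateToken("YourStr0ngPassWord", out nonce, out created, out digest);
        Console.WriteLine("stale token: " + server.Verify("Bob", nonce, created, digest, DateTime.UtcNow.AddHours(1)));
    }
}
```

The four calls in Main exercise the accept path, a replay of the same header, a digest built from the wrong password, and a token checked an hour after it was created.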
Web service endpoint authorization: URL authorization in web.config controls access to the .asmx files.

Web method authorization: use declarative principal permission demands (the demand is checked against the authenticated caller, so authentication must be enabled for the endpoint):

  [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
  [WebMethod]
  public string QueryEmployeeDetails(string empID)
Digitally signing a SOAP message: http://msdn.microsoft.com/en-us/library/ms824659.aspx

Disabling auto-generation of WSDL: the Documentation protocol serves the WSDL and the browser test page, so remove it from the enabled protocols in web.config:

  <webServices>
    <protocols>
      <add name="HttpSoap"/>
      <!-- <add name="Documentation"/> -->
    </protocols>
  </webServices>

(In an application-level web.config the protocol is inherited from machine.config, so the equivalent there is <remove name="Documentation"/>.)
Message encryption options with WS-Security:

  Asymmetric encryption using X.509 certificates
  Symmetric encryption using shared keys
  Symmetric encryption using custom binary tokens
Bad example (an unhandled exception is serialized into the SOAP fault, and the caller learns the exception type, the method signature and the server's file system layout):

  System.Exception: User not in managers role
     at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207

Web services can throw 3 types of exceptions:

  SoapException
  SoapHeaderException
  any other Exception (e.g. DivideByZero, ArgumentOutOfRange)
Good example (the client catches the SoapException and reads only the custom detail the server chose to send):

  try
  {
      EmployeeService service = new EmployeeService();
      service.GiveBonus(empID, percentage);
  }
  catch (System.Web.Services.Protocols.SoapException se)
  {
      // Extract the custom message from se.Detail.InnerText
      Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
  }
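The server side that makes the "good example" above work, as an added example rather than code from the slides. Instead of letting a System.Exception escape the web method (which the ASMX runtime turns into the stack-trace fault shown in the bad example), the method catches internal failures, logs the full exception where only operators can read it, and throws a SoapException whose detail element carries a short, caller-safe message plus a correlation id that support can match against the log. The method body, the bonus range and the ApplyBonus placeholder are assumptions of this example; a real .asmx deployment would additionally set customErrors mode="On" in web.config so that anything still uncaught is sanitized by the runtime.

```csharp
using System;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

// Added example, not part of the original slides.
public class EmployeeService : WebService
{
    [WebMethod]
    public void GiveBonus(int empID, int percentage)
    {
        try
        {
            if (User == null || !User.IsInRole("Manager"))
            {
                // Authorization failure: say only that the caller is not allowed.
                throw BuildFault("Caller is not authorized to give bonuses", SoapException.ClientFaultCode, null);
            }
            if (percentage < 0 || percentage > 50)     // assumed business range
            {
                throw BuildFault("percentage must be between 0 and 50", SoapException.ClientFaultCode, null);
            }
            ApplyBonus(empID, percentage);
        }
        catch (SoapException)
        {
            throw;   // already sanitized above
        }
        catch (Exception ex)
        {
            // Full details (type, message, stack trace) go to the server's event log only,
            // under the "Division Web Service" source registered at install time.
            string correlationId = Guid.NewGuid().ToString("N");
            EventLog.WriteEntry("Division Web Service",
                                "GiveBonus failed, id=" + correlationId + Environment.NewLine + ex,
                                EventLogEntryType.Error, 1001);
            throw BuildFault("An internal error occurred", SoapException.ServerFaultCode, correlationId);
        }
    }

    // Builds a SoapException whose <detail> the client reads through se.Detail.InnerText.
    private SoapException BuildFault(string safeMessage, XmlQualifiedName faultCode, string correlationId)
    {
        XmlDocument doc = new XmlDocument();
        XmlNode detail = doc.CreateNode(XmlNodeType.Element,
                                        SoapException.DetailElementName.Name,
                                        SoapException.DetailElementName.Namespace);
        XmlNode message = doc.CreateElement("message");
        message.InnerText = safeMessage;
        detail.AppendChild(message);
        if (correlationId != null)
        {
            XmlNode id = doc.CreateElement("correlationId");   // lets support find the log entry
            id.InnerText = correlationId;
            detail.AppendChild(id);
        }
        string actor = Context != null ? Context.Request.Url.AbsoluteUri : "EmployeeService";
        return new SoapException(safeMessage, faultCode, actor, detail);
    }

    // Placeholder for the real update (assumed); it throws an exception whose message
    // contains a server path, exactly the kind of text the sanitized fault keeps off the wire.
    private void ApplyBonus(int empID, int percentage)
    {
        throw new InvalidOperationException(
            "Connection string missing in c:\\inetpub\\wwwroot\\employeesystem\\web.config");
    }
}
```

The client from the good example prints only "An internal error occurred" and the correlation id; the path in the InvalidOperationException reaches the event log and nothing else.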
Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.

Example:

  using System;
  using System.Diagnostics;

  [WebMethod]
  public void DivideNumbers(int intNumerator, int intDenominator)
  {
      double dResult;
      try
      {
          dResult = intNumerator / intDenominator;
      }
      catch (Exception e)
      {
          // Write to Event Log
          WriteToEventLog(e.Message, EventLogEntryType.Error);
      }
  }

Method to write to the Event Log:

  /// <summary>
  /// Method to write to the Event Log
  /// </summary>
  /// <param name="strLogEntry">The message to be logged</param>
  /// <param name="eType">Event Log Type</param>
  private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
  {
      string strSource = "Division Web Service";   // name of the source
      string strLogType = "Application";           // type of the log
      string strMachine = ".";                     // machine name ("." is the local machine)
      if (!EventLog.SourceExists(strSource, strMachine))
      {
          EventLog.CreateEventSource(strSource, strLogType, strMachine);
      }
      EventLog eLog = new EventLog(strLogType, strMachine, strSource);
      eLog.WriteEntry(strLogEntry, eType, 1000);
  }

The eType passed to WriteToEventLog is one of the following:

  EventLogEntryType.Error
  EventLogEntryType.FailureAudit
  EventLogEntryType.Information
  EventLogEntryType.SuccessAudit
  EventLogEntryType.Warning

A System.Security.SecurityException is thrown when the web service tries to make an entry in the log this way: the source "Division Web Service" has not been registered, and the ASP.NET process identity is not allowed to register it (EventLog.SourceExists has to search every log, including the Security log, and CreateEventSource writes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog).
The problem is that no event source is found, and the running service cannot create one. Two approaches solve the problem, both by registering the source ahead of time with administrative rights:

a) Manually in the registry:
   1. Click Start -> Run, type regedit.
   2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
   3. Right-click the Application subkey, point to New, and then click Key.
   4. Type Division Web Service for the key name (it must match the source name used in WriteToEventLog exactly).
   5. Close Registry Editor.

b) Using the EventLogInstaller class in the System.Diagnostics namespace, run at deployment time (installutil.exe) under an administrative account:

Listing 3: Event Log Installer

  using System;
  using System.Diagnostics;
  using System.ComponentModel;
  using System.Configuration.Install;

  namespace EventLogSourceInstaller
  {
      [RunInstaller(true)]
      public class MyEventLogInstaller : Installer
      {
          private EventLogInstaller myEventLogInstaller;

          public MyEventLogInstaller()
          {
              // Create an instance of EventLogInstaller
              myEventLogInstaller = new EventLogInstaller();
              // Set the source of the event log to be created (same name as in WriteToEventLog)
              myEventLogInstaller.Source = "Division Web Service";
              // Set the log that the source is created in
              myEventLogInstaller.Log = "Application";
              // Add myEventLogInstaller to the Installers collection
              Installers.Add(myEventLogInstaller);
          }
      }
  }
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X.509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works on Windows NT, Windows 2000, Windows XP and Windows Vista. In future, additional research work needs to be carried out to implement the same concept on different platforms, to protect the system from invalid access.
References:

  http://msdn.microsoft.com/en-us/library/ff648643.aspx
  http://research.microsoft.com/en-us/projects/samoa/webservicesandsecurity.pdf
  http://www.15seconds.com/issue/010430.htm
  http://www.lucademon.co.uk
  http://www.hannesmarais.com
  http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4735939
Example [WebMethod] public void CreateEmployee(string
name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as
string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string
dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length
format and range if( RegexIsMatch(empSSNd3-d2-
d4RegexOptionsNone)) Invalid social security number
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Web method can use the SystemXmlXmlValidatingReader class to validate the input data
using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData
XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema
httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new
ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)
Error details available from argsMessage
Consumer calls it this way string xmlBookData = ltbook
xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt
BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Consumer calls it this way:

    string xmlBookData = "<book xmlns=\"urn:bookstore-schema\" " +
                         "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
                         "<title>Building Secure ASP.NET Applications</title>" +
                         "<isbn>0735618909</isbn>" +
                         "<orderQuantity>1</orderQuantity>" +
                         "</book>";
    BookStore.BookService bookService = new BookStore.BookService();
    bookService.OrderBooks(xmlBookData);
XSD schema:

    <?xml version="1.0" encoding="utf-8" ?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns="urn:bookstore-schema"
                elementFormDefault="qualified"
                targetNamespace="urn:bookstore-schema">
      <xsd:element name="book" type="bookData"/>
      <xsd:complexType name="bookData">
        <xsd:sequence>
          <xsd:element name="title" type="xsd:string" />
          <xsd:element name="isbn" type="xsd:integer" />
          <xsd:element name="orderQuantity" type="xsd:integer"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:schema>
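As an added example (not code from the presentation or from the MSDN guide it draws on), this is how the receiving web method can enforce that schema with the validating reader in System.Xml before it trusts any value in the document; the OrderBooks method body and the two sample inputs are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Validates a <book> order document against the bookstore XSD from the slide
// before any value in it is used. Added example; the method shape and the
// sample inputs are constructed, not taken from the presentation.
public static class BookOrderValidator
{
    // The slide's schema, embedded so the example runs without a file on disk.
    private const string BookSchema = @"<?xml version=""1.0"" encoding=""utf-8"" ?>
<xsd:schema xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
            xmlns=""urn:bookstore-schema""
            elementFormDefault=""qualified""
            targetNamespace=""urn:bookstore-schema"">
  <xsd:element name=""book"" type=""bookData""/>
  <xsd:complexType name=""bookData"">
    <xsd:sequence>
      <xsd:element name=""title"" type=""xsd:string"" />
      <xsd:element name=""isbn"" type=""xsd:integer"" />
      <xsd:element name=""orderQuantity"" type=""xsd:integer""/>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>";

    // Returns the validation problems found; an empty list means the document
    // is well-formed and conforms to the schema.
    public static List<string> Validate(string xml)
    {
        List<string> problems = new List<string>();

        XmlReaderSettings settings = new XmlReaderSettings();
        settings.ValidationType = ValidationType.Schema;
        // Warnings cover the case where an element matches no schema at all
        // (e.g. the wrong namespace), which would otherwise pass silently.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        // No DTDs and no external resolution: the validator must not fetch or
        // expand anything the caller controls.
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.XmlResolver = null;
        settings.Schemas.Add("urn:bookstore-schema",
                             XmlReader.Create(new StringReader(BookSchema)));
        settings.ValidationEventHandler += delegate(object sender, ValidationEventArgs e)
        {
            problems.Add(e.Severity + ": " + e.Message);
        };

        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { }   // a full pass drives the schema validator
            }
        }
        catch (XmlException ex)             // not even well-formed XML
        {
            problems.Add("Malformed: " + ex.Message);
        }
        return problems;
    }

    // Hypothetical web method body: validate first, only then read values.
    public static string OrderBooks(string xmlBookData)
    {
        List<string> problems = Validate(xmlBookData);
        if (problems.Count > 0)
            return "rejected: " + string.Join("; ", problems.ToArray());

        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;
        doc.LoadXml(xmlBookData);
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("b", "urn:bookstore-schema");
        int quantity = int.Parse(doc.SelectSingleNode("/b:book/b:orderQuantity", ns).InnerText);
        return "accepted: quantity " + quantity;
    }

    public static void Main()
    {
        // Constructed sample inputs: the slide's document, then one with a
        // non-integer quantity and an element the schema does not allow.
        string good = "<book xmlns=\"urn:bookstore-schema\">" +
                      "<title>Building Secure ASP.NET Applications</title>" +
                      "<isbn>0735618909</isbn><orderQuantity>1</orderQuantity></book>";
        string bad = "<book xmlns=\"urn:bookstore-schema\">" +
                     "<title>Building Secure ASP.NET Applications</title>" +
                     "<isbn>0735618909</isbn><orderQuantity>lots</orderQuantity>" +
                     "<discount>100</discount></book>";
        Console.WriteLine(OrderBooks(good));
        Console.WriteLine(OrderBooks(bad));
    }
}
```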
Regular expressions:

    <xsd:element name="zip">
      <xsd:simpleType>
        <xsd:restriction base="xsd:string">
          <xsd:pattern value="\d{5}(-\d{4})?" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
Decimal value to 2 digits:

    <xsd:element name="Salary">
      <xsd:simpleType>
        <xsd:restriction base="xsd:decimal">
          <xsd:fractionDigits value="2" />
        </xsd:restriction>
      </xsd:simpleType>
    </xsd:element>
User name and password:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:UsernameToken>
        <wsse:Username>Bob</wsse:Username>
        <wsse:Password>YourStr0ngPassWord</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
Username and password digest: the digest is a Base64-encoded SHA1 hash value of the UTF8-encoded password:

    digest = SHA1(nonce + creation timestamp + password)

Kerberos tickets:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST"
                                EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
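The digest formula above, worked through on both sides as an added example (not the presentation's code): the client computes Base64(SHA1(nonce + created + password)) and the server recomputes it from the stored password, accepting the token only if the Created stamp is inside a freshness window and the nonce has not been seen before, which is what turns the digest into a defence against message replay. The password, clock and window are constructed; the nonce and created values are assumed to be the ones carried in the token.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Client side of the digest scheme on the slide: Base64(SHA1(nonce + created + password)).
public static class UsernameTokenDigest
{
    // nonce: raw nonce bytes (the token carries them Base64-encoded);
    // created: the timestamp text exactly as sent in the token.
    public static string Compute(byte[] nonce, string created, string password)
    {
        byte[] createdBytes = Encoding.UTF8.GetBytes(created);
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[nonce.Length + createdBytes.Length + passwordBytes.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(createdBytes, 0, input, nonce.Length, createdBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, input, nonce.Length + createdBytes.Length, passwordBytes.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(input));
    }
}

// Server side. The digest only keeps the cleartext password off the wire; the
// timestamp window and the nonce cache are what stop a captured token from
// being replayed.
public sealed class UsernameTokenVerifier
{
    private const string CreatedFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'";
    private readonly Func<string, string> lookupPassword;   // username -> password, null if unknown
    private readonly Func<DateTime> utcNow;                  // injectable clock
    private readonly TimeSpan window;                        // tolerated token age and clock skew
    private readonly Dictionary<string, DateTime> seenNonces = new Dictionary<string, DateTime>();

    public UsernameTokenVerifier(Func<string, string> lookupPassword, TimeSpan window, Func<DateTime> utcNow)
    {
        this.lookupPassword = lookupPassword;
        this.window = window;
        this.utcNow = utcNow;
    }

    public bool Verify(string username, string nonceBase64, string created, string digestBase64)
    {
        string password = lookupPassword(username);
        if (password == null) return false;

        DateTime createdUtc;
        if (!DateTime.TryParseExact(created, CreatedFormat, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out createdUtc))
            return false;                                            // malformed timestamp
        DateTime now = utcNow();
        if (createdUtc < now - window || createdUtc > now + window)
            return false;                                            // stale, or dated in the future

        // A nonce older than the window can never validate again, so forget it;
        // any nonce still inside the window must not be accepted twice.
        List<string> expired = new List<string>();
        foreach (KeyValuePair<string, DateTime> kv in seenNonces)
            if (kv.Value < now - window) expired.Add(kv.Key);
        foreach (string key in expired) seenNonces.Remove(key);
        if (seenNonces.ContainsKey(nonceBase64)) return false;      // replayed token

        byte[] nonce;
        try { nonce = Convert.FromBase64String(nonceBase64); }
        catch (FormatException) { return false; }

        string expected = UsernameTokenDigest.Compute(nonce, created, password);
        bool ok = FixedTimeEquals(expected, digestBase64);
        if (ok) seenNonces[nonceBase64] = createdUtc;                // remember accepted nonces only
        return ok;
    }

    // Full-length comparison so response time does not depend on where the digests differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed values: Bob's password from the slide, a fixed clock, a 5-minute window.
        DateTime clock = new DateTime(2010, 4, 30, 12, 0, 0, DateTimeKind.Utc);
        UsernameTokenVerifier verifier = new UsernameTokenVerifier(
            u => u == "Bob" ? "YourStr0ngPassWord" : null, TimeSpan.FromMinutes(5), () => clock);

        byte[] nonce = new byte[16];
        RandomNumberGenerator.Create().GetBytes(nonce);
        string created = clock.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture);
        string nonceB64 = Convert.ToBase64String(nonce);
        string digest = UsernameTokenDigest.Compute(nonce, created, "YourStr0ngPassWord");

        Console.WriteLine("fresh token:   " + verifier.Verify("Bob", nonceB64, created, digest));
        Console.WriteLine("same token:    " + verifier.Verify("Bob", nonceB64, created, digest));
        clock = clock.AddMinutes(10);   // the captured Created stamp is now outside the window
        byte[] nonce2 = new byte[16];
        RandomNumberGenerator.Create().GetBytes(nonce2);
        Console.WriteLine("old timestamp: " + verifier.Verify("Bob", Convert.ToBase64String(nonce2), created,
            UsernameTokenDigest.Compute(nonce2, created, "YourStr0ngPassWord")));
    }
}
```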
X.509 certificates:

    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <!-- ValueType identifies the token as an X.509 v3 certificate -->
      <wsse:BinarySecurityToken ValueType="wsse:X509v3"
                                EncodingType="wsse:Base64Binary">
        U87GGH91TT
      </wsse:BinarySecurityToken>
    </wsse:Security>
Web service endpoint authorization: URL authorization can be used to control access to .asmx files.

Web method authorization: use declarative principal permission demands:

    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)
    {
        // method body not shown on the slide
    }
Digitally signing a SOAP message: http://msdn.microsoft.com/en-us/library/ms824659.aspx

Disabling auto generation of WSDL (in web.config):

    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="Documentation"/> -->
      </protocols>
    </webServices>
Asymmetric encryption using X.509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example (the raw exception, including the source path and line number, reaches the client):

    System.Exception: User not in managers role
       at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207
Web services can throw 3 types of exceptions:
- SoapException
- SoapHeaderException
- Exception (DivisionByZero, ArgumentOutOfRange)
Good example:

    try
    {
        EmployeeService service = new EmployeeService();
        service.GiveBonus(empID, percentage);
    }
    catch (System.Web.Services.Protocols.SoapException se)
    {
        // Extract custom message from se.Detail.InnerText
        Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
    }
Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.
Example:

    [WebMethod]
    public void DivideNumbers(int intNumerator, int intDenominator)
    {
        double dResult;
        try
        {
            dResult = intNumerator / intDenominator;   // throws DivideByZeroException when the denominator is 0
        }
        catch (Exception e)
        {
            // Write to Event Log
            WriteToEventLog(e.Message, EventLogEntryType.Error);
        }
    }

Method to write to the Event Log (requires using System.Diagnostics;):

    /// <summary>
    /// Method to write to the Event Log
    /// </summary>
    /// <param name="strLogEntry">The message to be logged</param>
    /// <param name="eType">Event Log Type</param>
    private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
    {
        string strSource = "Division Web Service";   // name of the source
        string strLogType = "Application";           // type of the log
        string strMachine = ".";                     // machine name ("." is the local machine)
        // Create the source only if it does not exist yet; creating it twice throws
        if (!EventLog.SourceExists(strSource, strMachine))
            EventLog.CreateEventSource(strSource, strLogType, strMachine);
        EventLog eLog = new EventLog(strLogType, strMachine, strSource);
        eLog.WriteEntry(strLogEntry, eType, 1000);
    }
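The server-side half that the bad and good examples above imply, as an added example (not the presentation's code): the full exception is written to the event log with the source name from the slides, while the caller receives a SoapException whose Detail carries only a stable error code, so the client-side catch shown earlier gets something useful without the stack trace or file path leaking. The service, its GiveBonus method, BonusRepository and the employee records are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

// Added example, not code from the presentation. The exception detail that the
// "bad example" sent to the client stays in the Application log; the client
// gets a generic message plus a machine-readable code in the SOAP fault detail.
public class EmployeeService : WebService
{
    private const string EventSource = "Division Web Service";   // source name used on the slides

    [WebMethod]
    public void GiveBonus(int empID, int percentage)
    {
        try
        {
            if (percentage < 0 || percentage > 50)
                throw new ArgumentOutOfRangeException("percentage", "bonus must be between 0 and 50 percent");
            BonusRepository.Apply(empID, percentage);
        }
        catch (SoapException)
        {
            throw;                       // already shaped for the client, pass it through
        }
        catch (Exception ex)
        {
            LogError(ex);                // server-side only: includes the stack trace and file path
            throw ClientFault("The bonus could not be applied.", "BonusFailed");
        }
    }

    // Builds a SOAP fault whose <detail> holds a code and nothing about the
    // implementation; the client reads it via se.Detail.InnerText.
    private static SoapException ClientFault(string message, string errorCode)
    {
        XmlDocument doc = new XmlDocument();
        XmlNode detail = doc.CreateNode(XmlNodeType.Element,
            SoapException.DetailElementName.Name, SoapException.DetailElementName.Namespace);
        XmlNode code = doc.CreateNode(XmlNodeType.Element, "errorCode", "urn:employee-service");
        code.InnerText = errorCode;
        detail.AppendChild(code);
        return new SoapException(message, SoapException.ServerFaultCode, string.Empty, detail);
    }

    private static void LogError(Exception ex)
    {
        // Assumes the source already exists, created by one of the two approaches
        // the slides describe (registry key or EventLogInstaller).
        using (EventLog log = new EventLog("Application", ".", EventSource))
            log.WriteEntry(ex.ToString(), EventLogEntryType.Error, 1000);
    }
}

// Stand-in for the data layer so the example is self-contained (constructed records).
internal static class BonusRepository
{
    private static readonly Dictionary<int, decimal> salaries = new Dictionary<int, decimal>
    {
        { 1001, 52000m }, { 1002, 61000m }
    };

    public static void Apply(int empID, int percentage)
    {
        decimal salary;
        if (!salaries.TryGetValue(empID, out salary))
            throw new InvalidOperationException("no employee with id " + empID);   // stays server-side
        salaries[empID] = salary + salary * percentage / 100m;
    }
}
```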
The entry type passed to WriteToEventLog could be one of the following:
EventLogEntryType.Error, EventLogEntryType.FailureAudit, EventLogEntryType.Information, EventLogEntryType.SuccessAudit, EventLogEntryType.Warning
System.Security.SecurityException will be thrown when we try to make an entry into the log.

Problem: no event source found. Two approaches to solve the problem:

a) Create the source by hand in the registry:
   1. Click Start -> Run, type regedit.
   2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
   3. Right-click the Application subkey, point to New, and then click Key.
   4. Type "Division Web Service" for the key name.
   5. Close Registry Editor.
b) Use the EventLogInstaller class in the System.Diagnostics namespace.

Listing 3: Event Log Installer

    using System;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Configuration.Install;

    namespace EventLogSourceInstaller
    {
        [RunInstaller(true)]
        public class MyEventLogInstaller : Installer
        {
            private EventLogInstaller myEventLogInstaller;

            public MyEventLogInstaller()
            {
                // Create instance of EventLogInstaller
                myEventLogInstaller = new EventLogInstaller();
                // Set the source of the event log to be created
                // (must be the same source name the service passes to EventLog)
                myEventLogInstaller.Source = "Division Web Services";
                // Set the log that the source is created in
                myEventLogInstaller.Log = "Application";
                // Add myEventLogInstaller to the Installers collection
                Installers.Add(myEventLogInstaller);
            }
        }
    }
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X.509 certificates, or custom tokens. WS-Security also addresses message privacy and integrity issues.
Event logging: this security strategy works with Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on other platforms, to protect the system from invalid access.
References:
http://msdn.microsoft.com/en-us/library/ff648643.aspx
http://research.microsoft.com/en-us/projects/samoa/webservicesandsecurity.pdf
http://www.15seconds.com/issue/010430.htm
http://www.lucademon.co.uk
http://www.hannesmarais.com
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4735939
XSD schema ltxml version=10 encoding=utf-8 gt
ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Regular expressions ltxsdelement name=zipgt
ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
Decimal value to 2 digits ltxsdelement name=Salarygt
ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
User name and password ltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Username and password digestThe digest is a Base64-encoded SHA1 hash value
of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +
password)Kerboros ticketsltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
X509 certificatesltwsseSecurity
xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt
Web service end point authorization-can use urlauthorization to control access
to asmx files Web method authorizationUse declarative principal permission
demands[PrincipalPermission(SecurityActionDemand
Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string
empID)
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Web service endpoint authorization: use URL authorization to control access to the .asmx files.
Web method authorization: use declarative principal permission demands.

    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)

Digitally signing a SOAP message: http://msdn.microsoft.com/en-us/library/ms824659.aspx
Disabling auto-generation of WSDL (the Documentation protocol in web.config):

    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- Commenting out <add name="Documentation"/> only works in machine.config;
             in web.config the protocol inherited from machine.config must be removed -->
        <remove name="Documentation"/>
      </protocols>
    </webServices>
Asymmetric encryption using X.509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example (the fault returned to the client leaks the role, the method signature and the source file path and line):

    SystemException: User not in managers role
       at EmployeeService.employee.GiveBonus(Int32 empID, Int32 percentage) in c:\inetpub\wwwroot\employeesystem\employee.asmx.cs:line 207

Web services can throw three types of exceptions:
SoapException
SoapHeaderException
Exception (DivideByZero, ArgumentOutOfRange)

Good example (the client catches the SoapException and reads only the custom detail the server chose to send):

    try
    {
        EmployeeService service = new EmployeeService();
        service.GiveBonus(empID, percentage);
    }
    catch (System.Web.Services.Protocols.SoapException se)
    {
        // Extract the custom message from se.Detail.InnerText
        Console.WriteLine("Server threw a soap exception: " + se.Detail.InnerText);
    }

Log exceptions in the event log. Event types: Information, Warning, Error, Success Audit, Failure Audit.

Example:

    [WebMethod]
    public void DivideNumbers(int intNumerator, int intDenominator)
    {
        double dResult;
        try
        {
            dResult = intNumerator / intDenominator;
        }
        catch (Exception e)
        {
            // Write to Event Log
            WriteToEventLog(e.Message, EventLogEntryType.Error);
        }
    }
Method to write to the Event Log:

    /// <summary>
    /// Method to write to the Event Log
    /// </summary>
    /// <param name="strLogEntry">The message to be logged</param>
    /// <param name="eType">Event Log Type</param>
    private void WriteToEventLog(string strLogEntry, EventLogEntryType eType)
    {
        string strSource = "Division Web Service";   // name of the source
        string strLogType = "Application";           // type of the log
        string strMachine = ".";                     // machine name ("." = local machine)
        if (!EventLog.SourceExists(strSource, strMachine))
            EventLog.CreateEventSource(strSource, strLogType, strMachine);
        EventLog eLog = new EventLog(strLogType, strMachine, strSource);
        eLog.WriteEntry(strLogEntry, eType, 1000);
    }
The entry type passed to WriteToEventLog is one of the following:
EventLogEntryType.Error
EventLogEntryType.FailureAudit
EventLogEntryType.Information
EventLogEntryType.SuccessAudit
EventLogEntryType.Warning

System.Security.SecurityException is thrown when we try to make an entry in the log. The problem is that no event source is found, and creating one needs write access to the registry, which the account running the web service does not normally have. Two approaches solve the problem:

a) Register the source by hand:
   1. Click Start -> Run, type regedit.
   2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
   3. Right-click the Application subkey, point to New, and then click Key.
   4. Type Division Web Service for the key name.
   5. Close Registry Editor.

b) Use the EventLogInstaller class in the System.Diagnostics namespace, so the source is created once at install time (with installer privileges) and never at runtime.

Listing 3: Event Log Installer

    using System;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Configuration.Install;

    namespace EventLogSourceInstaller
    {
        [RunInstaller(true)]
        public class MyEventLogInstaller : Installer
        {
            private EventLogInstaller myEventLogInstaller;

            public MyEventLogInstaller()
            {
                // Create instance of EventLogInstaller
                myEventLogInstaller = new EventLogInstaller();
                // Set the source of the event log to be created
                // (must match the source name used in WriteToEventLog)
                myEventLogInstaller.Source = "Division Web Service";
                // Set the log that the source is created in
                myEventLogInstaller.Log = "Application";
                // Add myEventLogInstaller to the Installers collection
                Installers.Add(myEventLogInstaller);
            }
        }
    }

The installer is run once with installutil.exe against the compiled assembly.
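Added example (not code from the presentation) that combines the exception-handling and logging points above in one web method: the real exception, with caller identity and stack trace, goes to the event log under the "Division Web Service" source, while the client receives a SoapException whose Detail holds only a fixed message and a reference id, so nothing like the bad example's path and line number leaves the server. EmployeeService, GiveBonus and the Manager role come from the slides; ApplyBonus, Fail, Describe and Sanitized are assumed helper names, and the source is assumed to have been registered by the installer.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

[WebService(Namespace = "http://tempuri.org/")]
public class EmployeeService : WebService
{
    // Source registered once by the EventLogInstaller; never created at runtime.
    const string Source = "Division Web Service";
    const string LogName = "Application";

    [WebMethod]
    public void GiveBonus(int empID, int percentage)
    {
        try
        {
            // Explicit role check inside the try: same decision as the declarative
            // demand, but the refusal can now be audited and sanitized.
            if (!User.IsInRole("Manager"))
                throw new SecurityException("User not in managers role");
            if (percentage < 0 || percentage > 100)
                throw new ArgumentOutOfRangeException("percentage");
            ApplyBonus(empID, percentage);
        }
        catch (SecurityException ex)
        {
            // A refused request is a FailureAudit, which is what an analyst filters on.
            throw Fail(ex, EventLogEntryType.FailureAudit, "Access denied",
                       SoapException.ClientFaultCode);
        }
        catch (Exception ex)
        {
            throw Fail(ex, EventLogEntryType.Error, "Request could not be processed",
                       SoapException.ServerFaultCode);
        }
    }

    // Business logic omitted (assumed helper).
    private void ApplyBonus(int empID, int percentage) { }

    // Logs the full exception, then returns a fault that reveals none of it.
    private SoapException Fail(Exception ex, EventLogEntryType type,
                               string message, XmlQualifiedName code)
    {
        string reference = Guid.NewGuid().ToString("N").Substring(0, 8);
        try
        {
            WriteToEventLog(reference + " " + Describe(ex), type);
        }
        catch (SecurityException)
        {
            // The source is missing and the worker process may not create it (the
            // SecurityException from the slides). Fail closed with a distinct, still
            // sanitized fault so the misconfiguration is noticed instead of ignored.
            return Sanitized("Audit log unavailable; request rejected",
                             SoapException.ServerFaultCode, reference);
        }
        return Sanitized(message, code, reference);
    }

    // Everything that must not reach the client: type, message, identity, stack trace.
    private string Describe(Exception ex)
    {
        return String.Format("{0}: {1}{2}User: {3}{2}{4}",
            ex.GetType().FullName, ex.Message, Environment.NewLine,
            User.Identity.Name, ex.StackTrace);
    }

    // Detail carries only the fixed message and the reference that links it to the
    // log entry; the client code on the slides reads it from se.Detail.InnerText.
    private static SoapException Sanitized(string message, XmlQualifiedName code,
                                           string reference)
    {
        XmlDocument doc = new XmlDocument();
        XmlNode detail = doc.CreateNode(XmlNodeType.Element,
            SoapException.DetailElementName.Name,
            SoapException.DetailElementName.Namespace);
        detail.InnerText = message + " (ref " + reference + ")";
        return new SoapException(message, code, String.Empty, detail);
    }

    // Unlike the slides' version, this never calls CreateEventSource: that needs
    // registry write access the worker process should not have.
    private static void WriteToEventLog(string entry, EventLogEntryType type)
    {
        using (EventLog log = new EventLog(LogName, ".", Source))
        {
            log.WriteEntry(entry, type, 1000);
        }
    }
}
```

An analyst can then match the reference id in the client's fault to the FailureAudit or Error entry under the Division Web Service source without the client ever having seen the stack trace.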
WS-Security is the emerging standard for Web services security. The specification defines options for authentication by passing security tokens in a standard way using SOAP headers. Tokens can include user name and password credentials, Kerberos tickets, X.509 certificates or custom tokens. WS-Security also addresses message privacy and integrity issues.

Event logging: this security strategy works on Windows NT, Windows 2000, Windows XP and Windows Vista. In the future, additional research work needs to be carried out to implement the same concept on other platforms, to protect the system from invalid access.
Digitally signing a soap messagehttpmsdnmicrosoftcomen-us
libraryms824659aspxDisabling auto generation of wsdl
ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Asymmetric encryption using X509 certificates
Symmetric encryption using shared keys
Symmetric encryption using custom binary tokens
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Bad example SystemException User not in managers
role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207
Web services can throw 3 types of exceptions
SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut
OfRange)
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Good example try EmployeeService service = new
EmployeeService() ServiceGiveBonus(empIDpercentage)
catch
(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage
EventLogEntryTypeError)
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
Result of writeToEventLog could be one of the following
EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)
WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues
Event logging this security strategy work out with Windows NT windows 2000 windows XP
and windows Vista In the future additional research
work needs to be carried out to implement the same concept in
different platform to prevent the system with invalid access
httpmsdnmicrosoftcomen-uslibraryff648643aspx
httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf
httpwww15secondscomissue010430htm
1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp
stampjsptp=amparnumber=4735939
SystemSecuritySecurityException will be thrown when we try to make an entry in to the log
Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM
CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to
New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor
b) using the EventLogInstaller class in SystemDiagnostics namespace
Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)