Tutorial :Web Services: Secure? Asp.net



Question:

Something I can't wrap my head around is how secure web services are.

For example we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive though and the last thing we want is anybody calling the web services.

I've not yet found anything that says web services has some kind of authentication methods and the only security I've seen people talk about is using certificates to encrypt the message.

I'm no guru on this and would appreciate anyone's input and perhaps a link to somewhere that will explain this in simple terms.

Thanks Jacques


Solution:1

If you are using ASP.NET to create a response / request Service you have only 3 options

  • ASMX
  • WCF
  • Normal .NET pages (or handlers) to process requests

as you specify Services, you can choose between ASMX and WCF then (you can read the difference between ASMX and WCF in my answer here)

keep in mind this

ASMX is considered deprecated technology and replaced by WCF. So if you are going to start new development which requires exposing reusable services, WCF is the way to go.

This days, there is a common pattern when we need to secure Services, and that's using a session key.

The Service normally has a Method for Login where it gets a User and some kind of Password (normally hashed, salted, etc) and that returns a "ticket" that has a limit of time (slided or not - means per each call to a method the period get's reseted or not), and all calls need to have that ticket included in the message body.

Services API like Magento and others uses this.

Or having a pre generated key that is given to the user / application to be used with every call

Services API like Campaign Monitor and MailChimp and others uses this.

The other normal way is to have the user and other credential in the message header all the time.

Services API like SuperOffice CRM and others uses this.

None of this services uses SSL, as I would only use if I really needed to protected the data in the "wire" keeping in mind that SSL expands the response time on every call made.

I hope this helps


Solution:2

Authentication: Consider securing your web services with SSL. Distribute client certificates to those who need to consume those web services. Configure IIS to "Require Client Certificates".

Authorization: Consider developing a scheme where the user is sending a username and password of some kind in the querystring. When you can determine that those credentials are permitted to perform the operation that they're requesting, you can allow them to proceed. Indeed, this is custom logic that the application developer needs to write. There are no built-in conventions in ASP.NET web service for this.

The SSL encryption occurs at a lower level from the application. It's the applications job to then determine who is allowed to perform what operations.


Solution:3

Our webservices are encrypted through SSL (the certificates part) which is https://www.yousite.com instead of http://www.yoursite.com. This just provides basic encryption for the data stream. See SSL.

They are also authenticated by the authentication method that is chosen for our website. If it's is windows auth, or forms auth. See the msdn page on ASP .NET authentication.


Solution:4

For XML Web-Services you should take into account the following best practices:

  • Secure the transport Layer: the infromation or data in XML cannot be interrupted and read in transit.
  • Mask internal resources: Use Network Addres Translation (NAT).
  • Implement XML filtering: With the heklp of XMLand SOAP, affective filtering policies can be set to a content level that requieres a fully parsed or processed XML document.
  • Validate, Transform, Sign and Timestamp al messages: Use XML Schemma Validation, use XSLT for transforming XML, sing all messages, use Network Time Protocool (NTP) for synchronizing all XML nodes to a single authoritative reference time source.
  • Encrypt message fields.
  • Implement secure auditing.
  • Use existing security methods such as HTTPS.
  • Perform XSL transformations on the server.

Source: EC-Council Secure Programmer.


Solution:5

To expound on previous answers: Web Services are as secure as you make them. In general, there are two types of security. Securing the Transmission, and securing the access. Use of SSL can make your transmission secure (). Using Authentication (demand a username and password) allows you to secure access.

Web Services accessed via public internet (that is: not a VPN or only internal resources) are, indeed, less secure than Windows applications, since anyone can have access to them and, potentially, attempt to break your security. By using both transmission and access security, you can mitigate that to acceptable levels (acceptable to the point that banks use them for financial transactions, and you don't know paranoid until you've talked to a banker who has to face an FDIC inspection).


Solution:6

All web applications are exposed to the attacker and are a great surface area for attack. The biggest problem with web services, such as SOAP(WCF) is that often times the programmer doesn't realize that its trivial for an attacker to gain full access to the service. Often times programmers expose nasty functionally like execute_sql_query().

You should read the entire OWASP top 10.


Solution:7

Here's a primer on Securing XML Web Services Created using ASP.NET.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »