Posted by Hartmut Wilms on Sep 26, 2008 02:33 AM
Anil John writes about Information Disclosure Threats and Web Services. In his article he details how potential attackers prepare their attacks and how some common web service practices ‘support’ these threats.
Anil speaks of “pre-operational surveillance”, which falls under “Information Disclosure Threats” in the IT world. He examines two possible threats in detail:
- SOAP Fault Error Messages
- WSDL Scanning/Foot-Printing/Enumeration
On SOAP Fault Error Messages he says that
… the favorite tactic of attackers is to try to deliberately cause an exception or fault in a web service in the hope that sensitive information such as connection strings, stack traces and other information may end up in the SOAP fault.
Anil provides two countermeasures. First, he refers to “the 'Exception Shielding Pattern' as noted in the Patterns & Practices Book 'Web Service Security' [Free PDF Version]” and in the ‘WCF Security Guide’ [Free PDF Version]. Alternatively, he points out, you can “use a hardware device like a XML Security Gateway”, and says that he has “direct experience with Layer 7 as well as Cisco/Reactivity Gateways and happen to know that they support this functionality”.
Steve Loughran, formerly of the Apache Axis team, comments that
Apache Axis defaults to not sending full stack traces over the wire […]. You don't need to buy extra XML security hardware just to lock down the basics of an endpoint.
He also refers to the Axis security guide.
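The Exception Shielding pattern is framework-neutral, so here it is in plain Python rather than WCF or Axis, as an added example that is not code from Anil's article or either framework. The service operation, the connection string and the request values are all constructed for illustration. The 'before' handler copies the exception message and stack trace into the SOAP fault, which is exactly the leak the quoted passage describes; the 'after' handler logs the detail server-side under a correlation id and returns only a generic fault plus that id:

```python
"""Exception shielding for a SOAP endpoint (added example, not the article's code)."""
import logging
import traceback
import uuid
from xml.sax.saxutils import escape

log = logging.getLogger("soap-service")

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed configuration value; a naive fault handler leaks it via the exception message.
CONNECTION_STRING = "Server=db01;Database=accounts;User Id=svc_app;Password=Hunter2!"


def lookup_account(account_id: str) -> dict:
    """Hypothetical service operation that fails the way a data-access layer often does:
    with the connection details embedded in the exception text."""
    if not account_id.isdigit():
        raise RuntimeError(
            f"Cannot open connection '{CONNECTION_STRING}': invalid key {account_id!r}"
        )
    return {"id": account_id, "balance": "0.00"}


def soap_fault(faultcode: str, faultstring: str, detail: str = "") -> str:
    """Build a SOAP 1.1 Fault envelope; all text is XML-escaped, detail is optional."""
    detail_xml = f"<detail>{escape(detail)}</detail>" if detail else ""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body><soap:Fault>'
        f"<faultcode>{escape(faultcode)}</faultcode>"
        f"<faultstring>{escape(faultstring)}</faultstring>"
        f"{detail_xml}</soap:Fault></soap:Body></soap:Envelope>"
    )


def unshielded_invoke(account_id: str) -> str:
    """The 'before': exception message and full stack trace go straight to the caller."""
    try:
        return repr(lookup_account(account_id))
    except Exception as exc:  # deliberately leaky, to show the information disclosure
        return soap_fault("soap:Server", str(exc), traceback.format_exc())


def shielded_invoke(account_id: str) -> str:
    """The 'after': log the real exception under a correlation id, return a generic fault.

    The client sees a stable message and an id it can quote to support; the
    connection string, exception type and stack frames stay in the server log.
    """
    try:
        return repr(lookup_account(account_id))
    except Exception as exc:
        correlation_id = uuid.uuid4().hex
        log.error("fault %s: %s\n%s", correlation_id, exc, traceback.format_exc())
        return soap_fault(
            "soap:Server",
            "An internal error occurred while processing the request.",
            f"errorId={correlation_id}",
        )


def leaks_sensitive_data(fault_xml: str) -> bool:
    """Audit check: does a fault body expose secrets or implementation details?"""
    markers = ("Password=", "Traceback", 'File "', "RuntimeError")
    return any(marker in fault_xml for marker in markers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(unshielded_invoke("abc"))
    print(shielded_invoke("abc"))
```

The `leaks_sensitive_data` check is the kind of assertion worth keeping in a service's test suite: force a fault through every public operation and confirm the response carries nothing but the generic message and the correlation id.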
Regarding the second threat, metadata publishing, Anil states:
The type of information found in a WSDL, and which can be obtained simply by appending a ?WSDL to the end of a service endpoint URL, can be an extremely useful source of info for an attacker seeking to exploit a weakness in a service, and as such should not be provided or simply turned off.
If metadata publishing is turned off, how do clients know how to address/invoke web services? According to Anil, a possible solution is to incorporate an “Enterprise Registry/Repository that has the appropriate Access Control Mechanisms on it” and to refrain from “automatic generation of WSDL” by “following a contract-first approach”.
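To make the WSDL footprinting threat concrete, the following added example (not code from Anil's article or from any framework) parses the kind of document a `?WSDL` probe returns and lists what an attacker learns from it: the service name, every operation name, and the endpoint address, which frequently reveals an internal hostname. The WSDL below is constructed for this example; the service, operations and host are hypothetical. The `is_wsdl` classifier is the check an audit script would run against each endpoint's `?WSDL` response to confirm metadata publishing really is turned off:

```python
"""WSDL scanning/footprinting: what `?WSDL` discloses (added example, constructed data)."""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed WSDL, shaped like what a framework emits when metadata publishing is on.
SAMPLE_WSDL = """<wsdl:definitions name="AccountService"
    targetNamespace="http://tempuri.org/"
    xmlns:tns="http://tempuri.org/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <wsdl:portType name="IAccountService">
    <wsdl:operation name="GetBalance"/>
    <wsdl:operation name="TransferFunds"/>
    <wsdl:operation name="ResetAdminPassword"/>
  </wsdl:portType>
  <wsdl:service name="AccountService">
    <wsdl:port name="BasicHttpBinding_IAccountService">
      <soap:address location="http://intranet-app01.corp.example:8080/AccountService.svc"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def is_wsdl(body: str) -> bool:
    """Classify an HTTP response body: did the `?WSDL` probe get a service description back?

    A 404 page, an HTML error or non-XML content all return False; only a document whose
    root is a WSDL `definitions` element counts as metadata disclosure.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == "{%s}definitions" % NS["wsdl"]


def footprint(wsdl_xml: str) -> dict:
    """Enumerate what the WSDL hands an attacker: operation names and endpoint addresses."""
    root = ET.fromstring(wsdl_xml)
    operations = sorted(
        op.get("name") for op in root.iterfind(".//wsdl:portType/wsdl:operation", NS)
    )
    endpoints = [addr.get("location") for addr in root.iterfind(".//soap:address", NS)]
    return {"service": root.get("name"), "operations": operations, "endpoints": endpoints}


if __name__ == "__main__":
    if is_wsdl(SAMPLE_WSDL):
        info = footprint(SAMPLE_WSDL)
        print("service:   ", info["service"])
        print("operations:", ", ".join(info["operations"]))
        print("endpoints: ", ", ".join(info["endpoints"]))
```

Operation names alone tell an attacker which calls are worth targeting, and the `soap:address` often exposes an internal host and port that would never appear in a public contract. Distributing the same contract through an access-controlled registry, as Anil suggests, gives legitimate clients this information without handing it to anyone who can append `?WSDL` to a URL.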
Dominick Baier explains some details about WCF metadata publishing in his article on “Securing WCF Metadata”. He writes about securing metadata publishing by
Would you enroll in an India Forex Group i.e http://www.indiaforex.com Groups?