
WCF and Information Disclosure Threats

Posted by Hartmut Wilms on Sep 26, 2008

Anil John writes about Information Disclosure Threats and Web Services. In his article he delves into how potential attackers prepare their attacks and how some common web service practices ‘support’ these threats.

Anil speaks of “pre-operational surveillance”, which is classified as “Information Disclosure Threats” in the IT world. He examines two possible threats in detail:

  1. SOAP Fault Error Messages
  2. WSDL Scanning/Foot-Printing/Enumeration

On SOAP Fault Error Messages he says that

… the favorite tactic of attackers is to try to deliberately cause an exception or fault in a web service in the hope that sensitive information such as connection strings, stack traces and other information may end up in the SOAP fault.

Anil provides two countermeasures. First, he refers to “the 'Exception Shielding Pattern' as noted in the Patterns & Practices Book 'Web Service Security' [Free PDF Version]” and in the ‘WCF Security Guide’ [Free PDF Version]. Alternatively, he points out, you can “use a hardware device like a XML Security Gateway”; he has “direct experience with Layer 7 as well as Cisco/Reactivity Gateways and happen to know that they support this functionality”.

Steve Loughran, formerly of the Apache Axis team, comments that

Apache Axis defaults to not sending full stack traces over the wire […]. You don't need to buy extra XML security hardware just to lock down the basics of an endpoint.

He also refers to the Axis security guide.
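As an added illustration of the Exception Shielding pattern Anil refers to (example code written for this page, not code from the article or the cited guides), the following WCF IErrorHandler logs the real exception server-side and puts only a generic fault with a correlation id on the wire. The names ServiceFault, ShieldingErrorHandler and ExceptionShielding are assumed; the Validate step also refuses to open the host if IncludeExceptionDetailInFaults has been switched on, so the shield cannot be silently bypassed by configuration.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical fault contract: the only detail a caller ever receives.
[DataContract] public class ServiceFault
{
    [DataMember] public string Message { get; set; }
    [DataMember] public string CorrelationId { get; set; } // ties the fault to the private log entry
}

// Replaces unexpected exceptions with a sanitized fault; the real exception is logged server-side.
public class ShieldingErrorHandler : IErrorHandler
{
    // WCF calls ProvideFault first (build the wire fault), then HandleError (log/recover).
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return; // contract-declared faults pass through unchanged
        var id = Guid.NewGuid().ToString("N");
        error.Data["CorrelationId"] = id;    // lets HandleError log the same id
        var detail = new ServiceFault { Message = "An internal error occurred.", CorrelationId = id };
        var fe = new FaultException<ServiceFault>(detail, detail.Message);
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), fe.Action);
    }
    public bool HandleError(Exception error)
    {
        // Placeholder log sink: stack trace, inner exceptions and connection strings stay here, never on the wire.
        Console.Error.WriteLine("{0:o} id={1} {2}", DateTime.UtcNow, error.Data["CorrelationId"], error);
        return true; // handled: do not abort the session
    }
}

// Put [ExceptionShielding] on the service class: installs the handler on every dispatcher and
// refuses to open the host if IncludeExceptionDetailInFaults has been turned back on.
public class ExceptionShieldingAttribute : Attribute, IServiceBehavior
{
    public void Validate(ServiceDescription desc, ServiceHostBase host)
    {
        var dbg = desc.Behaviors.Find<ServiceDebugBehavior>();
        if (dbg != null && dbg.IncludeExceptionDetailInFaults)
            throw new InvalidOperationException("IncludeExceptionDetailInFaults must be false when shielding.");
    }
    public void ApplyDispatchBehavior(ServiceDescription desc, ServiceHostBase host)
    {
        foreach (ChannelDispatcher cd in host.ChannelDispatchers) cd.ErrorHandlers.Add(new ShieldingErrorHandler());
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h, Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
}
```

The correlation id is stored in Exception.Data because WCF hands the same exception object to both methods, so a support engineer can match the id a client reports to the full server-side log entry.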

Regarding the second threat, Metadata publishing, Anil states:

The type of information found in a WSDL, and which can be obtained simply by appending a ?WSDL to the end of a service endpoint URL, can be an extremely useful source of info for an attacker seeking to exploit a weakness in a service, and as such should not be provided or simply turned off.

If metadata publishing is turned off, how do clients know how to address/invoke web services? According to Anil a possible solution is to incorporate an “Enterprise Registry/Repository that has the appropriate Access Control Mechanisms on it” and refrain from “automatic generation of WSDL” by “following a contract-first approach”.

Dominick Baier explains some details about WCF metadata publishing in his article on “Securing WCF Metadata”. He writes about securing metadata publishing by

  • enforcing SSL,
  • exposing a Metadata Exchange (MEX) endpoint by developing a custom binding that implements IMetadataExchange and incorporates the full WCF security feature set (the standard mex* bindings don’t support security), or
  • allowing consumers “to retrieve metadata from a WCF service […] via WMI”.

Dominick points at techniques for detecting metadata retrieval requests in his post “Authorizing Access to WCF Metadata”.
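As an added example of the metadata lock-down the article describes (code written for this page, not from Anil's or Dominick's posts), the following shows the development-style setting that answers ?WSDL for anyone beside the hardened setting that publishes nothing, plus a check to run before opening the host. IOrders, OrdersService and MetadataPolicy are assumed names, and the example assumes no serviceMetadata behavior is added by a config file.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract] public interface IOrders { [OperationContract] string Lookup(string id); }
public class OrdersService : IOrders { public string Lookup(string id) { return "order " + id; } }

public static class MetadataPolicy
{
    // Development-style setting: GET ...?wsdl and a plain MEX endpoint, both open to anyone.
    public static void Exposed(ServiceHost host)
    {
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });
        host.AddServiceEndpoint(typeof(IMetadataExchange), MetadataExchangeBindings.CreateMexHttpBinding(), "mex");
    }

    // Production setting following the article: no ?wsdl over GET and no MEX endpoint; clients get
    // the contract out of band (contract-first, access-controlled registry/repository).
    public static void Hardened(ServiceHost host)
    {
        var meta = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (meta != null) { meta.HttpGetEnabled = false; meta.HttpsGetEnabled = false; }
        // WS-MetadataExchange is only served on an explicit IMetadataExchange endpoint, so none is added.
    }

    // Pre-open check: true only when nothing on this host would publish metadata.
    public static bool IsMetadataLocked(ServiceHost host)
    {
        var meta = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        bool getOff = meta == null || (!meta.HttpGetEnabled && !meta.HttpsGetEnabled);
        foreach (var ep in host.Description.Endpoints)
            if (ep.Contract.ContractType == typeof(IMetadataExchange)) return false;
        return getOff;
    }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(OrdersService), new Uri("http://localhost:8080/orders")); // assumed address
        host.AddServiceEndpoint(typeof(IOrders), new BasicHttpBinding(), "");
        MetadataPolicy.Hardened(host);
        if (!MetadataPolicy.IsMetadataLocked(host))
            throw new InvalidOperationException("host would publish metadata");
        host.Open();
        Console.WriteLine("Listening without ?wsdl or MEX; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

If metadata must be published after all, Dominick's route above (HTTPS plus an access-controlled custom MEX binding) applies; IsMetadataLocked would then be relaxed to accept that one endpoint.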
This article is part of a featured topic series on SOA.

ServiceDebugBehavior.IncludeExceptionDetailInFaults Property

by Kelly Collins

The WCF ServiceDebugBehavior provides an IncludeExceptionDetailInFaults property that specifies whether to include managed exception information in the detail of SOAP faults returned to the client. It defaults to false and can be set in the service config file.
