BT

WCF and Information Disclosure Threats

by Hartmut Wilms on Sep 26, 2008 |

Anil John writes about Information Disclosure Threats and Web Services. In his article he delves into the details of how potential attackers use to prepare their attacks and how some common web service practices ‘support’ these threats.

Anil speaks of “pre-operational surveillance”, which is classified as “Information Disclosure Threats” in the IT world. He examines two possible threats in detail:

  1. SOAP Fault Error Messages
  2. WSDL Scanning/Foot-Printing/Enumeration

On SOAP Fault Error Messages he says that

… the favorite tactic of attackers is to try to deliberately cause an exception or fault in a web service in the hope that sensitive information such as connection strings, stack traces and other information may end up in the SOAP fault.

Anil provides two countermeasures, first he refers to “the 'Exception Shielding Pattern' as noted in the Patterns & Practices Book 'Web Service Security' [Free PDF Version]” and in the ‘WCF Security Guide’ [Free PDF Version]. He points out that alternatively you can “use a hardware device like a XML Security Gateway”, and says that he has “direct experience with Layer 7 as well as Cisco/Reactivity Gateways and happen to know that they support this functionality”.

Steve Loughran, formerly of the Apache Axis team, comments that

Apache Axis defaults to not sending full stack traces over the wire […]. You don't need to by extra XML security hardware just to lock down the basics of an endpoint.

He also refers to the Axis security guide.

Regarding the second threat, Metadata publishing, Anil states:

The type of information found in a WSDL, and which can be obtained simply by appending a ?WSDL to the end of a service endpoint URL, can be an extremely useful source of info for an attacker seeking to exploit a weakness in a service, and as such should not be provided or simply turned off.

If metadata publishing is turned off, how do clients know how to address/invoke web services? According to Anil a possible solution is to incorporate an “Enterprise Registry/Repository that has the appropriate Access Control Mechanisms on it” and refrain from “automatic generation of WSDL” by “following a contract-first approach”.

Dominick Baier explains some details about WCF metadata publishing in his article on “Securing WCF Metadata”. He writes about securing metadata publishing by

  • enforcing SSL,
  • exposing a Metadata Exchange (MEX) endpoint by developing a custom binding that implements IMetadataExchange and incorporates the full WCF security feature set (the standard mex* bindings don’t support security), or
  • allowing consumers “to retrieve metadata from a WCF service […] via WMI”.
Dominick points at techniques for detecting metadata retrieval requests in his post “Authorizing Access to WCF Metadata”.

Hello stranger!

You need to Register an InfoQ account or to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

ServiceDebugBehavior.IncludeExceptionDetailInFaults Property by Kelly Collins

The WCF ServiceDebugBehavior provides an IncludeExceptionDetailsInFaults property that specifies whether to include managed exception information in the detail of SOAP faults returned to the client. It defaults to false and can be set in the service config file.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

1 Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2013 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT