Protecting Web Services

I've got a WebService project that we've created to expose some methods to our clients (specifically if they call one of the methods it will trigger an event on our servers) that they can call in their own C# projects (some clients will be doing web form apps and some will be doing it on their internal site).

Due to the nature of the method, one of the parameters is a string which identifies who the client is (so we can trigger the appropriate event) and I'm not overly confident this is enough to prevent people from sending random data until they stumble upon one of the valid identifiers.

What is the standard way of protecting something like this from abuse? Most of the tutorials I find don't seem to mention anything about keeping them secure. Thanks!

BarrettJ asked Dec 17 '09 20:12



1 Answer

Daniel Vassallo is correct. You will want to use a X509 certificate to verify that the person calling the service is legitimate. However this does raise the complexity of the solution a lot. You will want to use Microsoft WSE and likely a purchased 3rd party component.

Without that, you can use a user name and password passed in. However, there would need to be some shared algorithm to hash the information based on date, time, etc. Without the hash, you open yourself up to a hack much more than not, even with SSL, as a dictionary attack could eventually break in.

Clarence Klopfstein answered Oct 13 '22 19:10
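As an added illustration (not code from the question or the answer), this is the shape of the shared-secret scheme the answer alludes to: each client holds a secret issued out of band, signs every call with an HMAC over the client identifier, method, body, timestamp and a nonce, and the server recomputes the MAC and rejects stale or replayed requests. It is written in Python rather than the C# the clients use; the client identifiers, secrets and `X-*` header names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-client shared secrets, issued to each client out of band.
CLIENT_SECRETS = {"client-acme": b"constructed-secret-for-acme"}
REPLAY_WINDOW_SECONDS = 300

def canonical_string(client_id, method, timestamp, nonce, body):
    # Bind every field the server checks into the signed string.
    return "\n".join([client_id, method, str(timestamp), nonce, body]).encode()

def compute_mac(secret, client_id, method, timestamp, nonce, body):
    msg = canonical_string(client_id, method, timestamp, nonce, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def sign_request(client_id, secret, method, body, timestamp=None, nonce=None):
    """Client side: headers that accompany one call (timestamp/nonce injectable for tests)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = compute_mac(secret, client_id, method, timestamp, nonce, body)
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}

class Verifier:
    """Server side: rejects unknown clients, stale or replayed requests, and bad MACs."""
    def __init__(self, secrets_by_client, now=time.time):
        self._secrets = secrets_by_client
        self._now = now
        self._seen_nonces = {}  # nonce -> timestamp; prune entries older than the window
    def verify(self, headers, method, body):
        client_id = headers.get("X-Client-Id", "")
        secret = self._secrets.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(self._now() - ts) > REPLAY_WINDOW_SECONDS:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        expected = compute_mac(secret, client_id, method, ts, nonce, body)
        # compare_digest avoids leaking the mismatch position through timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self._seen_nonces[nonce] = ts
        return True, "ok"
```

Guessing a client identifier alone no longer triggers anything, because the server only acts on a request whose MAC was produced with that client's secret; the scheme still assumes the secret is carried over TLS and stored securely on both sides.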