From what I understand: If you don't have a MEX endpoint / WSDL, your service is basically non-discoverable. Only people who have knowledge of your data contract should be able to consume your service.

Does this assertion hold water, or are there ways for malicious denizens of the internet to figure out how to invoke/consume services that have no MEX endpoint?

EDIT: As Andrew pointed out, this strategy should not be considered to be truly secure. I'm wondering more along the lines of if it is safe from random abuse during a QA phase with external consumers.

+2  A: 

Depends on your definition of secure. It's a case of security by obscurity, which might be fine for your personal to-do list service, but unacceptable for a financial app.

SOAP etc. are not /that/ complicated, so it's not impossible that a hacker could guess some inputs, although depending on the service, it could be very unlikely (even mathematically infeasible). However, if you distribute a client which could be reverse engineered, or if someone manages to packet sniff legitimate use of your service, then they could almost certainly exploit it?

Andrew M
I completely understand what you are saying about the level of security it provides.
Daniel Auger
+2  A: 

People (hackers) use port sniffers to find ports where there is something listening. Then they start probing it with data and see what comes back. It doesn't take much work to figure out that this is a port that wants a SOAP message. Basically the errors returned will tell you as much. So no, security by obscurity is no security at all, and you might as well publish the URL.

The MEX part is only there to help others create a service contract and is never a requirement. Take a REST or JSON service, for example: there is no concept of a MEX endpoint.

Maurice
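Both answers above make the same point from two sides: an empty envelope posted at the listening port draws back a Fault that identifies the SOAP stack (Maurice's answer), and a single sniffed plaintext request hands over the whole operation contract (Andrew's answer). The Python script below is an added example written for this page, not code from the thread or from WCF: `classify_response` reads what a probe response leaks, `contract_from_capture` recovers the operation name, SOAPAction and parameter names from a captured request, and `probe` actually sends the empty envelope to a URL. The service path `/OrderService.svc`, the host name and the `http://tempuri.org/` namespace are constructed for the example, and the fault text is modelled on the shape of a WCF ContractFilter-mismatch fault rather than quoted from it.

```python
"""Probe a SOAP endpoint that publishes no WSDL and read what it volunteers."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"


def empty_envelope(soap12=False):
    """Minimal probe body: a well-formed Envelope with an empty Body.
    A SOAP stack answers it with a Fault rather than with silence."""
    ns = SOAP12_NS if soap12 else SOAP11_NS
    return f'<s:Envelope xmlns:s="{ns}"><s:Body/></s:Envelope>'


def classify_response(body):
    """Decide whether `body` is a SOAP envelope and pull out any Fault detail.
    Returns {'soap': False} for anything that is not an Envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"soap": False}
    for ns, version in ((SOAP11_NS, "1.1"), (SOAP12_NS, "1.2")):
        if root.tag == f"{{{ns}}}Envelope":
            break
    else:
        return {"soap": False}
    result = {"soap": True, "version": version, "fault": False}
    fault = root.find(f"{{{ns}}}Body/{{{ns}}}Fault")
    if fault is None:
        return result
    result["fault"] = True
    if version == "1.1":  # SOAP 1.1 fault children are unqualified
        code = fault.findtext("faultcode") or ""
        text = fault.findtext("faultstring") or ""
    else:                 # SOAP 1.2 nests Code/Value and Reason/Text
        code = fault.findtext(f"{{{ns}}}Code/{{{ns}}}Value") or ""
        text = fault.findtext(f"{{{ns}}}Reason/{{{ns}}}Text") or ""
    result["faultcode"] = code
    result["faultstring"] = text
    # Stacks that dispatch on a WS-Addressing Action usually name it in the
    # fault; that alone tells the prober which field to start varying.
    result["mentions_action"] = "Action" in text
    return result


def probe(url, soap12=False, timeout=5):
    """Send the empty envelope to `url` and classify whatever comes back.
    A 4xx/5xx status is expected: the Fault travels in the error body."""
    ctype = "application/soap+xml" if soap12 else "text/xml"
    req = urllib.request.Request(
        url, data=empty_envelope(soap12).encode(), method="POST",
        headers={"Content-Type": ctype, "SOAPAction": '""'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.read())


def contract_from_capture(raw_request):
    """Recover path, SOAPAction, operation, namespace and parameter names
    from one captured plaintext HTTP request: enough to replay or mutate it."""
    head, _, payload = raw_request.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    _method, path, _version = request_line.decode().split(" ", 2)
    headers = {}
    for line in header_block.decode().split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    root = ET.fromstring(payload)
    body = root.find(f"{{{SOAP11_NS}}}Body")
    if body is None:
        body = root.find(f"{{{SOAP12_NS}}}Body")
    op = body[0]  # first child of Body is the operation element

    def local(tag):
        return tag.rsplit("}", 1)[-1]

    return {
        "path": path,
        "action": headers.get("soapaction", "").strip('"'),
        "operation": local(op.tag),
        "namespace": op.tag[1:].split("}")[0] if op.tag.startswith("{") else "",
        "parameters": [local(child.tag) for child in op],
    }


# Constructed sample: shape of the fault a WCF endpoint returns when the Body
# carries no recognised Action (wording illustrative, not verbatim).
SAMPLE_FAULT = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<s:Fault><faultcode xmlns:a="http://schemas.microsoft.com/ws/2005/05/'
    b'addressing/none">a:ActionNotSupported</faultcode><faultstring xml:lang='
    b'"en-US">The message with Action \'\' cannot be processed at the receiver, '
    b"due to a ContractFilter mismatch at the EndpointDispatcher.</faultstring>"
    b"</s:Fault></s:Body></s:Envelope>"
)

# Constructed sample: one legitimate request as it appears on the wire over
# plain HTTP (hypothetical service path, host and namespace).
SAMPLE_CAPTURE = (
    b"POST /OrderService.svc HTTP/1.1\r\n"
    b"Host: orders.example.internal\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://tempuri.org/IOrderService/GetOrder"\r\n'
    b"\r\n"
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><GetOrder xmlns="http://tempuri.org/"><orderId>42</orderId>'
    b"</GetOrder></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    print(classify_response(SAMPLE_FAULT))
    print(contract_from_capture(SAMPLE_CAPTURE))
```

`probe("http://host/Service.svc")` performs the first step against a live test endpoint; the two constructed samples show the rest offline. For the QA-phase question this is the caveat that matters: the endpoint itself tells a stranger that it speaks SOAP and which header it dispatches on, and one unencrypted request from a legitimate tester gives away the rest, so only transport encryption plus real per-consumer credentials keep uninvited callers out.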