tags:

views:

181

answers:

3
+1  Q: 

How do I protect a public ASMX page that posts important data to my database

I have a site in development with several web services (ASMX) that post important data to my database. When I navigate to the ASMX file in my browser, I can fill in the form with the parameters and post to the DB. If someone finds the URL to my WS, they can severely alter my database. I want to prevent people from being able to post to my WS publicly. So far, I've thought of two things that may help but I'd like to know if there are any other ways:

  • Check to see if the HTTP Referrer to the WS method is the domain the WS is on
  • Add an additional parameter called Key to all important WS methods and have this be an encrypted "password." Then encrypt my stored password on the WS side and compare if the keys match.

If there are any other best practices or techniques I can use to secure my WS, please share!

A: 

If the referrer is in the same domain then an easy way would be to set a cookie in the referring page and then check for the existence of the cookie in the ASMX (plus whatever other checks you want to implement). Note that the domain has to be the same otherwise this technique won't work.

Reza  2010-01-19 17:21:21
+1  A: 

The easiest thing to do is to just disable that test page. You can do this by adding the following to your web.config of your web service:

<webServices>
<protocols >
<remove name="HttpGet"/>
<remove name="HttpPost"/>
<remove name="HttpPostLocalhost"/>
</protocols>

Also, here is a decent article on other ways to secure your web service, including adding authentication in the soap header.

AaronS  2010-01-19 17:25:17
Thanks! Those `web.config` changes were what I was looking for to disable the test page form fields. I'll also look into the SOAP headers moving forward with any of my web services.
Mark Ursino  2010-01-20 13:57:50
+4  A: 

Some of these might be helpful to you:

Also please note that the test webpage (which shows sample tetboxes) should only be accessible from the local machine, if it is viewable from other machines there is probably a configuration issue going on.

GrayWizardx  2010-01-19 17:27:21
+1 SOAP security headers are the best way to go.
Joel Etherton  2010-01-19 17:28:26
Thanks for the useful links. I didn't end up marking this as the answer because the configuration changes were really what I was looking for mostly, but these links will be useful moving forward for any public-facing web services I create from now on. Thanks!
Mark Ursino  2010-01-20 13:56:50

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?