tags:

views:

91

answers:

4
+2  Q: 

How to prevent just anyone sending a request to my web service

I have an app in C# which serializes an object into xml into a http stream to my server. The server has some php which runs a stored procedure in mysql with the xml data as its only parameter.

The problem is that someone could very easily just send up an xml of the same format with a whole lot of entires that would ruin the database with crap data. What are my options to prevent this from happening?

I'm pretty new to web requests so I don't even know where to start.

+1  A: 

You should use some form of authentication and authorization. In SOAP based services there's the WS-Security extension. Here's another article on MSDN that explains how this works. However I have no idea what is the support for those standards on the PHP side. If you are using some custom protocol you could simply require a username/password to be sent along with the request and verified on the server side.

Darin Dimitrov  2010-07-27 11:39:24
will check it out, I tried doing it with soap but couldn't quite get my head around it
Jimmy  2010-07-27 12:20:11
+2  A: 

We require a username and password to be supplied to all input parameter lists which is validated against our back-end user login system before a request is processed. Low tech, but works for us.

Dr Herbie  2010-07-27 11:42:49
firin' up my packet sniffer...
Will  2010-07-27 11:46:50
It is, of course on HTTPS -- is it still vulnerable to packet sniffing?
Dr Herbie  2010-07-27 11:55:36
@Dr Herbie, no, HTTPS is not vulnerable to packet sniffing.
Darin Dimitrov  2010-07-27 11:56:50
I was thinking of something like this but wasnt sure how effective it would be. If it works, may be all I need. Cheers
Jimmy  2010-07-27 12:17:04
@Darin Dimitrov : Phew!
Dr Herbie  2010-07-27 12:33:47
+1  A: 

Are you planning on having this client out-there in public hands on the internet? If so it may be impossible to prevent people using different software as they could always reverse engineer the application to find out what security mechanism you are using. As a result your only defence will be to validate the data thoroughly on the server.

You might get around this by modifying the client to require a user name and password that gets sent with data to your server using HTTPS, that way at least you know who did the damage. If however you have a more closed audience you could use some kind of client certificate system or IP filtering.

Martin Brown  2010-07-27 11:52:54
Yeah there will be lots of clients (hopefully, if is sells well...) Made me think, the way the data is stored, it would be simple to fix an attack by just wiping that single users data
Jimmy  2010-07-27 12:19:18
A: 

Our solution (and we're hopelessly naive in this respect) is that we generate a unique key per session on the server in a non-uniform manner (ie. it is difficult to predict what the "next" value would be), and give that to the client code as part of its login process. It is then required to pass that value back to use for each request as the first parameter.

This ensures that:

  • Logging out invalidates the authentication key
  • Username and password is not sent in cleartext for the web service requests

This does not ensure that:

  • Only our application code can talk to the server (the user might intercept the request, copy the key, and generate his own requests, as long as the key is still considered valid.)

What you're going to find is that as long as code on the users machine is talking to your server, you have no control over the code on that machine, only the code on that server. So if the users machine is sending you requests originating from a different program, that looks just like they would and should if your code generated them, you're going to have a hard time figuring out that this is what is happening.

Lasse V. Karlsen  2010-07-27 12:00:33
kind of like a nonce right? I thought about maybe having two http requests in a row - one just requests a nonce or key like yours, which is only valid for a short time, and is sent back with the xml along with user and password. Still open to having someone request a key and sending it back, but I guess its at least another measure
Jimmy  2010-07-27 12:25:04

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?