Hey there,

Something I can't wrap my head around is how secure web services are.

For example, we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive though, and the last thing we want is anybody calling the web services.

I've not yet found anything that says web services have some kind of authentication methods, and the only security I've seen people talk about is using certificates to encrypt the message.

I'm no guru on this and would appreciate anyone's input and perhaps a link to somewhere that will explain this in simple terms.

Thanks, Jacques

+1  A: 

Our web services are encrypted through SSL (the certificates part), which is https://www.yoursite.com instead of http://www.yoursite.com. This just provides basic encryption for the data stream. See SSL.

They are also authenticated by the authentication method that is chosen for our website, whether it's Windows auth or forms auth. See the MSDN page on ASP.NET authentication.

msarchet
OK, so I get the first part about SSL, but are you saying that normal ASP.NET forms authentication can be used here too? So in essence, without SSL a web service can be authenticated much like a web page without SSL, using the same Forms Authentication mechanism?
Jacques
@Jacques, so think about it like this: the web service is essentially a page on your site. If your site requires a login, then the web service won't work if that page requires the login.
msarchet
But Forms authentication requires a cookie that is passed back and forth with the authentication ticket. To my knowledge, web services don't do that, do they? So how would you achieve forms authentication in the case of web services?
Jacques
@Jacques, actually, now that I think about it, forms is the only one you can't do, but here is the MSDN article on web services auth: http://msdn.microsoft.com/en-us/library/ff649362.aspx#secnetch10_passingcredentialsforauth
msarchet
So the interesting question for me is: how is it that on ASP.NET pages, when you make Ajax calls to populate cascading lists, it somehow is still authenticated?
Jacques
+1  A: 

Authentication: Consider securing your web services with SSL. Distribute client certificates to those who need to consume those web services. Configure IIS to "Require Client Certificates".

Authorization: Consider developing a scheme where the user is sending a username and password of some kind in the query string. When you can determine that those credentials are permitted to perform the operation that they're requesting, you can allow them to proceed. Indeed, this is custom logic that the application developer needs to write. There are no built-in conventions in ASP.NET web services for this.

The SSL encryption occurs at a lower level than the application. It's the application's job to then determine who is allowed to perform what operations.

p.campbell
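An added server-side example (C#, written for this page rather than taken from the thread or from MSDN) of the pattern the answers above describe: SSL on the transport, a credential the desktop client sends with every call because it has no forms-auth cookie, and the per-operation authorization check p.campbell says the developer must write. The service name, namespace, role name and sample record are assumptions.

```csharp
using System.Collections.Generic;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

// Credentials ride in a SOAP header rather than the query string, so they
// never land in URL/proxy logs; the method below only accepts them over SSL.
public class CredentialsHeader : SoapHeader
{
    public string UserName;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/sensitive")] // constructed namespace
public class SensitiveDataService : WebService
{
    public CredentialsHeader Credentials; // filled by ASP.NET from the incoming header

    // Constructed sample data standing in for the site's real data store.
    private static readonly Dictionary<int, string> Records =
        new Dictionary<int, string> { { 1, "Customer 1: account balance 1,250.00" } };

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public string GetCustomerRecord(int customerId)
    {
        // 1. Transport: fail closed if the call did not arrive over HTTPS, or if
        //    IIS "Require Client Certificates" is on and none was presented.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS is required.", SoapException.ClientFaultCode);
        if (!Context.Request.ClientCertificate.IsPresent)
            throw new SoapException("A client certificate is required.", SoapException.ClientFaultCode);

        // 2. Authentication: a desktop client has no forms-auth cookie, so the
        //    header is the credential. SOAP headers are optional on the wire,
        //    so a missing header must be rejected, not ignored.
        if (Credentials == null ||
            !Membership.ValidateUser(Credentials.UserName, Credentials.Password))
            throw new SoapException("Invalid credentials.", SoapException.ClientFaultCode);

        // 3. Authorization: the custom logic p.campbell mentions; ASP.NET web
        //    services do not decide per-operation permissions for you.
        if (!Roles.IsUserInRole(Credentials.UserName, "CustomerDataReaders")) // assumed role
            throw new SoapException("Not permitted.", SoapException.ClientFaultCode);

        string record;
        return Records.TryGetValue(customerId, out record) ? record : null;
    }
}
```

A browser-based Ajax caller on the same site would instead be recognised from its forms-auth cookie (the case Jacques asks about), which is why the explicit header is what a desktop client needs.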
A: 

To expound on previous answers: web services are as secure as you make them. In general, there are two types of security: securing the transmission and securing the access. Use of SSL can make your transmission secure (HTTPS://). Using authentication (demand a username and password) allows you to secure access.

Web Services accessed via public internet (that is: not a VPN or only internal resources) are, indeed, less secure than Windows applications, since anyone can have access to them and, potentially, attempt to break your security. By using both transmission and access security, you can mitigate that to acceptable levels (acceptable to the point that banks use them for financial transactions, and you don't know paranoid until you've talked to a banker who has to face an FDIC inspection).

AllenG
A: 

All web applications are exposed to the attacker and are a great surface area for attack. The biggest problem with web services, such as SOAP (WCF), is that oftentimes the programmer doesn't realize that it's trivial for an attacker to gain full access to the service. Oftentimes programmers expose nasty functionality like execute_sql_query().

You should read the entire OWASP top 10.

Rook
A: 

Here's a primer on Securing XML Web Services Created using ASP.NET.

Andrew Lewis