tags:

views:

70

answers:

2
Q: 

Web Service with AJAX Security Best practices

hi, i am using script manager to call a web method on client side but as you know web methods cant work from user control, so you have to create a web service to do that.

this is going fine with me but i am having the following concerns

  • if you use web method in ASPX page the code is invisible to the user so how can i prevent users from browsing to my service and see my code and only let the page or user control call the web service.
  • is there anyway users can high jack my code like Cross Site Scripting, Pinging, Etc... with this approach.
  • what is exactly visible to the client with this approach, the java script code block that i used to call the service or everything ?
  • any extra Advice would be totally appreciated.

thanks in advanced.

+1  A: 

All the javascript will be visible, but that's not really an issue.

Adding the attribute EnableSession to your webmethod will let you use the same security code that you have in pages.

Tom Clarkson  2009-05-07 11:28:03
thanks man, if JavaScript code is clear, it is not an issue as you said, but i don't want the logic of my service class and function to show up in the browser.so with EnableSession my web service will be exactly like a web page ?
 2009-05-07 11:55:31
Basically, yes. The web service implementation is compiled serverside code. EnableSession is more about data though - it lets you get details of the user that logged in on the web page so you don't expose any private data publicly.
Tom Clarkson  2009-05-07 12:07:48
marvelous, can you tell me please if you know how can i prevent user from going to www.mysite/myservice.asmx i want to hide it make it both invisible and inaccessible
 2009-05-07 12:13:20
That's pretty much the default behaviour - it shows no UI except when called from the local machine, requests are post rather than get, and you can have the code throw an exception if the user is not properly authenticated or if a session variable set by the page is missing.
Tom Clarkson  2009-05-07 12:50:10
+1  A: 

Without going into .NET specifies, since that isn't my field:

Anything which runs on the client (e.g. JavaScript) is visible to users who can modify it, within the confines of their system, as much as they want.

Anything which runs on the server is not visible to users.

For a user to be able to click a button and have code on the server run, the browser must send an HTTP request to the server. The simple approach is to use a form. This provides a standard means to structure data.

More complicated approaches involve using JavaScript to construct the request explicitly (rather than just letting the browser take care of it). This lets the data be submitted using other methods than "Visiting a new page", which gives the flexibility needed for Ajax.

With any approach, you essentially define a public API which is accessible via HTTP.

There are two broad classes of attack that you need to defend against (it doesn't matter if Ajax is involved or not, its still the same type of API).

  1. Direct attacks - sanity check your data, don't let users edit things without authentication.
  2. Indirect attacks - in which a third party tricks a user into entering bad data (e.g. via a link on another site that asks their browser to make the HTTP request to your site). Defenses include things like requiring the client to request a one-use token before their can submit data (e.g. by generating a hidden input when the form is served up to stop third parties using their own form with malicious data and submitting users to your site with JS).

In a nutshell: Use the same defenses you would use if JS wasn't involved.

David Dorward  2009-05-07 11:33:44
thanks man, but as i read in scutt blog ASP.NET AjAX prevents this, or i am wrong ? one more thing is how can i i prevent user from going to www.mysite/myservice.asmx i want to hide it make it both invisible and inaccessible .
 2009-05-07 11:53:09
can you please give me web links to some articles about the those 2 dangerous attacks, or their official name so i can search for them.
 2009-05-07 12:10:59
If the browser has to make requests to myservice.asmx, then it can't be invisible or inaccessible. Any server side code in it, will, of course be unavailable to clients, but the HTTP API it exposes must let clients interact with it over HTTP.
David Dorward  2009-05-07 12:15:33
oh, now it is clear, so only HTTP API.i have used this in web config <add name="ScriptHandlerFactory" verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler" preCondition="integratedMode" />it works in blocking any direct access to web service, and calling it from client side from page still works fine, what annoys me is the 403 in fiddler while checking my code.
 2009-05-07 12:28:53

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?