
Something I can't wrap my head around is how secure web services are.

For example, we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive, though, and the last thing we want is anybody calling the web services.

I've not yet found anything that says web services have some kind of authentication method, and the only security I've seen people talk about is using certificates to encrypt the message.

I'm no guru on this and would appreciate anyone's input, and perhaps a link to somewhere that will explain this in simple terms.

Thanks, Jacques

Jacques

7 Answers


If you are using ASP.NET to create a request/response service, you have only 3 options:

  • ASMX
  • WCF
  • Normal .NET pages (or handlers) to process requests

As you specify services, you can then choose between ASMX and WCF (you can read about the difference between ASMX and WCF in my answer here).

Keep this in mind:

ASMX is considered deprecated technology and replaced by WCF. So if you are going to start new development which requires exposing reusable services, WCF is the way to go.

These days there is a common pattern when we need to secure services, and that's using a session key.

The service normally has a method for login where it gets a user and some kind of password (normally hashed, salted, etc.), and that returns a "ticket" that has a time limit (sliding or not, meaning that on each call to a method the period gets reset or not), and all calls need to have that ticket included in the message body.

Service APIs like Magento and others use this.

Or having a pre-generated key that is given to the user/application to be used with every call.

Service APIs like Campaign Monitor and MailChimp and others use this.

The other normal way is to have the user and other credentials in the message header all the time.

Service APIs like SuperOffice CRM and others use this.

None of these services uses SSL, as I would only use it if I really needed to protect the data on the "wire", keeping in mind that SSL increases the response time on every call made.

I hope this helps

balexandre
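The session-ticket and pre-generated-key patterns described in the answer above, as an added example that is not part of the original post and not code from any of the products it names. It is written in Python so that it runs stand-alone; the logic is framework-neutral and ports directly to a WCF/ASMX operation or an ASP.NET handler. The user name, password, application name, 60-second lifetime and the injected clock are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash: the service stores salt + hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class TicketService:
    """Login issues a random ticket; every later call must present it.

    sliding=True renews the expiry on each successful call (the 'slided' variant);
    sliding=False keeps the lifetime fixed from the moment of login.
    """

    def __init__(self, ttl_seconds: int = 900, sliding: bool = True, clock=time.time):
        self.ttl = ttl_seconds
        self.sliding = sliding
        self.clock = clock        # injectable so expiry can be tested deterministically
        self._users = {}          # user -> (salt, pbkdf2 hash)
        self._tickets = {}        # ticket -> (user, expires_at)
        self._api_keys = {}       # sha256(key) -> application name

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt))

    def login(self, user: str, password: str):
        """Return a new ticket, or None when the credentials are wrong."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        # constant-time compare: timing must not reveal how much of the hash matched
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        ticket = secrets.token_urlsafe(32)      # 256 random bits, unguessable
        self._tickets[ticket] = (user, self.clock() + self.ttl)
        return ticket

    def validate_ticket(self, ticket: str):
        """Return the owning user, or None if the ticket is unknown or expired."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._tickets[ticket]           # expired tickets are purged, never renewed
            return None
        if self.sliding:
            self._tickets[ticket] = (user, self.clock() + self.ttl)
        return user

    def logout(self, ticket: str) -> None:
        self._tickets.pop(ticket, None)

    # Second pattern: a pre-generated key handed to the application, sent with every call.
    def issue_api_key(self, application: str) -> str:
        key = secrets.token_hex(32)
        # keep only a hash, so a leaked key table does not yield usable keys
        self._api_keys[hashlib.sha256(key.encode()).hexdigest()] = application
        return key

    def validate_api_key(self, presented: str):
        """Return the application the key was issued to, or None."""
        return self._api_keys.get(hashlib.sha256(presented.encode()).hexdigest())


def demo() -> dict:
    """Login, sliding renewal and expiry, driven by a controllable clock."""
    now = [1_000_000.0]
    svc = TicketService(ttl_seconds=60, sliding=True, clock=lambda: now[0])
    svc.add_user("jacques", "correct horse battery staple")      # constructed credentials
    results = {"bad_login": svc.login("jacques", "wrong password")}
    ticket = svc.login("jacques", "correct horse battery staple")
    results["first_call"] = svc.validate_ticket(ticket)
    now[0] += 50        # 50 s later: inside the 60 s window, expiry slides forward
    results["renewed_call"] = svc.validate_ticket(ticket)
    now[0] += 50        # 100 s after login, but only 50 s since the last renewal
    results["still_valid"] = svc.validate_ticket(ticket)
    now[0] += 61        # idle for 61 s: the ticket dies and is purged
    results["expired"] = svc.validate_ticket(ticket)
    key = svc.issue_api_key("desktop-client")                   # constructed application
    results["api_key"] = svc.validate_api_key(key)
    results["bad_api_key"] = svc.validate_api_key("not-a-key")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Whichever variant is used, the ticket or key is a bearer credential: anyone who captures it can call the service until it expires or is revoked, so it needs transport protection and a short lifetime. The ticket is random rather than derived from the user name so it cannot be guessed, the password check uses a constant-time comparison, and only a hash of each API key is stored server-side.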

Authentication: Consider securing your web services with SSL. Distribute client certificates to those who need to consume those web services. Configure IIS to "Require Client Certificates".

Authorization: Consider developing a scheme where the user is sending a username and password of some kind in the querystring. When you can determine that those credentials are permitted to perform the operation that they're requesting, you can allow them to proceed. Indeed, this is custom logic that the application developer needs to write. There are no built-in conventions in ASP.NET web service for this.

The SSL encryption occurs at a lower level than the application. It's the application's job to then determine who is allowed to perform what operations.

p.campbell

Our web services are encrypted through SSL (the certificates part), which is https://www.yoursite.com instead of http://www.yoursite.com. This just provides basic encryption for the data stream. See SSL.

They are also authenticated by the authentication method that is chosen for our website, whether it is Windows auth or forms auth. See the MSDN page on ASP.NET authentication.

msarchet
  • Ok, so I get the first part about SSL, but are you saying that normal Asp.net forms authentication can be used here too? So in essence, without SSL a web service can be authenticated much like a web page without SSL using the same Forms Authentication mechanism? – Jacques Jul 29 '10 at 14:40
  • @Jacques, so think about it like this: the web service is essentially a page on your site. If your site requires a login, then the web service won't work if that page requires the login. – msarchet Jul 29 '10 at 15:04
  • But Forms authentication requires a cookie that is passed back and forth with the authentication ticket. To my knowledge web services don't do that do they? So how would you achieve forms authentication in the case of web services? – Jacques Jul 29 '10 at 15:23
  • @Jacques actually, now that I think about it, forms is the only one you can't do, but here is the MSDN article on web services auth: http://msdn.microsoft.com/en-us/library/ff649362.aspx#secnetch10_passingcredentialsforauth – msarchet Jul 29 '10 at 16:07
  • So the interesting question for me is: How is it on Asp.net pages when you make Ajax calls to populate cascading lists that it somehow is still authenticated? – Jacques Aug 02 '10 at 09:41

For XML web services you should take into account the following best practices:

  • Secure the transport layer: the information or data in XML cannot be intercepted and read in transit.
  • Mask internal resources: use Network Address Translation (NAT).
  • Implement XML filtering: with the help of XML and SOAP, effective filtering policies can be set at a content level that requires a fully parsed or processed XML document.
  • Validate, transform, sign and timestamp all messages: use XML Schema validation, use XSLT for transforming XML, sign all messages, and use Network Time Protocol (NTP) for synchronizing all XML nodes to a single authoritative reference time source.
  • Encrypt message fields.
  • Implement secure auditing.
  • Use existing security methods such as HTTPS.
  • Perform XSL transformations on the server.

Source: EC-Council Secure Programmer.

ArBR
  • Please tell me how to mask internal resources? What do you mean by encrypt message fields? – Mou Dec 05 '16 at 11:13
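The "sign and timestamp all messages" items in the list above, worked through as an added example that is not part of the original answer or of the cited course material. The receiver rejects a message whose timestamp is outside an agreed window (clocks assumed NTP-synchronised, as the list recommends), whose HMAC does not verify, or whose nonce has already been seen inside the window (a replay). The body is canonicalised (C14N 2.0, available in the Python standard library) before signing so that harmless reformatting does not invalidate the signature. The shared key, the 5-minute window and the sample `<Transfer>` body are constructed for the demonstration; a real service would hold one key per client and persist the seen-nonce set.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

DEMO_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: one pre-shared key per client


def _mac_input(body_xml: str, timestamp: int, nonce: str) -> bytes:
    # Canonicalise (C14N 2.0) so harmless reformatting does not break the MAC, and
    # bind timestamp and nonce to the body so none of the three can be swapped.
    canonical = ET.canonicalize(body_xml, strip_text=True)
    return f"{timestamp}|{nonce}|".encode("utf-8") + canonical.encode("utf-8")


def sign_message(body_xml: str, key: bytes, now: int) -> dict:
    """Client side: attach a timestamp, a fresh nonce and an HMAC over all three."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, _mac_input(body_xml, now, nonce), hashlib.sha256).hexdigest()
    return {"body": body_xml, "timestamp": now, "nonce": nonce, "signature": mac}


class MessageVerifier:
    """Server side: reject stale, tampered or replayed messages."""

    def __init__(self, key: bytes, window_seconds: int = 300, clock=time.time):
        self.key = key
        self.window = window_seconds
        self.clock = clock
        self._seen = {}     # nonce -> time after which it can be forgotten

    def _purge(self, now: int) -> None:
        stale = [n for n, keep_until in self._seen.items() if keep_until < now]
        for n in stale:
            del self._seen[n]

    def verify(self, msg: dict) -> tuple:
        now = int(self.clock())
        self._purge(now)
        # 1. Freshness: with NTP-synced clocks only a small skew needs tolerating.
        if abs(now - int(msg["timestamp"])) > self.window:
            return False, "stale timestamp"
        # 2. Integrity and origin, checked before the nonce so unsigned junk
        #    cannot be used to fill the replay cache.
        expected = hmac.new(self.key, _mac_input(msg["body"], msg["timestamp"], msg["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["signature"]):
            return False, "bad signature"
        # 3. Replay: a validly signed nonce seen twice inside the window is a resend.
        if msg["nonce"] in self._seen:
            return False, "replay"
        self._seen[msg["nonce"]] = int(msg["timestamp"]) + self.window
        return True, "ok"


def demo() -> dict:
    """Fresh, replayed, reformatted, tampered, stale and wrong-key messages, one verifier."""
    now = [1_700_000_000]
    verifier = MessageVerifier(DEMO_KEY, window_seconds=300, clock=lambda: now[0])
    compact = "<Transfer><Account>12345</Account><Amount>10.00</Amount></Transfer>"  # constructed
    pretty = "<Transfer>\n  <Account>12345</Account>\n  <Amount>10.00</Amount>\n</Transfer>"
    results = {}
    msg = sign_message(compact, DEMO_KEY, now[0])
    results["fresh"] = verifier.verify(msg)[1]
    results["replay"] = verifier.verify(msg)[1]            # same nonce presented again
    signed_pretty = sign_message(pretty, DEMO_KEY, now[0])
    results["reformatted"] = verifier.verify(dict(signed_pretty, body=compact))[1]
    tampered = dict(sign_message(compact, DEMO_KEY, now[0]),
                    body=compact.replace("10.00", "9999.00"))
    results["tampered"] = verifier.verify(tampered)[1]
    results["stale"] = verifier.verify(sign_message(compact, DEMO_KEY, now[0] - 301))[1]
    results["wrong_key"] = verifier.verify(sign_message(compact, b"other-key", now[0]))[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the checks matters: the signature is verified before the nonce is recorded, so an attacker cannot exhaust the replay cache with unsigned traffic, and seen nonces are dropped once the timestamp they belong to would be rejected as stale anyway, which keeps the cache bounded. An HMAC with a pre-shared key is used here for brevity; the same structure applies with XML Signature and an asymmetric key when the client and service do not share a secret.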

To expound on previous answers: web services are as secure as you make them. In general, there are two types of security: securing the transmission, and securing the access. Use of SSL can make your transmission secure. Using authentication (demand a username and password) allows you to secure access.

Web Services accessed via public internet (that is: not a VPN or only internal resources) are, indeed, less secure than Windows applications, since anyone can have access to them and, potentially, attempt to break your security. By using both transmission and access security, you can mitigate that to acceptable levels (acceptable to the point that banks use them for financial transactions, and you don't know paranoid until you've talked to a banker who has to face an FDIC inspection).

AllenG

All web applications are exposed to the attacker and are a great surface area for attack. The biggest problem with web services, such as SOAP (WCF), is that often the programmer doesn't realize that it's trivial for an attacker to gain full access to the service. Often programmers expose nasty functionality like execute_sql_query().

You should read the entire OWASP top 10.

rook

Here's a primer on Securing XML Web Services Created using ASP.NET.

John Saunders