
What is the best practice for sending potentially sensitive data to a web service via XML in C#?

If I knew the data I would be working with was completely trivial, I'd be inclined to use XmlSerialization, but the fact that serialization requires disk access to work properly concerns me - it seems like there is a possibility of sensitive data being stored on disk in temp files.

So if not XmlSerialization, then what is the best way to go?

  • "fact that serialization requires disk access to work properly" - this is your first wrong assumption. You can serialize into a memory stream. – Joe Nov 29 '11 at 21:16
  • http://stackoverflow.com/questions/542312/asp-net-access-to-the-temp-directory-is-denied, http://msdn.microsoft.com/en-us/library/ms733901.aspx ("Another threat that exists whenever you use XmlSerializer is related to write access to the system temporary folder. The XmlSerializer serialization engine creates and uses temporary serialization assemblies in this folder. You should be aware that any process with write access to the temporary folder may overwrite these serialization assemblies with malicious code.") – Nov 29 '11 at 21:18
  • Does XmlSerialization require disk access?! Although the MSDN documentation says "writes to a file" I think it really just writes to a Stream. If the Stream is a MemoryStream, then there are no files involved. Have you observed it writing to a file? – Mike Goodwin Nov 29 '11 at 21:21
  • @Jordan: The serialization assemblies will be representations of the structure of your data, but not the data/content itself. Depending on which you are concerned about, this might be acceptable. – Joe Nov 29 '11 at 21:37
  • Close voters, I don't see how this is off-topic. – Joe Nov 29 '11 at 21:38
  • @Joe: It's not, but you do tend to get a few overly zealous admins -- especially the ones that just got the power to vote to close. :) – Randolpho Nov 29 '11 at 21:41

3 Answers

When using the XmlSerializer, the temporary files that are created only contain type information - i.e. temporary assemblies representing the type of the data transfer objects. They do not contain the actual data of the instantiated objects themselves. The type information may be sensitive, but probably is not.

The threats mentioned in the links in your comments above are about the possibility of injection of malicious code by an attacker overwriting these generated assemblies - not the disclosure of data.

In fact, WCF will use the DataContractSerializer by default, rather than the XmlSerializer. This link http://msdn.microsoft.com/en-us/library/ms733135.aspx explains how to prevent the DataContractSerializer from loading malicious types by creating a known types list (of strongly named types) in your config file or in code. Then the problem is limited to keeping your config file secure...

Can I stop now ;o)

Mike Goodwin

Use WCF with a binding such as WsHttpBinding configured for TLS.

Edit

The DataContractSerializer, which is the default serialization engine used in WCF, does not require temporary serialization assemblies like the XmlSerializer.

If you are accessing a web service in general, I suggest using a WCF proxy to do so. If you are only concerned with the serialization and have perhaps already written all the SOAP for your request, etc., then you can use the DataContractSerializer without worry.

That said: it's important to note that the temporary serialization assemblies do not store the data, they're just an optimization to speed up the XML parsing. There's an attack vector to replace the assemblies, but that requires access to the server in the first place, and if you've got that sort of access the sensitive data can be retrieved in other ways.

Randolpho
  • One line answers aren't that useful. **Why** would this be a solution? – ChrisF Nov 29 '11 at 21:23
  • This answers the title question very well (in 1 line), not the concerns in the body. Still a good answer. – H H Nov 29 '11 at 21:34
  • @HenkHolterman Actually, it answers the concerns in the body without addressing them. I'll edit to be more clear. – Randolpho Nov 29 '11 at 21:35
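The points made in this answer and in the comments above (serialize into a MemoryStream, prefer the DataContractSerializer, protect the wire with TLS), as an added C# illustration that is not code from any of the posters; the PaymentRecord DTO and the class name are assumptions for the example:

```csharp
using System.IO;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.Xml.Serialization;

// Hypothetical DTO for the example; the attributes serve both serializers.
[DataContract]
public class PaymentRecord
{
    [DataMember] public string AccountId { get; set; }
    [DataMember] public decimal Amount { get; set; }
}

public static class InMemoryXmlTransport
{
    // DataContractSerializer writes straight into the MemoryStream: no temporary
    // serialization assembly is generated and none of the data touches disk.
    public static byte[] DataContractToBytes(PaymentRecord record)
    {
        var serializer = new DataContractSerializer(typeof(PaymentRecord));
        using (var stream = new MemoryStream())
        {
            serializer.WriteObject(stream, record);
            return stream.ToArray();
        }
    }

    // XmlSerializer also accepts a MemoryStream, so the payload stays in memory;
    // the temporary assembly it generates describes only the type, not the data.
    public static byte[] XmlSerializerToBytes(PaymentRecord record)
    {
        var serializer = new XmlSerializer(typeof(PaymentRecord));
        using (var stream = new MemoryStream())
        {
            serializer.Serialize(stream, record);
            return stream.ToArray();
        }
    }

    // WSHttpBinding in Transport mode only accepts https endpoints, so the XML
    // produced above is TLS-protected between client and service.
    public static WSHttpBinding TlsBinding()
    {
        return new WSHttpBinding(SecurityMode.Transport);
    }
}
```

Once the byte array has been sent, clearing it with Array.Clear removes the plaintext copy from the managed heap; it does nothing about the copy that may already sit in the page file, which is the point H H raises below.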

it seems like there is a possibility of sensitive data being stored on disk in temp files.

That could happen, on either the Server or the Client.
But your data will be present, unencrypted, on both ends anyway.

So you really have to re-think what security means here. What kind of attack(s) do you want to protect against?

H H
  • The specific requirement I'm looking to satisfy is "make sure no sensitive data is written to disk [on the machine on which the process doing the xml generation and sending is running]" –  Nov 29 '11 at 21:28
  • That's an event, not an attack. – H H Nov 29 '11 at 21:32
  • @Jordan: the data won't be in the serialization assemblies. – Joe Nov 29 '11 at 21:37
  • @Jordan I don't think any Serializer needs/uses temp-files. But any Admin (PowerUser) could find your data in the Swap file. – H H Nov 29 '11 at 21:43