.NET Forum / ASP.NET / Web Services / April 2006

Best way to prevent abuse of Webservice

Christian Anderson - 24 Apr 2006 15:04 GMT
Hi,

I use JavaScript to call WebMethods and have asynchronous feedback (I
use Atlas for this). While this works just fine, now everybody could
write his own html/javascript client and use my WebMethods! I know I can
secure Webservices, but I don't want my website's users to be required
to login.

Is there any way, I can verify, that the webservice is called from a
client who comes from my website?

If I store a special value in the session and look for it in the web
method. Would that be safe?
Josh Twist - 24 Apr 2006 15:20 GMT
I'd say there's no way of making your web service secure from other
sources because it's a publicly accessible beast (it has to be because
client browsers hit it directly).

What are you trying to protect it against? If it's your data/service
being misused then I suspect you need to worry about your website in
much the same way as it's very easy to scrape a website for data these
days.

If you're trying to protect your web service from some inherently
exposed vulnerability then you need to make sure that no
vulnerabilities are exposed and that your service is just as tight as
you'd make your web pages.

Josh
http://www.thejoyofcode.com/
Christian Anderson - 24 Apr 2006 16:23 GMT
Thanks for your reply!

Josh Twist wrote:
> I'd say there's no way of making your web service secure from other
> sources because it's a publicly accessible beast (it has to be because
> client browsers hit it directly).
Hm... I thought so - but that would mean that every AJAX application
(that can be accessed by an anonymous user) could be 'hijacked'! Isn't
this bad? :-0

> What are you trying to protect it against? If it's your data/service
> being misused then I suspect you need to worry about your website in
> much the same way as it's very easy to scrape a website for data these
> days.
Yes, I worry about my data and service being misused...

Best Regards!
Josh Twist - 24 Apr 2006 21:31 GMT
> Hm... I thought so - but that would mean that every AJAX application
> (that can be accessed by an anonymous user) could be 'hijacked'! Isn't
> this bad? :-0

Not necessarily - they shouldn't be able to do anything more than they
can with your website!

Remember - 'they' (the baddies) could just as easily abuse your website
- can you protect against this? not easily.

If you store a 'special key' in the HTML - how hard would it be for me
to write an HttpWebRequest that requested your source and parsed it to
find the key - then hit the service directly?

Josh
http://www.thejoyofcode.com/
jkf35 - 25 Apr 2006 22:56 GMT
Here's a great article.  WSE 2.0 has some great integration for
securing webservices.

http://www.devx.com/security/Article/18207/0/page/1

- John Fullmer
Christian Döring - 24 Apr 2006 18:33 GMT
> If I store a special value in the session and look for it in the web
> method. Would that be safe?
To clarify this: The server generates an id, saves it somewhere and passes
it on to the client when he loads the page. Now the client passes this value
every time he calls a webservice. The webservice compares this value to the
value he has stored. The stored value expires after some time.

Would this work? Is this secure?
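The scheme described in the post above (server issues an id, stores it with an expiry, page hands it to the client, the web method checks it) and the bypass Josh sketched earlier (fetch the page with any HTTP client, parse the key out, call the method directly), as an added example that is not code from this thread and not Atlas/ASP.NET code. It is a toy in-memory model: `WebServiceHost`, `render_page`, `web_method`, `rogue_client`, the 300-second `TOKEN_TTL_SECONDS` and the `pageToken` variable name are all assumptions made for the example; the thread only says the value "expires after some time".

```python
import re
import secrets
import time

# Assumed expiry window; the post only says the stored value expires "after some time".
TOKEN_TTL_SECONDS = 300


class WebServiceHost:
    """Toy model of the site in the thread: it renders a page carrying a
    freshly issued token and exposes a web method that checks that token.
    Constructed for this example, not real ASP.NET/Atlas code."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._tokens = {}        # token -> expiry timestamp (the "session store")

    def render_page(self):
        """Serve the page: mint a token, remember it, embed it in the HTML."""
        token = secrets.token_hex(16)
        self._tokens[token] = self._now() + TOKEN_TTL_SECONDS
        # The site's own JavaScript reads pageToken and sends it with each call.
        return ('<html><body>\n'
                '<script>var pageToken = "%s";</script>\n'
                '<script>callWebMethod(pageToken);</script>\n'
                '</body></html>' % token)

    def web_method(self, token):
        """The WebMethod: reject unknown or expired tokens, otherwise serve data."""
        expiry = self._tokens.get(token)
        if expiry is None or expiry < self._now():
            self._tokens.pop(token, None)
            return {"ok": False, "error": "invalid or expired token"}
        return {"ok": True, "data": "the protected data"}


# The attacker only needs to know what the page looks like to pull the token out.
TOKEN_RE = re.compile(r'var pageToken = "([0-9a-f]{32})"')


def rogue_client(host):
    """Josh's attack: request the page like any HTTP client (the HttpWebRequest
    in his post), parse the token out of the source, then hit the service
    directly. Every page fetch yields a fresh, valid token, so the check does
    nothing to stop a client that is not the site's own JavaScript."""
    html = host.render_page()
    token = TOKEN_RE.search(html).group(1)
    return host.web_method(token)


def demo():
    """Return the three outcomes side by side: forged token, scraped token,
    and a genuine token after the expiry window has passed."""
    host = WebServiceHost()
    forged = host.web_method("0" * 32)          # guessing a token fails
    scraped = rogue_client(host)                # scraping a token succeeds

    clock = [1000.0]                            # fake clock for the expiry case
    expiring = WebServiceHost(now=lambda: clock[0])
    token = TOKEN_RE.search(expiring.render_page()).group(1)
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = expiring.web_method(token)        # the expiry itself does work
    return {"forged": forged, "scraped": scraped, "expired": expired}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The expiry and the lookup behave exactly as described, and they do keep out a client that has never loaded the page; they do not distinguish the site's own JavaScript from a scraper that loads the page first, which is the point Josh makes about a key stored in the HTML.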
