03.16.07
WSDL & WebResource.axd
By Dan Morrill
Web servers that host SOAP web services expose WSDL (Web Services Description Language) documents.
A WSDL file describes which operations a service offers, what input each operation expects, what it returns, and where the endpoint is located. .NET 2.0 adds a related mechanism, the WebResource.axd handler, which serves resources (scripts, images and similar files) embedded in compiled assemblies; the query string of each WebResource.axd URL carries an encrypted identifier for the assembly and resource being requested plus a timestamp, and the server uses it to decide which embedded resource to return.
Simply put, a WSDL file is handy for both the developer and the consumer of the service, because it states explicitly which resources exist and how they bind to the system's inputs and outputs.
For the attacker, the same file, if it is not secured, is a road map to the entire back end, much like a diagram of how the whole system is put together.
The MSDN blog post on WebResource.axd referenced below sums up how the handler maps a request to an embedded resource:
Calling the handler URL directly prompts the server to send the complete embedded file (for example, the full client-side script) to whoever asks for it.
The W3C WSDL 2.0 specification describes what a service description asserts:
A WSDL 2.0 service description indicates how potential clients are intended to interact with the described service. It represents an assertion that the described service fully implements and conforms to what the WSDL 2.0 document describes. For example, as further explained in section 6.1.1 Mandatory extensions, if the WSDL 2.0 document specifies a particular optional extension, the functionality implied by that extension is only optional to the client. It must be supported by the Web service.
A WSDL 2.0 interface describes potential interaction with a service--not required interaction. The declaration of an operation in a WSDL 2.0 interface is not an assertion that the interaction described by the operation must occur. Rather, it is an assertion that if such an interaction is (somehow) initiated, then the declared operation describes how that interaction is intended to occur. Source: w3.org
Scanning for WSDL documents and pulling the XML schema of the inputs the system expects is both an asset and a liability for the web server. AJAX frameworks, including Microsoft's Atlas, can use a WSDL or an equivalent description as the manifest for the whole web service in a Web 2.0 application, and they should. But the same information that makes the service usable is equally useful to an attacker: every operation name, parameter name and data type in the file is a starting point for targeted input.
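As an added illustration (not code from the original article or from any of the posts it cites), the following Python script parses a WSDL 1.1 document, the format that ASP.NET .asmx services emit, rather than the WSDL 2.0 quoted above, and enumerates exactly the road map described: endpoint addresses, operation names, SOAPAction values, and the name and type of every input and output part. The service, namespace, operation and endpoint names in the embedded WSDL are invented for the example, and the keyword list used to pick out operations worth reviewing first is an assumption.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP_NS = "{http://schemas.xmlsoap.org/wsdl/soap/}"

# Constructed WSDL 1.1 document for the example; the service, namespace and
# operation names are invented and do not describe any real endpoint.
SAMPLE_WSDL = """<definitions name="AccountService"
    targetNamespace="http://example.test/account"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://example.test/account"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="GetBalanceIn"><part name="accountId" type="xsd:string"/></message>
  <message name="GetBalanceOut"><part name="balance" type="xsd:decimal"/></message>
  <message name="ResetPasswordIn">
    <part name="userId" type="xsd:string"/><part name="newPassword" type="xsd:string"/>
  </message>
  <message name="ResetPasswordOut"><part name="ok" type="xsd:boolean"/></message>
  <portType name="AccountPortType">
    <operation name="GetBalance">
      <input message="tns:GetBalanceIn"/><output message="tns:GetBalanceOut"/>
    </operation>
    <operation name="ResetPassword">
      <input message="tns:ResetPasswordIn"/><output message="tns:ResetPasswordOut"/>
    </operation>
  </portType>
  <binding name="AccountBinding" type="tns:AccountPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance">
      <soap:operation soapAction="http://example.test/account/GetBalance"/>
    </operation>
    <operation name="ResetPassword">
      <soap:operation soapAction="http://example.test/account/ResetPassword"/>
    </operation>
  </binding>
  <service name="AccountService">
    <port name="AccountPort" binding="tns:AccountBinding">
      <soap:address location="http://localhost:8080/account.asmx"/>
    </port>
  </service>
</definitions>"""


def _local(qname):
    """Drop the namespace prefix from a QName used in an attribute value."""
    return qname.split(":", 1)[-1]


def enumerate_wsdl(xml_text):
    """Return the endpoints and operations (with message parts) a WSDL 1.1 document exposes."""
    root = ET.fromstring(xml_text)

    # <message> name -> [(part name, XSD type or element reference)]
    messages = {
        m.get("name"): [(p.get("name"), p.get("element") or p.get("type"))
                        for p in m.findall(WSDL_NS + "part")]
        for m in root.findall(WSDL_NS + "message")
    }

    # SOAPAction header value per operation, taken from the binding section
    actions = {}
    for binding in root.findall(WSDL_NS + "binding"):
        for op in binding.findall(WSDL_NS + "operation"):
            soap_op = op.find(SOAP_NS + "operation")
            if soap_op is not None:
                actions[op.get("name")] = soap_op.get("soapAction")

    operations = {}
    for port_type in root.findall(WSDL_NS + "portType"):
        for op in port_type.findall(WSDL_NS + "operation"):
            name = op.get("name")
            entry = {"input": [], "output": [], "soapAction": actions.get(name)}
            for direction in ("input", "output"):
                ref = op.find(WSDL_NS + direction)
                if ref is not None:
                    entry[direction] = messages.get(_local(ref.get("message")), [])
            operations[name] = entry

    endpoints = [addr.get("location")
                 for svc in root.findall(WSDL_NS + "service")
                 for port in svc.findall(WSDL_NS + "port")
                 for addr in port.findall(SOAP_NS + "address")]
    return {"endpoints": endpoints, "operations": operations}


def flag_operations(info, keywords=("password", "admin", "delete", "reset")):
    """Operations whose name or input part names suggest a privileged action (assumed keyword list)."""
    hits = []
    for name, op in info["operations"].items():
        words = [name] + [part for part, _ in op["input"]]
        if any(k in w.lower() for w in words for k in keywords):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    info = enumerate_wsdl(SAMPLE_WSDL)
    for name, op in info["operations"].items():
        print(name, op["soapAction"], "in:", op["input"], "out:", op["output"])
    print("endpoints:", info["endpoints"], "review first:", flag_operations(info))
```

Run against a real service the same script works on the output of a `?WSDL` request; the point of the example is that nothing here required authentication or guesswork, which is why the author treats the description file as a target in its own right.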
Depending on how the URL is processed, tools such as Microsoft's URLScan filter for IIS, the Bleeding Edge Snort rule set, or simply logging and baselining how the WSDL and WebResource.axd URLs are normally requested will show security staff how these files are actually used. From that baseline they can work out suitable risk assessment and risk management for clients that fetch the file directly, or that request the components described in the file one at a time.
The service needs the file in order to function, so it cannot simply be removed; what matters is keeping tabs on it, and on similar files, so they are not misused. Limiting who can fetch it, watching how it is used, and defining security parameters around it will minimise the problems any system manifest in the Web 2.0 world can cause. Needed and necessary, and should be monitored.
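To make the baseline-and-watch approach concrete, here is an added example (not from the original article) in Python that reads IIS W3C extended-format log lines, constructed inline for the illustration, and flags three things: WSDL fetches from clients outside a known-consumer list, WebResource.axd requests whose query string lacks the d and t parameters the framework always generates, and clients that accumulate error responses against WebResource.axd, which looks like probing. The IP addresses, the field list and the probe threshold are assumptions for the example.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS 6.0 W3C extended-format log excerpt (spaces inside fields
# such as the User-Agent are written as '+', as IIS does). Addresses invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-03-16 10:01:02 10.0.0.5 GET /WebResource.axd d=AbC123&t=633082000000000000 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2007-03-16 10:01:03 10.0.0.5 GET /default.aspx - 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2007-03-16 10:02:11 10.0.0.5 GET /account.asmx WSDL 80 - 203.0.113.7 curl/7.16.1 200
2007-03-16 10:02:12 10.0.0.5 GET /WebResource.axd d=AbC123&t=633082000000000000 80 - 203.0.113.7 curl/7.16.1 200
2007-03-16 10:02:13 10.0.0.5 GET /WebResource.axd d=AAAA 80 - 203.0.113.7 curl/7.16.1 404
2007-03-16 10:02:14 10.0.0.5 GET /WebResource.axd d=AAAB 80 - 203.0.113.7 curl/7.16.1 404
"""


def parse_iis_log(text):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def detect_manifest_abuse(rows, known_consumers, probe_threshold=2):
    """Return (rule, client ip, detail) tuples for suspicious WSDL / WebResource.axd traffic."""
    alerts = []
    webresource_errors = Counter()
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        query = "" if r["cs-uri-query"] == "-" else r["cs-uri-query"]
        client = r["c-ip"]

        # Rule 1: the service description itself is fetched by a client we do not know.
        if stem.endswith(".wsdl") or query.lower().startswith("wsdl"):
            if client not in known_consumers:
                alerts.append(("wsdl-fetch-unknown-client", client, stem))

        # Rules 2 and 3: WebResource.axd URLs built by the framework always carry
        # d (encrypted resource id) and t (timestamp); hand-made ones often do not,
        # and a run of error responses from one client means someone is guessing.
        elif stem.endswith("/webresource.axd"):
            params = parse_qs(query)
            if "d" not in params or "t" not in params:
                alerts.append(("webresource-malformed-query", client, query))
            if r["sc-status"].startswith("4"):
                webresource_errors[client] += 1

    for client, n in webresource_errors.items():
        if n >= probe_threshold:
            alerts.append(("webresource-probing", client, "%d error responses" % n))
    return alerts


if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_LOG)
    for alert in detect_manifest_abuse(rows, known_consumers={"192.168.1.20"}):
        print(*alert)
```

Because the d value is opaque to anyone without the server's keys, the detection keys on the shape and volume of requests rather than their content; the known-consumer list is the baseline the text describes, and in practice it would be built from a period of observed, legitimate traffic rather than typed in.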
Inspiration for this article provided by:
• http://www.nikhilk.net/WebResourceAttribute.aspx
• http://blogs.msdn.com/jorman/archive/2006/01/23/debug-javascript-generated-by-webresource-axd.aspx
• http://www.w3.org/TR/wsdl20/
• http://www.auditmypc.com/acronym/WSDL.asp
• http://www.net-security.org/article.php?id=949&p=3
About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.