WebServicesPro
WSDL & WebResource.axd

By Dan Morrill
Expert Author
Article Date: 2007-03-13

Various WSDL (Web Services Description Language) documents exist on a web server.

The file is meant to describe what services are available and what inputs those services expect. .NET 2.0 assemblies use WebResource.axd as a means of providing a resource map for the web server, and as a way to determine which inputs are expected and which inputs the web server uses to bind to which resources.

Simply put, the file is handy for both the developer and the consumer of information on the web server, because it explicitly states the resources and how they bind to the various inputs and outputs of the system.

For the hacker, this file, if it is not secured, provides a road map to the entire back-end resource guide, much like a road map of how the whole system is put together.

MSDN Blogs sums up some of the mapping in the WebResource.axd file; a page references an embedded resource through a script tag whose src attribute carries the resource (d) and timestamp (t) parameters:

    src="http://blogs.msdn.com/myapp/WebResource.axd?d=oTrMXXyr9lkT4MbMovPbCw2&t=632681794331014707" type="text/javascript"


Making a direct call to one of these resources can prompt the server to send you the entire reference file involved.

W3.org describes the entire WSDL service as:
A WSDL 2.0 service description indicates how potential clients are intended to interact with the described service. It represents an assertion that the described service fully implements and conforms to what the WSDL 2.0 document describes. For example, as further explained in section 6.1.1 Mandatory extensions, if the WSDL 2.0 document specifies a particular optional extension, the functionality implied by that extension is only optional to the client. It must be supported by the Web service.

A WSDL 2.0 interface describes potential interaction with a service--not required interaction. The declaration of an operation in a WSDL 2.0 interface is not an assertion that the interaction described by the operation must occur. Rather it is an assertion that if such an interaction is (somehow) initiated, then the declared operation describes how that interaction is intended to occur. Source: w3.org

WSDL scanning, pulling the XML schema for the resources that the system expects, is both an asset and a liability for the web server. Ajax and Atlas can both use WSDL or similar concepts as a manifest for the entire web service in a web 2.0 application, and they should. However, the information that is given up is also of use to the hacker.

Depending on how the URL is processed, tools like URLScan, Bleeding Edge Snort rules, or even just monitoring and baselining how the WSDL manifest files are used will help security people understand how the file is normally used, and then work out suitable risk management and risk assessment techniques for people trying to access the file directly, or components within the file separately.

The file has to be available for the web service to function, but keeping tabs on this file and similar files is equally important to make sure they are not misused. Limiting access, watching use, and developing security parameters around the file will help minimize the problems that any system manifest in the web 2.0 world can cause. It is needed and necessary, and it should be monitored.
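As an added example (not from the article), the following Python script applies the monitoring and baselining idea above to constructed web server log lines: it flags WebResource.axd requests that lack the d/t parameters a page-generated reference carries or arrive without a referer, flags direct WSDL requests, and reports clients whose number of such requests exceeds a baseline. The combined log format, the addresses and paths, and the baseline threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; the d/t values mirror the
# MSDN example above, the addresses, paths and referers are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2007:10:00:01 +0000] "GET /myapp/WebResource.axd?d=oTrMXXyr9lkT4MbMovPbCw2&t=632681794331014707 HTTP/1.1" 200 5120 "http://example.test/myapp/Default.aspx" "Mozilla/4.0"
10.0.0.5 - - [13/Mar/2007:10:00:02 +0000] "GET /myapp/Default.aspx HTTP/1.1" 200 8000 "-" "Mozilla/4.0"
192.0.2.77 - - [13/Mar/2007:10:05:00 +0000] "GET /myapp/Service.asmx?WSDL HTTP/1.1" 200 4200 "-" "curl/7.15"
192.0.2.77 - - [13/Mar/2007:10:05:01 +0000] "GET /myapp/WebResource.axd HTTP/1.1" 500 300 "-" "curl/7.15"
192.0.2.77 - - [13/Mar/2007:10:05:02 +0000] "GET /myapp/WebResource.axd?d=AAAA HTTP/1.1" 404 300 "-" "curl/7.15"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')


def classify(url, referer):
    """Return the reasons a request for a manifest-style resource looks hand-made."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if parts.path.lower().endswith("/webresource.axd"):
        # A page-generated reference always carries both d (resource) and t (timestamp).
        if "d" not in query or "t" not in query:
            reasons.append("webresource.axd without d/t parameters")
        # A browser loading a page's script tag sends that page as the referer.
        if referer in ("", "-"):
            reasons.append("webresource.axd fetched without a referer")
    if any(k.lower() == "wsdl" for k in query):
        reasons.append("WSDL manifest requested")
    return reasons


def analyze(log_text, baseline_per_ip=1):
    """Group findings by client; clients above the baseline are flagged for review."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the run
        for reason in classify(m["url"], m["referer"]):
            findings[m["ip"]].append((m["ts"], m["url"], int(m["status"]), reason))
    flagged = {ip: hits for ip, hits in findings.items() if len(hits) > baseline_per_ip}
    return dict(findings), flagged
```

Tune baseline_per_ip from a period of known-good traffic before treating a flagged client as anything more than a review item.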

Inspiration for this article provided by:

http://www.nikhilk.net/WebResourceAttribute.aspx
http://blogs.msdn.com/jorman/archive/2006/01/23/debug-javascript-generated-by-webresource-axd.aspx
http://www.w3.org/TR/wsdl20/
http://www.auditmypc.com/acronym/WSDL.asp
http://www.net-security.org/article.php?id=949&p=3

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.




WebServicesPro is an iEntry, Inc. ® publication - 1998-2008 All Rights Reserved