Web service security - Threats and Countermeasures - Part 3 : Message Validation
Threats
- Message data may be malformed with malicious intent, for example to carry an injection payload into the service or the systems behind it
Vulnerabilities
- XML serialization validates some data types, because XML data from the message is deserialized into .NET data types (a field declared as an integer cannot arrive as arbitrary text) – but this does not protect against malicious content inside a string field being used for XML injection, SQL injection and similar attacks
- Client-side validation cannot be trusted by a service, since the client, and anything between the client and the service, can alter the message after validation has run
Countermeasures
- Assume that all input data is malicious until proven otherwise, and use message validation to protect against input attacks such as SQL injection, buffer overflows and other injection-style attacks. Validate the message structure (for example against an XML schema) and then the content of each field – length, range, format and allowed values – before the data reaches any downstream component
- See the Message Validation Design Pattern for a detailed analysis of validating web service messages
- See the implementation pattern for Message Validation for information on how to implement this pattern using Microsoft WSE 3.0
- We also have a quickstart for this pattern available on our GotDotNet workspace - see https://practices.gotdotnet.com/projects/sopatterns
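The following is an added example, not code from the original article or from WSE 3.0 / the quickstart, showing the two layers of validation the countermeasures describe in plain .NET: structural validation of an inbound message body against an XSD (with DTD processing disabled), followed by a parameterized query so that a string field that survived validation still cannot alter the SQL. The `urn:example:crm` namespace, the `GetCustomer` schema, the `Customers` table and the sample messages are all constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Added example: validate an inbound message structurally (XSD) before any
// field is used, then use a parameterized query for the database lookup.
public static class MessageValidator
{
    // Constructed schema for a hypothetical GetCustomer request. The xs:pattern
    // restricts the *content* of CustomerId, not just its type, so a string such
    // as "' OR 1=1 --" is rejected before it reaches application code.
    private const string Schema = @"<?xml version=""1.0""?>
<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema""
           targetNamespace=""urn:example:crm"" xmlns=""urn:example:crm""
           elementFormDefault=""qualified"">
  <xs:element name=""GetCustomer"">
    <xs:complexType>
      <xs:sequence>
        <xs:element name=""CustomerId"">
          <xs:simpleType>
            <xs:restriction base=""xs:string"">
              <xs:pattern value=""[A-Z]{3}-[0-9]{6}""/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>";

    // Step 1: structural validation. Any schema violation raises
    // XmlSchemaValidationException and the message is never processed.
    public static XmlDocument ParseAndValidate(string rawXml)
    {
        var settings = new XmlReaderSettings();
        settings.ValidationType = ValidationType.Schema;
        settings.Schemas.Add("urn:example:crm", XmlReader.Create(new StringReader(Schema)));
        // No DTD means no entity expansion or external entity tricks.
        // (On .NET 2.0, the WSE 3.0 era, the equivalent is settings.ProhibitDtd = true.)
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.XmlResolver = null; // never fetch external resources named in the message
        settings.ValidationEventHandler += (sender, e) =>
        {
            throw new XmlSchemaValidationException(e.Message);
        };

        var doc = new XmlDocument();
        using (var reader = XmlReader.Create(new StringReader(rawXml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Step 2: even a validated string is passed as a typed parameter, so the
    // query text is fixed and the value can never be interpreted as SQL.
    public static string LookupCustomerName(SqlConnection conn, string customerId)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Name FROM Customers WHERE CustomerId = @id";
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 10).Value = customerId;
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        // Constructed sample messages: one well-formed request, one carrying an
        // injection payload in a field that serializes to a .NET string.
        string good = "<GetCustomer xmlns=\"urn:example:crm\"><CustomerId>ABC-123456</CustomerId></GetCustomer>";
        string injected = "<GetCustomer xmlns=\"urn:example:crm\"><CustomerId>' OR 1=1 --</CustomerId></GetCustomer>";

        foreach (string msg in new[] { good, injected })
        {
            try
            {
                XmlDocument doc = ParseAndValidate(msg);
                string id = doc.DocumentElement["CustomerId"].InnerText;
                Console.WriteLine("accepted: " + id);
                // Only a validated id reaches LookupCustomerName(conn, id).
            }
            catch (XmlSchemaValidationException ex)
            {
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

The schema alone would not stop an injection string in a field typed as a free-form `xs:string`, which is exactly the gap noted under Vulnerabilities; the pattern restriction on `CustomerId` closes it at the validation layer, and the parameterized query makes sure that a field which legitimately has to accept wider input still cannot change the query.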