
Exposed web services

Need

Protection of sensitive information in WSDL files from unauthorized access

Context

  • Usage of C# for building robust and scalable applications
  • Usage of System for system-level operations and interactions
  • Usage of System.ServiceModel for building and consuming WCF (Windows Communication Foundation) services
  • Usage of System.ServiceModel.Description for describing and configuring WCF service endpoints

Description

Non compliant code

using System;
using System.ServiceModel;
using System.ServiceModel.Description;

public class SensitiveWebService
{
    public static void Main()
    {
        Uri baseAddress = new Uri("http://localhost:8000/ExposedService/");

        // ExposedService is the service implementation class (not shown on this page).
        using (ServiceHost host = new ServiceHost(typeof(ExposedService), baseAddress))
        {
            ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
            smb.HttpGetEnabled = true; // Non-compliant: metadata (WSDL) is served to any HTTP GET request
            smb.MetadataExporter.PolicyVersion = PolicyVersion.Policy15;
            host.Description.Behaviors.Add(smb);

            host.Open();

            Console.WriteLine("The service is ready at {0}", baseAddress);
            Console.WriteLine("Press <Enter> to stop the service.");
            Console.ReadLine();
        }
    }
}

The above code is a simple web service in C# using the Windows Communication Foundation (WCF). The service is hosted at http://localhost:8000/ExposedService/. The ServiceMetadataBehavior object smb enables metadata retrieval over HTTP GET (HttpGetEnabled = true) and sets the policy version.

The vulnerability here is that the service metadata, including the Web Services Description Language (WSDL) document, is exposed to HTTP GET requests. This means that anyone who can access the service URL can also access the service metadata, potentially revealing sensitive information about the service, such as the methods it exposes, the data types it uses, and any custom behaviors it implements.

This is a clear violation of the principle of least privilege, which states that a user or a service should have only the minimum privileges necessary to perform its function. In this case, the service gives away more information than necessary to users who may not need it and who may even misuse it.

To fix this vulnerability, the service should restrict access to its metadata to only those users or services that actually need it. This could be done, for example, by requiring authentication to access the metadata, or by disabling HTTP GET requests for the metadata entirely.

Steps

  • Remove the unnecessary exposure of the WSDL file.
  • Disable the HTTP GET endpoint for retrieving the WSDL file.
  • Restrict access to the WSDL file to only authorized users or systems.
  • Consider using authentication and authorization mechanisms to control access to the WSDL file.
  • Regularly review and update the security configurations of the web service.

Compliant code

using System;
using System.ServiceModel;
using System.ServiceModel.Description;

public class SensitiveWebService
{
    public static void Main()
    {
        Uri baseAddress = new Uri("http://localhost:8000/ExposedService/");

        // ExposedService is the service implementation class (not shown on this page).
        using (ServiceHost host = new ServiceHost(typeof(ExposedService), baseAddress))
        {
            ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
            smb.HttpGetEnabled = false; // Disable HTTP GET for WSDL
            smb.MetadataExporter.PolicyVersion = PolicyVersion.Policy15;
            host.Description.Behaviors.Add(smb);

            host.Authorization.ServiceAuthorizationManager = new CustomAuthorizationManager(); // Add custom authorization

            host.Open();

            Console.WriteLine("The service is ready at {0}", baseAddress);
            Console.WriteLine("Press <Enter> to stop the service.");
            Console.ReadLine();
        }
    }
}

public class CustomAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Implement your custom authorization logic here.
        // As written, this only defers to the base implementation and adds no check of its own.
        return base.CheckAccessCore(operationContext);
    }
}

The updated code includes several changes to address the vulnerability of the exposed WSDL file.

Firstly, the HttpGetEnabled property of the ServiceMetadataBehavior object is set to false. This disables the HTTP GET endpoint for retrieving the WSDL file, preventing unauthorized access.

Secondly, a custom ServiceAuthorizationManager is added to the ServiceHost object. This allows for the implementation of custom authorization logic to control access to the WSDL file. The CheckAccessCore override in the CustomAuthorizationManager class is where the desired authorization mechanism should be implemented; as shown, it only calls the base implementation.

These changes ensure that the WSDL file is not unnecessarily exposed and that access is restricted to only authorized users or systems. Regular reviews and updates of the security configurations of the web service are also recommended to maintain the security of the system.
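
One way to back the recommended configuration reviews with a check at startup, as an added example that is not part of the original page: the hypothetical helper MetadataExposureAudit inspects a ServiceHost before Open() and reports every way it would publish metadata. It goes beyond the HTTP GET case above by also flagging HTTPS GET and WS-MetadataExchange endpoints, which expose the same WSDL.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (hypothetical helper, not from the original page).
public static class MetadataExposureAudit
{
    // Returns one finding per way the host would publish its WSDL/metadata.
    public static IList<string> Inspect(ServiceHostBase host)
    {
        var findings = new List<string>();

        // Find<T>() returns null when the behavior has not been added.
        ServiceMetadataBehavior smb =
            host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (smb != null)
        {
            if (smb.HttpGetEnabled)
                findings.Add("HttpGetEnabled is true (metadata served over HTTP GET)");
            if (smb.HttpsGetEnabled)
                findings.Add("HttpsGetEnabled is true (metadata served over HTTPS GET)");
        }

        // A WS-MetadataExchange endpoint publishes the same metadata
        // even when both GET switches are off.
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
        {
            if (endpoint.Contract.ContractType == typeof(IMetadataExchange))
                findings.Add("Metadata exchange endpoint at " + endpoint.Address.Uri);
        }

        return findings;
    }

    // Call just before host.Open(); refuses to start a configuration
    // that would expose metadata.
    public static void EnsureNotExposed(ServiceHostBase host)
    {
        IList<string> findings = Inspect(host);
        if (findings.Count > 0)
            throw new InvalidOperationException(
                "Service metadata is exposed: " + string.Join("; ", findings));
    }
}
```

Calling MetadataExposureAudit.EnsureNotExposed(host) immediately before host.Open() in Main makes the non-compliant configuration fail at startup instead of silently publishing the WSDL.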
