Net after attacker submits malicious content.
Chapter 5: .Net Security 133
When attacking .Net applications, the attacker will look for references to ASMX files
on the web server. These references are more common in Web 2.0 applications that are
exposing AJAX web service methods. If the attacker identifies a reference to an ASMX
file, she is often able to retrieve information about the web service by making a request
of the form http://
/webservice.asmx?WSDL or referencing the ASMX page
directly. If documentation for the web service is enabled, which is the default setting,
then ASP.Net will gladly return a Web Services Description Language (WSDL) file
containing a complete description of the web service, including the methods available
and the types of the parameters that the web service expects. This is gold for attackers.
Web service interfaces are commonly not as well protected as web interfaces, either
because their interface is not as well understood or because developers do not assume
that the web service interface will be attacked directly.
If the web service methods use only .Net simple types, then ASP.Net will provide a
sample request form that allows users to call the methods directly from the web browser.
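To check whether an application still serves the WSDL and help page described above, the following added example (not code from the book) audits a web.config for the ASMX protocol settings. The default protocol set, the function names, and the sample configs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: protocols inherited from machine-level config on .NET 2.0+.
# The page itself only states that Documentation is on by default.
DEFAULT_PROTOCOLS = {"HttpSoap", "HttpSoap12", "HttpPostLocalhost", "Documentation"}

def effective_protocols(web_config_xml):
    """Replay <clear/>, <add>, <remove> under webServices/protocols in order."""
    enabled = set(DEFAULT_PROTOCOLS)
    root = ET.fromstring(web_config_xml)  # root-level <system.web> only
    for protocols in root.findall("system.web/webServices/protocols"):
        for node in protocols:
            name = node.get("name")
            if node.tag == "clear":
                enabled.clear()
            elif node.tag == "add" and name:
                enabled.add(name)
            elif node.tag == "remove" and name:
                enabled.discard(name)
    return enabled

def audit(web_config_xml):
    """Return findings for settings that expose the service description."""
    enabled = effective_protocols(web_config_xml)
    findings = []
    if "Documentation" in enabled:
        findings.append("Documentation: ?WSDL and the ASMX help page are served")
    for proto in ("HttpGet", "HttpPost"):
        if proto in enabled:
            findings.append(proto + ": methods callable remotely without SOAP")
    return findings

# Constructed sample inputs, not taken from any real application.
UNCHANGED = "<configuration><system.web/></configuration>"
EXPOSED = """<configuration><system.web><webServices><protocols>
  <add name="HttpGet"/><add name="HttpPost"/>
</protocols></webServices></system.web></configuration>"""
HARDENED = """<configuration><system.web><webServices><protocols>
  <remove name="Documentation"/>
</protocols></webServices></system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("unchanged", UNCHANGED), ("exposed", EXPOSED),
                       ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

A config that never mentions `webServices` is reported as exposed, because the Documentation protocol is inherited unless it is explicitly removed.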