This saves the attacker from having to write complex attack tools. Figure 5-2 shows the
documentation page for a simple web service method that echoes the echoString
parameter back to the user.
Figure 5-2 Documentation page for a simple web service method
Disable Web Service Documentation Generation
To prevent automatic disclosure of documentation information about your web service,
you can edit the web service's Web.Config file. When documentation is disabled, attackers
will no longer be able to download a WSDL describing your web service, nor
will they be able to use the automatically generated ASP.NET service interface. To do this,
add the following to the System.Web portion of the web service's Web.Config:
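The fragment below is an added example, not reproduced from the book: it uses the standard ASP.NET `webServices`/`protocols` configuration section to remove the `Documentation` protocol, which is enabled by default through the inherited machine-level configuration. The surrounding `configuration` wrapper is shown only for placement.

```xml
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Default (inherited) state: the Documentation protocol is enabled,
             so the .asmx help page and the ?WSDL response are served. -->
        <!-- Hardened state: remove it. SOAP handling is untouched, so callers
             who already hold the WSDL can still invoke the methods. -->
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

After the change, a browser request for the service's .asmx page or its `?WSDL` query should no longer return the help page or the service description.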
Note that disabling documentation requires that you manually distribute a WSDL
file or web service description to any user who wishes to call your web service. If attackers
can guess which methods are available on your service, they will still be able to make
requests. So, hiding documentation should be considered an obfuscation mechanism and
not a significant hurdle to a determined attacker.