3

I was recently asked by a security team if it was possible to change the message returned from deserialization issues within a WCF service. The error in question was when they intercepted the message and passed an integer that was outside the bounds of Int32.

The value '2147483649' cannot be parsed as the type 'Int32'.

My answer was that the deserialization process occurs before a single line of my service is executed and that it is not possible. However, is it possible to achieve this goal?

Community
  • 1
  • 1
Tom Fobear
  • 6,729
  • 7
  • 42
  • 74

1 Answers1

5

It sounds like you have includeExceptionDetailInFaults="true". True is the default value that should be set to false before you do a production deploy. Once this is false you will get a generic error message. That should be enough to make security happy.

An even better option is to implement an IErrorHandler. That's the extension point that allow you to handle the exception, even though it happens before execution reaches your service code.

ErnieL
  • 5,773
  • 1
  • 23
  • 27