
I have a WCF service coded using Visual Studio and C# that contains one method:

using System.ServiceModel;

// The interface needs [ServiceContract] for WCF to expose SendData as an operation.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    SendDataResponse SendData(SendDataRequest Request);
}

The data contract for this method includes:

using System;
using System.Runtime.Serialization;

[DataContract]
public class SendDataRequest
{
    [DataMember]
    public int ID { get; set; }
    [DataMember]
    public String Name { get; set; }
}

[DataContract]
public class SendDataResponse
{
    [DataMember]
    public int Code { get; set; }
    [DataMember]
    public String Message { get; set; }
}

The binding for this service is a custom binding with these options:

<binding name="CustomSoapBinding">
    <security includeTimestamp="false"
              authenticationMode="UserNameOverTransport"
              defaultAlgorithmSuite="Basic256Sha256"
              keyEntropyMode="ServerEntropy"
              messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
              requireDerivedKeys="true"
              requireSignatureConfirmation="true"
              messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
    </security>
    <textMessageEncoding messageVersion="Soap11">
        <readerQuotas maxDepth="32" maxStringContentLength="5242880" maxArrayLength="2147483646" maxBytesPerRead="4096" maxNameTableCharCount="5242880"/>
    </textMessageEncoding>
    <httpsTransport maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000" />
</binding>

I can test using SoapUI without any problem. The SOAP message is:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tah="http://schemas.datacontract.org/2004/07/Tahseel.LoaderWcfService" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <tem:SendData>
         <tem:Request>
            <tah:ID>123</tah:ID>
            <tah:Name>Test</tah:Name>
         </tem:Request>
      </tem:SendData>
   </soapenv:Body>
</soapenv:Envelope>

Now the problem: when the untrusted SOAP message received via the endpoint contains any vulnerable text, the service will receive it and start deserializing it before validating it, which may cause a security attack on the system.

How to prevent deserializing untrusted user input?

MHassan
  • You can [use username client-side message security](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-user-name-client), and the client authenticates with a username and password.([Security Considerations for Data](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/security-considerations-for-data)) – Lan Huang Jun 01 '22 at 02:41
  • https://security.stackexchange.com/questions/13490/is-it-safe-to-binary-deserialize-user-provided-data and https://stackoverflow.com/a/54993936/17218587 – Lan Huang Jun 01 '22 at 02:44
  • @LanHuang username over message is there and valid, but the task is the built-in deserialization before validating the SOAP signature and making sure that it is safe and contains no vulnerability – MHassan Jun 01 '22 at 09:24
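
One way to check the body before WCF deserializes it, as an added example that is not part of the question or the comments: a WCF message inspector (IDispatchMessageInspector) whose AfterReceiveRequest runs after the channel stack has processed the message, so after the UserNameOverTransport security binding element has done its work, but before the DispatchOperation formatter turns the body into a SendDataRequest. It validates the SOAP body against an XML schema and rejects anything that is not exactly a SendData/Request with an int ID and a bounded Name. The two schema strings, the 100-character cap on Name, and the class name SendDataSchemaValidator are assumptions of mine, written to match the namespaces in the SoapUI message above. Note that DataContractSerializer only ever materializes the declared contract types, and the readerQuotas in the binding already bound depth and size; what this inspector adds is a content check on the XML itself, so that input that would fail the contract never reaches the operation.

```csharp
using System;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;
using System.Xml.Schema;

// Added example (not the asker's code): validates the SendData body against a
// schema before WCF deserializes it into SendDataRequest.
public class SendDataSchemaValidator : IDispatchMessageInspector, IEndpointBehavior
{
    private const string ContractNs = "http://schemas.datacontract.org/2004/07/Tahseel.LoaderWcfService";
    private const string ServiceNs = "http://tempuri.org/";

    // Assumed schema for the data-contract namespace: exactly ID and Name, nothing else.
    private static readonly string ContractSchema =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='" + ContractNs +
        "' elementFormDefault='qualified'>" +
        "  <xs:complexType name='SendDataRequest'><xs:sequence>" +
        "    <xs:element name='ID' type='xs:int'/>" +
        "    <xs:element name='Name'><xs:simpleType><xs:restriction base='xs:string'>" +
        "      <xs:maxLength value='100'/></xs:restriction></xs:simpleType></xs:element>" +
        "  </xs:sequence></xs:complexType>" +
        "</xs:schema>";

    // Assumed schema for the operation wrapper <tem:SendData><tem:Request>...</tem:Request></tem:SendData>.
    private static readonly string ServiceSchema =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:tah='" + ContractNs +
        "' targetNamespace='" + ServiceNs + "' elementFormDefault='qualified'>" +
        "  <xs:import namespace='" + ContractNs + "'/>" +
        "  <xs:element name='SendData'><xs:complexType><xs:sequence>" +
        "    <xs:element name='Request' type='tah:SendDataRequest'/>" +
        "  </xs:sequence></xs:complexType></xs:element>" +
        "</xs:schema>";

    private readonly XmlSchemaSet _schemas = new XmlSchemaSet();

    public SendDataSchemaValidator()
    {
        // Both schemas go into one set so the xs:import resolves at Compile() time.
        _schemas.Add(XmlSchema.Read(new StringReader(ContractSchema), null));
        _schemas.Add(XmlSchema.Read(new StringReader(ServiceSchema), null));
        _schemas.Compile();
    }

    // Called after the channel stack (including the security binding element) has
    // accepted the message, but before the operation's parameters are deserialized.
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // A Message body can be read only once: buffer it, validate one copy and
        // hand an untouched copy on to the operation.
        MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue);
        request = buffer.CreateMessage();

        var settings = new XmlReaderSettings
        {
            ValidationType = ValidationType.Schema,
            // Report warnings too: an element in a namespace the set knows nothing
            // about is only a warning, and we want that rejected as well.
            ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings,
            Schemas = _schemas,
            DtdProcessing = DtdProcessing.Prohibit
        };
        settings.ValidationEventHandler += (sender, e) =>
        {
            // Any error or warning becomes a SOAP fault; the operation never sees the payload.
            throw new FaultException("Request body failed schema validation: " + e.Message);
        };

        using (Message copy = buffer.CreateMessage())
        using (XmlReader body = copy.GetReaderAtBodyContents().ReadSubtree())
        using (XmlReader validating = XmlReader.Create(body, settings))
        {
            while (validating.Read()) { } // walking the subtree drives the validation
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // IEndpointBehavior: register this inspector on the endpoint's dispatch runtime.
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(this);
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }

    // Attach to every endpoint of the host before host.Open().
    public static void Attach(ServiceHost host)
    {
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
            endpoint.Behaviors.Add(new SendDataSchemaValidator());
    }
}
```

Call SendDataSchemaValidator.Attach(host) before opening the ServiceHost (or register the behavior through a BehaviorExtensionElement in configuration). With the SoapUI message above the validation passes and SendData runs as before; a body with an extra element, a non-integer ID, or a Name over 100 characters is answered with a fault and never reaches DataContractSerializer or the operation.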

0 Answers