0

I am architecting a project which uses jQuery to communicate with a single web service hosted inside sharepoint (this point is possibly moot but I include it for background, and to emphasize that session state is not good in a multiple front end environment).

The web services are ASP.Net ASMX services which return a JSON model, which is then mapped to the UI using Knockout. To save the form, the converse is true - JSON model is sent back to the service and persisted.

The client has unveiled a requirement for confidentiality of the data being sent to and from the server:

  1. There is data which should only be sent from the client to the server.
  2. There is data which should only appear in specific views (solvable using ViewModels so not too concerned about this one)
  3. The data should be immune from classic playback attacks.

Short of building proprietary security, what is the best way to secure the web service, and are there any other libraries I should be looking at to assist me - either in JavaScript, or .Net

Darbio
  • 11,286
  • 12
  • 60
  • 100

1 Answers1

1

I'll post this as an answer...for the possibility of points :)...but I don't know that you could easily say there is a "right way" to do this.

The communications sent to the service should of course be https. That limits the man-in-the-middle attack. I always check to see that the sending client's IP is the same as the IP address in the host header. That can be spoofed, but it makes it a bit more annoying :). Also, I timestamp all of my JSON before send on the client, then make sure it's within X seconds on the server. That helps to prevent playback attacks.

Obviously JavaScript is insecure, and you always need to keep that in mind.

Hopefully that gives you a tiny bit of insight. I'm writing a blog post about this pattern I've been using. It could be helpful for you, but it's not done :(. I'll post a link sometime tonight or tomorrow.

farina
  • 3,486
  • 6
  • 32
  • 44