0

A web server is running an ASP.NET web service. To use the web service you must go to http://example.com/UtilServerComp/getCashNow7899.asmx

By adding ?WSDL it is possible to get the service description.

I assume that without knowledge of the URL and exact name of the .asmx this page will not be found or am I wrong? Crawling the web site will not work since you have to guess the name getCashNow7899 as well as UtilServerComp and that is not very likely...

AstroCB

2 Answers

3

It is rather unlikely that someone will find out your service without knowing the name. Also remember that you can switch off the documentation protocol:

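<!-- web.config: disables the auto-generated help page and ?WSDL output -->
<system.web>
   <webServices>
      <protocols>
         <remove name="Documentation"/>
      </protocols>
   </webServices>
</system.web>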

However, if you deploy any application that uses the service, the client could use an HTTP debugger to sniff the traffic and learn the exact address and the exposed interface.

Wiktor Zychla
  • @user1298720 It's basic, but deserves mentioning, to also ensure you have Directory Browsing disabled on the IIS host. – Mike Guthrie Mar 28 '12 at 17:11
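
The two settings mentioned in this answer and its comment (removing the Documentation protocol and disabling directory browsing) can both be checked in a site's web.config. The script below is an added example, not part of the original answer or comment; the sample configs and finding codes are constructed, the `directoryBrowse` element is the IIS 7+ setting, and it assumes the Documentation protocol is enabled unless the file removes it.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not taken from the page).
HARDENED = """<configuration>
  <system.web><webServices><protocols>
    <remove name="Documentation"/>
  </protocols></webServices></system.web>
  <system.webServer><directoryBrowse enabled="false"/></system.webServer>
</configuration>"""

EXPOSED = """<configuration>
  <system.web><webServices><protocols>
    <add name="HttpGet"/>
  </protocols></webServices></system.web>
  <system.webServer><directoryBrowse enabled="true"/></system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return finding codes for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = []

    # Assumption: "Documentation" is inherited as enabled from machine-level
    # config unless this file removes it. Children apply in document order.
    documentation = True
    protocols = root.find("system.web/webServices/protocols")
    for child in (protocols if protocols is not None else []):
        is_doc = child.get("name", "").lower() == "documentation"
        if child.tag == "clear" or (child.tag == "remove" and is_doc):
            documentation = False
        elif child.tag == "add" and is_doc:
            documentation = True
    if documentation:
        findings.append("DOCUMENTATION_ENABLED")  # help page and ?WSDL served

    # Directory listing setting for IIS 7+; absent means inherited from parent.
    browse = root.find("system.webServer/directoryBrowse")
    if browse is None:
        findings.append("DIRECTORY_BROWSE_INHERITED")
    elif browse.get("enabled", "false").lower() == "true":
        findings.append("DIRECTORY_BROWSE_ENABLED")
    return findings


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(label, audit_web_config(doc) or "no findings")
```

A `DIRECTORY_BROWSE_INHERITED` result means this file does not set the value, so the effective setting has to be checked in the parent IIS configuration.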
0

Why it's a bad idea to rely simply on having a service hidden.

Jordan