
WCF Vulnerability Testing

This article explains vulnerability testing of a WCF service.

The previous articles explained the development of WCF services and the related concepts.

Now we need to check that what has been developed is correct from a testing perspective. As developers we always focus on developing the web service; QA performs functional testing, and the service is deployed to production after QA sign-off.

While testing the web service, the following tests have to be performed and passed before release. These are the core tests for finding vulnerabilities in a web service deployment.

The Open Web Application Security Project (OWASP) provides guidelines for testing vulnerabilities in web application development.

| Ref. Number | Test Name | Vulnerability |
|---|---|---|
| OWASP-WS-001 | WS Information Gathering | Information Disclosure - Unnecessary to expose the WSDL |
| OWASP-WS-002 | Testing WSDL | Information Disclosure |
| OWASP-WS-003 | XML Structural Testing | Weak XML Structure or improper XML node |
| OWASP-WS-004 | XML content-level Testing | XML content-level - SQL injection/XPath injection, buffer overflow, command injection |
| OWASP-WS-005 | HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST - SQL injection |
| OWASP-WS-006 | Naughty SOAP attachments | WS Naughty SOAP attachments - malware as an attachment |
| OWASP-WS-007 | Replay Testing | WS Replay Testing |

Tips!

  • Always create the service in Interface -> Implementation form, and declare the contract on the interface.
  • Define the service in a class library and reference that class library from the host project. Don't put the service class in the host project.
  • Change the instance mode to per call as the default.
  • Always catch exceptions with a try/catch block and throw them using FaultException<T>.
  • Logging and including exception details should be enabled when compiling the project in debug mode. In a production deployment, disable logging and the inclusion of exception details.
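
The tips above applied in one service, as an added C# example that is not code from the original article: the contract sits on the interface, the implementation is per call, and unexpected exceptions are logged server-side and returned as a FaultException<T> that carries only a code and a correlation id, so no exception detail reaches the client. IOrderService, OrderService, OrderFault and LookupTotal are hypothetical names chosen for the example.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.Serialization;
using System.ServiceModel;

// Hypothetical fault detail: only what a caller needs, no stack trace or type names.
[DataContract]
public class OrderFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string CorrelationId { get; set; }
}

[ServiceContract] // contract is declared on the interface, in a class library project
public interface IOrderService
{
    [OperationContract, FaultContract(typeof(OrderFault))]
    decimal GetOrderTotal(int orderId);
}

// Per-call instancing; exception details are never serialized into faults.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall, IncludeExceptionDetailInFaults = false)]
public class OrderService : IOrderService
{
    public decimal GetOrderTotal(int orderId)
    {
        try
        {
            if (orderId <= 0) throw Fault("InvalidOrderId", "Order id must be positive.");
            return LookupTotal(orderId);
        }
        catch (FaultException) { throw; } // already a sanitized fault, pass it through
        catch (Exception ex)
        {
            // Full detail stays in the server log; the client only gets an id to quote.
            string id = Guid.NewGuid().ToString("N");
            Trace.TraceError("GetOrderTotal failed [{0}]: {1}", id, ex);
            throw Fault("InternalError", "The request could not be processed.", id);
        }
    }

    private static FaultException<OrderFault> Fault(string code, string reason, string id = null)
    {
        return new FaultException<OrderFault>(
            new OrderFault { Code = code, CorrelationId = id }, new FaultReason(reason));
    }
    // Stand-in for real data access (constructed for this example).
    private static decimal LookupTotal(int orderId) { return orderId * 9.99m; }
}
```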