WCF Vulnerability Testing
This article explains how to test a WCF service for vulnerabilities.
The previous articles covered the development of WCF services and their concepts. Now we need to check, from a testing perspective, whether what was developed is right. As developers we focus on building the service; QA performs functional testing, and the service goes to production after QA sign-off.
The following tests have to be performed and passed before release. They are the core tests for finding vulnerabilities in a web service deployment.
The Open Web Application Security Project (OWASP) provides guidelines for testing web applications and web services for vulnerabilities. The table below lists the web service tests from the OWASP Testing Guide (the OWASP-WS-00x references are the guide's own identifiers).
| Ref. Number | Test Name | Vulnerability |
| --- | --- | --- |
| OWASP-WS-001 | WS Information Gathering | Information disclosure: unnecessary exposure of the WSDL |
| OWASP-WS-002 | Testing WSDL | Information disclosure |
| OWASP-WS-003 | XML Structural Testing | Weak XML structure or improper XML nodes |
| OWASP-WS-004 | XML Content-level Testing | XML content-level: SQL injection, XPath injection, buffer overflow, command injection |
| OWASP-WS-005 | HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST: SQL injection |
| OWASP-WS-006 | Naughty SOAP Attachments | WS naughty SOAP attachments: malware as an attachment |
| OWASP-WS-007 | Replay Testing | WS replay testing |
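The following host configuration is an added example and is not code from the original article or from any project it describes. It shows how a WCF host can be set up so that the first three rows and the last row of the table fail for an attacker: the WSDL is not published (WS-001/WS-002), the XML reader is bounded by reader quotas and a message size limit (WS-003), and WS-Security replay detection is enabled on the message security element (WS-007). It also includes the check a tester would run for WS-001, a GET of `?wsdl` against the base address. The contract `IEchoService`, the class `EchoService`, the helper class `HardenedHost`, the address `http://localhost:8080/EchoService` and the specific quota values are assumptions for the example; the binding, behavior and quota properties used are standard WCF APIs.

```csharp
using System;
using System.IO;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Hypothetical contract and implementation; the article does not define one.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) { return text; }
}

public static class HardenedHost
{
    // WS-003 (XML structure) and WS-007 (replay): bound the XML the reader will
    // accept and turn on replay detection on the message security element.
    public static Binding BuildBinding()
    {
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.MaxReceivedMessageSize = 64 * 1024;        // reject oversized envelopes early
        ws.ReaderQuotas.MaxDepth = 32;                // caps deeply nested element attacks
        ws.ReaderQuotas.MaxStringContentLength = 8192;
        ws.ReaderQuotas.MaxArrayLength = 16384;
        ws.ReaderQuotas.MaxBytesPerRead = 4096;
        ws.ReaderQuotas.MaxNameTableCharCount = 16384;

        // Replay detection lives on the security binding element, so drop down to a CustomBinding.
        var elements = ws.CreateBindingElements();
        var security = elements.Find<SecurityBindingElement>();
        security.LocalServiceSettings.DetectReplays = true;
        security.LocalServiceSettings.ReplayWindow = TimeSpan.FromMinutes(5);
        security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(1);
        return new CustomBinding(elements);
    }

    // WS-001/WS-002: never publish the WSDL from a production host.
    public static ServiceHost Open(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(EchoService), baseAddress);
        host.AddServiceEndpoint(typeof(IEchoService), BuildBinding(), "echo");

        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata == null)
        {
            metadata = new ServiceMetadataBehavior();
            host.Description.Behaviors.Add(metadata);
        }
        metadata.HttpGetEnabled = false;   // no ?wsdl over HTTP
        metadata.HttpsGetEnabled = false;  // nor over HTTPS
        host.Open();
        return host;
    }

    // Tester's check for WS-001: does GET ?wsdl against the base address return a WSDL document?
    public static bool WsdlExposed(Uri baseAddress)
    {
        var request = (HttpWebRequest)WebRequest.Create(new Uri(baseAddress, "?wsdl"));
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd().Contains("wsdl:definitions");
        }
        catch (WebException)
        {
            return false;  // 4xx/5xx: nothing served
        }
    }

    public static void Main()
    {
        var baseAddress = new Uri("http://localhost:8080/EchoService");  // assumed address
        using (var host = Open(baseAddress))
        {
            Console.WriteLine("WSDL exposed: {0}", WsdlExposed(baseAddress));
            Console.WriteLine("Host running; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Run it as a console host; with metadata publishing disabled the `WsdlExposed` check should report false, and the same check run against the production endpoint is the actual WS-001 test. Two caveats a practitioner will hit: self-hosting on an HTTP port needs a URL ACL reservation (or an elevated prompt), and `SecurityMode.Message` with the default Windows credential requires that the caller can authenticate to the host, so the replay settings are only exercised when message security is actually negotiated.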
Tips!
- Always create the service in Interface -> Implementation form, and put the service contract on the interface.
- Define the service in a class library and reference that class library from the host project. Don't put the service class in the host project itself.
- Use the per-call instance mode (InstanceContextMode.PerCall) as the default, so no state is shared between callers.
- Always catch exceptions with a try/catch block and report them to the client as FaultException<T>, so that raw exception text never reaches the caller.
- Logging and IncludeExceptionDetailInFaults should be enabled only when compiling the project in debug mode. For the production deployment disable logging and exception details; otherwise stack traces and internal type names are returned in SOAP faults (the information disclosure covered by OWASP-WS-002).
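The tips above as working code, added here as an example and not taken from the original article or any project it describes: the contract on an interface, a PerCall service, a typed fault sent to the client while the full exception goes only to the server log, and exception detail switched on only in Debug builds. The contract `IOrderService`, the classes `OrderService`, `ServiceFault`, `BuildSettings` and `OrderClient`, and the in-memory order table are assumptions for the example; `FaultException<T>`, `FaultContract`, `ServiceBehavior` and `InstanceContextMode.PerCall` are standard WCF types.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.Serialization;
using System.ServiceModel;

// Build-time switch: exception detail only in Debug builds (tip 5).
internal static class BuildSettings
{
#if DEBUG
    public const bool IncludeExceptionDetail = true;
#else
    public const bool IncludeExceptionDetail = false;
#endif
}

// Typed fault sent to callers instead of raw exception text (tip 4).
[DataContract]
public class ServiceFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

// Contract lives on the interface (tip 1); in a real solution this and the
// implementation sit in a class library that the host project references (tip 2).
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    [FaultContract(typeof(ServiceFault))]
    decimal GetOrderTotal(int orderId);
}

// PerCall: a fresh instance per request, so no state survives between callers (tip 3).
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 IncludeExceptionDetailInFaults = BuildSettings.IncludeExceptionDetail)]
public class OrderService : IOrderService
{
    public decimal GetOrderTotal(int orderId)
    {
        try
        {
            if (orderId <= 0)
                throw new ArgumentOutOfRangeException("orderId");
            return LookupTotal(orderId);
        }
        catch (ArgumentOutOfRangeException)
        {
            // Caller error: return a code the client can act on, nothing about internals.
            throw new FaultException<ServiceFault>(
                new ServiceFault { Code = "InvalidOrder", Message = "orderId must be positive." },
                new FaultReason("Invalid order id"));
        }
        catch (Exception ex)
        {
            // Server error: full detail goes to the server-side log only; the client gets a generic code.
            Trace.TraceError("GetOrderTotal({0}) failed: {1}", orderId, ex);
            throw new FaultException<ServiceFault>(
                new ServiceFault { Code = "InternalError", Message = "The request could not be processed." },
                new FaultReason("Internal error"));
        }
    }

    // Hypothetical data access: a constructed in-memory table stands in for the database.
    private static decimal LookupTotal(int orderId)
    {
        var totals = new Dictionary<int, decimal> { { 1, 19.99m }, { 2, 250.00m } };
        return totals[orderId];  // unknown ids throw KeyNotFoundException, handled by the generic catch
    }
}

// Client side: the typed fault is the only failure shape the caller has to handle.
public static class OrderClient
{
    public static string DescribeTotal(IOrderService proxy, int orderId)
    {
        try
        {
            return proxy.GetOrderTotal(orderId).ToString("F2");
        }
        catch (FaultException<ServiceFault> f)
        {
            return "fault " + f.Detail.Code + ": " + f.Detail.Message;
        }
    }
}
```

Because `ServiceFault` is a data contract declared in a `FaultContract`, the SOAP fault detail is schema-controlled and contains exactly the two fields shown. If `IncludeExceptionDetailInFaults` were left true in a Release build, any exception that escaped the try/catch would instead be serialized as `FaultException<ExceptionDetail>` with the stack trace and exception type, which is the disclosure the last tip warns about.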