How to protect an ASMX public page that sends sensitive data to my database

I have a website under development with several web services (ASMX) that send important data to my database. When I go to the ASMX file in my browser, I can fill out the form with the parameters and send it to the database. If someone finds the URL of my WS, he can greatly change my database. I want people to not be able to publish on WS. So far I have been thinking about two things that might help, but I would like to know if there are other ways:

  • Check if the HTTP-Referrer is the WS method of the domain where WS is located
  • Add an additional Key parameter to all important WS methods and this will be an encrypted "password". Then encrypt my saved password on the WS side and compare if the keys match.

If there are any other recommendations or methods that I can use to protect my WS, please share!

+4
3 answers

The easiest way is to simply disable this test page. You can do this by adding the following to your web.config of your web service:

    <!-- goes inside <system.web> -->
    <webServices>
      <protocols>
        <remove name="HttpGet"/>
        <remove name="HttpPost"/>
        <remove name="HttpPostLocalhost"/>
      </protocols>
    </webServices>

There's also a decent article on other ways to protect your web service, including adding authentication to the soap header.

+1
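Authentication in the SOAP header, which the answer above mentions, could look like the following in an ASMX code-behind. This is an added example, not code from the answer or the article it refers to; the names AuthHeader, OrderService, SaveOrder and the appSettings key ServiceApiKey are assumptions.

```csharp
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical header type, carried in <soap:Header> of each request.
public class AuthHeader : SoapHeader
{
    public string ApiKey;
}

[WebService(Namespace = "http://example.invalid/orders")] // placeholder namespace
public class OrderService : WebService
{
    // ASMX fills this field from the request's SOAP header before the method runs.
    // It stays null when the request carried no such header.
    public AuthHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public string SaveOrder(int orderId, string status)
    {
        RequireValidKey(); // reject the call before any database work happens
        // The real database write (with parameterized commands) belongs here.
        return string.Format("Order {0} set to {1}", orderId, status);
    }

    private void RequireValidKey()
    {
        // Assumed appSettings key; keep the value out of source control.
        string expected = ConfigurationManager.AppSettings["ServiceApiKey"];
        string supplied = Credentials == null ? null : Credentials.ApiKey;

        if (string.IsNullOrEmpty(expected) || supplied == null ||
            !FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(supplied)))
        {
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
        }
    }

    // Compares every byte instead of returning at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The key in the header is sent in cleartext unless the service is reachable only over HTTPS.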

Some of them may be useful for you:

Also note that the test web page (which shows textboxes examples) should only be accessible from the local machine; if it is viewable from other computers, there is probably a configuration problem.

+6

If the referrer is in the same domain, then an easy way would be to set a cookie on the link page and then check for the presence of a cookie in ASMX (plus any other checks you want to implement). Please note that the domain must be the same, otherwise this method will not work.

+1
