Velocity Reviews - Computer Hardware Reviews

WSDL and SQL Injection Attacks

 
 
steve813
 
      11-29-2006
Hello everyone,

I am working on a web service which has to go through a security
review. My problem is the default Web Service Helper Page (the one
generated by Visual Studio) does not guard against SQL Injection
attacks. They added parameters to the URL like:

https://server.company.com/Services/...ce.asmx?WSDL=\'
https://server.company.com/Services/...ice.asmx?WSDL='
https://server.company.com/Services/...ce.asmx?WSDL=;

All of these modifications to the URL result in a page error with no
handling which results in a poor coding error on the page generated by
Visual Studio.

So, I implemented wsdlHelpGenerator to give a generic page but the
security folks now say there's no code... Ahhhhh!!! How can I
update the default Web Service Helper Page (the one generated by Visual
Studio) to protect it against SQL Injection attacks? I have a class to
find these attacks in my code but I have no idea how to protect the
WSDL= from an attack.


Thank you,
Steve

 
 
 
 
 
John Saunders
 
      11-30-2006
"steve813" wrote in message:
> Hello everyone,
>
> I am working on a web service which has to go through a security
> review. My problem is the default Web Service Helper Page (the one
> generated by Visual Studio) does not guard against SQL Injection
> attacks.


If security is a concern, then remove the helper page! It's not really
something meant for production deployment.

John
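
What removing the helper page looks like in the service's web.config, as an added example that is not part of either post above. The `customErrors` element and the `ErrorPage.htm` file name are assumptions added here to cover the unhandled error page the reviewers saw.

```xml
<!-- web.config for the web service application (added example) -->
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Removing the Documentation protocol turns off the auto-generated
             helper page. The service also stops answering ?WSDL requests,
             so clients need the WSDL file supplied another way. -->
        <remove name="Documentation" />
      </protocols>
    </webServices>
    <!-- Assumption: remote callers should never see a raw error page.
         ErrorPage.htm is a hypothetical static page in the application. -->
    <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.htm" />
  </system.web>
</configuration>
```

SOAP calls to the .asmx endpoint keep working with this setting, because only the Documentation protocol is removed.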


 