WSDL and SQL Injection Attacks

Discussion in 'ASP .Net Web Services' started by steve813, Nov 29, 2006.

  1. steve813

    steve813 Guest

    Hello everyone,

    I am working on a web service which has to go through a security
    review. My problem is the default Web Service Helper Page (the one
    generated by Visual Studio) does not guard against SQL Injection
    attacks. They added parameters to the URL like:

    https://server.company.com/Services/myService/Service.asmx?WSDL=\'
    https://server.company.com/Services/myService/Service.asmx?WSDL='
    https://server.company.com/Services/myService/Service.asmx?WSDL=;

    All of these modifications to the URL result in a page error with no
    handling, which results in a poor coding error on the page generated by
    Visual Studio.

    So, I implemented wsdlHelpGenerator to give a generic page but the
    security folks now say there's no code... Ahhhhh!!! How can I
    update the default Web Service Helper Page (the one generated by Visual
    Studio) to protect it against SQL Injection attacks? I have a class to
    find these attacks in my code but I have no idea how to protect the
    WSDL= from an attack.


    Thank you,
    Steve
    steve813, Nov 29, 2006
    #1

  2. "steve813" <> wrote in message
    news:...
    > Hello everyone,
    >
    > I am working on a web service which has to go through a security
    > review. My problem is the default Web Service Helper Page (the one
    > generated by Visual Studio) does not guard against SQL Injection
    > attacks.


    If security is a concern, then remove the helper page! It's not really
    something meant for production deployment.

    John
    John Saunders, Nov 30, 2006
    #2
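
One way to apply the advice above in an ASP.NET application, shown as an added example that is not part of the original thread: a `web.config` fragment that removes the `Documentation` protocol (the auto-generated helper page) and returns a generic error page to remote clients. The `~/Error.htm` path is a hypothetical placeholder.

```xml
<!-- web.config fragment (added example; not code from the thread). -->
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Removes the auto-generated .asmx helper page. This also turns off
             on-the-fly WSDL generation through the ?WSDL query string, so the
             query-string values from the security review never reach the
             help-page generator. -->
        <remove name="Documentation" />
      </protocols>
    </webServices>
    <!-- Remote clients get a generic page instead of the unhandled ASP.NET
         error; local requests still see full details for debugging.
         "~/Error.htm" is a hypothetical path: point it at your own page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.htm" />
  </system.web>
</configuration>
```

With `Documentation` removed, consumers that need the service contract have to be given a saved copy of the WSDL, since the service no longer generates it on request.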