Question

Currently working on an AJAX call to an ASP web service (.asmx).

In a situation where I POST to the url/.asmx/WebMethod, am I exposing information of any kind?

In the 'WebMethod' I am running a PostJsonAsync that calls an API and passes along a json string.

As I am still learning, I've been told that calling any public [WebMethod] exposes the code, but I am not sure how that is possible.

Is it possible at all for a user to access the WebMethod server-side code that I have and peek into the API calls that are available?

I've attempted some minor security methods. We are working with Sitefinity CMS. What I did was call a WebMethod that receives the CurrentUserIdentity and returns a GUID. If the current user is logged in, it returns a valid GUID; if not, it returns a GUID full of zeros.

Then, I call the WebMethod containing my API call and post a json object along with the valid or invalid GUID. The server-side WebMethod code will then verify if the GUID is valid and continues based on if a UserProfile can be generated.

To me, this seems to be secure, but I've been told that this still leaves the WebMethod exposed as well as the API. I am however just not understanding what is exposed and what can be used.

If anybody can direct me to any resources that has more information on this, or if anybody can advise me on WebService security, I would appreciate it.

Thanks in advance.


Solution

No, there is no difference between calling an ASMX web service vs. any other kind of web service. The code on the server is not exposed because .cs files are by default not served by ASP.NET, or the code for the ASMX is compiled into an assembly in the bin folder, depending on the type of project (Web Site vs. Web Project) deployed. It may be possible to discover what other calls are available on your web service depending on how things are configured, but this alone is not a security threat as it would be trivial to discover that anyway (since HTTP traffic can be intercepted). You should be sure that you're using HTTPS to call the service though, to protect the data while it's in transit.
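The answer's point that the available calls are easy to discover can be made concrete. Unless the Documentation protocol is removed in web.config, an ASMX service publishes its contract at `Service.asmx?WSDL`, and that contract names every operation and its parameters while saying nothing about the method bodies. The following is an added example, not code from the original post, from Sitefinity or from ASP.NET: it parses such a WSDL offline and lists each operation with its parameters, then derives the `Service.asmx/WebMethod` URLs the question describes. The WSDL text, the service name `ExampleService` and the operations `GetUserToken` and `CallApi` are constructed for this example and are not the questioner's real names.

```python
"""List the operations an ASMX service advertises in its WSDL.

Added example, not code from the original page. It assumes the service
still serves its contract at Service.asmx?WSDL (the Documentation
protocol is enabled). The WSDL below is constructed for this example,
modelled on the layout ASMX generates, with hypothetical names.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample contract (hypothetical service and operation names).
SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:s="http://www.w3.org/2001/XMLSchema"
                  xmlns:tns="http://tempuri.org/"
                  targetNamespace="http://tempuri.org/">
  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/">
      <s:element name="GetUserToken">
        <s:complexType><s:sequence>
          <s:element minOccurs="0" maxOccurs="1" name="currentUserIdentity" type="s:string"/>
        </s:sequence></s:complexType>
      </s:element>
      <s:element name="CallApi">
        <s:complexType><s:sequence>
          <s:element minOccurs="0" maxOccurs="1" name="token" type="s:string"/>
          <s:element minOccurs="0" maxOccurs="1" name="payload" type="s:string"/>
        </s:sequence></s:complexType>
      </s:element>
    </s:schema>
  </wsdl:types>
  <wsdl:portType name="ExampleServiceSoap">
    <wsdl:operation name="GetUserToken">
      <wsdl:input message="tns:GetUserTokenSoapIn"/>
      <wsdl:output message="tns:GetUserTokenSoapOut"/>
    </wsdl:operation>
    <wsdl:operation name="CallApi">
      <wsdl:input message="tns:CallApiSoapIn"/>
      <wsdl:output message="tns:CallApiSoapOut"/>
    </wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>
"""


def list_operations(wsdl_text):
    """Return {operation_name: [parameter names]} from a WSDL document.

    Operation names come from wsdl:portType/wsdl:operation. ASMX emits one
    portType per protocol (Soap, HttpGet, HttpPost) with the same names,
    so duplicates are collapsed. Parameters are read from the request
    element of the same name in the embedded XML Schema.
    """
    root = ET.fromstring(wsdl_text)
    ops = {}
    for port_type in root.iter(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            ops.setdefault(op.get("name"), [])
    for element in root.iter(f"{{{XS_NS}}}element"):
        if element.get("name") in ops:
            ops[element.get("name")] = [
                child.get("name")
                for child in element.iter(f"{{{XS_NS}}}element")
                if child is not element
            ]
    return ops


def json_endpoints(base_url, operations):
    """Map each operation to the Service.asmx/WebMethod URL a JSON POST goes to."""
    return {op: f"{base_url.rstrip('/')}/{op}" for op in operations}


if __name__ == "__main__":
    found = list_operations(SAMPLE_WSDL)
    urls = json_endpoints("https://example.test/ExampleService.asmx", found)
    for name, params in found.items():
        print(f"{urls[name]}  params={params}")
```

Against a live service the same parsing would run on the body of a GET to the `?WSDL` URL. What it yields is names and parameter shapes, exactly what an intercepting proxy would also see in each request; the server-side method bodies never leave the server, which is the answer's point. Removing the Documentation protocol from `<webServices><protocols>` in web.config hides the contract page but not the names that travel in every call.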

Licensed under: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange