How to secure your WCF Service?

WCF is a distributed programming platform based on SOAP messages. 

Using WCF, you can create applications that function as both services and service clients, creating and processing messages from an unlimited number of other services and clients. In such a distributed application, messages can flow from node to node, through firewalls, onto the Internet, and through numerous SOAP intermediaries.

This introduces a variety of message security threats.

The following examples illustrate some common threats that WCF security can help mitigate when exchanging messages between entities:
  • Observation of network traffic to obtain sensitive information. For example, in an online-banking scenario, a client requests the transfer of funds from one account to another. A malicious user intercepts the message and, having the account number and password, later performs a transfer of funds from the compromised account.
  • Rogue entities acting as services without awareness of the client. In this scenario, a malicious user (the rogue) acts as an online service and intercepts messages from the client to obtain sensitive information. Then the rogue uses the stolen data to transfer funds from the compromised account. This attack is also known as a phishing attack.
  • Alteration of messages to obtain a different result than the caller intended. For example, altering the account number to which a deposit is made allows the funds to go to a rogue account.
  • Replay attacks, in which a nuisance attacker resends the same purchase order. For example, an online bookstore receives hundreds of orders and sends the books to a customer who has not ordered them.
  • Inability of a service to authenticate a client. In this case, the service cannot assure that the appropriate person performed the transaction.
In summary, transfer security provides the following assurances:
  • Service endpoint (respondent) authentication.
  • Client principal (initiator) authentication.
  • Message integrity.
  • Message confidentiality.
  • Replay detection.
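As an added illustration (not part of the original post), the app.config fragment below puts an unprotected wsHttpBinding beside one that turns on WCF message security, with comments mapping each setting to the assurances listed above. The service name, contract name, binding names, address and the certificate thumbprint are placeholders, not values from the post.

```xml
<!-- Added example (not from the original post). Service/contract names,
     binding names, the address and the thumbprint are assumed placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Weak: no transfer security at all. Messages travel in plaintext,
           neither side is authenticated, and nothing detects tampering
           or replayed messages. -->
      <binding name="Insecure">
        <security mode="None" />
      </binding>

      <!-- Hardened: WS-Security message protection. Each SOAP message is
           signed (integrity) and encrypted (confidentiality) end to end,
           so intermediaries cannot read or alter it. -->
      <binding name="MessageSecure">
        <security mode="Message">
          <!-- Client principal (initiator) authentication: the caller must
               present an X.509 certificate. A secure session is established
               so per-message work is reduced; WCF's replay detection is on
               by default for message security. -->
          <message clientCredentialType="Certificate"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Bank.BankingService" behaviorConfiguration="SecureBehavior">
      <!-- Endpoint bound to the hardened binding, not "Insecure". -->
      <endpoint address="http://bank.example/FundsTransfer"
                binding="wsHttpBinding"
                bindingConfiguration="MessageSecure"
                contract="Bank.IFundsTransfer" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="SecureBehavior">
        <serviceCredentials>
          <!-- Service endpoint (respondent) authentication: the service
               proves its identity with this certificate; a rogue host
               without the private key cannot impersonate it.
               Thumbprint is a placeholder. -->
          <serviceCertificate findValue="PLACEHOLDER-THUMBPRINT"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindByThumbprint" />
          <!-- Validate client certificates against a trusted chain and
               check revocation rather than trusting any presented cert. -->
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

A quick check for a deployed service is to confirm that no endpoint references a binding configuration whose security mode is None, and that the service certificate's private key is readable only by the service account; if the replay window needs tuning, a customBinding exposes it through localServiceSettings (detectReplays, replayWindow, maxClockSkew).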
