WCF Basics and Security overview
Yaron Hakon
Application Security Consultant
2Bsecure
yaron@2bsecure.co.il
WCF

Agenda
• WCF Overview.
• WCF Security model.
• Attacks and countermeasures. (If time permits)
WCF is
• WCF services expose endpoints that clients and services use to exchange messages.
[Figure: a call center ASP.NET app, mobile employees, Java customers and applications on various platforms all connecting to one WCF service.]
The Imperative to Connect
[Figure: an existing J2EE application, a J2EE app server, a mobile employee app, IDM and other .NET framework systems linked over HTTP, HTTPS, TCP/IP, WSE and Enterprise Services.]
Windows Communication Foundation
Interoperability, productivity, service-oriented development:
• Unifies today's distributed technologies
• Visual Studio 2005 integration
• Loosely-coupled services
• Config-based communication
WS-* Protocol Support
[Figure: the WS-* stack on top of XML messaging: security, transactions, reliable messaging, metadata.]
WCF – A B C
• A Service Endpoint has an Address, a Binding, and a Contract (ABC).
• An Address is a network address that indicates where the service is located.
• A Binding specifies how a client can communicate with the endpoint, including transport protocol, encoding, and security requirements.
• A Contract identifies what operations are available to the clients.
[Figure: client and service each carry the A, B, C of an endpoint: Address (where?), Binding (how?), Contract (what?).]
WCF Run Time
WCF – Architecture & channel stack
[Figure: the client proxy class and the service dispatcher each sit on a channel stack (protocol: reliability, security; encoding; transport), configured through bindings. The dispatcher sends the incoming request to the service interface methods (Method A, Method B) implemented in the WCF service .NET assembly; the contracts (data, message, service contracts) are shared with the client code, and the endpoint address selects the channel.]
Understanding Bindings options
• Protocols: security, reliable messaging capability, transactions.
• Encoding: XML text, MTOM, binary.
• Transport: TCP, HTTP/S, named pipes, custom.
Understanding Standard Bindings
System.ServiceModel namespace includes the following predefined bindings:

Binding                | Transport | Encoding   | Security                              | Transaction | Interoperability
-----------------------|-----------|------------|---------------------------------------|-------------|-----------------
BasicHttpBinding       | Https     | Text       | None, Transport, Message, Mixed       | No          | WS-I
WSHttpBinding          | Https     | Text, MTOM | None, Transport, Message, Mixed       | Yes         | WS-*
WSDualHttpBinding      | Http      | Text, MTOM | None, Message                         | Yes         | WS-*
WSFederationBinding    | –         | –          | None, Message, Mixed                  | Yes         | WSF
NetTcpBinding          | TCP       | Binary     | None, Transport, Message, Mixed       | No          | .NET
NetPeerTcpBinding      | P2P       | Binary     | None, Message, Transport, Mixed       | Yes         | Peer
NetNamedPipeBinding    | IPC       | Binary     | None, Transport                       | Yes         | .NET
NetMsmqBinding         | MSMQ      | Binary     | None, Message, Transport, Both        | Yes         | .NET
MsmqIntegrationBinding | MSMQ      | Binary     | None, Transport                       | Yes         | MSMQ
1. Building Windows Communication Foundation Service
WCF – Hosting
• User application - custom host app.
• IIS host (WS).
• Windows service app.
• IIS version 7.0 adds Windows Activation Services (WAS):
  • Configuration sharing.
  • Application pool – sandboxing.
  • Support for non-HTTP transport protocols.
• Read more: http://msdn2.microsoft.com/en-us/library/ms733109.aspx
Self Host
• Configure the endpoints:
  • Add endpoint information for the Web service in App.config:
    • Address (http, https, …)
    • Binding
    • Contract
• Create listener objects for each address.
• Listen for requests: productsServiceHost.Open(); stop listening with Close().
IIS Host
• Project assemblies are built in the bin folder.
• Add a service definition file (.svc) naming the class that IIS will execute and the assembly holding this class.
• Add endpoint information for the Web service in Web.config:
  • Address (IIS and SVC address)
  • Binding
  • Contract
• Deploy the service in IIS:
  • Add a new site for the service.
2. Building Self Host for WCF Service
3. Hosting WCF Service in IIS
Consuming WCF Service
• Select preferred client.
• Service reference.
• Configuration - ABC.
• Consume.
4. Consuming WCF service from console application
Good to know
• Multiple service endpoints.
  • Expose the service on different endpoints for different clients.
• Configuring service instance context modes:
  • [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
  • PerSession: opens a new session for each client and closes it when the client aborts.
    • Default (max 10 connections); cannot share data between service instances.
  • PerCall: creates a new instance each time the client invokes an operation; the instance is closed after the call finishes.
    • Hard to implement state.
  • Single: opens one instance of the service for all clients.
    • Opened when the first service call arrives; closed by the server.
    • Sharing data across calls: +/- ?
• Using MSMQ and transactions.
5. Consuming WCF service in self host with 2 endpoints from different clients: console application & ASP.NET
Agenda
• WCF Overview.
• WCF Security model.
• Attacks and countermeasures. (If time permits)
Security in every WCF operation call
• Service contract
• Operation contract – fault contract
• Service behavior – client credentials, service credentials
• Operation behavior
• Host configuration
• Method configuration and code
• Proxy configuration
• Binding configuration
    using System.Net.Security;
    using System.ServiceModel;

    // Contract-level protection level: every operation is at least signed.
    [ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
    public interface IMyContract
    {
        // Inherits the contract-level setting: signed only.
        [OperationContract]
        void SignMethod(…);

        // Operation-level setting overrides the contract level: signed and encrypted.
        [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
        void EncryptAndSignMethod(…);
    }
Transfer security concepts
• Message integrity.
  • Tampering.
• Message privacy.
  • Sensitive data.
  • Confidentiality.
• Mutual authentication.
  • Client and server authentication.
• Replay attacks.
• Denial of service attacks.
Transfer security modes
• None.
  • No client credentials are provided to the service.
  • Clear-text messages over a non-secure transport layer.
• Transport security – integrity, privacy, and mutual authentication.
  • Secure transport protocols: HTTPS, TCP, IPC, MSMQ. Point-to-point.
  • All communication on the channel is encrypted.
  • The client's credentials are encrypted along with the rest of the message.
• Message security – integrity, privacy, and mutual authentication.
  • Encrypts the message itself.
  • End-to-end security.
  • Communicates securely over non-secure transports.
• Mixed.
  • Transport security for message integrity, privacy and service authentication.
  • Message security for securing the client credentials.
  • Point-to-point security.
• Both – integrity, privacy, and mutual authentication.
  • Both transport security and message security.
Explain the mode scenario – Transport
• Encrypts the entire message
• Sender must trust all intermediaries
• Restricts protocols that can be used
[Figure: client, intermediary and service joined by separate SSL-secured hops.]
Explain the mode scenario – Message
• Security context
• End-to-end message security independent of transport
• Supports multiple protocols and multiple encryption technologies
• Encrypt only parts of the message
Transfer security mode per binding
• Bindings: set programmatically or administratively.

Binding             | None        | Transport   | Message     | Mixed | Both
--------------------|-------------|-------------|-------------|-------|-----
BasicHttpBinding    | Y (default) | Y           | Y           | Y     | N
NetTcpBinding       | Y           | Y (default) | Y           | Y     | N
NetPeerTcpBinding   | Y           | Y (default) | Y           | Y     | N
NetNamedPipeBinding | Y           | Y (default) | N           | N     | N
NetMsmqBinding      | Y           | Y (default) | Y           | N     | Y
WSHttpBinding       | Y           | Y           | Y (default) | Y     | N
WSFederationBinding | Y           | N           | Y (default) | Y     | N
WSDualHttpBinding   | Y           | N           | Y (default) | N     | N
Programmatically securing the basic binding:

    BasicHttpBinding binding2 = new BasicHttpBinding();
    binding2.Security.Mode = BasicHttpSecurityMode.Message;

Administratively securing the basic binding:

    <bindings>
      <basicHttpBinding>
        <binding name="SecuredBasic">
          <security mode="Message">
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
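As an added example (not code from the deck), the same choice applied to the other bindings in the mode table above, with the client credential type set explicitly instead of relying on each binding's default; the method names and the start-up guard are this example's own, not WCF APIs.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: the transfer security modes from the table above, built
// programmatically for the bindings the deck uses. Method names are our own.
public static class TransferSecurity
{
    // BasicHttpBinding defaults to None: clear text over plain HTTP and no
    // client credential. Message mode on this binding only accepts an X509
    // certificate as the client credential (see the credentials table).
    public static BasicHttpBinding BasicMessage()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        return b;
    }

    // Transport mode over HTTPS: the server is authenticated by the X509
    // certificate bound to the HTTPS port in IIS or http.sys, not by anything
    // on the binding; the client presents Windows credentials.
    public static WSHttpBinding WsTransport()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Mixed mode: TLS gives point-to-point privacy and service authentication,
    // a WS-Security UserName token inside the message authenticates the client.
    public static WSHttpBinding WsMixed()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Message mode on TCP: end-to-end signing and encryption of the SOAP
    // message itself, so it stays protected across intermediaries.
    public static NetTcpBinding TcpMessage()
    {
        var b = new NetTcpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    // Start-up guard for bindings loaded from configuration: true when the
    // binding would put messages on the wire in clear text. Unknown binding
    // types fail closed so that a reviewer has to look at them.
    public static bool IsClearText(Binding binding)
    {
        switch (binding)
        {
            case BasicHttpBinding b: return b.Security.Mode == BasicHttpSecurityMode.None;
            case WSHttpBinding w:    return w.Security.Mode == SecurityMode.None;
            case NetTcpBinding t:    return t.Security.Mode == SecurityMode.None;
            default:                 return true;
        }
    }

    public static void Main()
    {
        Binding[] bindings =
        {
            new BasicHttpBinding(),   // the deck's unsecured starting point
            BasicMessage(), WsTransport(), WsMixed(), TcpMessage()
        };
        foreach (var binding in bindings)
            Console.WriteLine($"{binding.GetType().Name}: " +
                              (IsClearText(binding) ? "CLEAR TEXT" : "protected"));
    }
}
```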
6. Use of transfer security – basicHttpBinding → WSHttpBinding.
WCF trace view with Microsoft Service Trace Viewer: before and after.
Transport Security and Credentials
• WCF lets you select from a number of possible client credential types:
  • NTLM or Kerberos
  • Classic username and password
  • Windows security token
  • X509 certificate
  • Anonymous
Transport security client credentials
• WCF lets you select from a number of possible client credential types.

Binding             | None        | Windows     | UserName    | Certificate
--------------------|-------------|-------------|-------------|------------
BasicHttpBinding    | Y (default) | Y           | Y           | Y
NetTcpBinding       | Y           | Y (default) | N           | Y
NetPeerTcpBinding   | N           | N           | Y (default) | Y
NetNamedPipeBinding | N           | Y (default) | N           | N
NetMsmqBinding      | Y           | Y (default) | Y           | N
WSHttpBinding       | Y           | Y (default) | Y           | Y
WSFederationBinding | N/A         | N/A         | N/A         | N/A
WSDualHttpBinding   | N/A         | N/A         | N/A         | N/A
Message Security and Credentials
• The same types of credentials as with transport security.
• Plus the issued token credential type.
• http://msdn2.microsoft.com/en-us/library/ms731161.aspx
Message security client credentials

Binding             | None | Windows     | UserName | Certificate | Token
--------------------|------|-------------|----------|-------------|------
BasicHttpBinding    | N    | N           | N        | Y           | N
NetTcpBinding       | Y    | Y (default) | Y        | Y           | Y
NetPeerTcpBinding   | N/A  | N/A         | N/A      | N/A         | N/A
NetNamedPipeBinding | N/A  | N/A         | N/A      | N/A         | N/A
NetMsmqBinding      | Y    | Y (default) | Y        | Y           | Y
WSHttpBinding       | Y    | Y (default) | Y        | Y           | Y
WSFederationBinding | N/A  | N/A         | N/A      | N/A         | N/A
WSDualHttpBinding   | Y    | Y (default) | Y        | Y           | Y
Authentication and Authorization
• Authentication:
  • ASP.NET Membership Provider
  • Custom username and password validator
  • Identity and authentication
• Authorization:
  • Restrict access with the PrincipalPermissionAttribute
  • ASP.NET Role Provider with a service
  • ASP.NET Authorization Manager Role Provider with a service
  • Claims and authorization with the Identity Model
  • Delegation and impersonation
7. Implement message security – netTcpBinding.
8. Using an X509 certificate to enable HTTPS communication to the service – server authentication.
9. Implement authorization – using PrincipalPermission.
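The three demos above, put together as one added example (this is not the deck's demo code): message security over netTcpBinding, a custom username/password validator, a service X509 certificate for server authentication, and a PrincipalPermission demand on an operation. IPayroll, PayrollService, DemoValidator, DemoRolePolicy, the user table, the net.tcp address and the certificate subject name are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Contract: every message is signed; the salary operation is also encrypted.
[ServiceContract(ProtectionLevel = System.Net.Security.ProtectionLevel.Sign)]
public interface IPayroll
{
    [OperationContract(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    decimal GetSalary(string employeeId);
}

// Authentication: custom user name/password validator. The user table is
// constructed for this example; a real validator checks a credential store.
public class DemoValidator : UserNamePasswordValidator
{
    internal static readonly Dictionary<string, (string Password, string[] Roles)> Users =
        new Dictionary<string, (string, string[])>
        { ["hr-app"] = ("example-only", new[] { "HR" }), ["kiosk"] = ("example-only", new string[0]) };

    public override void Validate(string userName, string password)
    {
        // Throwing here rejects the WS-Security token before any operation runs.
        if (!Users.TryGetValue(userName, out var user) || user.Password != password)
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

// Identity model hook: attaches a principal carrying the caller's roles so that
// PrincipalPermission demands can be evaluated for non-Windows callers.
public class DemoRolePolicy : IAuthorizationPolicy
{
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        if (!context.Properties.TryGetValue("Identities", out var ids)) return false;
        var identity = ((List<IIdentity>)ids)[0];
        var roles = DemoValidator.Users.TryGetValue(identity.Name, out var u) ? u.Roles : new string[0];
        context.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

// Authorization (demo 9): the demand is checked before the body runs, so
// "kiosk" gets an access-denied fault without the payroll code executing.
public class PayrollService : IPayroll
{
    [PrincipalPermission(SecurityAction.Demand, Role = "HR")]
    public decimal GetSalary(string employeeId) => 4200m;   // constructed value
}

public static class PayrollHost
{
    public static ServiceHost Build()
    {
        // Demo 7: message security over netTcpBinding with a UserName credential.
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(PayrollService), new Uri("net.tcp://localhost:8731/payroll"));
        host.AddServiceEndpoint(typeof(IPayroll), binding, "");
        // Demo 8: the service X509 certificate authenticates the server to the
        // client and protects the UserName token; the subject name is a placeholder.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "payroll.example");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new DemoValidator();
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies =
            new List<IAuthorizationPolicy> { new DemoRolePolicy() }.AsReadOnly();
        return host;
    }
}
```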
WCF Relevant Attacks
• Information disclosure
  • HTTP headers, metadata, logs/exceptions, authentication/authorization.
• Elevation of privilege
  • Check authorization, token caches.
• Denial of service
  • Memory consumption, max secure sessions.
• Tampering
  • WS-Addressing.
• Replay attacks
  • WS-Addressing, transport security.
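As an added example, not the deck's code, a service host configured against the attack classes listed above: faults without exception details and metadata switched off (information disclosure), reader quotas, message size limits and throttling (denial of service), a cap on pending secure sessions plus replay detection (replay, max secure sessions), PrincipalPermission mode (elevation of privilege) and security auditing for detection. The service type, contract and address are whatever the caller supplies; the numeric limits are illustrative.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Added example: one hardened ServiceHost. Limits are illustrative values.
public static class HardenedHost
{
    public static Binding HardenedBinding()
    {
        // Tampering and replay: message security signs headers (WS-Addressing
        // included) and body; Windows credentials authenticate the caller.
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Denial of service: bound what one message may cost to receive and parse.
        ws.MaxReceivedMessageSize = 64 * 1024;
        ws.ReaderQuotas.MaxDepth = 32;
        ws.ReaderQuotas.MaxStringContentLength = 8 * 1024;
        ws.ReaderQuotas.MaxArrayLength = 16 * 1024;
        ws.ReceiveTimeout = TimeSpan.FromMinutes(1);   // idle channels are dropped

        // Secure sessions: cap the pending-handshake pool and keep replay
        // detection on. These settings live on the security binding element,
        // so the standard binding is re-assembled as a CustomBinding.
        var elements = ws.CreateBindingElements();
        var security = elements.Find<SecurityBindingElement>();
        security.LocalServiceSettings.MaxPendingSessions = 32;
        security.LocalServiceSettings.InactivityTimeout = TimeSpan.FromMinutes(2);
        security.LocalServiceSettings.DetectReplays = true;
        security.LocalServiceSettings.ReplayWindow = TimeSpan.FromMinutes(5);
        return new CustomBinding(elements);
    }

    public static ServiceHost Build(Type serviceType, Type contract, Uri address)
    {
        var host = new ServiceHost(serviceType, address);
        host.AddServiceEndpoint(contract, HardenedBinding(), "");
        var behaviors = host.Description.Behaviors;

        // Information disclosure: no exception details in faults, no anonymous WSDL.
        var debug = behaviors.Find<ServiceDebugBehavior>();
        if (debug == null) behaviors.Add(debug = new ServiceDebugBehavior());
        debug.IncludeExceptionDetailInFaults = false;
        var metadata = behaviors.Find<ServiceMetadataBehavior>();
        if (metadata != null) { metadata.HttpGetEnabled = false; metadata.HttpsGetEnabled = false; }

        // Denial of service: throttle so one client cannot exhaust threads and memory.
        behaviors.Remove<ServiceThrottlingBehavior>();
        behaviors.Add(new ServiceThrottlingBehavior
        {
            MaxConcurrentCalls = 16, MaxConcurrentSessions = 100, MaxConcurrentInstances = 116
        });

        // Elevation of privilege: PrincipalPermission demands on the operations
        // are evaluated against the caller's Windows groups.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        // Detection: failed authentication and authorization go to the event log.
        behaviors.Remove<ServiceSecurityAuditBehavior>();
        behaviors.Add(new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Application,
            MessageAuthenticationAuditLevel = AuditLevel.Failure,
            ServiceAuthorizationAuditLevel = AuditLevel.Failure,
            SuppressAuditFailure = false
        });
        return host;
    }
}
```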
Summary
• WCF overview.
  • Unifies existing technology.
  • Wide standards support.
• WCF security model.
  • Security by default.
  • Can be done using configuration or code.
  • Credentials – X509, SAML, Kerberos, CardSpace, custom.
• WCF countermeasures for common attack vectors.
  • Misconfiguration can lead to vulnerability exposure.
  • Read more about WCF attacks in the references.
References
• Books
  • Microsoft Windows Communication Foundation Step by Step, by John Sharp.
• MSDN
  • WCF Home - http://msdn2.microsoft.com/en-us/library/ms735119.aspx
  • Security programming - http://msdn2.microsoft.com/en-us/library/ms731925.aspx
  • CardSpace - http://cardspace.netfx3.com/
• Blogs
  • Message inspector - http://msmvps.com/blogs/paulomorgado/archive/2007/04/27/wcf-building-an-http-user-agent-message-inspector.aspx
  • WCF Security - http://blogs.msdn.com/alikl/archive/2007/07/26/wcf-security-in-intranet-scenario-thoughts-on-cons-and-pros.as
• User group
  • UG page: http://www.microsoft.com/israel/communities/usergroups/securedev.mspx
  • UG presentation page: http://www.2bsecure.co.il/NetSecGroup.aspx
Thank you!
Yaron Hakon
Application Security Consultant
2Bsecure
yaron@2bsecure.co.il
