Questions tagged [wcf]

Windows Communication Foundation (WCF) is a framework for building service-oriented applications. It allows for sending messages between service endpoints. A service endpoint can be part of a service, hosted in IIS or in an application, or it can be a client that requests data from such a service. WCF is part of the .NET Framework.

29 questions
12
votes
4 answers

A tale of two sources: Is TLS *defense* against Man-in-the-Middle, or not?

We have recently used a security scanning tool to assess security of an application. It raised a particular configuration as a Medium vulnerability. The claims made in the explanation of the discovered vulnerability don't seem to match with…
Dave Swersky
  • 223
  • 2
  • 8
8
votes
5 answers

Should one sign and encrypt using the same key? The Azure Training Labs are taking this approach

I'm taking the Azure lab LoadBalancing with WCF and recognise what I have been told is bad from a security perspective, but am not sure if it applies here. Can someone look at this code and tell me if different certificates should be used in…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
6
votes
2 answers

What are the security risks of the Service Bus, and how do you mitigate them?

The Service Bus is software that can be installed on Windows or rented on Azure and allows someone to relay SOAP/WCF information over the internet in the form of an XML over HTTPS payload. One risk that I see is that it essentially allows a user…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
6
votes
3 answers

What risks would exist in transmitting an encrypted PKCS12 via Https

I have a scenario in which I would like to automate the deployment of client certificates generated by an issuer I control. The approach I am considering is given below, and I would appreciate feedback as to risks involved (or if this is more…
6
votes
3 answers

Are there any tools to detect JavaScript-based WCF/AJAX calls?

I'd like to determine if a given JavaScript contains the logic to make an AJAX/WCF call, or determine if one is being executed at runtime. Does anything like this exist?
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
5
votes
1 answer

WCF - Is this a good security Architecture?

I am building an information recording system (WCF based) for a business that is accessible by staff over the internet. This software will not be distributed and there will only be a handful of users with the client application installed. Due to…
Sam
  • 210
  • 2
  • 6
4
votes
4 answers

Ensuring a web-service only processes requests from specific computers

I'm in the process of designing a system that consists of a client application and a single web-service. The client is distributed on several machines (installed by me or a colleague), and the communication between client and server is over the…
Tom Jelen
  • 143
  • 6
3
votes
1 answer

Securing WCF service with X.509 cert

Possible Duplicate: What is the difference between an x.509 “client certificate” and a normal SSL certificate? I'm getting really confused with WCF and certs. I have a WCF service which will run on a server w/ SSL enabled. Now, when I configure…
Sergei
  • 133
  • 1
  • 5
2
votes
3 answers

Identifying and preventing execution of "any" function via Late-Bound commands

The Command Pattern is widely used to create robust, scalable applications. However I see guidance in this MSDN article that could allow a caller to invoke a late-bound command... enabling the caller to call any assembly, class, and method…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
2
votes
0 answers

How to use IIS SSL certificate (CNG) for data encryption

I want to use RSA to encrypt/decrypt some data using IIS's SSL certificate, from within a web service (WCF). I've managed so far to do this by using .NET security classes (RSACryptoServiceProvider/X509Certificate2) - the client uses server's…
2
votes
2 answers

Is WCF or Java Metro security configuration in-scope for your security department; should it be?

Windows Communication Foundation (WCF) is a set of technologies that expose server-side executable code and data over the Internet. Given the port sharing abilities of IIS, or even that a web developer can host a WCF application unbeknownst to the…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
2
votes
2 answers

Securing JSON data

I am planning to use JSON as the data transport mechanism between my iOS app and my server (the server is a WCF service). While learning about JSON, I realized that all the data is passed around directly in the URL. I am sure this question gets…
bobbyalex
  • 131
  • 1
  • 5
2
votes
1 answer

Authentication for Mobile Devices

I am looking for ways to authenticate on a mobile device. The mobile application is connecting to a WCF Service which in turn connects to a database. Before the application retrieves any information from the WCF Service I will need it to…
2
votes
1 answer

Why does Wireshark not recognize WCF traffic as TLS encrypted?

In a .NET application, communication between client and service can be implemented using various different bindings, NetTcpBinding being one of them. The class defines an attribute named Security, which, according to this article, defaults to…
user163495
2
votes
0 answers

WCF WS - Passing passwords through service

I am implementing security on a WCF service from basicHttp to WShttp, the issue is the service sends some passwords for connections to the database that the user can define, test and save. The service implements an X509 certificate for the service…
mahlatse
  • 121
  • 2