is my webservice secured using jQuery? experts help needed
I'm a beginner using web services with jQuery, so pardon me for asking dumb questions.
So the story goes like this. I have a new website that I built using jQuery, which calls web services as part of some AJAX calls, for example:
    $.ajax({
        type: "POST",
        url: "/WSProxy.asmx/AddressLookup",
        // serialize the value instead of concatenating it into a string, so a quote in the input does not break the JSON
        data: JSON.stringify({ query: $('#location').val() }),
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function (data) {
            // ASMX JSON responses wrap the return value in a "d" property
            $("#location").autocomplete({
                minLength: 3,
                source: data.d
            });
        }
    });
Now, if I get it right, everyone knows that I have a web service that can be accessed through http://www.mywebsite.com/WSProxy.asmx, and can basically query the functions that are being exposed and call them as they like. My questions:
- Is that true? Does my AJAX/jQuery code expose my web services?
- Can I block/limit calls that are not made from my site, and if yes, how?
My site is using .NET / C# as the backend/middle-tier platform, and the webservice is also written in C#.
Please help.
- Is that true? Does my AJAX/jQuery code expose my web services?
Yes, any JavaScript and HTML is always exposed.
- Can I block/limit calls that are not made from my site, and if yes, how?
Yes and no. You can refer to the incoming HTTP request URL, but that can be faked.
So the rule is not to try to expose any sensitive parts.
You have to secure the service itself.
Put all security there by adding sessions for authenticated callers inside a service responsible for security.
For each call to your service exposed by JavaScript, you have to check through the authentication service whether there is a session for this person or not; if not, block it...
Yes, anybody can call your web service (it's easy to learn; just look at Firebug/developer tools to see what the browser does).
You can have the user log in before he can call the web service. Or give him a token (like a CSRF token). Or design some signature mechanism (but then you have to know which arguments he's going to use).
Anybody looking at your AJAX calls will see what address and format your webservice uses, so yes, providing it will expose it (there is not much point to a service which is not exposed). You can make it harder to use it without visiting your site (e.g. you can put a token in the HTML code and require it to be present in the web service calls), but cannot fully prevent someone from writing code which will download a page from your site and then use your service while pretending to be a browser looking at that page.
Basically everything you throw to JavaScript and HTML is exposed. You can still secure it a bit anyway. You can check the referrer of the request to be sure it comes from your site, but the referrer can be faked if a web server is used. Another thing we did on a similar project was to get the URL of the web service in an AJAX call so that it does not appear in the source code. As dumb as it is, it may stop some low-level data harvesters.
If it is not a public resource, you can add a login.
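One way to put the check inside the service itself, as the answers recommend (a session for the authenticated caller plus a per-session token embedded in the page and required on every call). This is an added example, not code from the question or any answer; the header name, session keys, login flow and sample lookup result are assumptions, and the Referer header is deliberately not used because it can be faked.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/")]
[ScriptService] // lets jQuery call the methods with JSON, as in the question
public class WSProxy : WebService
{
    // Assumed header name; the page's JavaScript must send it on every AJAX call.
    private const string TokenHeader = "X-Request-Token";

    // Call this once from the login code (assumed) after the user is authenticated.
    // Returns the token to render into the page (e.g. a hidden field or meta tag).
    public static string IssueToken(HttpSessionStateBase session, string userName)
    {
        byte[] raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        session["user"] = userName;          // session key: assumption
        session["requestToken"] = token;     // session key: assumption
        return token;
    }

    // Rejects calls that have no server-side session or carry the wrong token.
    // The decision is made here, not in the JavaScript that anyone can read.
    private void RequireAuthenticatedCaller()
    {
        HttpContext ctx = HttpContext.Current;
        string user = ctx.Session["user"] as string;
        string expected = ctx.Session["requestToken"] as string;
        string presented = ctx.Request.Headers[TokenHeader];
        if (user == null || expected == null || presented == null
            || !ConstantTimeEquals(expected, presented))
        {
            throw new HttpException(403, "Forbidden");
        }
    }

    // Compare without an early exit so timing does not reveal how many characters matched.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    [WebMethod(EnableSession = true)] // EnableSession is required for Session to be available
    public string[] AddressLookup(string query)
    {
        RequireAuthenticatedCaller();
        return new[] { query + " Street", query + " Avenue" }; // constructed sample result
    }
}
```

The jQuery side only has to add the header, for example through the `headers` option of `$.ajax`, reading the token from wherever the page rendered it; a caller who never loaded the page and logged in has no session and no token, so the call is refused.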