Home/ Questions/Q 1069911
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T20:29:21+00:00

In regards to my this question , I got this following answer to add

  • 0

In regards to my this question, I got this following answer to add this to the web config file. And it also resolved the issue i was facing. But now my question is that is there any kind of security threat? if yes, how severe it could be? what kind of threat it could be? Do you suggest something else here.

<configuration>
    <system.web>
    <webServices>
        <protocols>
            <add name="HttpGet"/>
            <add name="HttpPost"/>
        </protocols>
    </webServices>
    </system.web>
</configuration>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The reason that HttpGet and HttpPost are disabled by default are that hey can easily be used for XSS attacks. From http://msdn.microsoft.com/en-us/library/ff648667.aspx:

    By disabling unnecessary protocols, including HttpPost and HttpGet, you reduce the attack surface area. For example, it is possible for an external attacker to embed a malicious link in an e-mail to execute an internal Web service using the end user’s security context. Disabling the HttpGet protocol is an effective countermeasure. In many ways, this is similar to an XSS attack. A variation of this attack uses an tag on a publicly accessible Web page to embed a GET call to an intranet Web service. Both attacks can allow an outsider to invoke an internal Web service. Disabling protocols mitigates the risk.

    For more about XS attacks, see http://en.wikipedia.org/wiki/Cross-site_scripting .

    I usually avoid using HttpGet and HttpPost is possible. If it is a web service that in any way manage money, I avoid it at all costs. Use SOAP web services whenever possible.

    • 0