There is a security concept regarding the calls to the WCF service that I can’t seem to understand.
I’ve built a sample Silverlight solution, and enabled WCF RIA.
I have an invoke operation ( or any of the auto-generated CRUD’s for that matter ), which I’ve annotated with [RequiresAuthentication()] :
[RequiresAuthentication()]
[Invoke]
public void DeleteResource(string id)
{
//...
}
Next, I changed web.config to enable forms authentication :
<system.web>
<httpModules>...</httpModules>
<compilation>...</compilation>
<authentication mode="Forms" />
</system.web>
Now only authenticated users can call this method. So in the client I need to authenticate:
FormsAuthentication auth = new FormsAuthentication();
auth.Login(textBoxUsername.Text, textBoxPassword.Text);
After a succesful login, calls can be made to the method.
When looking at Fiddler through this process I can see two things:
- Set-Cookie: .ASPXAUTH=F8FFB8B….. ( from the login step )
- http://localhost:1107/…/DomainService.svc/binary/DeleteResource ( when the method is called)
So a harmful user can do the following :
- Login to my app like a regular user (He registered and got credentials).
- Open up Fiddler while working with the app and copy the cookie and URL I just mentioned.
- Construct an HTTP call to that URL with the cookie (using a C# Webclient for example), and start deleting resources.
If this is possible , how can I block this security hole ?
And if not, what’s preventing the user from doing that ?
To be honest I do not see a security hole here:
From the security point of view there should be no difference between calling operation from a browser and using “manually” prepared request – authorization should be performed on the service level on EVERY call (you never should trust a client – i.e. WebBrowser from the very reason you have posted this question). If the user tries something he/she is not authorized to, authorization error should occur.