Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
What is the best practice for sending potentially sensitive data to a web service via XML in C#?
If I knew the data I would be working with was completely trivial, I’d be inclined to use XmlSerialization, but the fact that serialization requires disk access to work properly concerns me – it seems like there is a possibility of sensitive data being stored on disk in temp files.
So if not XmlSerialization, then what is the best way to go?
When using the XmlSerializer, the temporary files that are created only contain type information – i.e. temporary assemblies representing the type of the data transfer objects. They do not contain the actual data of the instantiated objects itself. The type information may be sensitive, but probably is not.
The threats mentioned in the links in your comments above are about the possibility of injection of malicious code by an attacker overwriting these generated assemblies – not the disclosure of data.
In fact, WCF will use the DataContractSerializer by default, rather than the XmlSerializer. This link
http://msdn.microsoft.com/en-us/library/ms733135.aspx
Explains how to prevent the DataContractSerializer from loading malicious types by creating a known types list (of strongly named types) in your config file or in code. Then the problem is limited to keeping your config file secure…
Can I stop now ;o)