Geeks With Blogs
Jim Becher blog

You often hear about security and web services: how they need to be more secure and how they can pass unsecured information.  Well, I recently had an issue with a client who felt they were exposing too much information through the web service provided.  This web service returns products based on some search criteria.  Unfortunately, the web service was located in the root of the main web site, so the asmx file was available by going to http://www.someurl.com/somefile.asmx.  The client felt that the web service gave out too much information.

We had a few methods to resolve this issue.  One was to move the web service to another virtual folder and only allow the specific IP address to access that location.  This did not seem to be the logical choice for us because we had multiple applications obtaining information from this location, and we would have to find and adjust all the linking applications.  So we started to look at the asmx file.

After some googling, we did not find much information on how to secure the asmx file, because in its true sense it is meant to explain and expose the methods of the web service.  In one of the searches we were able to find some information on how the asmx file was built and displayed on the server.  Specifically how the can be changed to show the order of the methods.

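Using this information, we set out to modify the asmx page so that it would not show information about the web service methods.  To do this we needed to modify the DefaultWsdlHelpGenerator.aspx file, which is located in %SYSTEMROOT%\microsoft.net\framework\v1.1.4322\Config.  Because it sits in the framework's Config directory, an edit there affects every ASMX help page served by that framework version on the machine.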

This file describes and displays all exposed methods on page load.  By modifying the ShowingMethodList function and replacing the list of methods with some text or links back to the site, we effectively removed any information the asmx file displayed.  ShowingMethodList had a repeater listing; we removed the repeater and added some text and a URL.

We also removed the header information that had the standard documentation and put some text in its place.

In the end we had a functional asmx web service page that only displayed the text we wanted.  It was not the ideal way of securing a web service, but in our situation it was useful. 

Posted on Tuesday, August 16, 2005 5:43 AM


Comments on this post: Security of the ASMX file

# re: Security of the ASMX file
I've got a bit of a problem I hope you can help me with.

On my private computer, in my Temporary Internet Files, I have an ASMX file that will not be deleted. It shows up in Windows Explorer (on XP Home Edition), but DOS will not pick it up, so obviously its attributes are changed. Properties on the file give no ability to alter the attributes of the file. So I tried to use ATTRIB using -r -h but it reported it cannot find the file. I tried to get Nortons Anti Virus Professional Edition to wipe it, but it too failed.

Could you suggest some way I can get rid of this file? I suspect it to be the cause of some problems I've been having.

The file is called schematizedstore.asmx, within my documents & settings/venus/temporary internet files.

Nothing I seem to be able to do can get rid of this file.

My email is venus6001@iprimus.com.au, if you could reply with any help.

Thank you.

Chris Kilgariff
Left by Venus6001 on Dec 21, 2005 1:20 AM

# re: Security of the ASMX file
This is a very late response but, for those that may stumble across this in the future, there's a much simpler way to hide the ASMX file's descriptions than by modifying the DefaultWsdlHelperGenerator.aspx - and also that need not be made to each server the service is running on:

Add the following to the web.config file that applies to the ASMX file:

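<configuration>
  <system.web>
    <webServices>
      <!-- ... -->
      <protocols>
        <!-- Turns off the auto-generated ASMX documentation page -->
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>
</configuration>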

And voila - no more method descriptions. Sure, calling up the ASMX page results in an error but if you don't want users to see the descriptions, that's probably preferable...


Deken
Left by Deken on Feb 01, 2006 1:13 PM
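
Added example (not from the post or its commenters): a small Python audit for the web.config change in the comment above. It replays `<clear/>`, `<remove>` and `<add>` in document order, so a later `<add>` that re-enables the documentation page is caught. The inherited protocol set and the sample configs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocols that answer a plain browser request. "Documentation" serves the
# help page (and the generated WSDL); HttpGet/HttpPost allow non-SOAP calls.
BROWSER_PROTOCOLS = ("Documentation", "HttpGet", "HttpPost")
# Assumption: stand-in for what machine.config enables on the audited server.
INHERITED = ("HttpSoap", "HttpPostLocalhost", "Documentation")

def _child(parent, name):
    """First child with this local name (xmlns ignored), or None."""
    if parent is None:
        return None
    return next((n for n in parent if n.tag.rsplit("}", 1)[-1] == name), None)

def enabled_protocols(config_xml, inherited=INHERITED):
    """Replay <clear/>, <remove> and <add> in document order."""
    active = list(inherited)
    section = ET.fromstring(config_xml)
    for name in ("system.web", "webServices", "protocols"):
        section = _child(section, name)
    for node in (section if section is not None else ()):
        action, proto = node.tag.rsplit("}", 1)[-1], node.get("name")
        if action == "clear":
            active = []
        elif action == "remove" and proto in active:
            active.remove(proto)
        elif action == "add" and proto not in active:
            active.append(proto)
    return active

def exposed(config_xml, inherited=INHERITED):
    """Browser-reachable protocols still enabled; an empty list means hidden."""
    active = enabled_protocols(config_xml, inherited)
    return [p for p in BROWSER_PROTOCOLS if p in active]

# Constructed sample web.config files (not taken from any real site).
NO_SECTION = "<configuration><system.web /></configuration>"
HARDENED = """<configuration><system.web><webServices><protocols>
  <remove name="Documentation" />
</protocols></webServices></system.web></configuration>"""
REOPENED = """<configuration><system.web><webServices><protocols>
  <remove name="Documentation" /><add name="HttpGet" />
  <add name="Documentation" />
</protocols></webServices></system.web></configuration>"""

if __name__ == "__main__":
    for cfg in (NO_SECTION, HARDENED, REOPENED):
        print(exposed(cfg) or "nothing exposed")
```

The audit reads only the top-level `<system.web>` section; settings inside `<location>` blocks or parent config files need to be passed in separately or folded into `inherited`.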

# re: Security of the ASMX file
Lately I have been having trouble with my personal computer. I have an asmx file that will not let me delete it in my temporary files. Nothing I do will get rid of it; the file says it is restricted and cannot be opened. Please help me.
Left by catina on May 21, 2006 8:18 PM

# re: Security of the ASMX file
I HAVE A FILE IN MY TEMPORARY FILES, ON MY PERSONAL COMPUTER, THAT IS SCHEMATIZEDSTORE[1].ASMX. IT WILL NOT LET ME DELETE IT AND IS GIVING ME A PAIN IN MY NECK. PLEASE HELP ME GET RID OF THIS PROBLEM. MY EMAIL IS catinaadamson@bellsouth.net
Left by catina on May 21, 2006 8:25 PM

# re: Security of the ASMX file
I have a doubt. How do I get my .asmx file into SSL?
Left by saranya on Dec 03, 2010 7:09 AM



Copyright © Jim Becher - Untangle the Web | Powered by: GeeksWithBlogs.net