You often hear about security and web services. How they need to be more secure and how they can pass unsecured information. Well, I recently had an issue with a client that felt they were exposing too much information with the web service provided. This web service allows for products to be returned based on some search criteria. Unfortunately the web service was located in the root of the main web site so the asmx file was available by going to (http://www.someurl.com/somefile.asmx). The client felt that the web service gave too much info out.
We had a few methods to resolve this issue. One was to move the web service to another virtual folder and only allow the specific ip address to access that location. This did not seem to be the logical choice for us because we had multiple applications obtaining information from this location. We would have to find and adjust all the linking applications. So we started to look at the asmx file.
After some googling we really did not find too much info on how to secure the asmx file. Because in it’s true sense it is meant to explain / expose the methods of the web service. In one of the searches we were able to find some information on how the asmx file was built and displayed on the server. Specifically how the can be changed to show the order of the methods.
Using this information we set out to modify the asmx file to not show information about the web service methods. To do this we needed to modify the DefaultWsdlHelperGenerator.aspx file. This file is located in %SYSTEMROOT%\microsoft.net\framework\v1.1.4322\Config
In this file it allows for description and display of all exposed methods on page load. By modifying the SHOWingMethodList function and replacing the list of methods with some text or links back to the site we effectively removed any information the asmx file displayed. The ShowingMethodList had a repeater listing, we removed the repeater and added some text and a url.
We also removed the header information that had the standard documentation and put some text in it’s place.
In the end we had a functional asmx web service page that only displayed the text we wanted. It was not the ideal way of securing a web service, but in our situation it was useful.