1
votes

There is a security concept regarding the calls to the WCF service that I can't seem to understand.

I've built a sample Silverlight solution, and enabled WCF RIA.
I have an invoke operation (or any of the auto-generated CRUDs, for that matter), which I've annotated with [RequiresAuthentication()]:

[RequiresAuthentication()]
[Invoke]
public void DeleteResource(string id)
{
    //...
}

Next, I changed web.config to enable forms authentication:

<system.web>
  <httpModules>...</httpModules>
  <compilation>...</compilation>
  <authentication mode="Forms" />
</system.web>

Now only authenticated users can call this method. So in the client I need to authenticate:

FormsAuthentication auth = new FormsAuthentication();
auth.Login(textBoxUsername.Text, textBoxPassword.Text);

After a successful login, calls can be made to the method.

When looking at Fiddler through this process I can see two things:

  1. Set-Cookie: .ASPXAUTH=F8FFB8B..... ( from the login step )
  2. http://localhost:1107/.../DomainService.svc/binary/DeleteResource ( when the method is called)

So a harmful user can do the following:

  1. Login to my app like a regular user (He registered and got credentials).
  2. Open up Fiddler while working with the app and copy the cookie and URL I just mentioned.
  3. Construct an HTTP call to that URL with the cookie (using a C# Webclient for example), and start deleting resources.

If this is possible, how can I block this security hole?
And if not, what's preventing the user from doing that?

1 Answer

0
votes

To be honest I do not see a security hole here:

  1. If a user was able to log in, he is - as I assume - authorized to perform the mentioned operation.
  2. Authentication != Authorization. You should not only check if a user is authenticated, but if he/she is authorized to perform any single operation (on the service side, of course). From the security point of view there should be no difference between calling an operation from a browser and using a "manually" prepared request - authorization should be performed on the service level on EVERY call (you should never trust a client - i.e. the web browser - for the very reason you have posted this question). If the user tries something he/she is not authorized to, an authorization error should occur.
  3. The authentication cookie should have an authentication expiration time set (e.g. 30 minutes).
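As an added illustration of point 2 (this is example code, not from the question or the answer), here is what the service-side check looks like in a WCF RIA Services DomainService. [RequiresAuthentication] only proves the caller has a valid forms cookie; the ownership check inside DeleteResource is what decides whether this particular user may delete this particular resource, and it runs identically whether the request came from the Silverlight client or from a hand-built HttpWebRequest carrying a copied .ASPXAUTH cookie. The Resource entity, the in-memory store, the user names and the "Administrator" role are assumptions made up for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;

// Hypothetical entity for this example: a resource that belongs to one user.
public class Resource
{
    [Key]
    public string Id { get; set; }
    public string OwnerName { get; set; }
    public string Title { get; set; }
}

[EnableClientAccess]
public class ResourceDomainService : DomainService
{
    // Constructed in-memory store so the example is self-contained;
    // a real service would use Entity Framework / LINQ to SQL here.
    private static readonly List<Resource> Store = new List<Resource>
    {
        new Resource { Id = "r1", OwnerName = "alice", Title = "Alice's report" },
        new Resource { Id = "r2", OwnerName = "bob",   Title = "Bob's report" },
    };

    // Authenticated users only see what they own: the filter is applied on
    // the server from the identity in the forms ticket, not from a client parameter.
    [RequiresAuthentication]
    public IQueryable<Resource> GetMyResources()
    {
        string me = ServiceContext.User.Identity.Name;
        return Store.Where(r => string.Equals(r.OwnerName, me, StringComparison.Ordinal))
                    .AsQueryable();
    }

    // Authentication is checked by the attribute; authorization (does THIS
    // user own THIS resource?) is checked in the body on every call.
    [RequiresAuthentication]
    [Invoke]
    public void DeleteResource(string id)
    {
        string me = ServiceContext.User.Identity.Name;
        Resource resource = Store.SingleOrDefault(r => r.Id == id);

        // Return the same error for "not found" and "not yours" so a replayed
        // request cannot be used to probe which ids exist.
        if (resource == null ||
            !string.Equals(resource.OwnerName, me, StringComparison.Ordinal))
        {
            // RIA Services reports UnauthorizedAccessException to the client
            // as an unauthorized operation error.
            throw new UnauthorizedAccessException("You may not delete this resource.");
        }

        lock (Store)
        {
            Store.Remove(resource);
        }
    }

    // Role-based authorization for operations no ordinary user may call,
    // regardless of how the HTTP request was constructed.
    [RequiresRole("Administrator")]
    [Invoke]
    public int PurgeAllResources()
    {
        lock (Store)
        {
            int count = Store.Count;
            Store.Clear();
            return count;
        }
    }
}
```

With this in place, a copied cookie gives the copier exactly the rights of the account it was issued to and nothing more, which is the same as letting that user click the Delete button. Point 3 is configured in web.config rather than in code, e.g. `<forms timeout="30" slidingExpiration="false" requireSSL="true" />`, which bounds how long a captured ticket stays valid and keeps it from being sent over plain HTTP in the first place.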