This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

.NET Web Service Validation

From OWASP
Jump to: navigation, search

There was a great article on MSDN a while back (years at this point) that showed the creation of a SOAP extension that would verify incoming requests against a schema, something .NET does not support out of the box (even in 2.0). Additionally there was quasi support for schematron via Assert attributes. This allows for a very powerful input validation of web services.

This is a project to provide continued support for this extension. There have been some updates to the original code, including moving to the .NET Framework v2.0.

The original article is available here.

Performance Penalties

To add in XML schema validation we must parse the soap packet ourselves. This of course will incur an additional performance hit outside of simply turning on validation. Unfortunately there is no method (that I'm aware of) to enable schema validation in .NET currently.

Downloading

SoapValidation-0.5.msi - Assembly, documentation, samples

SoapValidation-0.5-src.zip - Source, documentation, samples

The latest code is now being maintained in a Google Code repository.

Installation

Download the installer and run. Easy :)

Reporting Bugs

Report bugs to Michael Eddington @ [email protected].

Use

Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later.

Methods of Use

There are two methods for using the validator. First you can force all web methods to be validated using the web.config file. Second you can mark methods using [Validation] attribute.

Attributes

[Validation]

Mark web method for validation against schemas

[ValidationSchemaFolder(string relativeFolder)]

Used to add folders that contain schemas to load and cache.  This attribute is only valid for classes.  The relativeFolder parameter is relative to the vroot.

  • relativeFolder -- Folder of schemas to load and cache.  Relative to the virtual root (vroot).

[ValidationSchema(string schemaFile)]

Used to add schema files to load and cache.  This attribute is only valid for classes.  The schemaFile parameter is relative to the vroot.

  • schemaFile -- Schema file to load.  Relative to the virtual root (vroot).

[Assert(string rule)]
[Assert(string rule, string description)]

Used to add an XPath validation expression to a web method.  The XPath expression must evaluate to true.

  • rule -- XPath validation expression.  Must evaluate to true.
  • description -- [optional] Description of assertion rule.

[AssertNamespaceBinding(string prefix, string ns)]

Specifies namespace bindings used by assert xpath's.

  • prefix -- namespace prefix
  • ns -- namespace to map to

Web.config Changes

First two extensions must be registered by adding the following inside of the <webServices> node:

<soapExtensionReflectorTypes>
  <add type="SoapValidation.ValidationExtensionReflector, SoapValidation"/>
</soapExtensionReflectorTypes>
<serviceDescriptionFormatExtensionTypes>
  <add type="SoapValidation.ValidationFormatExtension, SoapValidation"/>
</serviceDescriptionFormatExtensionTypes> 

Next, POST and GET protocols must be disabled by adding the following inside of the <webServices> node:

<protocols>

  <remove name="HttpPost" />
  <remove name="HttpGet" />
</protocols>

Finally, if you want to force all web methods to be validated with out using the [Validation] attribute add the following inside of the <webServices> node:

<soapExtensionTypes>
  <add type="SoapValidation.ValidationExtension, SoapValidation" priority="1" group="0" />

</soapExtensionTypes>

Using Validation

Here is a basic example that will cause validation to be run:

[WebService(Namespace="<a href="http://example.org/geometry")]public">http://example.org/geometry")]
public</a> class SimpleTests : System.Web.Services.WebService
{ 
  [WebMethod]
  [Validation]
  public double CalcArea2(double length, double width)
  {
    return length * width;
  }
}

Using Assertions

Here is an example of using assertions to verify business rules in a way schema's fall short.

[AssertNamespaceBinding("t", "<a href="http://example.org/geometry")]">http://example.org/geometry")]</a>
[WebService(Namespace="<a href="http://example.org/geometry")]">http://example.org/geometry")]</a>
public class SimpleTests : System.Web.Services.WebService
{ 
  [WebMethod]
  [Validation]
  [Assert("(//t:length * //t:width) > 100", "Area must be greater than 100")]
  [Assert("(//t:length div //t:width) = 2", "Length must be exactly twice width")]
  public double CalcArea2(double length, double width)
  {
    return length * width;
  }
}

 

Project Contributors

Michael Eddington

Project Sponsor

Leviathan Security Group, Inc.