Sending sensitive data using web service over https

  • Question

  • User2084211446 posted

    I've a web service which is delivering sensitive data to the clients. I'm using it over https and it requires the users to send their userid and password (plain text) as parameters to get data. Assuming that both end points (sender's and receiver's) are secured, is it safe enough? If not, what else should I do to secure the process? I'm doing this for the first time. Any thoughts and suggestions are most welcome and much appreciated. I am using C# ASP.NET 4.0

    Thanks

    Rose :)

    Wednesday, April 2, 2014 11:26 AM

All replies

  • User422038134 posted

    You can use SSL and Basic authentication with REST web services as well.

    HTTP GET is usually used for data retrieval (queries) but you can use HTTP POST as well. GET is especially useful if you can use any type of HTTP caching. POST is useful if you need to transfer a lot of data to define your query or if your web service operation expects some complex data format instead of simple arguments.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 2, 2014 11:36 AM
  • User1779161005 posted

    How are the credentials stored? You need to prevent brute force attacks on the password.

    Wednesday, April 2, 2014 11:40 AM
  • User2084211446 posted

    I am using ASP.NET membership's form authentication. So when my web service receives userid and password, it is validated using ASP.NET membership.

    Thanks for your help and comments.

    Rose

    Wednesday, April 2, 2014 12:10 PM
  • User1779161005 posted

    I am using ASP.NET membership's form authentication. So when my web service receives userid and password, it is validated using ASP.NET membership.

    Thanks for your help and comments.

    Rose

    Ok, so keep in mind that brute force attacks on the password are a real possibility.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 2, 2014 12:22 PM
  • User-1949460947 posted

    Hello Rose,

    From which threat do you want to protect your application?

    If you want to ensure that no one can read your sensitive data while it is transmitted, then SSL is a good solution.

    If you want to ensure that no one can access your web service anonymously, then you need authentication. A custom authentication is good; anything that is standard, such as Basic, is even better.

    If you want to ensure that no one can perform a Denial of Service attack by sending brute force requests, then you must prepare your authentication for that.

    Hope this helps,

    György

    Thursday, April 3, 2014 10:14 PM
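
One way to prepare the userid/password check for the brute force attempts raised in the replies, as an added example that is not part of the original thread: a sliding-window failure counter placed in front of the password validation. The class, enum and parameter names are hypothetical, and the `validate` delegate is an assumption standing in for ASP.NET Membership's `Membership.ValidateUser`.

```csharp
using System;
using System.Collections.Generic;

public enum AuthResult { Accepted, Rejected, Throttled }

public class ThrottledValidator
{
    // Assumption: in the web service this delegate would wrap Membership.ValidateUser.
    private readonly Func<string, string, bool> validate;
    private readonly int maxFailures;
    private readonly TimeSpan window;
    private readonly Dictionary<string, List<DateTime>> failures =
        new Dictionary<string, List<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public ThrottledValidator(Func<string, string, bool> validate, int maxFailures, TimeSpan window)
    {
        this.validate = validate;
        this.maxFailures = maxFailures;
        this.window = window;
    }

    public AuthResult Check(string userId, string password, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(userId) || password == null) return AuthResult.Rejected;
        lock (failures)
        {
            List<DateTime> recent;
            if (!failures.TryGetValue(userId, out recent)) recent = new List<DateTime>();
            recent.RemoveAll(t => nowUtc - t > window);       // forget failures outside the window
            if (recent.Count >= maxFailures) return AuthResult.Throttled; // refuse before testing the password
            if (validate(userId, password)) { failures.Remove(userId); return AuthResult.Accepted; }
            recent.Add(nowUtc);
            failures[userId] = recent;  // user ids are caller-chosen: cap the size of this map in production
            return AuthResult.Rejected;
        }
    }

    public static void Main() // constructed demo: three wrong guesses, then the right password
    {
        var guard = new ThrottledValidator((u, p) => u == "rose" && p == "s3cret", 3, TimeSpan.FromMinutes(10));
        foreach (var guess in new[] { "a", "b", "c", "s3cret" })
            Console.WriteLine("rose/" + guess + " -> " + guard.Check("rose", guess, DateTime.UtcNow));
    }
}
```

Keying the counter on the user id means repeated wrong guesses also keep the real user out until the window expires. The membership provider's own `maxInvalidPasswordAttempts` and `passwordAttemptWindow` settings apply a similar limit by locking the account.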