This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Attacking WCF Web Services

Jump to: navigation, search

The presentation

Owasp logo normal.jpg
Let's face it, hacking a web service generally isn't rocket science. But what if the web service requires your message to be sent in binary format instead of Text or XML? What if the web service requires message level encryption but you don't have a key? These are just a few common scenarios you are likely to encounter when trying to attack a web service built on Windows Communication Foundation (WCF). Through a series of live demonstrations, the presentation will show how to identify WCF web services on the wire, the communication protocols and message formatting options supported by WCF, and how to attack WCF web services using familiar black-box vectors. WCF is the new standard communications framework for .NET web services. WCF gives developers the ability to use new protocols and message formatting options like the NET.TCP protocol, WS-Security and Message Transmission Optimization Mechanism (MTOM). These messaging options render most common web service assessment utilities useless; however given an understanding of how they work they are still susceptible to most common attacks.

The speaker

Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the information security industry for over 10 years, and specializes in software security. Brian is a frequent speaker at various security conferences and a regular contributor on the GDS Security blog.