This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

.NET Web Service Validation

From OWASP
Revision as of 03:14, 20 November 2006 by Meddington (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

.NET Web Service Validation

There was a great article on MSDN a while back (years at this point) that showed the creation of a SOAP extension that would verify incoming requests against a schema, something .NET does not support out of the box (even in 2.0). Additionally there was quasi support for schematron via Assert attributes. This allows for a very powerful input validation of web services.

This is a project to provide continued support for this extension. There have been some updates to the original code, including moving to the .NET Framework v2.0.

The original article is available here.

Performance Penalties

To add in XML schema validation we must parse the soap packet ourselves. This of course will incur an additional performance hit outside of simply turning on validation. Unfortunately there is no method (that I'm aware of) to enable schema validation in .NET currently.

Downloading

SoapValidation-0.5.msi - Assembly, documentation, samples SoapValidation-0.5-src.zip - Source, documentation, samples

Installation

Download the installer and run. Easy :)

Methods of Use

There are two methods for using the validator. First you can force all web methods to be validated using the web.config file. Second you can mark methods using [Validation] attribute.

Use

Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later.

Reporting Bugs

Report bugs to Michael Eddington @ [email protected].