不带MEX端点的带有BasicHttpBinding的WCF服务可以被绝对陌生人利用吗? [英] Can a WCF service w/ BasicHttpBinding without a MEX Endpoint be exploited by absolute strangers?

问题描述

据我了解:如果您没有MEX端点/WSDL，则您的服务基本上是不可发现的.只有了解您的数据合同的人才能使用您的服务.

From what I understand: If you don't have a MEX endpoint / WSDL, your service is basically non-discoverable. Only people who have knowledge of your data contract should be able to consume your service.

这个断言是否成立，还是互联网的恶意居民有办法弄清楚如何调用/使用没有MEX端点的服务?

Does this assertion hold water, or are there ways for malicious denizens of the internet to figure out how to invoke/consume services that have no MEX endpoint?

正如安德鲁指出的那样，不应认为此策略是真正安全的.我想知道的是，在与外部消费者进行质量检查阶段，是否可以安全地免受随机滥用的侵害.

As Andrew pointed out, this strategy should not be considered to be truly secure. I'm wondering more along the lines of if it is safe from random abuse during a QA phase with external consumers.

推荐答案

取决于您对安全性的定义.这是一种默默无闻的安全保护方式，对您的个人进行列表服务可能不错，但对于金融应用程序则不可接受.

Depends on your definition of secure. It's a case of security by obscurity, which might be fine for your personal to do list service, but unacceptable for a financial app.

SOAP等不是/that/复杂的，因此黑客并非不可能猜测一些输入，尽管取决于服务，这是非常不可能的(甚至在数学上是不可行的).但是，如果您分发了可以进行反向工程的客户端，或者如果有人设法嗅探到您对服务的合法使用，那么他们几乎可以肯定会利用它吗?

SOAP etc is not /that/ complicated, so it's not impossible that a hacker could guess some inputs, although depending on the service, it could be very unlikely (even mathematically unfeasible). However if you distribute a client that could be reverse engineered, or if someone manages to packet sniff legitimate use of your service, then they could almost certainly exploit it?

这篇关于不带MEX端点的带有BasicHttpBinding的WCF服务可以被绝对陌生人利用吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！