AttackFlow Findings Dictionary

Finding A Way To Try AttackFlow Enterprise Edition?

If so, click to download 15 days full version for free!

WCF Unsafe Documentation Protocol

Detailed documentation information of an application endpoints may allow attackers to deduce internal details of an application that will leverage further attacks

Severity

Medium

Fix Cost

Low

Trust Level

High

ASP.NET Web services facilitate the development of Web services clients by automatically generating documentation that describes how to communicate with the Web service. Web services that have the documentation protocol enabled generate an HTML-formatted page when a browser request is received. This HTML-formatted page describes the following information:

  • The operations that are supported
  • The parameters that each operation accepts
  • The type of data that should be passed in those parameters

The documentation protocol also generates an XML-formatted Web

Services Description Language (WSDL) file. This file is designed to allow applications to understand how to structure requests to the Web service.

This information can be very useful to developers, especially developers who create clients for public Web services. However, revealing detailed information about the functionality of private Web services increases the risk that the Web service will be misused by a malicious attacker. The Documentation protocol always describes all functions and parameters of a Web service — even if only a subset of those functions are intended to be publicly accessible.

Finding A Way To Purchase AttackFlow Enterprise Edition?

If so, click to buy now for yearly subscriptions!