不带MEX端点的带有BasicHttpBinding的WCF服务可以被绝对陌生人吗?
问题说明
据我了解:如果您没有MEX端点/WSDL,则您的服务基本上是不可发现的.只有了解您的数据合同的人才能使用您的服务.
From what I understand: If you don't have a MEX endpoint / WSDL, your service is basically non-discoverable. Only people who have knowledge of your data contract should be able to consume your service.
这个断言是否成立,还是互联网的恶意居民有办法弄清楚如何调用/使用没有MEX端点的服务?
Does this assertion hold water, or are there ways for malicious denizens of the internet to figure out how to invoke/consume services that have no MEX endpoint?
正如安德鲁指出的那样,不应认为此策略是真正安全的.我想知道的是,在与外部消费者进行质量检查阶段,是否可以安全地免受随机滥用的侵害.
As Andrew pointed out, this strategy should not be considered to be truly secure. I'm wondering more along the lines of if it is safe from random abuse during a QA phase with external consumers.
正确答案
取决于您对安全性的定义.这是一种默默无闻的安全保护方式,对您的个人进行列表服务可能不错,但对于金融应用程序则不可接受.
Depends on your definition of secure. It's a case of security by obscurity, which might be fine for your personal to do list service, but unacceptable for a financial app.
SOAP等不是/that/复杂的,因此黑客并非不可能猜测一些输入,尽管取决于服务,这是非常不可能的(甚至在数学上是不可行的).但是,如果您分发了可以进行反向工程的客户端,或者如果有人设法嗅探到您对服务的合法使用,那么他们几乎可以肯定会利用它吗?
SOAP etc is not /that/ complicated, so it's not impossible that a hacker could guess some inputs, although depending on the service, it could be very unlikely (even mathematically unfeasible). However if you distribute a client that could be reverse engineered, or if someone manages to packet sniff legitimate use of your service, then they could almost certainly exploit it?
这篇好文章是转载于:学新通技术网
