?
Solved

Does my Silverlight/Web Service solution have a security vulnerability?

Posted on 2011-03-08
2
Medium Priority
?
573 Views
Last Modified: 2012-05-11
I'm building one of my first silverlight applications.  The silverlight will be hosted within Microsoft CRM 2011 Online.  It will need to access a web service that I am creating that is hosted on the clients server which is a different domain than the silverlight application.  

Users who access the silverlight application via CRM 2011 have already been authenticated by CRM and have permission to access the data in the web service.  The webservice doesn't need to know which user is making the request, just that it is an authenticated user of CRM.  

I am planning on setting up SSL on the server that hosts the web service and adding the domain of the crm system to the crossdomain.xml file.

Because this is my first silverlight application I'm concerned that I may accidentally be leaving a security vulnerability.  I would appreciate a response on whether.

1.  My solution is vulnerable to data being intercepted when it is communicated between Silverlight and the webservice.

2.  My solution is vulnerable to impersonation by a malicious user trying to query the web service.

3.  If there are any other security vulnerabilities I need to be aware of.

Thank you for your consideration.
0
Comment
Question by:sanw2020
  • 2
2 Comments
 
LVL 41

Accepted Solution

by:
Kyle Abrahams earned 2000 total points
ID: 35072175
for 1:  use HTTPS . . . optionally you can also encrypt the results of a service call before sending and decrypt them locally.

for 2: Not sure how you're sharing the token.  If you're using windows auth impersonation is always possible.

for 3:  In general assume the client is always compromised.  All validation should be server side.

General securing tips:
http://msdn.microsoft.com/en-us/magazine/ff646975.aspx
0
 
LVL 41

Expert Comment

by:Kyle Abrahams
ID: 35258482
Do you need further assistance?
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Relic recently released its Synthetics product that allows for the creation of performance monitors that periodically test a site's performance. If you wish to test an interactive workflow New Relic employs Selenium WebDriverJS to run those test…
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
The purpose of this video is to demonstrate how to set up the WordPress backend so that each page automatically generates a Mailchimp signup form in the sidebar. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question