- Message data may be malformed for malicious intentions such as injection attacks
- XML serialization helps validate some data types as XML data from the message is transformed into .Net data types – but this does not prevent against malicious content within a string being used for XML or SQL injection attacks etc.
- Client side validation cannot be trusted by a service
- Assume that all input data is malicious until proven otherwise, and use message validation to protect against input attacks, such as SQL injection, buffer overflows, and other types of attacks.
- See the Message Validation Design Pattern for a detailed analysis of detecting replayed web service messages:
- See the Implementing Message Replay Detection Design Pattern for information on how to implement this pattern using Microsoft WSE 3.0
- We also have a quickstart for this pattern available on our GotDotNet workspace - see http://practices.gotdotnet.com/projects/sopatterns