I have an ASP.NET website that heavily uses JSON services. The basic structure is: jQuery Plugins -> JSON Service -> Server-Side BAL.
But, this solution is obviously not secure, since a malicious user can run a tool such as Fiddler and capture JSON calls on their machine, then replay these JSON calls changing parameters, etc.
If I were to put the web services folder under SSL, what protections would it give me? I tried putting the entire site under SSL, but still running Fiddler I can see clear-text messages going to HTTPS protocol, and I can replay those messages from Fiddler with the same or changed parameters.
I obviously have little knowledge about SSL and need some help. Does it sound like my SSL is not setup correctly, or being able to see SSL traffic via Fiddler is expected? If the latter, what protection does SSL provide in my scenario?
Thank you.
SSL only encrypts the transport. Meaning a third party cannot eavesdrop on the data exchange between the client and your server. It does not add any security features to the server or service itself.
What you need is a proper authentication, permission and validation system. Every request needs to be checked for its validity. Be prepared to receive any sort of request with any sort of parameters, be that because the user fiddled with the parameters, because of a bug in your code or whatever. If a request is invalid, meaning if a particular user is not allowed to do a certain thing, reject the request.
This is not some addon technology you can implement, it's a core design consideration of your service.