We have a WCF service that uses wsHttpBinding. The sample requests I generate include a timestamp which is validated by WCF for each request:
<u:Timestamp u:Id="_0">
    <u:Created>2013-11-02T16:58:24.575Z</u:Created>
    <u:Expires>2013-11-02T17:03:24.575Z</u:Expires>
</u:Timestamp>
We recently had the service pen-tested, and the tester noticed that it's possible to simply omit the timestamp element, and requests are accepted without it.
I'm reviewing the report, and I'd like to add an explanation for this. Unfortunately, I've had a good search and I can't find any resources which explain it, or even mention it.
So my questions are:
This is the service binding config:
<wsHttpBinding>
    <binding name="usernameHttps" maxReceivedMessageSize="2147483647">
        <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" establishSecurityContext="false" />
        </security>
    </binding>
</wsHttpBinding>
This is the client binding config:
<wsHttpBinding>
    <binding name="WSHttpBinding_IService" maxReceivedMessageSize="2147483647">
        <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" establishSecurityContext="false" />
        </security>
    </binding>
</wsHttpBinding>
I got an answer to this from the MS forums:
- Why is this optional?
The timestamp is optional because it is the receiver that has to take action on it; from MSDN http://msdn.microsoft.com/en-us/library/ms977327.aspx:
"By knowing the creation and expiration time, a receiver can decide if the data is new enough for its own use or if the data has become so stale that the message should be discarded."
- In case I'm asked, is it possible to make the timestamp mandatory?
YES, as explained above it is your service logic that needs to do that. The easiest way is to add an interceptor in the WCF processing pipeline that checks for this header and throws an error if it is not found: http://msdn.microsoft.com/en-us/magazine/cc163302.aspx
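One way to build the interceptor the forum answer describes, as an added example (not code from the MS forum post or from the question's own project): an IDispatchMessageInspector that rejects any request whose WS-Security header carries no wsu:Timestamp, plus the endpoint behavior that installs it. The class names are assumed, and it assumes the Security header is still visible to message inspectors after WCF has verified the message.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Hypothetical inspector: fails the request when <u:Timestamp> is absent.
// WCF only validates a timestamp that is present; this makes presence mandatory.
public class RequireTimestampInspector : IDispatchMessageInspector
{
    private const string WsseNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private const string WsuNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        bool hasTimestamp = false;
        // Headers are buffered by WCF, so reading them does not consume the body.
        int index = request.Headers.FindHeader("Security", WsseNs);
        if (index >= 0)
        {
            using (XmlDictionaryReader reader = request.Headers.GetReaderAtHeader(index))
            {
                // Look for <u:Timestamp> anywhere inside the Security header.
                hasTimestamp = reader.ReadToDescendant("Timestamp", WsuNs);
            }
        }
        if (!hasTimestamp)
            throw new FaultException("A wsu:Timestamp element is required in the Security header.");
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Hypothetical endpoint behavior that plugs the inspector into the dispatch pipeline.
public class RequireTimestampBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    {
        dispatcher.DispatchRuntime.MessageInspectors.Add(new RequireTimestampInspector());
    }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Attach it to the service endpoint before opening the host, for example with `host.Description.Endpoints[0].Behaviors.Add(new RequireTimestampBehavior());`, and confirm the fix by replaying the pen-tester's timestamp-less request and checking that a fault comes back.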