Reputation: 1789
I'm a beginner using web services with jQuery, so pardon me for asking dumb questions.
So the story goes like this. I have a new website that I built using jQuery, which calls web services as part of some AJAX calls, for example:
    $.ajax({
        type: "POST",
        url: "/WSProxy.asmx/AddressLookup",
        // Serialize the argument object instead of concatenating the user's
        // input into a JSON string, so quotes or braces typed into the field
        // cannot break (or alter) the request body.
        data: JSON.stringify({ query: $('#location').val() }),
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function (data) {
            // ASMX JSON responses wrap the return value in a "d" property.
            $("#location").autocomplete({
                minLength: 3,
                source: data.d
            });
        }
    });
Now, if I get it right, everyone now knows that I have a web service that can be accessed through http://www.mywebsite.com/WSProxy.asmx, and can basically query the functions that are being exposed and call them as they like. My questions:
My site is using .NET / C# as the backend/middle-tier platform, and the web service is also written in C#.
Please help.
Upvotes: 1
Views: 402
Reputation: 31
You have to secure the service itself.
Put all security there by adding sessions for authenticated callers inside a service responsible for security.
For each call to your service exposed by JavaScript, you have to check through the authentication service whether there is a session for this person or not; if not, block it.
Upvotes: 1
Reputation: 5911
Yes, any JavaScript and HTML is always exposed.
Yes and no. You can refer to the incoming HTTP request URL, but that can be faked.
So the rule is not to try to expose any sensitive parts.
Upvotes: 1
Reputation: 1113
Basically everything you throw to JavaScript and HTML is exposed. You can, though, secure it a bit anyway. You can check the Referer of the request to be sure it comes from your site, but the Referer can be faked if a web server is used. Another thing we did on a similar project was to get the URL of the web service in an AJAX call so that it does not appear in the source code. As dumb as it is, it may stop some low-level data harvesters.
If it is not a public resource, you can add some logging in.
Upvotes: 0
Reputation: 28160
Anybody looking at your AJAX calls will see what address and format your webservice uses, so yes, providing it will expose it (there is not much point to a service which is not exposed). You can make it harder to use it without visiting your site (e.g. you can put a token in the HTML code and require it to be present in the web service calls), but cannot fully prevent someone from writing code which will download a page from your site and then use your service while pretending to be a browser looking at that page.
Upvotes: 0
Reputation: 5559
Yes, anybody can call your web service (it's easy to learn; just look at Firebug/developer tools to see what the browser does).
You can have the user log in before he can call the webservice. Or give him a token (like a CSRF token). Or design some signature mechanism (but then you have to know which arguments he's going to use).
Upvotes: 0