I have WCF service coded using visual studio and C# that contains one method
public interface IMyService
{
[OperationContract]
SendDataResponse SendData(SendDataRequest Request);
}
the data contact for this method includes
[DataContract]
public class SendDataRequest{
[DataMember]
public int ID { get; set; }
[DataMember]
public String Name { get; set; }
}
[DataContract]
public class SendDataResponse
{
[DataMember]
public int Code { get; set; }
[DataMember]
public String Message { get; set; }
}
the binding for this service is custom binding with these options
<binding name="CustomSoapBinding">
<security includeTimestamp="false"
authenticationMode="UserNameOverTransport"
defaultAlgorithmSuite="Basic256Sha256"
keyEntropyMode="ServerEntropy"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireDerivedKeys="true"
requireSignatureConfirmation="true"
messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
</security>
<textMessageEncoding messageVersion="Soap11">
<readerQuotas maxDepth="32" maxStringContentLength="5242880" maxArrayLength="2147483646" maxBytesPerRead="4096" maxNameTableCharCount="5242880"/>
</textMessageEncoding>
<httpsTransport maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000" />
</binding>
I can test using SoapUI without any problem , The soap message is
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tah="http://schemas.datacontract.org/2004/07/Tahseel.LoaderWcfService" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:SendData>
<tem:Request>
<tah:ID>123</tah:ID>
<tah:Name>Test</tah:Name>
</tem:Request>
</tem:SendData>
</soapenv:Body>
</soapenv:Envelope>
now the problem when the untrusted soap message contain any vulnerable text received via the endpoint the service will receive and start deserialize before validate it that may cause security attack to the system .
how to prevent deserializing untrusted user input?