Abstract:
Publicly exposing information about a service can provide attackers with valuable insight into how they might exploit the service.
Explanation:
The <serviceMetadata> tag enables the metadata publishing feature. Service metadata could contain sensitive information that should not be publicly accessible.
Recommendations:
At a minimum, only allow trusted users to access the metadata and ensure that unnecessary information is not exposed.
Better yet, entirely disable the ability to publish metadata. A safe WCF configuration will not contain the <serviceMetadata> tag.
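One way to check a configuration file against this recommendation, as an added example that is not part of the original page: the script lists every service behavior that contains <serviceMetadata>, whether HTTP GET retrieval is switched on, and which services use that behavior. The sample configuration, the service and behavior names, and the function name find_metadata_publishing are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (illustration only, not from the original page).
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <services>
      <service name="Demo.OrderService" behaviorConfiguration="publicMeta" />
      <service name="Demo.AuditService" behaviorConfiguration="locked" />
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="publicMeta">
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
        <behavior name="locked">
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""


def find_metadata_publishing(config_xml):
    """Return one finding per <behavior> that contains <serviceMetadata>."""
    root = ET.fromstring(config_xml)
    model = next(root.iter("system.serviceModel"), None)
    if model is None:
        return []
    # Map behavior name -> services that select it via behaviorConfiguration.
    users = {}
    for svc in model.findall("./services/service"):
        users.setdefault(svc.get("behaviorConfiguration", ""), []).append(svc.get("name"))
    findings = []
    for beh in model.findall("./behaviors/serviceBehaviors/behavior"):
        meta = beh.find("serviceMetadata")
        if meta is None:
            continue  # matches the page's "safe" case: no <serviceMetadata> tag
        name = beh.get("name", "")
        # HTTP GET retrieval counts as enabled only when explicitly set to true.
        http_get = [a for a in ("httpGetEnabled", "httpsGetEnabled")
                    if meta.get(a, "false").strip().lower() == "true"]
        findings.append({"behavior": name, "http_get": http_get,
                         "services": users.get(name, [])})
    return findings


if __name__ == "__main__":
    for finding in find_metadata_publishing(SAMPLE_CONFIG):
        print(finding)
```

An empty result means the file contains no <serviceMetadata> tag under its service behaviors, which is the safe state the recommendation describes.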