Why you should read comments in boilerplate WCF RIA Services code or hackers will read your names and passwords.

Because I am currently working on a WCF RIA Services project, I was eager to dive into the code that is generated from the Silverlight Business Application template. I have to commend the team members on the WCF RIA Services project @ Microsoft, because they have written many comments (and they didn't have to).

In one of those comments, in the Services subfolder of the web application, I saw something like this:

    using System.ServiceModel.DomainServices.Hosting;
    using System.ServiceModel.DomainServices.Server.ApplicationServices;

    // TODO: Switch to a secure endpoint when deploying the application.
    // The user's name and password should only be passed using https.
    // To do this, set the RequiresSecureEndpoint property on EnableClientAccessAttribute to true.
    //
    // [EnableClientAccess(RequiresSecureEndpoint = true)]
    //
    // More information on using https with a Domain Service can be found on MSDN.

    /// <summary>
    /// Domain Service responsible for authenticating users when they log on to the application.
    ///
    /// Most of the functionality is already provided by the AuthenticationBase class.
    /// </summary>
    [EnableClientAccess]
    public class AuthenticationService : AuthenticationBase<User> { }

Hmm, of course they knew why they wrote a comment like this. So once again I fired up Fiddler and listened. I logged in to the Silverlight application and used the word dusan (my name :)) as both the name and the password. As you can see in the attached file (a request saved from Fiddler), my name and password are there in plaintext:

[Attachment: req (request saved from Fiddler)]

Everything is binary serialized by the WCF tier but not encrypted, so it is HIGHLY recommended to use https, which will take care of this. So when deploying your application, don't forget to use https even in an intranet environment. I definitely would.
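As an added example (not the template's own code), here is the weak service as it ships next to the hardened one, plus a request filter that refuses plain-http calls so that a forgotten RequiresSecureEndpoint cannot silently go to production. The namespaces are the RIA Services ones; the User class is the one the template generates, and placing the filter in Global.asax.cs is my own assumption.

```csharp
using System;
using System.Net;
using System.Web;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server.ApplicationServices;

namespace BusinessApplication.Web
{
    // Weak (what the template ships): the service is exposed on whatever
    // endpoint the site offers, so over http the login request carries
    // the name and password in clear text, as the Fiddler capture shows.
    //
    // [EnableClientAccess]
    // public class AuthenticationService : AuthenticationBase<User> { }

    // Hardened: the domain service is only exposed on an https endpoint,
    // which is exactly what the template's TODO comment asks for.
    [EnableClientAccess(RequiresSecureEndpoint = true)]
    public class AuthenticationService : AuthenticationBase<User> { }

    // Site-wide backstop (assumption: this goes into Global.asax.cs).
    // A request that did not arrive over TLS is answered with 403 and
    // never reaches a domain service, so no credential or authentication
    // cookie is accepted over http even if an attribute is missed.
    public class Global : HttpApplication
    {
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            if (!Request.IsSecureConnection)
            {
                Response.StatusCode = (int)HttpStatusCode.Forbidden;
                Response.Write("https is required");
                CompleteRequest();
            }
        }
    }
}
```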
