Support us .Net Basics C# SQL ASP.NET Aarvi MVC Slides C# Programs Subscribe Download

Part 14 - Risks of implementing IExtensibleDataObject interface

Suggested Videos
Part 11 - Difference between datacontract and messagecontract in wcf
Part 12 - Backward compatible WCF contract changes
Part 13 - ExtensionDataObject in WCF



In Part 13, we discussed, how to implement IExtensibleDataObject to preserve unknown elements during serialization and deserialization of DataContracts. Please watch Part 13, before proceeding.

The downside of implementing IExtensibleDataObject interface is the risk of Denial of Service attack. Since, the extension data is stored in memory, the attacker may flood the server with requests that contains large number of unknown elements which can lead to system out of memory and DoS.



How to turn off IExtensibleDataObject feature?
One way is to remove the implementation of IExtensibleDataObject interface from all the DataContracts. This should work fine as long as we have a few data contracts on which IExtensibleDataObject interface is implemented. The downside of changing the application code is that we have to rebuild and redeploy services to the production server.

What if there are large number of DataContracts that have implemented IExtensibleDataObject interface?
IExtensibleDataObject can be enabled or disabled using service behavior configuration as shown below. With this option later if we want to enable support, all we need to do is set ignoreExtensionDataObject to false
<behaviors>
  <serviceBehaviors>
    <behavior name="ignoreExtensionData">
      <dataContractSerializer ignoreExtensionDataObject="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

This can also be done programatically using ServiceBehaviorAttribute. Set IgnoreExtensionDataObject property to true.
[ServiceBehavior(IgnoreExtensionDataObject = true)]
public class EmployeeService : IEmployeeService

When IExtensibleDataObject feature is turned off, the deserializer will not populate the ExtensionData property.

wcf tutorial

No comments:

Post a Comment

It would be great if you can help share these free resources