Tampering

Tampering is the act of altering a message, or the delivery of a message, and using the altered message for a purpose other than what it was intended for.

Do Not Disable WS-Addressing

The WS-Addressing specification provides address headers on each message, allowing a message recipient to verify the sender of the message. You can disable this feature by setting the Addressing property to None.

When the security mode is set to Message and WS-Addressing is disabled, an attacker could take a request from a client and send it to another service, and the second service has no way of detecting that the message came from the original client. In effect, the first service can pretend that it is a client when talking to the second service.

To mitigate this, never set the Addressing property to None, and avoid any MessageVersion, such as the static Soap12 property, that sets the Addressing property to None.
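The following added example (not part of the original page) shows a binding built with `MessageVersion.Soap12` beside one built with `MessageVersion.Soap12WSAddressing10`, and a startup check that refuses to open a host whose endpoints have addressing disabled. The class names `AddressingGuard` and `Demo` are hypothetical, and the bindings use plain HTTP transport only to keep the sample short.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.Text;

// Hypothetical helper for this example; not a WCF type.
public static class AddressingGuard
{
    // True when the binding's message version carries no WS-Addressing headers.
    public static bool AddressingDisabled(Binding binding)
    {
        return binding.MessageVersion.Addressing == AddressingVersion.None;
    }

    // Call before host.Open(): fail fast if any endpoint has addressing disabled.
    public static void Validate(ServiceHostBase host)
    {
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
        {
            if (AddressingDisabled(ep.Binding))
                throw new InvalidOperationException(
                    "Endpoint '" + ep.Address.Uri + "' uses " + ep.Binding.MessageVersion +
                    ", which sets Addressing to None.");
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Weak: the static Soap12 property sets Addressing to None.
        var weak = new CustomBinding(
            new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8),
            new HttpTransportBindingElement());

        // Corrected: SOAP 1.2 with WS-Addressing 1.0 headers on every message.
        var corrected = new CustomBinding(
            new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8),
            new HttpTransportBindingElement());

        Console.WriteLine("weak: addressing disabled = " + AddressingGuard.AddressingDisabled(weak));
        Console.WriteLine("corrected: addressing disabled = " + AddressingGuard.AddressingDisabled(corrected));
    }
}
```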
