Tuesday, 21 May 2013

(grab a coffee first) Using AST to programmatically create a Proxy class for a WSDL webservice (in this case HacmeBank and Checkmarx ASMX)

For this past week I worked on a way to intercept and change data returned from a C# ASMX web service (exposed via a WSDL).

After trying multiple options (including PostSharp), I found a way to:

Programmatically use AST C# generation (from ICSharpCode.NRefactory and O2 Platform's FluentSharp.REPL APIs) to:

  • create a 'proxy' C# class of an ASMX with the same exposed web methods as the original one
  • by default the new proxy ASMX WebService will call the original WebService's methods (think class A implements class B, with all methods in class A calling the base method from class B)
  • make it easy to extend the new ASMX WebService C# code and change the data sent to / received from the original WebService's methods.
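As an added example (not code from the post or from the O2 Platform), here is the same idea written with System.CodeDom in place of NRefactory/FluentSharp: it reflects over a client class and emits the source of a proxy ASMX class whose [WebMethod]s forward each call to the original service. OriginalServiceClient is a constructed stand-in for the wsdl.exe-generated client, and the GeneratedProxies namespace is an assumption.

```csharp
using System;
using System.CodeDom;
using System.CodeDom.Compiler;
using System.IO;
using System.Linq;
using System.Reflection;

// Constructed stand-in for the client class wsdl.exe would generate from the original WSDL.
public class OriginalServiceClient
{
    public string GetGuidance(int issueId) { return "original guidance"; }
}

public static class AsmxProxyGenerator
{
    // Emits C# source for a class exposing every public method of clientType as a
    // [WebMethod] that, by default, forwards the call to a new instance of the client.
    public static string GenerateProxySource(Type clientType, string proxyName)
    {
        var ns = new CodeNamespace("GeneratedProxies");   // namespace name is an assumption
        var proxy = new CodeTypeDeclaration(proxyName) { IsClass = true };
        proxy.BaseTypes.Add(new CodeTypeReference("System.Web.Services.WebService"));
        proxy.CustomAttributes.Add(new CodeAttributeDeclaration("System.Web.Services.WebService"));
        ns.Types.Add(proxy);
        var flags = BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly;
        foreach (var m in clientType.GetMethods(flags).Where(x => !x.IsSpecialName))
        {
            var method = new CodeMemberMethod { Name = m.Name, ReturnType = new CodeTypeReference(m.ReturnType),
                                                Attributes = MemberAttributes.Public | MemberAttributes.Final };
            method.CustomAttributes.Add(new CodeAttributeDeclaration("System.Web.Services.WebMethod"));
            foreach (var p in m.GetParameters())
                method.Parameters.Add(new CodeParameterDeclarationExpression(p.ParameterType, p.Name));
            var args = m.GetParameters().Select(p => (CodeExpression)new CodeArgumentReferenceExpression(p.Name)).ToArray();
            // Body: var original = new <client>(); [return] original.<Method>(args);
            // The generated method is the hook point where data can be inspected or rewritten around the call.
            method.Statements.Add(new CodeVariableDeclarationStatement(clientType, "original", new CodeObjectCreateExpression(clientType)));
            var call = new CodeMethodInvokeExpression(new CodeVariableReferenceExpression("original"), m.Name, args);
            method.Statements.Add(m.ReturnType == typeof(void) ? (CodeStatement)new CodeExpressionStatement(call)
                                                                : new CodeMethodReturnStatement(call));
            proxy.Members.Add(method);
        }
        var unit = new CodeCompileUnit(); unit.Namespaces.Add(ns);
        using (var writer = new StringWriter())
        {
            CodeDomProvider.CreateProvider("CSharp").GenerateCodeFromCompileUnit(unit, writer, new CodeGeneratorOptions { BracingStyle = "C" });
            return writer.ToString();   // write this to e.g. HacmeBankProxy.asmx.cs inside the proxy web project
        }
    }
}
```

Calling GenerateProxySource(typeof(OriginalServiceClient), "HacmeBankProxy") yields a compilable class with one forwarding GetGuidance web method; editing the emitted body is where the data-changing logic from the post would go.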

While I was working on the solution, I created a number of (long) blog posts that explain in detail all the steps I took to create the 'proxy' C# of an ASMX.

Here they are, ordered by creation date (so if you want to see the final result, look at the last one):
To give an idea of what is described in the posts linked above, here is the script that creates the WebService 'proxy' source files (all the way from the original WSDL):

The script shown above uses the API_ASMX_Proxy class...

...which uses AST manipulation technology like this:

... to programmatically create this ASMX C# file:

...which was used (with some extra code) to replace the normal security guidance shown in the Checkmarx CxClient desktop app (note the description shown for SQL Injection)

... with TeamMentor's guidance (note the description shown for Command Injection):

I'm really happy with how this 'proxy generation' technique worked out, since it scales quite well, is easy to create and I think there are tons of places where it could be used:

  • WebServices call monitoring/logging
  • Recording and replaying of WebServices calls (useful for UnitTest's mocking)
  • Security testing of WebServices (both to and from the WebServices)
  • Patching vulnerabilities that exist on particular WebServices methods