ASP.NET webservice security? [closed]-CodePudding

Closed. This question needs to be more focused. It is not currently accepting answers.

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 3 days ago.

An edit was submitted for review 3 days ago and failed to reopen the post:

Needs more focus Update the question so it focuses on one problem only by editing this post.

Improve this question

We have an asp.net public webservice for existing customers to order a product:

https://www.example.com/webservices/customers/webservice.asmx?op=OrderProduct

Some of the fields are:

  <CustomerEmailAddress>string</CustomerEmailAddress>
  <CustomerPassword>string</CustomerPassword>
  <ProductCode>string</ProductCode>
  <Quantity>string</Quantity>
  <Color>string</Color>

We use the CustomerEmailAddress and CustomerPassword to check if the customer is legitimate.

Question: How can we stop a non-customer from trying to guess the CustomerPassword and CustomerEmailAddress (including malicious automated scripts to do so)?

We had thought of locking the customer account after 100 incorrect password attempts but if some script tried to guess it then a legitimate customer may have their account blocked (even though it wasn't them trying to access it).

We had also thought of counting access attempts by IP address but we're not sure if someone could forge an IP address. Also we're not sure what happens if they distribute the script to thousands of computers.

UPDATE

I think rather than focus on or punish a particular CustomerEmailAddress, I could simply focus on an IP address that repeatedly gets CustomerEmailAddress or CustomerPassword wrong. E.g. after 100 fails, block the IP for a day. Then a week etc.

That way a particular CustomerEmailAddress won't have their account blocked.

CodePudding user response：

2-factor authentication would have my vote too, best security.

If email/sms/text not possible Time-based One-Time Password could be an option.

The 100 attempts IP block, could be made temporary:

First 100 fail tries lock for X minutes.

Second 100 fail tries lock for X*2 minutes.

etc.

If successful, reset count

CodePudding user response：

Possibly the Update in the original question could suffice:

UPDATE

That way a particular CustomerEmailAddress won't have their account blocked.

CodePudding user response：

You can use 2-factor authentication on time of login by sending OTP to customer's email addresses or SMS on their registered number. This will help identify if any attempt is malicous.