Other Information
WSDL Files
The XML-formatted Web Services Description Language (WSDL) file describes how to structure requests to a web service. This information is very useful to developers, especially those who write clients for public web services. However, revealing detailed information about the functionality of private web services increases the risk that a malicious attacker could misuse them. To reduce this risk, disable WSDL generation so that the service description is not served by the application server.
To disable WSDL file generation, open the web.config of the LCMService and LCMWebService components with a suitable editor. These files are located at <AE Install Folder>/AE/LCMService and <AE Install Folder>/AE/LCMWebService, respectively. Go to the following section:
<behaviors>
  <serviceBehaviors>
    <behavior name="ValidatorBehavior">
      <serviceMetadata httpGetEnabled="False" />
      <serviceDebug includeExceptionDetailInFaults="False" />
    </behavior>
  </serviceBehaviors>
</behaviors>
Ensure that the httpGetEnabled attribute is set to False. The WSDL file is shipped separately as part of the product deliverable.
Note:
Add the above section to the web.config files if it is not already present.
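The following script is an added example, not part of the product or this documentation: it parses a web.config and reports any behavior where httpGetEnabled (or httpsGetEnabled) is True, where includeExceptionDetailInFaults is True, or where the serviceMetadata element is missing altogether. It also flags a WCF metadata exchange (IMetadataExchange) endpoint, which publishes the same metadata independently of httpGetEnabled. The embedded web.config is a constructed sample, not a real LCMService file.

```python
"""Audit a WCF web.config for the metadata settings described above."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real LCMService file): the first behavior still
# publishes WSDL over GET and leaks fault details; the second is hardened.
SAMPLE_WEB_CONFIG = """<configuration><system.serviceModel>
  <services><service name="LCMService" behaviorConfiguration="ValidatorBehavior">
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service></services>
  <behaviors><serviceBehaviors>
    <behavior name="ValidatorBehavior">
      <serviceMetadata httpGetEnabled="True" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
    <behavior name="HardenedBehavior">
      <serviceMetadata httpGetEnabled="False" />
      <serviceDebug includeExceptionDetailInFaults="False" />
    </behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

def _is_true(value):
    # .NET config booleans are case-insensitive; a missing attribute means
    # the WCF default, which is false for all three settings checked here.
    return (value or "false").strip().lower() == "true"

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the file is clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for behavior in root.iter("behavior"):
        name = behavior.get("name", "(unnamed)")
        meta = behavior.find("serviceMetadata")
        if meta is None:
            findings.append(f"{name}: serviceMetadata element missing, add it")
        else:
            for attr in ("httpGetEnabled", "httpsGetEnabled"):
                if _is_true(meta.get(attr)):
                    findings.append(f"{name}: serviceMetadata {attr} is True")
        debug = behavior.find("serviceDebug")
        if debug is not None and _is_true(debug.get("includeExceptionDetailInFaults")):
            findings.append(f"{name}: includeExceptionDetailInFaults is True")
    # A MEX endpoint publishes metadata regardless of httpGetEnabled.
    for endpoint in root.iter("endpoint"):
        if endpoint.get("contract") == "IMetadataExchange":
            findings.append(f"endpoint '{endpoint.get('address')}': MEX exposed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_web_config(SAMPLE_WEB_CONFIG)) or "clean")
```

Run it against each of the two web.config files after editing; an empty result confirms the settings shown above are in effect.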
HTTPS
For enhanced security, the Campaign Manager application and Workspace can both be configured to communicate over SSL. This ensures that all data transmitted between the browser and the Campaign Manager application server is encrypted.
Server-Side Validation
Campaign Manager performs server-side validation using .NET Framework authorization filters. The application validates the token received with the request and checks that the caller holds the required rights. If a request targets a resource the caller is not authorized for, the application returns HttpStatusCodeResult(HttpStatusCode.Unauthorized).
Logging
As part of the audit trail, user login and logout activities are captured in the Campaign Manager application logs:
- The client IP address is logged at login.
- Logout requests from client users are logged. However, during client logout, the Windows Server Failover Clustering IP addresses are stored in the logs.
Sensitive Information Disclosure
Sensitive information such as passwords is masked in the Campaign Manager application. For example, when retrieving an existing user's information, the application does not retrieve the actual password from the database for display; instead, the value is retrieved and masked internally as ********. When the user password is changed as part of editing the user information, the new password is encrypted and updated in the database.
The only exception is the Application Parameter configuration, where the password is not masked internally because it is required to connect to and validate against the RDS database.
Authorization Bypass or Privilege Escalation
All JSON requests and responses that handle sensitive data are fully encoded, so users cannot manipulate responses.
Encoding Requests and Responses
Encoding sensitive requests and responses protects against the following risks:
- License bypass: users without a license are not logged in.
- User enumeration is properly handled via the audit trail.
- Abuse of application logic is averted.
Cross-site Request Forgery
For every HTTP POST message, the application validates the token carried in the header. This prevents an attacker from tricking a legitimate user into submitting an action on the attacker's behalf.