Forum Discussion
Restrict access to DWS.asmx and People.asmx on a Forms Based Authentication Site.
- Jun 21, 2017
Hey Luis, hope you are well. Added some comments for you:
1. As an anonymous user I can go to _vti_bin/DWS.asmx and see the contract of the service; according to the client that is a vulnerability. Is it? Not really, as you cannot interact with it. To change that you can add web.config entries so that it prompts for authentication when someone tries to access that. This is done using something like the following, where you are allowing authenticated users and blocking anonymous ones, or just set it to allow authenticated users. Of course you need to test this:
<location path="_vti_bin/DWS.asmx">
  <system.webServer>
    <security>
      <authorization>
        <!-- drop the inherited allow-all rule so only the rules below apply to this endpoint -->
        <remove users="*" roles="" verbs="" />
        <!-- "?" = anonymous users; deny them before the allow rule -->
        <add accessType="Deny" users="?" />
        <!-- "*" = all users, i.e. every authenticated user once anonymous is denied -->
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</location>

2. Same applies for people.asmx
Same thing can be done here too.
3. When logged in as a Forms Based Authentication user, then with SoapUI those users can interact with the services, retrieving information about users.
This is expected behaviour, as you are an authenticated user and should be able to call into the services to retrieve data. You could once again modify who can get access to the endpoints using the same approach, but this time restrict to specific groups, roles or even accounts. Using something similar to this: <add accessType="Allow" roles="Administrators" />
Hope this helps.
Liam
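Added example, not part of Liam's reply: one web.config fragment that applies the role-based restriction from point 3 to both endpoints at once. It assumes the IIS URL Authorization module is installed on the web front end, that the site's Forms Based Authentication role provider exposes a role named "ServiceConsumers" (a hypothetical name; substitute your own), and that the farm's Windows administrators should keep access as well.

```xml
<!-- Added example (not from the original post). Assumptions: IIS URL Authorization
     is installed, and "ServiceConsumers" is a hypothetical FBA role name. -->
<configuration>
  <!-- DWS.asmx: anonymous denied, only the named role and local admins allowed -->
  <location path="_vti_bin/DWS.asmx">
    <system.webServer>
      <security>
        <authorization>
          <!-- remove the inherited allow-all rule; without this the allow rule from
               applicationHost.config still lets everyone through -->
          <remove users="*" roles="" verbs="" />
          <!-- "?" matches anonymous requests -->
          <add accessType="Deny" users="?" />
          <!-- roles are resolved by the site's configured role provider (FBA) -->
          <add accessType="Allow" roles="ServiceConsumers" />
          <add accessType="Allow" roles="Administrators" />
        </authorization>
      </security>
    </system.webServer>
  </location>

  <!-- People.asmx: same rule set -->
  <location path="_vti_bin/People.asmx">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" roles="ServiceConsumers" />
          <add accessType="Allow" roles="Administrators" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The <remove> line is the part people most often leave out: the site inherits an Allow-everyone rule from applicationHost.config, and with it still in place a later Deny or narrower Allow may never take effect. After applying the change, test three cases against each endpoint: anonymous (expect a 401), an FBA account outside the role (expect 401/403), and an FBA account in the role (expect the WSDL and SOAP calls to work as before).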