Then there’s the multi-hop problem. Web services frequently pass messages through several intermediaries before they reach
their final destination, undercutting technologies such as SSL, which secures only the connection between two directly communicating parties, not a message’s whole path.
“The idea that you don’t know where your message is going to go actually causes a lot of issues with Web services,” says Rafat
Alvi, senior architect in the office of the CTO at Sun Microsystems.
The verbosity of Web services, which are designed to be self-describing and self-discovering, also presents a problem for
security professionals, says Danny Allan, director of security research at Watchfire, a provider of Web application security
assessment products. “Web services notoriously give way more information in them than is typically expected,” he says.
Giving away the keys
The difficulty of securing Web services — and the inattention paid to its importance — can make seemingly hardened enterprises
vulnerable to some of the oldest tricks in the security book.
A high percentage of Web services interact with databases. SOAP and XML make it easy to disguise malicious payloads, opening
new avenues for buffer-overflow attacks, SQL-injection exploits, and other misdeeds targeting an enterprise’s most vital systems.
Compounding matters, some of the machines exposed using Web services are legacy systems — old Windows NT boxes, for example
— that are much more susceptible to attack than newer systems.
“The same issues we have been dealing with for the last five years can all be manifested through these new technologies,”
says Tom Parker, senior manager in the professional security service group at Verizon Business.
Meanwhile, new classes of exploits targeting Web services have been developed. They include SOAP array overflows, a new variation
on buffer-overflow intrusions in which an attacker sends an XML request declaring an array whose length exceeds what the application has specified, so that a parser trusting the declared length over-allocates or overruns its buffer.
Like conventional buffer overflows and SQL injections, SOAP array attacks are among the most serious because they can expose
confidential data or allow code execution on an organization’s back end.
Other common Web service exploits include XML parser attacks, in which an unbounded input such as an endless string exhausts the parser and causes a denial of service, and
XML external entity attacks, in which a request points to an invalid file, producing an error that may cause the Web service
to disclose information it shouldn’t.
Defensive measures
Although Web services raise risks, organizations that open XML channels need not fall victim to security breaches if they
take proactive measures.
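One such proactive measure, shown here as an added example rather than anything from the article or the vendors it quotes, is to screen every inbound SOAP envelope before it reaches the application: refuse any DTD (which closes the external entity and entity-expansion cases), cap the message size, and cap the element count a SOAP-encoded array is allowed to declare. The size limits and the use of Python’s expat parser are assumptions of this example.

```python
import re
import xml.parsers.expat as expat

MAX_BYTES = 64 * 1024         # assumed limit: refuse oversized envelopes before parsing anything
MAX_DECLARED_ARRAY = 1000     # assumed cap on what a SOAP-encoded array may announce as its size
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"

class RejectedMessage(ValueError):
    """Policy violation; answer with a generic SOAP Fault, never the parser's own error text."""

def declared_array_size(array_type):
    """Element count declared by an arrayType value such as 'xsd:string[3]' or 'xsd:int[2,3]'."""
    match = re.search(r"\[([0-9, ]*)\]\s*$", array_type)
    if match is None:
        raise RejectedMessage("malformed arrayType %r" % array_type)
    dims = [int(d) for d in match.group(1).split(",") if d.strip()]
    size = 1
    for dim in dims:
        size *= dim
    return size if dims else 0

def check_soap_envelope(raw):
    """Parse a SOAP envelope (bytes) under a restrictive policy; return the element count."""
    if len(raw) > MAX_BYTES:
        raise RejectedMessage("envelope larger than %d bytes" % MAX_BYTES)
    parser = expat.ParserCreate(namespace_separator="}")
    seen = {"elements": 0}

    def refuse(reason):
        def handler(*_args):
            raise RejectedMessage(reason)
        return handler
    # Refusing any DTD closes both external entities and recursive entity expansion
    # before a single entity is resolved; the other two handlers are defence in depth.
    parser.StartDoctypeDeclHandler = refuse("DOCTYPE not accepted")
    parser.EntityDeclHandler = refuse("entity declaration not accepted")
    parser.ExternalEntityRefHandler = refuse("external entity not accepted")

    def start_element(name, attrs):
        seen["elements"] += 1
        # A SOAP-encoded array announces its size up front (arrayType="xsd:string[100000]");
        # a parser that trusts the figure pre-allocates for it, so bound it before the body is read.
        array_type = attrs.get(SOAP_ENC + "}arrayType")
        if array_type is not None and declared_array_size(array_type) > MAX_DECLARED_ARRAY:
            raise RejectedMessage("declared array larger than %d elements" % MAX_DECLARED_ARRAY)
    parser.StartElementHandler = start_element
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise RejectedMessage("malformed XML: %s" % exc) from None
    return seen["elements"]
```

Run it in front of the real parser and log each rejection reason; the reason string is for operators, and the client should only ever see a generic fault.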
The obsolescence of perimeter security is hardly new, but the notion gains greater relevance in the world of Web services.
“When people think, ‘Where does my security happen, where is my edge?’ — the edge has gone all fuzzy now,” iSec’s Stamos says.
“Now the edge of your network is on this Web service system, but it’s also on this mainframe, and it’s also on this database,
and it’s also on all these things that people can now indirectly access through a big, federated Web service that you’ve set
up.”