Another common reason for vulnerabilities is the belief that security is the other guy’s responsibility, says Paul Henry, vice president of technology evangelism at Secure Computing, which provides gateway devices to help secure Web services. “Unfortunately, you’ll have a team that’s working on the front-end software, and a separate team on the back end,” he explains. “Both assume the other has taken care of security.” What’s more, enterprises tend to design Web service applications from scratch rather than buying them from vendors that have put them through rigorous testing.
Then there’s the multi-hop problem. Web services frequently pass messages through several intermediaries before they reach their final destination, undercutting transport-level technologies such as SSL, which secures only a single connection between two endpoints; once an intermediary decrypts the message, that protection ends.
“The idea that you don’t know where your message is going to go actually causes a lot of issues with Web services,” says Rafat Alvi, senior architect in the office of the CTO at Sun Microsystems.
The verbosity of Web services, which are designed to be self-describing and self-discovering, also presents a problem for security professionals, says Danny Allan, director of security research at Watchfire, a provider of Web application security assessment products. “Web services notoriously give way more information in them than is typically expected,” he says.
Giving away the keys
The difficulty of securing Web services — and the inattention paid to its importance — can make seemingly hardened enterprises vulnerable to some of the oldest tricks in the security book.
A high percentage of Web services interact with databases. SOAP and XML make it easy to disguise malicious payloads, opening new avenues for buffer-overflow attacks, SQL-injection exploits, and other misdeeds targeting an enterprise’s most vital systems. Compounding matters, some of the machines exposed using Web services are legacy systems — old Windows NT boxes, for example — that are much more susceptible to attack than newer systems.
Meanwhile, new classes of exploits targeting Web services have been developed. They include SOAP array overflows, a new variation on buffer-overflow intrusions in which an attacker sends an XML request whose declared array length exceeds the size the service was written to expect. Like conventional buffer overflows and SQL injections, SOAP array attacks are among the most serious because they can expose confidential data or allow code execution on an organization’s back end.
Other common Web service exploits include XML parser attacks, in which an infinite string leads to a denial of service, and XML external entity attacks, in which a request points to an invalid file, resulting in an error that may cause the Web service to give out information it shouldn’t disclose.
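As an added defender's example (not from the article or from any vendor it mentions), the following Python checks an incoming SOAP message for the three message-level problems described above: it refuses DOCTYPE and entity declarations (external entity and entity-expansion attacks), caps total character data (the oversized-string parser attack), and requires every SOAP-encoded array to carry exactly the number of items its arrayType declares (SOAP array overflow). The character-data limit is a constructed value, and only single-dimension fixed-size arrayType declarations are handled.

```python
import re
import xml.parsers.expat

SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
MAX_TEXT_CHARS = 4096  # constructed cap on total character data per message

class SoapSafetyError(ValueError):
    """Raised when an incoming message fails one of the checks below."""

def check_soap_message(data, max_text_chars=MAX_TEXT_CHARS):
    """Defensive SOAP parse: no DTD (XXE / entity expansion), capped text (oversized
    string DoS), and every SOAP-ENC array must carry exactly its declared length."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.buffer_text = True
    stack = []                      # per open element: [declared_len or None, children]
    stats = {"arrays": 0, "text_chars": 0}

    def refuse(*_args):             # any DTD construct ends parsing immediately
        raise SoapSafetyError("DOCTYPE and entity declarations are not allowed")

    def start(name, attrs):
        if stack:
            stack[-1][1] += 1       # this element is a child of the one enclosing it
        declared = None
        array_type = attrs.get(SOAP_ENC + " arrayType")   # e.g. "xsd:int[2]"
        if array_type is not None:
            m = re.fullmatch(r"[^\[\]]+\[(\d+)\]", array_type)  # one fixed dimension only
            if m is None:
                raise SoapSafetyError(f"unsupported arrayType {array_type!r}")
            declared = int(m.group(1))
        stack.append([declared, 0])

    def end(_name):
        declared, children = stack.pop()
        if declared is not None:
            stats["arrays"] += 1
            if children != declared:
                raise SoapSafetyError(f"array declares {declared} item(s) but carries {children}")

    def chars(text):                # counts whitespace between elements as well
        stats["text_chars"] += len(text)
        if stats["text_chars"] > max_text_chars:
            raise SoapSafetyError("character data exceeds the configured limit")

    parser.StartDoctypeDeclHandler = parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return stats
```

The check runs before the message reaches application code, so a rejected envelope never touches the back-end parser or database layer the article describes.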