Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


June 21, 2006
Threat Protection for Web Services - XML

Attacks on Web Services are often targeted at the XML content they carry rather than at the transport. Here are some of the more significant XML-based attacks:

Recursive payload attack - the attacker takes advantage of the nesting supported within XML. One of the strengths of XML is its ability, through nesting, to represent complex, hierarchical relationships between data elements. In a recursive payload attack the attacker submits a document whose elements are nested thousands of levels deep, or which uses entity declarations so that a small document expands into a very large one when it is parsed. A parser that builds the whole tree in memory, or that recurses once per level of nesting, exhausts memory or stack and fails, which amounts to a denial of service. Many of the older XML parsers had no depth limit at all and would simply choke on such a document; the defense is to parse in streaming mode with an explicit limit on nesting depth and to refuse inline DTDs from untrusted senders.

Jumbo payload attack - exploits a parser that cannot cope with an exceedingly large XML document, again leading to a denial of service. This has become less of an issue as parsers now handle larger payloads and raise a clean error when a document exceeds their limits. The limit still has to be enforced somewhere, though: a service that reads the entire request body into memory before handing it to the parser can be exhausted by a sufficiently large body regardless of how robust the parser is, so cap the accepted message size at the front door and reject anything larger before parsing begins.
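As an added example (not code from the original post), here is how a service can enforce both of these controls at intake in Python using only the standard library's expat bindings. The byte budget is checked before any parsing work starts, a streaming parser tracks element depth and aborts the moment the limit is exceeded rather than building a tree, and DOCTYPE declarations are refused so that entity expansion cannot be used to inflate a small document. The function name, the default limits (1 MB and 64 levels) and the sample documents are illustrative choices made here, not values from the post.

```python
import xml.parsers.expat


class XmlPolicyError(ValueError):
    """Raised when an inbound document violates the size, depth or DTD policy."""


def inspect_untrusted_xml(data: bytes, max_bytes: int = 1_000_000,
                          max_depth: int = 64) -> dict:
    """Stream-parse an untrusted XML document under explicit resource limits.

    Returns {"elements": n, "max_depth": d} for an acceptable document and
    raises XmlPolicyError otherwise. The limits are hypothetical defaults;
    tune them to the largest legitimate message your service expects.
    """
    # Jumbo payload: enforce the byte budget before the parser sees a byte.
    if len(data) > max_bytes:
        raise XmlPolicyError(f"document is {len(data)} bytes, limit is {max_bytes}")

    stats = {"elements": 0, "max_depth": 0}
    depth = [0]  # mutable cell so the handler closures can update it

    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Inline DTDs are where entity-expansion payloads live; refuse them.
        raise XmlPolicyError("DOCTYPE declarations are not accepted")

    def start_element(name, attrs):
        # Recursive payload: stop as soon as nesting passes the limit. Raising
        # here propagates out of Parse(), so the rest of the input is skipped.
        depth[0] += 1
        if depth[0] > max_depth:
            raise XmlPolicyError(f"nesting depth exceeds {max_depth}")
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth[0])

    def end_element(name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    # Feed fixed-size chunks; expat keeps no tree, only a tag stack.
    chunk = 64 * 1024
    try:
        for off in range(0, len(data), chunk):
            parser.Parse(data[off:off + chunk], False)
        parser.Parse(b"", True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML is rejected through the same policy error path.
        raise XmlPolicyError(f"malformed XML: {exc}") from exc
    return stats


if __name__ == "__main__":
    # Constructed sample documents, not traffic from any real service.
    benign = b"<Envelope><Body><GetQuote><symbol>EBIZ</symbol></GetQuote></Body></Envelope>"
    print("benign:", inspect_untrusted_xml(benign))
    for label, doc, kwargs in [
        ("deeply nested", b"<a>" * 5000 + b"</a>" * 5000, {}),
        ("jumbo", b"<a>" + b"x" * 4096 + b"</a>", {"max_bytes": 1024}),
        ("inline DTD", b'<!DOCTYPE a [<!ENTITY e "x">]><a>&e;</a>', {}),
        ("malformed", b"<a><b></a>", {}),
    ]:
        try:
            inspect_untrusted_xml(doc, **kwargs)
            print(label, "accepted")
        except XmlPolicyError as err:
            print(label, "rejected:", err)
```

Because the depth check runs inside the start-element callback, a 5000-level document is rejected after 65 elements and the remaining 30 KB are never examined; the size check costs nothing but a length comparison. Both checks belong in front of whatever SOAP stack actually processes the message, since by the time a DOM-building stack has the document the damage is done.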

XQuery injection - the XML counterpart of SQL injection. XQuery is a language for querying and transforming XML data. If a service builds an XQuery (or XPath) expression by concatenating values taken from a SOAP message, an attacker can embed query syntax in those values and cause the destination service to read or manipulate parts of an XML document it never intended to expose. As with SQL, the fix is to keep data out of the query text: pass user-supplied values through the query language's external variables rather than string concatenation, and reject input that fails a strict allowlist.

XML morphing - changing or manipulating an XML document into a form that the receiving XML processor cannot handle correctly, so that the endpoint fails or interprets the message differently from the intermediaries that inspected it.

WSDL enumeration - the Web Services Description Language describes a service and how to invoke its operations. By retrieving and parsing the WSDL, an attacker learns about operations that were meant to have restricted access, or discovers unpublished or test operations that offer a way to compromise the service through the back door. A WSDL is a map of the attack surface, so publish only the operations you intend to expose and never rely on an operation being "unlisted" as a form of access control.

Schema poisoning - modifying the schema referenced by an XML document so that it no longer agrees with the documents it is meant to validate, causing the processor to choke on legitimate documents. A service that fetches its schema from a location named inside the incoming document (an xsi:schemaLocation hint) is especially exposed, since the sender then decides which schema gets applied; the remedy is to load schemas only from a store you control.

These are just a sampling of the XML-based attacks that can be perpetrated against your web service deployment.
Here are a few steps to take to protect against such threats.

First, validate incoming documents against schemas that you control and keep under version control, loaded from your own trusted store rather than from a location the document names. Second, encrypt XML content in transit and, where messages pass through intermediaries, at the message level; keep in mind that encryption protects confidentiality but does nothing to stop a well-formed oversized or deeply nested payload from reaching your parser, so it complements the other controls rather than replacing them. Third, inspect incoming and outgoing XML with an XML-aware firewall or IPS that enforces size and nesting limits and can recognise the attack patterns above. None of this is foolproof, but it is a start toward better security for web services.

Posted by andreyee in web services security

