Andre Yee's Security Insider« Web Services Security - In the Beginning... | Main | Threat Protection for a Service Oriented World »
June 01, 2006Web Services Security - Web Application Threats
As web applications increased in sophistication, potential exploits evolved in complexity as well. Here is a sampling of the threats that are often perpetrated against these applications:
SQL injection - where an attacker would append SQL statements to an entry in a web based form to take advantage of a possible coding flaw whereby the SQL statement would inadvertantly be executed. The SQL statement would then yield valuable information from the web application database.
Cookie manipulation - the attacker manipulates parameters of an existing or harvested cookie to gain access and compromise a system
Cross-site scripting where the server processes a malicious script, leading to web defacement, cookie harvesting or other generally bad stuff.
Other threats that assail newer web applications include XML based attacks that target the applications ability to process malformed or non-conformant XML documents.
How does one protect against these threats from an enterprise security perspective?
Conducting regular security audits and building a "defense-in-depth" approach to your security architecture are important ingredients to any secure enterprise. It is important that security audits include code level inspection of your web application to ferret out command injection or buffer overflow vulnerabilities. However, specifically to web application security, one should supplement with XML inspection conducted either as part of an XML firewall or an IPS that has incorporates that capability.
While doing the above will allow your security administrator to sleep easier at night, it doesn't necessarily mean that you're equipped to make the transition to securing your web services architecture.
Posted by andreyee in
web services security
|
Digg This|
Add to del.icio.us
Trackback Pings
TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/338
Can you tell us more about XML based attacks.
Posted by: jacob at June 8, 2006 04:39 PM
Sure...I plan to cover it as I discuss web services security over the next three posts. It'll show up sometime over the next week or so.
Stay tuned. :-)
Posted by: andre yee at June 9, 2006 02:52 PM
Hi Andre,
I have been thinking about this lately as well and have put together some thoughts about how you might provide defense-in-depth protection for a typical Web services environment. Basically, I try and cover the issues and trade-offs you need to consider when you're putting together your security architecture for an XML-based Web services deployment.
You can find the whole (rather long) discussion here: http://atownley.org/2006/06/are-xml-gateways-really-the-answer/.
Cheers,
ast
Posted by: ast at June 12, 2006 07:15 AM
Post a comment
