Techniques in Attacking and Defending XML/Web Services

Mamoon Yunus and Jason Macy gave this presentation with an overview of XML/Web services and how the usual security rules apply to this area.

Review of the problems with XML/Web services

They still have all the normal problems of any web application:

  • Firewalls are not aware of the XML content
  • Malware and viruses (or XSS payloads) can be included in the content, depending on the context in which the XML data is later used.
  • WSDL exposes the schema and message structure
  • Injection attacks are possible via the XML parameters
  • Data replay is still possible
  • Denial of service is still possible, especially through oversized or malformed parameters
  • Authentication methods: basic auth, SSL client auth, WS-Security tokens
  • Parameter injection can be used for SQL or filesystem exploits.
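The last two bullets are where application code, rather than a gateway, has to do the work. The following is an added example (not from the presentation) showing what that looks like at the application layer: a hypothetical SOAP-style "GetReport" request is size-limited, refused if it carries a DTD, parsed, and its two parameters are checked against strict allowlists before one is bound into a parameterised SQL query and the other is mapped onto a file confined to a base directory. The envelope, element names, `reports` directory and `accounts` table are all assumptions made for the example.

```python
import os
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample request for the hypothetical GetReport operation.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetReport>
      <accountId>{account}</accountId>
      <reportName>{report}</reportName>
    </GetReport>
  </soap:Body>
</soap:Envelope>"""

# Allowlists: the service only ever needs these character sets, so anything
# else (quotes, dots, slashes, whitespace) is rejected before it is used.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
REPORT_RE = re.compile(r"[a-z0-9_]{1,32}")
MAX_REQUEST_BYTES = 64 * 1024
REPORT_DIR = os.path.abspath("reports")  # hypothetical base directory


def parse_request(raw: bytes) -> dict:
    """Parse the request and return validated parameters, or raise ValueError."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    # This service never needs a DTD, and entity declarations are the usual
    # vehicle for parser denial of service, so refuse them outright.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    ns = {"soap": "http://schemas.xmlsoap.org/soap/envelope/"}
    op = root.find("soap:Body/GetReport", ns)
    if op is None:
        raise ValueError("unexpected operation")
    account = (op.findtext("accountId") or "").strip()
    report = (op.findtext("reportName") or "").strip()
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("invalid accountId")
    if not REPORT_RE.fullmatch(report):
        raise ValueError("invalid reportName")
    return {"account": account, "report": report}


def is_valid(raw: bytes) -> bool:
    """True if the request passes every check in parse_request."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


def report_path(report: str) -> str:
    """Map a validated report name onto a file under REPORT_DIR only.

    The allowlist already excludes '.', '/' and '\\'; this is defence in depth
    in case the regex is ever loosened.
    """
    path = os.path.abspath(os.path.join(REPORT_DIR, report + ".xml"))
    if os.path.commonpath([REPORT_DIR, path]) != REPORT_DIR:
        raise ValueError("path escapes report directory")
    return path


def lookup_account(conn, account: str):
    """Parameterised query: the value is bound, never concatenated into SQL."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account,)
    ).fetchone()
    return row[0] if row else None


def demo_db():
    """In-memory table so the example runs offline (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('acct-42', 100)")
    return conn


def handle(raw: bytes) -> dict:
    """Full request path: validate, then query and resolve the report file."""
    params = parse_request(raw)
    conn = demo_db()
    return {
        "balance": lookup_account(conn, params["account"]),
        "report_file": report_path(params["report"]),
    }


if __name__ == "__main__":
    good = SAMPLE_REQUEST.format(account="acct-42", report="monthly").encode()
    print(handle(good))
    # Quote-bearing and traversal-shaped parameters never reach the query or
    # the filesystem; they are rejected at validation.
    for bad in (
        SAMPLE_REQUEST.format(account="acct' OR 'x'='x", report="monthly"),
        SAMPLE_REQUEST.format(account="acct-42", report="../../secret"),
    ):
        try:
            handle(bad.encode())
        except ValueError as exc:
            print("rejected:", exc)
```

The point of the structure is that every parameter is validated against what the operation actually needs before it touches SQL or the filesystem, and the SQL uses bound parameters regardless, so a gateway in front of the service becomes an extra layer rather than the only one.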

Gateways for security

If you already have a web service, you can put a gateway in front of it to bolt on protection after the fact. Gateways can provide various forms of authentication, logging, and semantic forgery prevention.

This seems like an interesting idea, but also somewhat flawed. My (admittedly naive) opinion is that the protection should really be built into the application layer.

They then reviewed a number of different vulnerabilities and gave examples of how each could be addressed with an XML gateway.

There's been a lot of discussion at the conference about how "we need to get more developers here", and I think part of the problem is that a lot of the presentations are not developer topics. The presentations cover how to exploit, how to buy a product to put in front of the vulnerabilities to prevent problems, how to use applications to pen-test, what the vulnerabilities are, and what a security-friendly process looks like, but relatively little about how to write secure code that protects against these vulnerabilities.