Web Services Interface: Safety Issues

Web Services are a new set of standards with relatively new vendor implementations, and they raise network safety issues. There are many reasons why Web Services are prone to attack. First of all, the Web Services interface is a new type of API to existing and new applications.

Because Web Services are standardized, there is little "security through obscurity." Very little about Web Services is proprietary, which greatly eases access to them and makes that access consistent. In addition, Web Services are human-readable and self-describing. SOAP messages provide information and structure for each message. WSDL documents provide significant information about each Web Service, including where the service is, how to access it, what kind of information to send to it and what type of information to expect back. In some cases, a WSDL document may reveal the tool that generates or hosts the Web Service. All of this gives a potential intruder significant information for accessing the service inappropriately.
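To check how much the WSDL of a service you operate discloses, the following added example (not part of the original article) parses a constructed, abbreviated WSDL 1.1 document and lists the endpoint, each operation with its message parts, and any generator comments. The service name, URLs, toolkit name and the `wsdl_disclosure` function are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed, abbreviated sample (binding section omitted); not a real service.
SAMPLE_WSDL = """<?xml version="1.0"?>
<!-- Generated by ExampleToolkit 1.0 (constructed placeholder) -->
<definitions name="OrderService" targetNamespace="http://example.test/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://example.test/orders"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:int"/></message>
  <message name="GetOrderResponse"><part name="status" type="xsd:string"/></message>
  <portType name="OrderPort">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/>
      <output message="tns:GetOrderResponse"/>
    </operation>
  </portType>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="http://example.test/services/orders"/>
    </port>
  </service>
</definitions>"""

def wsdl_disclosure(wsdl_text):
    """Summarise what a WSDL 1.1 document tells any reader about the service."""
    root = ET.fromstring(wsdl_text)
    # Message name -> list of (part name, type) pairs: what to send and expect back.
    messages = {
        m.get("name"): [(p.get("name"), p.get("type") or p.get("element"))
                        for p in m.findall(f"{{{WSDL_NS}}}part")]
        for m in root.findall(f"{{{WSDL_NS}}}message")
    }
    operations = {}
    for op in root.iter(f"{{{WSDL_NS}}}operation"):
        for direction in ("input", "output"):
            ref = op.find(f"{{{WSDL_NS}}}{direction}")
            if ref is not None and ref.get("message"):  # skips binding-level entries
                msg = ref.get("message").split(":")[-1]
                operations.setdefault(op.get("name"), {})[direction] = messages.get(msg, [])
    return {
        "endpoints": [a.get("location") for a in root.iter(f"{{{SOAP_NS}}}address")],
        "operations": operations,
        # XML comments often carry the generating tool's name and version.
        "comments": [c.strip() for c in re.findall(r"<!--(.*?)-->", wsdl_text, re.S)],
    }
```

Reviewing this summary before publishing a WSDL shows which details, such as generator comments, can be stripped without affecting clients.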

One might assume that because Web Services are mostly intended for programmatic access, there is some security through obscurity, or that the average end user cannot access them. This is entirely incorrect. Microsoft Excel is an example of a tool everyone has that enables any user to easily communicate with a Web Service. Many user-friendly GUI-based tools can be downloaded to find, bind, analyze and exchange information with a Web Service. These tools give attackers without any programming experience the means to hack into a Web Services interface. Some of these tools can even connect to a Web Service over SSL. Web Services traffic also tunnels through port 80 and port 443.

Summary: Existing Tools are Insufficient

The bottom line is that existing tools such as network firewalls provide little protection against Web Services traffic. They may provide some simple filtering capabilities but cannot provide consistent protection across a diverse set of Web Services. IDS systems can also catch some specific attacks and viruses but do not provide specific protections against XML-based attacks. Application firewalls typically provide protection only against HTML and browser-based attacks, not against the XML message stream. A more complete solution incorporating SSL and other security mechanisms is required.

For More Information

Learn why the Web Services interface is vulnerable to attack, and how to secure your services: investigate SOA management. Download the free white paper, "SOA Primer: Comprehensive Runtime Governance," from Actional.

Why the Web Service Interface is Vulnerable to Attack: Explore SOA Management

Download the free white paper, "Web Services Risks — Understanding The Web Services Security Threat," now.
