Progress Actional, White Papers: XML Web Services Security
Web Services Attacks and How to Avoid Them

Today's Web services threats are often the same as those suffered by standard Web applications, denial-of-service attacks for example. In some cases these attacks are harder to prevent and treat in a services environment than in a typical Web environment; in others, the component architecture of Web services makes threat detection simpler; and in still others, Web services present unique challenges in threat detection and remediation.

Denial of Service

Web Service interfaces are far more heterogeneous than Web pages and require more knowledge of each service to protect. A Web Service that returns simple information may comfortably handle 1000 requests per second, while a loan approval application may be able to handle at most 5 requests per hour. Sending the loan approval interface 10 requests per hour is therefore a denial of service attack, yet it is invisible to the usual means of detection such as a firewall, which sees only a trickle of traffic. Collecting request data and understanding each service's capacity produces the per-service profile needed to protect it from denial of service.
Standard Web attacks can be altered slightly and applied more intelligently toward a Web Service denial of service.

In Detail

There are many denial of service mechanisms. The most common is simply to flood a system with more messages than it can handle, which can severely disrupt it. There are many others: an attacker can send very large attachments or overly long messages. A more interesting form is a message containing many encrypted or signed elements. Because cryptographic operations such as decryption and signature verification are processor-intensive, a service can be tied up handling a small number of such messages, so this attack needs none of the volume that a flood does. Denial of service almost always leaves systems unavailable and can also crash them; the lost transactions and the integrity problems left behind by a crash can be costly to repair.
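The per-service profile and the encrypted-element check described above, as an added example in Python (not code from the white paper or from Actional's product): a gateway-side admission function that applies a sliding-window rate profile per service and a ceiling on message size and on the number of xenc:EncryptedData and ds:Signature elements before the message reaches the application or its cryptographic layer. The service names, the limits and the sample SOAP envelope are assumptions made for illustration.

```python
"""Profiling Web service requests to catch denial of service (added example,
not the white paper's code). Service names, limits and the sample envelope
are constructed for illustration."""
import collections
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Hypothetical per-service profiles: (max requests, window in seconds).
# A firewall sees both as negligible traffic; only the profile makes ten loan
# approval requests in an hour look like an attack.
PROFILES = {
    "InformationService": (1000, 1.0),
    "LoanApprovalService": (5, 3600.0),
}
MAX_BYTES = 256 * 1024      # reject before parsing anything larger
MAX_CRYPTO_ELEMENTS = 4     # each one costs a decryption or a signature check


class RateProfiler:
    """Sliding-window request counter keyed by service name."""

    def __init__(self, profiles):
        self.profiles = profiles
        self.history = collections.defaultdict(collections.deque)

    def allow(self, service, now):
        limit, window = self.profiles[service]
        times = self.history[service]
        while times and now - times[0] >= window:   # drop requests outside the window
            times.popleft()
        if len(times) >= limit:
            return False                             # refused requests are not recorded
        times.append(now)
        return True


def crypto_element_count(root):
    """Number of xenc:EncryptedData and ds:Signature elements in the message."""
    return sum(1 for e in root.iter() if e.tag in (XENC + "EncryptedData", DSIG + "Signature"))


def admit(profiler, service, xml_bytes, now):
    """Decide whether to pass a message to the service. Returns (accepted, reason)."""
    if len(xml_bytes) > MAX_BYTES:
        return False, "message larger than %d bytes" % MAX_BYTES
    if not profiler.allow(service, now):
        return False, "rate profile for %s exceeded" % service
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False, "malformed XML"
    n = crypto_element_count(root)
    if n > MAX_CRYPTO_ELEMENTS:
        return False, "%d encrypted/signed elements, limit is %d" % (n, MAX_CRYPTO_ELEMENTS)
    return True, "ok"


def sample_envelope(n_encrypted):
    """Constructed SOAP envelope whose Body holds n_encrypted EncryptedData elements."""
    block = ('<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
             '<xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>'
             '</xenc:EncryptedData>')
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body>' + block * n_encrypted + '</soap:Body></soap:Envelope>').encode()


def demo():
    profiler = RateProfiler(PROFILES)
    # Ten loan approval requests spaced five minutes apart: the sixth onward is refused.
    loan = [admit(profiler, "LoanApprovalService", sample_envelope(1), i * 300.0)[0]
            for i in range(10)]
    # One message stuffed with fifty encrypted elements is refused on its own.
    flood = admit(profiler, "InformationService", sample_envelope(50), 0.0)
    return loan, flood


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the size limit and the rate profile are applied to the raw bytes, so an attacker cannot force the gateway to parse or decrypt anything before the cheap checks have passed. The profile numbers themselves come from the data collection the text calls for; they cannot be guessed from the transport.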
Another kind of Web services attack that creates a denial of service: a message carrying a large number of encrypted elements is sent to overwhelm the processing of the receiving application.

Replay Attack

Similar to denial of service, a replay attack copies valid messages and sends them to a service repeatedly. Because a replayed message is, by definition, one the service already accepted, checking its content alone does not stop it; the techniques used to detect and handle denial of service apply, combined with a freshness check (a timestamp, nonce or message identifier) on each message. In some ways replay attacks are easier to detect with Web services because the payload is readily available: with the right tools, patterns can be detected even when the same or a similar payload is sent across different transports such as HTTP, HTTPS or SMTP, or to different interfaces.

Buffer Overflow

With XML Web services, information about data parameters is exposed in the interface description, and much more data is likely to be sent between systems, creating the opportunity for buffer overflow attacks. An attacker can send a parameter longer than the program can handle, causing the service to crash or the system to execute code supplied by the attacker. A typical method is an overly long request, for instance a password with many more characters than expected. Many legacy systems that will be Web Service-enabled were designed for controlled, well-behaved requests and may not be prepared for unusual ones. In a related attack, hackers send malformed content to produce a similar effect: strings containing quotes, open parentheses and wildcards, the metacharacters of the query languages and command interpreters behind a service, can often confuse a Web Service interface or the backend it fronts.

In Detail

In a buffer overflow situation, an overly long input string is not gracefully handled by the receiving service or by the application behind it. Buffer overflows can occur on a particular element or field, or on the message as a whole.
If the receiving system is not prepared to handle unexpected field and message lengths, the application may be compromised: it may crash, causing downtime, or the overflow may give the attacker control of the process and with it access to the system.
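A gateway inspection step serving both the Replay Attack and Buffer Overflow sections, as an added example in Python (not the white paper's code): a wsu:Created timestamp bounds how long a message is fresh, a digest of every accepted message catches an exact copy within that window, and a per-operation specification of maximum lengths and allowed character sets rejects overlong parameters and metacharacter-laden values before they reach the backend. The operation specification with its Login and GetQuote operations, the time window and the sample envelopes are assumptions. In production the timestamp would be covered by a WS-Security signature so that an attacker cannot simply refresh it, and the digest would be taken over a canonical form of the message rather than its raw bytes.

```python
"""Replay detection and parameter validation at a Web service gateway (added example,
not the white paper's code). Operation spec, timestamp handling and envelopes are
constructed for illustration."""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"

# Hypothetical per-operation constraints: parameter -> (max length, allowed pattern).
# The lengths are what the backend was written to handle; the patterns keep quotes,
# parentheses and wildcards out of fields that never legitimately contain them.
OPERATIONS = {
    "Login": {"username": (32, r"[A-Za-z0-9_.@-]+"), "password": (64, r"[ -~]+")},
    "GetQuote": {"symbol": (8, r"[A-Z.]+")},
}


class Inspector:
    def __init__(self, operations, window=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.operations = operations
        self.window = window   # how long a message stays fresh after wsu:Created
        self.skew = skew       # tolerated clock drift into the future
        self.seen = {}         # sha256 of each accepted message -> when it may be forgotten

    def inspect(self, xml_bytes, now):
        """Returns (accepted, reason) for one raw message."""
        try:
            root = ET.fromstring(xml_bytes)
        except ET.ParseError:
            return False, "malformed XML"
        created = root.find(".//" + WSU + "Created")
        if created is None or not created.text:
            return False, "no wsu:Created timestamp"
        try:
            ts = datetime.fromisoformat(created.text.strip().replace("Z", "+00:00"))
        except ValueError:
            return False, "unparseable timestamp"
        if ts > now + self.skew or now - ts > self.window:
            return False, "timestamp outside the freshness window"
        # Forget digests whose window has passed, then look for an exact copy.
        self.seen = {d: exp for d, exp in self.seen.items() if exp > now}
        digest = hashlib.sha256(xml_bytes).hexdigest()
        if digest in self.seen:
            return False, "replay of a message already accepted"
        body = root.find(SOAP + "Body")
        if body is None or len(body) != 1:
            return False, "Body must hold exactly one operation"
        op = body[0]
        spec = self.operations.get(op.tag)
        if spec is None:
            return False, "unknown operation " + op.tag
        for param in op:
            rule = spec.get(param.tag)
            if rule is None:
                return False, "unexpected parameter " + param.tag
            max_len, pattern = rule
            value = param.text or ""
            if len(value) > max_len:
                return False, "%s is %d characters, limit %d" % (param.tag, len(value), max_len)
            if not re.fullmatch(pattern, value):
                return False, "%s contains characters outside its allowed set" % param.tag
        missing = sorted(set(spec) - {p.tag for p in op})
        if missing:
            return False, "missing parameters: " + ", ".join(missing)
        self.seen[digest] = ts + self.window   # remember until it could no longer be fresh
        return True, "ok"


def build_envelope(operation, params, created):
    """Constructed SOAP envelope: wsu:Timestamp header plus one operation in the Body."""
    fields = "".join("<%s>%s</%s>" % (k, v, k) for k, v in params.items())
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
        "<soap:Header><wsu:Timestamp><wsu:Created>%s</wsu:Created></wsu:Timestamp></soap:Header>"
        "<soap:Body><%s>%s</%s></soap:Body></soap:Envelope>" % (created, operation, fields, operation)
    ).encode()


def demo():
    insp = Inspector(OPERATIONS)
    now = datetime(2004, 4, 1, 15, 30, tzinfo=timezone.utc)
    fresh = "2004-04-01T15:29:30Z"
    good = build_envelope("Login", {"username": "scott", "password": "Tr0ub4dor-3"}, fresh)
    return {
        "valid": insp.inspect(good, now)[0],
        "replay": insp.inspect(good, now + timedelta(seconds=10))[0],   # exact copy, 10 s later
        "overlong": insp.inspect(build_envelope("Login", {"username": "scott", "password": "A" * 5000}, fresh), now)[0],
        "metachars": insp.inspect(build_envelope("Login", {"username": "scott' OR '1'='1", "password": "x"}, fresh), now)[0],
        "stale": insp.inspect(build_envelope("Login", {"username": "scott", "password": "x"}, "2004-04-01T14:00:00Z"), now)[0],
    }
```

The freshness window is what keeps the replay cache small: a digest only has to be remembered for as long as the message it belongs to could still pass the timestamp check. The parameter rules are an allow-list of what the backend expects, which is why they reject a username containing quotes and spaces without the gateway having to know which backend the characters would confuse.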
Web Services Attacks III (Buffer Overflow): a large value is placed in parameter1 and sent to a receiving application that may not be prepared to handle an overly long string.

Dictionary Password Attacks

Many systems have weak password protection, and Web Service interfaces are no different. Unlike portals, however, XML Web Service interfaces are heterogeneous, with each system having its own authentication mechanism and its own means of deterring undesired behavior. Dictionary attacks are common: a hacker manually or programmatically tries common passwords to gain entry into one system or many. Administrators should ensure that passwords are difficult to guess and are changed often. Unlike ordinary user credentials, application credentials (the accounts one service uses to call another) are chosen by the administrator, so the same password-strength rules must be applied to the internal staff who administer Web Service interfaces.

DPA: In Detail

Dictionary password attacks are a common way to attempt to gain access to a system. By repeatedly trying very common username and password combinations, an attacker can compromise systems whose administrators picked weak ones. The result is unauthorized access.
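Added example, in Python, for the Dictionary Password Attacks section (not code from the white paper): an administrator-side credential policy that refuses well-known defaults such as SCOTT/TIGER and dictionary words, and a log monitor that raises an alert on the two shapes a dictionary attack takes, many failures against one account and one source failing across many accounts. The deny-lists, the thresholds, the log format and the log lines are constructed for illustration.

```python
"""Dictionary password attacks on a Web service: credential policy and detection
(added example, not the white paper's code). Deny-lists, thresholds and log lines
are constructed for illustration."""
import collections
import re
from datetime import datetime

# Constructed deny-lists; real ones are far longer. SCOTT/TIGER is the Oracle demo
# account the white paper names.
KNOWN_DEFAULTS = {("scott", "tiger"), ("system", "manager"), ("admin", "admin"), ("guest", "guest")}
COMMON_PASSWORDS = {"password", "123456", "welcome", "changeme", "letmein", "tiger"}


def credential_policy_violations(username, password):
    """Reasons an administrator-chosen credential must be refused (empty list = acceptable)."""
    u, p = username.lower(), password.lower()
    reasons = []
    if (u, p) in KNOWN_DEFAULTS:
        reasons.append("well-known default credential")
    if p in COMMON_PASSWORDS or p == u:
        reasons.append("dictionary word or equal to the username")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


# Constructed log format: one authentication attempt per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


class AuthMonitor:
    """Tracks failed authentications per account and per source within a time window."""

    def __init__(self, window=600.0, per_account=5, accounts_per_source=4):
        self.window = window
        self.per_account = per_account                  # failures on one account: brute force
        self.accounts_per_source = accounts_per_source  # distinct accounts from one source: sweep
        self.by_account = collections.defaultdict(list)  # account -> [timestamp]
        self.by_source = collections.defaultdict(list)   # source -> [(timestamp, account)]
        self.alerts = []

    def record_failure(self, source, account, now):
        recent = [t for t in self.by_account[account] if now - t < self.window]
        recent.append(now)
        self.by_account[account] = recent
        if len(recent) == self.per_account:        # alert once, as the threshold is crossed
            self.alerts.append("brute force on account %s (%d failures)" % (account, len(recent)))

        tried = [(t, a) for t, a in self.by_source[source] if now - t < self.window]
        seen_before = {a for _, a in tried}
        tried.append((now, account))
        self.by_source[source] = tried
        if account not in seen_before and len(seen_before) + 1 == self.accounts_per_source:
            self.alerts.append("credential sweep from %s across %d accounts"
                               % (source, len(seen_before) + 1))


def process_log(lines, monitor):
    """Feed the failed attempts in the log into the monitor; returns the alerts raised."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("result") == "FAIL":
            ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")).timestamp()
            monitor.record_failure(m.group("src"), m.group("user"), ts)
    return monitor.alerts


# Constructed log: one source walking through demo accounts, another hammering one account.
SAMPLE_LOG = """\
2004-04-01T15:30:00Z src=10.0.0.7 user=scott result=FAIL
2004-04-01T15:30:01Z src=10.0.0.7 user=system result=FAIL
2004-04-01T15:30:02Z src=10.0.0.7 user=admin result=FAIL
2004-04-01T15:30:03Z src=10.0.0.9 user=loanapp result=OK
2004-04-01T15:30:04Z src=10.0.0.7 user=guest result=FAIL
2004-04-01T15:31:00Z src=10.0.0.8 user=loanapp result=FAIL
2004-04-01T15:31:05Z src=10.0.0.8 user=loanapp result=FAIL
2004-04-01T15:31:10Z src=10.0.0.8 user=loanapp result=FAIL
2004-04-01T15:31:15Z src=10.0.0.8 user=loanapp result=FAIL
2004-04-01T15:31:20Z src=10.0.0.8 user=loanapp result=FAIL
2004-04-01T15:31:25Z src=10.0.0.8 user=loanapp result=FAIL
""".splitlines()


def demo():
    return process_log(SAMPLE_LOG, AuthMonitor())


if __name__ == "__main__":
    print(credential_policy_violations("SCOTT", "TIGER"))
    print(demo())
```

The monitor alerts and leaves the response to the operator rather than locking the account: an application credential is shared by every integration that uses it, so locking it after a handful of failures lets an attacker who knows only the username turn a dictionary attack into a denial of service against the services that depend on it. Throttling the offending source is the safer automatic response.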
Web Services Attacks IV (Dictionary Password Attack): various common password combinations are tried repeatedly to gain access to the backend system. SCOTT/TIGER, for instance, is a well-known demo username/password for Oracle databases.

Web Services Threats: Detection

XML Web Service interfaces give attackers a larger number of interfaces and a larger variety of methods with which to compromise systems. Each interface may expose many operations, each reachable in several ways, and attackers have more information to work from in the form of WSDL files and UDDI entries. Because Web services are application interfaces, the variety and scope of threats are much harder to detect. A standard detection method is to set up "honey pots": harmless services that attract unauthorized access. A "payroll" service, for instance, is attractive to a hacker but serves only bogus information while quietly recording the attacker's activity and alerting the security team.

Summary: Locating Intrusions

Proactively securing Web services against every possible misuse is difficult. Security policies and strict access control management reduce the occurrence of intrusions; in addition, thorough data collection and statistical analysis of behavior help detect the anomalous activity that remains.

For More Information

Be ready! Take a proactive approach to Web services attacks: read the free white paper, Web Services Risks: Threats and Security.
Learn How to Avoid Web Services Attacks

Download the free white paper, "XML Web Services Security — Going Production," now.