SOA Security: The Basics

Diving into Service Oriented Architecture? Vordel's Mark O'Neill covers basic SOA security threats and defenses--and explains how security helps increase SOA's business benefits.

Capture-replay attacks

Imagine this scenario: a service in an SOA is protected by a policy which ensures that service requests are digitally signed. This seems secure, but is it? The answer is that this system is vulnerable to a replay attack which simply replays a valid signed message, thus gaining unauthorized access.

The solution to this problem is timestamps. The WS-Security standard includes support for timestamps, and WS-Policy can be used to mandate that a signed timestamp is present in incoming messages. A replayed message will therefore be detected based on its "stale" timestamp. The timestamp trust interval must be chosen carefully. It must be short enough that an attacker does not have time to capture, decrypt, and replay a valid message, but long enough that slight discrepancies between the system clocks of the Web Service and the Web Service requester do not cause valid messages to be blocked.

Be careful not to confuse replay attacks with brute-force "flooding" Denial-of-Service (DoS) attacks. Although both involve a message being replayed, the DoS attack is designed to overwhelm and disable the target system, whereas the replay attack exploits a flaw in the target system's authentication scheme.
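The check described above, as an added example that is not part of the original article: a receiver reads the signed wsu:Created value from a WS-Security timestamp, enforces a trust interval with a small allowance for clock skew, and additionally refuses a message it has already accepted inside that interval (a timestamp alone cannot stop a replay that arrives within the window). The interval values, the fixed clock, the sample envelope and keying the replay cache on a hash of the envelope are all assumptions made for this example; verification of the XML Signature over the timestamp is assumed to have happened before this code runs.

```python
# Added example (not the article's code): freshness plus replay-cache check for
# a WS-Security timestamp on a SOAP message whose signature was already verified.
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsu": WSU}

# Trust interval (assumed values): long enough for clock skew, short enough
# that a captured message becomes useless quickly.
MAX_AGE = timedelta(minutes=5)
MAX_SKEW = timedelta(seconds=60)

# Fixed clock so the example is deterministic (assumed for the demo).
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_envelope(created: str) -> bytes:
    """Constructed sample SOAP 1.2 envelope carrying a wsu:Timestamp."""
    return f"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security><wsu:Timestamp wsu:Id="TS-1">
    <wsu:Created>{created}</wsu:Created></wsu:Timestamp></wsse:Security></soap:Header>
  <soap:Body><GetBalance account="demo"/></soap:Body>
</soap:Envelope>""".encode()


def parse_created(envelope: bytes) -> datetime:
    """Extract wsu:Created as an aware UTC datetime (whole seconds only here)."""
    root = ET.fromstring(envelope)
    created = root.find(".//wsu:Timestamp/wsu:Created", NS)
    if created is None or not created.text:
        raise ValueError("missing signed wsu:Created")
    return datetime.strptime(created.text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers accepted messages for the trust window so an identical signed
    message cannot be accepted twice even while its timestamp is still fresh."""

    def __init__(self):
        self._seen = {}  # message key -> time after which it can be forgotten

    def check_and_store(self, key: str, now: datetime) -> bool:
        # Evict expired entries so the cache is bounded by the trust window.
        for k in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[k]
        if key in self._seen:
            return False
        self._seen[key] = now + MAX_AGE + MAX_SKEW
        return True


def accept(envelope: bytes, now: datetime, cache: ReplayCache):
    """Return (accepted, reason). Signature verification is assumed done."""
    try:
        created = parse_created(envelope)
    except ValueError as e:
        return False, str(e)
    if created > now + MAX_SKEW:
        return False, "timestamp in the future"
    if now - created > MAX_AGE:
        return False, "stale timestamp"
    # Key on the exact bytes: a replay is, by definition, the same message.
    key = hashlib.sha256(envelope).hexdigest()
    if not cache.check_and_store(key, now):
        return False, "replayed message"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    msg = make_envelope("2024-01-01T11:58:30Z")
    print(accept(msg, NOW, cache))  # first delivery: accepted
    print(accept(msg, NOW, cache))  # same bytes again: rejected as a replay
    print(accept(make_envelope("2024-01-01T11:50:00Z"), NOW, cache))  # stale
```

Rejections for "stale timestamp" and "replayed message" are worth logging separately: a burst of the former usually means a skewed client clock, a burst of the latter is the signal the article is talking about.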

XML External Entity Attack

The "XML External Entity" attack takes advantage of the fact that outside data can be embedded into an XML document via a DTD [Document Type Definition] entry. By specifying a local file, some XML engines can be made to access unauthorized information from the local file system. Note that SOAP is not allowed to use DTDs.

XPath Injection

XPath Injection, which is analogous to SQL Injection, can likely be used to "harvest" information from an XML database. XPath injection can be blocked by ensuring that data passed into an XPath expression does not itself contain XPath.
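The two defenses that follow from the paragraph above, as an added example that is not from the article: a lookup that pastes user input straight into an XPath expression, beside (a) the article's approach of refusing input that carries XPath syntax and (b) binding the input as a proper XPath string literal so it can only be compared as a value. The user list, the function names and the metacharacter set are constructed for this example. Python's ElementTree evaluates only a small XPath subset, so it is used here just to show the predicate being parsed; the concat() form produced by xpath_literal is the standard idiom for full XPath 1.0 engines, which is an assumption about the target engine rather than something ElementTree runs.

```python
# Added example (not the article's code): unsafe XPath construction beside two
# hardened versions (input validation, and quoting as an XPath string literal).
import xml.etree.ElementTree as ET

# Constructed sample data standing in for an XML database.
USERS = ET.fromstring("""<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>""")

# Characters that carry meaning in XPath syntax (constructed deny-list).
XPATH_META = set("'\"[]()/|=@*")


def xpath_literal(value: str) -> str:
    """Render untrusted text as an XPath 1.0 string literal.
    XPath has no escape sequence inside literals, so a value containing both
    quote kinds is built with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def lookup_unsafe(name: str):
    # Vulnerable pattern: the caller's text becomes part of the expression, so
    # anything it contains is handed to the XPath parser as syntax.
    return USERS.findall(f".//user[@name='{name}']")


def lookup_validated(name: str):
    # The article's rule: data passed into the expression must not itself
    # contain XPath. Reject it before it reaches the parser.
    if any(ch in XPATH_META for ch in name):
        raise ValueError("rejected: input contains XPath metacharacters")
    return USERS.findall(f".//user[@name='{name}']")


def lookup_quoted(name: str):
    # Alternative: accept any text, but bind it as a literal so quotes in the
    # input cannot terminate the string and start new syntax.
    return USERS.findall(f".//user[@name={xpath_literal(name)}]")


if __name__ == "__main__":
    print([u.get("role") for u in lookup_unsafe("alice")])      # ['admin']
    print([u.get("role") for u in lookup_quoted("alice'")])     # [] - treated as data
    print(xpath_literal("O'Neill"), xpath_literal('a\'b"c'))
```

With ElementTree, the unsafe lookup given a stray quote simply fails to parse; on an engine that implements full XPath 1.0 the same injected text is evaluated as part of the query, which is where the "harvesting" the article describes happens.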

XML Denial-of-Service (XDoS)

This attack exploits a feature of DTDs, namely the ability to pull in entities which are defined in a DTD. By pulling in entities recursively, an attacker can make an XML message which explodes in memory (hence the term "XML bomb") and causes a denial-of-service.
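Because both the XML External Entity attack and the XML bomb above depend on a DTD, and the article notes that SOAP messages are not allowed to carry one, a gateway can shut both down at the same point. The following is an added example, not the article's or any vendor's code: it uses the expat parser from Python's standard library and aborts as soon as a DOCTYPE (or any entity declaration) appears, before a single entity could be expanded or resolved. The sample messages are constructed; the one with a DTD declares only a harmless internal entity, since the guard fires on the declaration itself.

```python
# Added example (not the article's code): refuse any SOAP message that carries a
# DOCTYPE, which removes the DTD features that XXE and XML-bomb attacks rely on.
import xml.parsers.expat as expat


class DoctypeRejected(Exception):
    """Raised when a message declares a DTD or an entity."""


def reject_dtd(document: bytes) -> None:
    """Parse the document and raise DoctypeRejected on any DOCTYPE or entity
    declaration. The handlers run before expansion, so no entity is ever
    resolved; ExpatError propagates for documents that are not well-formed."""
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in SOAP messages")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise DoctypeRejected(f"entity '{name}' declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Never load external parameter entities even if a handler were missing.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(document, True)


def check_soap_message(document: bytes):
    """Return (accepted, reason) for use at the front of a SOAP gateway."""
    try:
        reject_dtd(document)
    except DoctypeRejected as e:
        return False, str(e)
    except expat.ExpatError as e:
        return False, f"not well-formed: {e}"
    return True, "ok"


# Constructed samples.
CLEAN_SOAP = (b'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
              b"<soap:Body><GetBalance account=\"demo\"/></soap:Body></soap:Envelope>")

SOAP_WITH_DTD = (b'<!DOCTYPE Envelope [<!ENTITY greeting "hello">]>'
                 b'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
                 b"<soap:Body>&greeting;</soap:Body></soap:Envelope>")

if __name__ == "__main__":
    print(check_soap_message(CLEAN_SOAP))     # (True, 'ok')
    print(check_soap_message(SOAP_WITH_DTD))  # rejected at the DOCTYPE
```

Rejecting the declaration rather than inspecting entity contents keeps the rule simple to audit: there is no list of "dangerous" entity shapes to maintain, and a recursive definition never gets far enough to cost memory.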

Harmful SOAP attachments

Just like email messages, SOAP messages may contain attachments. These attachments may be threatening if they are very large and difficult to process (e.g. a "clogging attack"), or if they harbor viruses. The solution is to ensure that SOAP attachments are either (a) blocked, (b) filtered based on MIME-type, or (c) passed through a virus scanner.
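The screening policy described above, as an added example that is not from the article: a SOAP with Attachments message is a MIME multipart/related body, so Python's standard email package can split it into parts; the SOAP envelope (taken here as the first part) is kept, and every other part must pass a MIME-type allowlist, a size cap and an optional scanner callback. The allowlist, the size limit, the scanner hook and the sample message are constructed for this example.

```python
# Added example (not the article's code): filter SOAP attachments by MIME type,
# size, and an optional virus-scanner callback before the message is processed.
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ALLOWED_TYPES = {"application/pdf", "image/png", "text/plain"}  # assumed policy
MAX_ATTACHMENT_BYTES = 4096  # assumed policy, kept small for the example


def screen_attachments(raw: bytes, scan=None):
    """Return (accepted_parts, rejected) for a SOAP-with-attachments message.

    `scan` is an optional callable taking the decoded attachment bytes and
    returning True when clean; it stands in for the virus scanner hook.
    The first MIME part is assumed to be the SOAP envelope and is always kept.
    """
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        return [msg], []
    accepted, rejected = [], []
    for index, part in enumerate(msg.get_payload()):
        if index == 0:
            accepted.append(part)
            continue
        cid = part.get("Content-ID")
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        if ctype not in ALLOWED_TYPES:
            rejected.append((cid, f"type {ctype} not allowed"))
        elif len(body) > MAX_ATTACHMENT_BYTES:
            rejected.append((cid, "too large"))
        elif scan is not None and not scan(body):
            rejected.append((cid, "failed virus scan"))
        else:
            accepted.append(part)
    return accepted, rejected


def build_sample() -> bytes:
    """Constructed multipart/related message: envelope plus three attachments."""
    msg = MIMEMultipart("related", type="text/xml")
    env = MIMEText('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                   "<soap:Body/></soap:Envelope>", "xml")
    env["Content-ID"] = "<envelope@example.com>"
    msg.attach(env)
    pdf = MIMEApplication(b"%PDF-1.4 constructed sample", "pdf")
    pdf["Content-ID"] = "<invoice@example.com>"
    msg.attach(pdf)
    exe = MIMEApplication(b"MZ constructed sample", "x-msdownload")
    exe["Content-ID"] = "<tool@example.com>"
    msg.attach(exe)
    big = MIMEText("x" * (MAX_ATTACHMENT_BYTES + 1), "plain")
    big["Content-ID"] = "<big@example.com>"
    msg.attach(big)
    return msg.as_bytes()


if __name__ == "__main__":
    kept, dropped = screen_attachments(build_sample())
    print([p.get("Content-ID") for p in kept])  # envelope and the PDF
    print(dropped)  # the executable (type) and the oversized text (size)
```

Checking the size of the decoded body rather than the declared Content-Length is deliberate: the header is attacker-controlled, the decoded length is not.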
