Cracking Drupal - web services http://crackingdrupal.com/taxonomy/term/43/0 en Techniques in Attacking and Defending XML/Web Services http://crackingdrupal.com/blog/greggles/techniques-attacking-and-defending-xmlweb-services <p>Mamoon Yunus and Jason Macy gave this presentation with an overview of XML/Web services and how the usual security rules apply to this area.</p> <h3>Review of the problems with XML/Web services</h3> <p>Still have all the normal problems.</p> <ul> <li>Firewalls are not aware of the xml content</li> <li>Malware and viruses (or xss) can be included in the content depending on what context the xml data is used.</li> <li>WSDL exposes the schema and message structure</li> <li>Injection attacks are possible via the XML parameters</li> <li>Data replay is still possible</li> <li>Denial of service is still possible, especially with parameters</li> <li>Authentication methods: Basic auth, SSL auth, WS-Security Tokens</li> <li>Parameter injection can be used for SQL or filesystem exploits.</li> </ul> <h3>Gateways for security</h3> <p>If you have a web service you can use a gateway to help bolt-on protection after the fact. They can provide various forms of authentication, logging, and semantic forgery prevention.</p> <p>This seems like an interesting idea, but also somewhat flawed. My (admittedly naive) opinion is that the protection should really be included at the application layer.</p> <p>They then reviewed a bunch of different vulnerabilities and gave examples of how they could be solved with XML gateways.</p> <p>There's been a lot of discussion at the conference about how "we need to get more developers here" and I think part of the problem is that a lot of the presentations are not developer topics. The presentations cover how to exploit, how to buy a product to put in front of the vulnerabilities to prevent problems, how to use applications to pen-test, what the vulnerabilities are, what a security friendly process looks like, but relatively little about how to write secure code to protect against these vulnerabilities.</p> http://crackingdrupal.com/blog/greggles/techniques-attacking-and-defending-xmlweb-services#comments security web services xml Fri, 13 Nov 2009 21:33:42 +0000 greggles 46 at http://crackingdrupal.com