SOA and Web Services: New Technologies, New Standards - New Attacks

Regarded as the new paradigm for Internet communication, Web Services have introduced a large number of new standards and technologies. Though founded on decades of networking experience, Web Services are no more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well known from common Internet protocols and, in addition, to new kinds of attacks targeting Web Services in particular. Along with their severe impact, most of these attacks can be performed with minimal effort on the attacker's side. In this paper we present a list of vulnerabilities in the context of Web Services. To prove the practical relevance of these threats, we performed exemplary attacks on widespread Web Service implementations. Further, general countermeasures for the prevention and mitigation of such attacks are discussed.