Web Services Security: Core Issues


Security has become the most important focus in Web services because it is necessary to ensure that exposed Web services-based business transactions and processes are secure, reliable, and available to the service consumers. From a business perspective, it becomes mandatory to protect and safeguard the exposed services in order to achieve and maintain customer confidence as well as avoid the dangers of being a Web services provider or a consumer. To deliver Web services security, it becomes essential to adopt XML-based security standards and technologies to support security services such as authentication, authorization, trust policies, transport security, message-level security, single sign-on, identity management, and identity federation.

Before delving into Web services security standards and technologies, it is important to understand the known security threats, vulnerabilities, and risks associated with Web services.

Web Services: Threats, Vulnerabilities, and Risks

As Web services have evolved, they have offered some compelling benefits over other Web-based applications. However, these advantages come along with known security threats and risks. These risks involve threats to the entire host network, including Web-services providers, consumers, intermediaries, data, users, applications, and systems infrastructure. While developing Web services architecture, it is important to proactively investigate and pinpoint known security loopholes. Then, mitigation strategies must be applied, and countermeasures must be implemented in order to fortify the exposed services.

Let's take a look at those known threats, vulnerabilities, and risk factors that will influence the decision on how to secure a Web services architecture and implementation.

Denial of Service (DoS) / XML Denial of Service (XML-DoS)

Denial of Service (DoS) attacks are attempts by an unauthorized user or a hacker to disrupt a Web-services provider and its exposed services by flooding them with useless traffic that consumes host system resources such as CPU, memory, network bandwidth, and so forth. These are fake service requests that are designed to take a long time to process, intended to generate faults, or targeted at preventing authorized users from accessing the service. DoS attacks result in significant losses due to outage of provider resources and exposed services. These attacks usually exploit the weaknesses in the application architecture and the host systems' infrastructure.

XML Web services were designed to use standard TCP/IP ports for XML traffic: port 80 for HTTP and port 443 for SSL. Traditional firewalls are quite ineffective for inspecting XML traffic, because they do not provide support for detecting content-level threats. XML-DoS attacks are content-level vulnerabilities: an attacker makes use of malicious XML messages, manipulates parts of an XML document, or sends an oversized XML payload that can cause load-intensive operations at the target Web services endpoint. This causes those systems to crash or to consume an excessive amount of system resources, both of which result in the inability to respond to further requests or perform operations.
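Because a port-level firewall cannot see these content-level problems, the endpoint (or an XML gateway in front of it) has to bound the work a message can cause before any business logic runs. The following is an added example, not code from the book: a streaming pre-parse check that caps payload size, nesting depth and element count and refuses any DOCTYPE. The limits, function name and sample messages are assumptions chosen for illustration.

```python
import xml.parsers.expat

# Limits are illustrative assumptions; tune them to the service's real messages.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 5000


class XmlPolicyViolation(Exception):
    """Raised when a message exceeds a structural limit or carries a DTD."""


def check_xml_limits(payload: bytes) -> int:
    """Stream-parse payload under the limits; return its element count."""
    if len(payload) > MAX_BYTES:
        raise XmlPolicyViolation("payload too large")
    state = {"depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise XmlPolicyViolation("nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise XmlPolicyViolation("too many elements")

    def end_element(name):
        state["depth"] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        # SOAP 1.1 forbids a DTD in messages; refusing it blocks entity definitions.
        raise XmlPolicyViolation("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(payload, True)  # handler exceptions propagate from here
    except xml.parsers.expat.ExpatError as exc:
        raise XmlPolicyViolation(f"not well-formed: {exc}") from exc
    return state["elements"]


# Constructed sample inputs.
GOOD = b"<Envelope><Body><getQuote><symbol>ABC</symbol></getQuote></Body></Envelope>"
TOO_DEEP = b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1)
WITH_DTD = b"<!DOCTYPE Envelope><Envelope/>"
```

The check aborts at the first violation, so a rejected message costs only the bytes parsed up to that point rather than a full DOM build or schema validation.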

Man-in-the-Middle

Man-in-the-Middle (MITM) is an attack where the hacker acts as a Web-service intermediary that intercepts the communication and then accesses and modifies the messages between two communicating parties without the communicating parties knowing that the messages have been intercepted.

Message Injection and Manipulation

Message injection and manipulation is an attack on message integrity between a Web-service provider and the consumer. This is carried out by hackers who insert, modify, or delete parts of messages or attachments, which can push an XML parser to endless loops or transaction commit failures. The attacker also makes use of recursive elements or XML expressions (based on XPATH or XQUERY) or unrelated message attachments to perform unintended processing functions that lead to an endpoint failure. This attack usually comes after a MITM attack where the intruding intermediary generates forged service requests or sends forged server responses.

Session Hijacking and Theft

Some Web-services providers rely on using session identifiers during communication to identify service requesters. This usually leads to a potential security hole where a hacker can steal and use the session identifier information to hijack a session between the services provider and the consumer. In this attack, the hijacker sniffs the conversation or uses packet-capturing capabilities to obtain the session information from the communicating client peer. Based on the session identifier, the hijacker constructs forged service requests that affect the operational efficiency of a Web-services provider or a requester.

Identity Spoofing

Identity spoofing is an attack where a hacker uses the identity of a trusted service requester and sabotages the security of the services provider using forged service requests with malicious information. In this case, the services provider finds normal status and no security breach in the system. Although it is not trivial, from a business perspective, spoofing can cause significant losses due to false identity claims, refund fraud, and related issues.

Message Confidentiality

The threat to message confidentiality comes from eavesdroppers or after an intrusion attack by unauthorized entities. It is very important to use appropriate mechanisms to protect message confidentiality throughout the life cycle of Web services operations, including messages in transit or in storage. If these mechanisms are not used, messages will be available for viewing and interception by unintended recipients and intermediaries.

Replay Attacks

A replay attack is a form of DoS attack where an intruder forges a service request that has been previously sent to the service provider. In this case, the intruder fraudulently duplicates a previously sent request and repeatedly sends it for the purpose of causing the target Web services endpoint to generate faults that can cause failure and shutdown of the target's operations. Hackers usually use this attack as a first step in accessing the services provider in order to generate a fake session or to obtain critical information required for accessing services.
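A provider can detect a duplicated request if every message carries a unique identifier and a creation time that are covered by the message's integrity protection. The following is an added example, not code from the book: a replay guard that rejects stale, future-dated and already-seen messages. The class name, the freshness window, the skew allowance and the `sender`/`message_id`/`created` fields are assumptions for illustration.

```python
import time

MAX_AGE_SECONDS = 300   # assumed freshness window
MAX_CLOCK_SKEW = 30     # assumed tolerated clock skew between peers


class ReplayGuard:
    """Remembers message IDs for as long as the message could still be fresh."""

    def __init__(self, max_age=MAX_AGE_SECONDS, skew=MAX_CLOCK_SKEW):
        self.max_age = max_age
        self.skew = skew
        self._seen = {}  # (sender, message_id) -> time the entry may be dropped

    def _purge(self, now):
        # Drop entries whose messages would now fail the freshness test anyway.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check(self, sender, message_id, created, now=None):
        """Return 'accept', 'stale', 'future' or 'replay' for one request."""
        now = time.time() if now is None else now
        self._purge(now)
        if created > now + self.skew:
            return "future"
        if now - created > self.max_age:
            return "stale"
        key = (sender, message_id)
        if key in self._seen:
            return "replay"
        self._seen[key] = created + self.max_age + self.skew
        return "accept"
```

The freshness window is what keeps the cache bounded: an identifier only needs to be remembered until its message would be rejected as stale regardless.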

Message Validation Abuses

Most Web services security functions rely on XML schema-based message validation for XML Encryption/decryption, XML Signature validation, and security-token verification. These tasks generally require resource-intensive XML processing. Hackers abuse message validation mechanisms by sending malformed messages, abnormal payloads of encrypted content, or non-compliant messages that can cause endless loops that compromise service performance and contribute to transaction failures.

XML Schema Tampering

In a Web services scenario, XML Schemas play a vital role in defining XML vocabularies in an XML message. They help to verify that an XML message is well-formed and valid. XML Schemas are liable to attacks because they are usually made publicly accessible. Using that as a potential loophole, the attacker alters the externally referenced XML schemas with erroneous and inconsistent information. This burdens the Web services endpoint with processing overhead and failures related to message validation and verification.

WSDL and UDDI Attacks

WSDL descriptions and public UDDI registries provide most service-related information in a self-describing XML format that reveals the service location and its exposed operations. The attacker makes use of publicly accessible UDDI or WSDL information to identify the service provider location and then performs a number of operations with arbitrary input and output parameters using malformed data. The attacker may also inflict changes by tampering with WSDL descriptions that affect creation of client-side artifacts to support service requesters.

Furthermore, from an end-to-end Web services perspective, the complexity of security threats and risks adds more difficulty to the tasks of user authentication, access control rules and policies, non-repudiation, identity management, service provisioning, and so forth. In real-world Web services, it becomes very important to address these security issues so that they do not interfere with the benefits and successes of Web services adoption in business organizations.




Core Security Patterns. Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
EAN: 2147483647
Year: 2005
Pages: 204
