Web security: Web services an overlooked entry point for attacks


Kevin Beaver, CISSP
08.21.2008


Web services are not only the backbone of application interaction, but they can also be the Achilles' heel of Web security. Be it their relative infancy or the assumption that only computers are used in the communication process, Web services are indeed the often-forgotten components of Web application security testing. It happens to the best of us, but Web services security is something no one can afford to overlook.

The problem with XML-based Web services -- as innocuous as they seem -- is that they are exposed to the very same types of input attacks that plain old Web applications are susceptible to:

In addition to input weaknesses, UDDI interfaces (both public and private) for Web services can also be discovered using Google queries and tools such as SOAPclient's UDDI Browser. Once they're found, they can be enumerated and anything's fair game.

There's also the business logic that can be gleaned by simply looking at the Web service's WSDL file. And none of these things is going to be protected against by the average firewall. This is especially true if SSL is used for the SOAP communications that take place during Web services interchanges.

To get your Web services vulnerability testing started, you have several choices among freeware/open source tools and commercial scanners. The free tools available for ferreting out Web services holes include WSDigger and OWASP WSFuzzer. Both are nice starting points; however, I've found that certain freeware and open source tools may not discover as many Web services vulnerabilities as the commercial alternatives. On the commercial side, I've used Acunetix Web Vulnerability Scanner and HP's WebInspect, as seen in Figure 1. Notice the similarity between WebInspect's Web service scanner interface and the average Web application vulnerability scanner. You simply enter the link to the WSDL file, and off you go.



Figure 1: The Web services vulnerability scanner interface in WebInspect

Both Acunetix Web Vulnerability Scanner and WebInspect include Web services editors you can use for deeper analysis of XML responses and overall WSDL configuration. Other commercial alternatives for evaluating Web services security include IBM's AppScan and Cenzic's Hailstorm.

Web services are essentially standalone, discrete Web applications, and they need to be treated as such. I can hardly imagine anything worse than a simple oversight such as a Web services flaw ruining an otherwise reasonably secure Web application.

Whether you're developing a Web service or planning out a Web application assessment, make sure Web services security testing is included within the scope of your project.

Some basic solutions include using stronger authentication and limiting where SOAP connections originate. Also check out XML signatures, SAML, and XACML, and be sure to stay attuned to the developments around the WS-Security standards. In the end, there are ways to protect Web services. But like any other application-layer protection mechanism, it's going to take some effort from multiple sides of the house to make it happen.
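As an added example (not from the article or from any of the tools it names), here is what the "stronger authentication" suggestion looks like in code: a server-side check of a WS-Security UsernameToken that only accepts the PasswordDigest form, rejects stale timestamps, and refuses replayed nonces. The wsse/wsu namespaces and the digest formula come from the OASIS WS-Security UsernameToken Profile 1.0; the SOAP envelope, the user store and the `lookup_password` callback are constructed for this example.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# OASIS WSS 1.0 namespaces, i.e. the wsse/wsu prefixes seen in WS-Security headers.
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

def parse_created(text):
    """wsu:Created is a UTC timestamp of the form 2008-08-21T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_envelope(username, password, created, nonce_b64=None):
    """Client side: a constructed SOAP envelope carrying a digest UsernameToken."""
    nonce_b64 = nonce_b64 or base64.b64encode(secrets.token_bytes(16)).decode()
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}">'
        f"<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce_b64, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>"
    )

def verify_username_token(envelope, lookup_password, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Server side: accept only a fresh, unreplayed digest token for a known user."""
    token = ET.fromstring(envelope).find(f".//{WSSE}UsernameToken")
    if token is None:
        return False
    user, pw = token.find(f"{WSSE}Username"), token.find(f"{WSSE}Password")
    nonce, created = token.find(f"{WSSE}Nonce"), token.find(f"{WSU}Created")
    if None in (user, pw, nonce, created) or pw.get("Type") != DIGEST_TYPE:
        return False  # plaintext or malformed tokens are rejected outright
    if abs(now - parse_created(created.text)) > max_skew or nonce.text in seen_nonces:
        return False  # stale timestamp or replayed nonce
    secret = lookup_password(user.text)  # hypothetical lookup into the service's user store
    expected = password_digest(nonce.text, created.text, secret or "")
    if secret is None or not hmac.compare_digest(expected, pw.text or ""):
        return False
    seen_nonces.add(nonce.text)  # remember only nonces that authenticated
    return True
```

The `seen_nonces` set must live at least as long as `max_skew`, so in a multi-node deployment it belongs in a shared store rather than in process memory.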

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC, where he specializes in performing independent security assessments. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog.
