Web services are not only the backbone of application interaction, but they can also be the Achilles' heel of Web security. Whether because of their relative infancy or because of the assumption that only computers take part in the communication, Web services are indeed the often-forgotten components of Web application security testing. It happens to the best of us, but Web services security is something no one can afford to overlook.
The problem with XML-based Web services -- as innocuous as they seem -- is that they are exposed to the very same types of input attacks that plain old Web applications are susceptible to:
- Command execution
- SQL injection
- XPath injection
- External entity manipulation
- Authentication cracking
In addition to input weaknesses, UDDI interfaces (both public and private) for Web services can also be discovered using Google queries and tools such as SOAPclient's UDDI Browser. Once they're found, they can be enumerated and anything's fair game.
There's also the business logic that can be gleaned simply by reading the Web service's WSDL file. None of this is going to be protected against by the average firewall, and that is especially true when SSL is used for the SOAP communications in a Web services interchange, since the firewall then cannot inspect the traffic at all.
To get your Web services vulnerability testing started, you have several choices among freeware/open source tools and commercial scanners. The free tools available for ferreting out Web services holes include WSDigger and OWASP WSFuzzer. Both are nice starting points; however, I've found that certain freeware and open source tools may not discover as many Web services vulnerabilities as the commercial alternatives. On the commercial side, I've used Acunetix Web Vulnerability Scanner and HP's WebInspect, as seen in Figure 1. Notice the similarity between WebInspect's Web service scanner interface and the average Web application vulnerability scanner. You simply enter the link to the WSDL file, and off you go.
Figure 1: The Web services vulnerability scanner interface in WebInspect
Both Acunetix Web Vulnerability Scanner and WebInspect include Web services editors you can use for deeper analysis of XML responses and overall WSDL configuration. Other commercial alternatives for evaluating Web services security include IBM's AppScan and Cenzic's Hailstorm.
Web services are essentially standalone, discrete Web applications, and they need to be treated as such. I can hardly imagine anything worse than a simple oversight, such as an unchecked Web services flaw, ruining an otherwise reasonably secure Web application.
Whether you're developing a Web service or planning out a Web application assessment, make sure Web services security testing is included within the scope of your project.
Some basic solutions include using stronger authentication and limiting where SOAP connections originate. Also check out XML signatures, SAML, and XACML, and be sure to stay attuned to the developments around the WS-Security standards. In the end there are ways to protect Web services. But like any other application-layer protection mechanisms, it's going to take some effort from multiple sides of the house to make it happen.
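To make the input-attack list above and these basic solutions concrete, here is an added example (written for this page, not code from the article or from any of the scanners it names): a Python pre-dispatch filter that rejects any SOAP request carrying a DTD (the door for external entity manipulation), checks the SOAP 1.1 envelope, allow-lists parameter values before they reach an XPath, SQL or OS backend, and a helper that safely wraps text as an XPath literal. The parameter policy, the `urn:example` operation and the sample requests are assumptions.

```python
import re
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")  # assumed policy: plain tokens only

# Constructed sample requests (not from the article).
OK_REQ = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'">'
          b'<soap:Body><GetAccount xmlns="urn:example"><user>alice</user></GetAccount>'
          b'</soap:Body></soap:Envelope>')
DTD_REQ = (b'<?xml version="1.0"?><!DOCTYPE Envelope [<!ENTITY ext SYSTEM '
           b'"http://example.invalid/ext.xml">]>' + OK_REQ.split(b"?>", 1)[1])
INJ_REQ = OK_REQ.replace(b"alice", b"alice' or 1")

class RejectedRequest(ValueError): pass  # a request that failed a pre-dispatch check

def inspect_soap_request(raw: bytes) -> dict:
    """Screen a SOAP 1.1 request before it reaches any backend query:
    reject any DTD (external entity / entity-expansion tricks), require a proper
    Envelope/Body, and allow-list every parameter value so it cannot carry
    query or shell syntax. Returns the operation name and its parameters."""
    lowered = raw.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise RejectedRequest("DTD declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedRequest(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise RejectedRequest("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise RejectedRequest("expected exactly one operation element in Body")
    op = body[0]
    params = {}
    for child in op:  # each child of the operation element is one parameter
        value = (child.text or "").strip()
        if not SAFE_PARAM.match(value):
            raise RejectedRequest(f"parameter {child.tag} failed validation")
        params[child.tag.split("}")[-1]] = value  # strip the namespace prefix
    return {"operation": op.tag.split("}")[-1], "params": params}

def xpath_literal(value: str) -> str:
    """Wrap untrusted text as a safe XPath 1.0 string literal. XPath 1.0 has no
    escape character, so text holding both quote kinds is split with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in value.split("'")) + ")"
```

Prefer an XPath engine's variable binding over `xpath_literal` where one is available; the helper is for engines that offer none.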
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and firstname.lastname@example.org.
This was first published in August 2008