
Why are Web services more vulnerable than Web apps?

Web application security should be adapted to fit the unique needs of Web services. Expert Rami Jaamour explains how Web services security differs from traditional application security.

Why are Web services potentially more vulnerable to security problems compared to traditional Web applications?
A Web service is a software application that makes certain functionality available for consumption by other applications. Unlike a Web site, which allows a human to interact with an application remotely via a Web browser, a Web service allows other applications to interact with it. W3C is the consortium that governs the core Web services standards such as XML, XML Schema, WSDL and SOAP. OASIS is another organization that governs standards complementing the core W3C standards to address e-business concerns such as security and reliability, e.g. WS-Security.

The standards from those two organizations mostly deal with Web service message or description formats, which leaves Web services agnostic to the transport they use. In other words, SOAP messages can be carried over different transport mechanisms such as HTTP and JMS. This property, combined with the open-standards, vendor-neutral nature of Web services, makes Web services particularly attractive for integration and service-oriented architecture (SOA) initiatives, both internally and externally.

However, Web services, if not secured properly, can pose security threats that may extend beyond those of traditional Web applications. These weaknesses result from some Web services' greatest strengths:

  1. Web services are often deployed over HTTP, port 80. This allows the service provider and consumers to communicate across network boundaries without needing to poke special holes in corporate firewalls. Although that makes them easier to access, this practice relieves Web service traffic (usually SOAP XML messages) from the scrutiny of firewalls and network appliances, especially since most such appliances are not aware of the Web services traffic disguised under HTTP.

  2. Typically, a Web service that is useful and reusable exposes the internal workings of the application much more than a traditional Web site or a point-to-point integration mechanism such as CORBA or RMI would. Such internal API exposure opens up more doors to denial of service, broken access control or other application-specific attacks. In a Web site, the business flow logic is usually constrained by the Web interface that exposes the functionality to the user, but in a Web service the message interaction scenarios are left to the consumers.

  3. Although core Web services technologies have reached a certain level of maturity, they are still relatively new. As with most new technologies, history shows that security issues are often overlooked early in the game. There are several Web services-specific vulnerabilities and concerns that need to be taken into consideration, such as XML bombs and XPath injection. Developers need to be aware of those threats in order to protect against them properly.
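As an added example that is not part of Jaamour's answer, the following Python gate ties together the first and last points above: it applies to a SOAP-over-HTTP body the checks a SOAP-unaware firewall on port 80 never makes, and it stops XML bomb entity expansion by rejecting the DTD before any entity is declared (SOAP 1.1 and 1.2 both forbid a DTD in a message, so no conforming client is affected). It uses only the standard-library expat parser; the size and depth limits and the sample messages are constructed for illustration.

```python
# Added example (not from the article): a gateway check for SOAP-over-HTTP bodies that
# rejects DTDs, caps size and nesting depth, and requires a SOAP Envelope with a Body.
import xml.parsers.expat

SOAP_NS = {"http://schemas.xmlsoap.org/soap/envelope/": "1.1",
           "http://www.w3.org/2003/05/soap-envelope": "1.2"}
MAX_BYTES, MAX_DEPTH = 1024 * 1024, 32  # assumed limits; tune per service

class SoapMessageRejected(ValueError):
    """Message failed the gate; the exception text says why."""

def check_soap_message(data: bytes) -> dict:
    if len(data) > MAX_BYTES:
        raise SoapMessageRejected(f"message exceeds {MAX_BYTES} bytes")
    stack, children, st = [], [], {"ns": None, "body": False}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any <!ENTITY> declaration is processed, so nothing expands.
        raise SoapMessageRejected("DOCTYPE is not allowed in a SOAP message")

    def on_start(name, attrs):  # expat delivers names as "namespace}local"
        if len(stack) >= MAX_DEPTH:
            raise SoapMessageRejected(f"nesting deeper than {MAX_DEPTH} levels")
        if not stack:
            ns = name.rsplit("}", 1)[0]
            if ns not in SOAP_NS or not name.endswith("}Envelope"):
                raise SoapMessageRejected("root element is not a SOAP Envelope")
            st["ns"] = ns
        elif len(stack) == 1 and name == st["ns"] + "}Body":
            st["body"] = True
        elif len(stack) == 2 and stack[1] == st["ns"] + "}Body":
            children.append(name.rsplit("}", 1)[-1])  # local name only
        stack.append(name)

    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise SoapMessageRejected(f"malformed XML: {exc}") from None
    if not st["body"]:
        raise SoapMessageRejected("Envelope has no Body")
    return {"version": SOAP_NS[st["ns"]], "body_children": children}

# Constructed samples (not captured traffic): a clean request and a DTD-bearing one.
GOOD_MSG = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            b'<GetQuote xmlns="urn:example"><sym>ACME</sym></GetQuote></s:Body></s:Envelope>')
BOMB_MSG = b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>' + GOOD_MSG.replace(b"ACME", b"&b;")
```

Placed in front of the endpoint, the gate turns the message-format checks the article says network appliances miss into an explicit accept/reject decision, and the rejection reason gives the operations team something to log.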

These factors do not mean that Web services are insecure or that you should not adopt them, but you should be aware of these issues so the risks can be mitigated. Web services security awareness, combined with proper design, development and testing practices, can certainly provide secure Web services.
