Web Services and SOA. The OWASP Foundation Laurent PETROQUE. System Engineer, F5 Networks

Similar documents
KINGS COLLEGE OF ENGINEERING DEPARTMENT OF INFORMATION TECHNOLOGY. (An NBA Accredited Programme) ACADEMIC YEAR / EVEN SEMESTER

7.1 Introduction. extensible Markup Language Developed from SGML A meta-markup language Deficiencies of HTML and SGML

Transport (http) Encoding (XML) Standard Structure (SOAP) Description (WSDL) Discovery (UDDI - platform independent XML)

Copyright 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley. Chapter 7 XML

Delivery Options: Attend face-to-face in the classroom or via remote-live attendance.

Delivery Options: Attend face-to-face in the classroom or remote-live attendance.

Copyright

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

COMP9321 Web Application Engineering

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Distributed Systems. Web Services (WS) and Service Oriented Architectures (SOA) László Böszörményi Distributed Systems Web Services - 1

XML: Extensible Markup Language

XML Web Service? A programmable component Provides a particular function for an application Can be published, located, and invoked across the Web

Java Web Service Essentials (TT7300) Day(s): 3. Course Code: GK4232. Overview

Web Services: Introduction and overview. Outline

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

MIS Systems & Infrastructure Lifecycle Management 1. Week 5 Feb 11, 2016

BRA BIHAR UNIVERSITY, MUZAFFARPUR DIRECTORATE OF DISTANCE EDUCATION

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

CA SiteMinder Web Services Security

COMP9321 Web Application Engineering. Extensible Markup Language (XML)

Realisation of SOA using Web Services. Adomas Svirskas Vilnius University December 2005

Call: JSP Spring Hibernate Webservice Course Content:35-40hours Course Outline

M359 Block5 - Lecture12 Eng/ Waleed Omar

Citrix NetScaler AppFirewall and Web App Security Service

Glossary of Exchange Network Related Groups

Service Interface Design RSVZ / INASTI 12 July 2006

BPEL Research. Tuomas Piispanen Comarch

XML Applications. Introduction Jaana Holvikivi 1

Agenda. Summary of Previous Session. XML for Java Developers G Session 6 - Main Theme XML Information Processing (Part II)

11. EXTENSIBLE MARKUP LANGUAGE (XML)

C1: Define Security Requirements

XML: Introduction. !important Declaration... 9:11 #FIXED... 7:5 #IMPLIED... 7:5 #REQUIRED... Directive... 9:11

Web Services Security. Dr. Ingo Melzer, Prof. Mario Jeckle

Web service design. every Web service can be associated with:

What Are We Building?

Web Services. The Pervasive Internet

Automation for Web Services

SOAP, WSDL, HTTP, XML, XSD, DTD, UDDI - what the?

Oracle Developer Day

XML Web Services Basics

Distribution and web services

Implementing a Ground Service- Oriented Architecture (SOA) March 28, 2006

Introduction to XML. XML: basic elements

Introduction p. 1 An XML Primer p. 5 History of XML p. 6 Benefits of XML p. 11 Components of XML p. 12 BNF Grammar p. 14 Prolog p. 15 Elements p.

CHAPTER 2 LITERATURE SURVEY 2. FIRST LOOK ON WEB SERVICES Web Services

Application security : going quicker

Teiid Designer User Guide 7.5.0

Chapter 13 XML: Extensible Markup Language

A Signing Proxy for Web Services Security

Oracle. Exam Questions 1z Java Enterprise Edition 5 Web Services Developer Certified Professional Upgrade Exam. Version:Demo

Secure Development Guide

PART. Oracle and the XML Standards

Chapter 1: Getting Started. You will learn:

Web-services. Brian Nielsen

Programming Web Services in Java

Chapter 17 Web Services Additional Topics

Security Attack Ontology for Web Services

Developing Web Applications with Oracle and XML NYOUG General Meeting March 13, Jason Cohen

SERVICE-ORIENTED COMPUTING

Hacking Web Sites OWASP Top 10

WS-* Standards. Szolgáltatásorientált rendszerintegráció Service-Oriented System Integration. Dr. Balázs Simon BME, IIT

AD214 XML and Web Services with IBM Lotus Domino and IBM Rational Application Developer. Bob Balaban, Executive Consultant WPLC, IBM Software Group

Introduction and Overview Socket Programming Lower-level stuff Higher-level interfaces Security. Network Programming. Samuli Sorvakko/Nixu Oy

Australian Journal of Basic and Applied Sciences

IT6801-SERVICE ORIENTED ARCHITECTURE

Grid Computing. What is XML. Tags, elements, and attributes. Valid and well formed XML. Grid Computing Fall 2006 Paul A.

XML for Java Developers G Session 8 - Main Theme XML Information Rendering (Part II) Dr. Jean-Claude Franchitti

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

XML: Managing with the Java Platform

Announcements. Next week Upcoming R2

COURSE DELIVERY PLAN - THEORY Page 1 of 6

Applying Microservices in Webservices, with An Implementation Idea

WSDL. Stop a while to read about me!

COPYRIGHTED MATERIAL. Contents. Part I: Introduction 1. Chapter 1: What Is XML? 3. Chapter 2: Well-Formed XML 23. Acknowledgments

XML APIs Testing Using Advance Data Driven Techniques (ADDT) Shakil Ahmad August 15, 2003

extensible Markup Language (XML) Basic Concepts

XML databases. Jan Chomicki. University at Buffalo. Jan Chomicki (University at Buffalo) XML databases 1 / 9

Service Oriented Architecture

Goal: Offer practical information to help the architecture evaluation of an SOA system. Evaluating a Service-Oriented Architecture

WWW, REST, and Web Services

<Insert Picture Here> Click to edit Master title style

COMP9321 Web Application Engineering

Using Xml Schemas Effectively In Wsdl Design

Web Application Vulnerabilities: OWASP Top 10 Revisited

BEAAquaLogic Enterprise Repository. Automation for Web Services Guide

Introduction to XML the Language of Web Services

XML: some structural principles

XML. Jonathan Geisler. April 18, 2008

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

IT2353 WEB TECHNOLOGY Question Bank UNIT I 1. What is the difference between node and host? 2. What is the purpose of routers? 3. Define protocol. 4.

Forum XWall and Oracle Application Server 10g

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Copyright 2007 Ramez Elmasri and Shamkant B. Navathe. Slide 27-1

Lesson 6 Directory services (Part I)

SOAPSonar Enterprise User Guide. Version 6.5

Lecture 15: Frameworks for Application-layer Communications

Lecture 15: Frameworks for Application-layer Communications

Simple Object Access Protocol (SOAP) Reference: 1. Web Services, Gustavo Alonso et. al., Springer

Transcription:

Web Services and SOA Laurent PETROQUE System Engineer, F5 Networks OWASP-Day II Università La Sapienza, Roma 31st, March 2008 Copyright 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org

Agenda What are Web Services SOA What are the threats What is done in customers environments 2

Web Service Architecture 2 1 3 Service provider implements the service, publishes the service and provide the service Server requestor finds the service, and consumes the service Server registry centralized the services published by the service provider, and

Agenda What are Web Services? What is SOA? What are the threats? What are the solutions? What customers are doing with this and how do they protect it?

Web Service Architecture UDDI UDDI WSDL XML description XML-RPC SOAP XML 3 HTTP, SMTP, FTP Service provider implements the service, publishes the service using UDDI(Universal Description, Discovery, and Integration) to the Server registry Server registry centralized the services published by the service provider. Server requestor finds the service using UDDI, retrieve the WSDL(Web Service Description Language) and consumes the service. Server requestor send the message using a service transport.

SOA : Service Oriented Architecture

What are the base elements? HTTP Transports information between systems XML Precise how information are exchanged WDSL Enforce the compliance of the data part of the communications SOAP Enables and regulates communications between systems

Security and XML Attacks against an XML parser (mainly DOS eg forcing the parser to crash, to consume too much memory, etc) (re)definition When a DTD is included or is refered elsewhere, replace the DTD/XML schema attack the parser DOS again- via a problematic URI XXE (Xml external Entity) attack XXE attack is an attack on an application that parses XML input from untrusted sources using incorrectly configured XML parser. The application may be coerced to open arbitrary files and/or TCP connections.

Security and XML XML BOMBS XML document contains too many bytes XML document contains too many characters (one character doesn't necessarily translate to one byte...) Nesting depth too deep Too many elements Too many siblings to an element Too many attributes Too many namespaces Element/attribute/namespace-prefix/value too long (bytes? characters?) recursive nesting of elements (this is not well formed XML!) too many times opening and closing a tag (too many push/pop stack operations) entity resolution depth

Security and Web Services OWASP top 10 still apply to web services WSDL Enumeration/Scanning Gives useful source of information about web services. Sol: Determine the degree of exposure provided by the WSDL document. Parsing Exploits - SAX/DOM known common exploits on Vendor Framework - Custom parsers that are poorly written Sol: Do not implement custom parsers. Use SAX-based parsing whenever possible Validate the XML stream size before the XML parsing XML injection - XML can be injected through aplication - The user-input includes XML tags which are parsed Sol: Validation of the XML message

Security and Web Services XPath Injection Attacks - XPath is used to query XML documents, so like SQL, XPath is susceptible to injection. Sol: Validation of the XML message. XML Manipulation (i.e. CDATA Manipulation, etc) - DTD is dangerous as it can be defined internally, externally, or both. - CDATA can include non-legal characters in data. Sol: Use XSD to validate XML messages If a DTD is used, don t allow the DTD before the root element. Validation of the XML message

Specific patterns in an XML application Possibility to check for XML patterns. The patterns are specific to the customers architecture.

XML Format Enforcement NameSpace (NS) element Xml Message document children attribute attribute s value depth name

XML Format Enforcement A DTD defines the legal building blocks of an XML document A DTD can be embedded in an XML document A DTD can be referenced in an XML document Possibility to work with embedded and referenced DTD. DTD

XML Format Enforcement Prevent DOS using Entities in a DTD schema. MEMORY ENTITY XML Message expansion ENTITY Recursion XML Message

Protect XML Data Encrypt XML Data

Restrict SOAP implementation Provide specific WSDL Publish only necessary SOAP method for each specific usage Rely on well known XML parser Microsoft, Oracle, WebLogic, Disable DTD parsing

What customer s are mostly doing Supporting XML Document Submit XML document Security enforcement : Check Schema Check SOAP methods and signatures

What customer s are mostly doing Open few WebServices to partners HTML navigation Auction site E-commerce partner Security enforcement On service provider infrastructure SOAP method enforcement XML pattern checking Loan service

References Wikipedia http://en.wikipedia.org/wiki/service-oriented_architecture

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback