Smart Security Shop

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 15 November 2006

Web Services Design Security Considerations

Posted on 01:43 by Unknown

Web Services Design Security Considerations

I. Information Gathering

  1. WSDL Retrieval: Identify web method call mechanics
  2. SOAP Error Messages
  3. Web Method Enumeration: Identify methods not published in the WSDL.
II. Parameter Manipulation
  1. Identify mishandling of numerical fields, character strings, Base64 data handling, etc.
  2. Identify SQL Injection/XPATH Injection Vulnerabilities
  3. XML input data is validated based on an agreed schema.
  4. If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with.
  5. Determine whether the logging mechanism is vulnerable to arbitrary entry creation via carriage return and line feed injection.
  6. Assess the possibility of inserting HTML tags into a HTML based log.
  7. Assess the possibility of inserting XML elements and/or attributes into an XML based log.
  8. Determine the logging mechanism’s susceptibility to white space injection.
  9. Assess the ability of the web service to log messages that contain special separator characters.
  10. Assess the handling of log data after reaching the upper log size limit.
  11. Assess the web service’s susceptibility to LDAP injection.

III. Authentication and Authorization

  1. Web services that support restricted operations or provide sensitive data require and support authentication.
  2. Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands.

IV. Sensitive Data

  1. Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL.)
  2. Identify the encryption cipher used in the application.
  3. Determine the items within web service communications that are encrypted.
  4. Determine the items within web service communications that are protected by message integrity checks.

V. Exception Handling

  1. SOAP Exceptions are thrown and returned to the client using the standard SOAP element.
  2. If application-level exception handling is required a custom SOAP extension is used.

VI. Auditing & Logging

  1. The Web service logs transactions and key operations.

VII. Proxy Considerations

  1. The URL Behavior property of the Web reference is set to dynamic for added flexibility.
  2. The endpoint address in Web Services Description Language (WSDL) is checked for validity.

VIII. Configuration

  1. Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
  2. The Web service runs using a least-privileged process account.
  3. Debugging and Tracing are disabled.
  4. Identify directory traversal vulnerabilities.
  5. Assess the level of information disclosure from temporary files.
Email ThisBlogThis!Share to XShare to Facebook
Posted in Security, Web Services | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Registrations for OWASP Mumbai Meet [31st July 15:00hrs]
    Hi All, Everyone is welcome to join us at our next chapter meet to be held on Monday , 31 st of July. Registrations for the eve...
  • Free Web Proxy List
    A web proxy is becoming more and more important in todays internet. Schools and Companys tend to block sites pretty quickly nowadays, especi...
  • How do you use RSA for both authentication and secrecy?
    RSA is based upon public key/private key concept. For authentication one can encrypt the hash (MD5/SHA) of the data with a private key. This...
  • Does the code use MapPath?
    Review code for the use of MapPath. MapPath should be used to map the virtual path in the requested URL to a physical path on the server to ...
  • New Rogue Security Product: Smart Antivirus 2009
    Smart Antivirus 2009 is a new rogue security product and a near clone of AntiSpyware 2008 Smart Antivirus 2009 Home page Typical fake/Scare ...
  • Impersonation without Windows Authentication
    How to Impersonate the Original Caller without Windows Authentication When using non-windows authentication like Certificate Authentication ...
  • Firefox popups
    Firefox popups Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see oc...
  • Spam - It also impacts the environment
    McAfee has released The Carbon Footprint of Email Spam Report . The study looks at the global energy expended to create, store, view, and fi...
  • Botnet Attack Details from Kaspersky
    One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The st...
  • Can Security be incorporated in the Computer Science & IT courses?
    Attacks on the web systems have become a common place and most of the issues have been attributed to software vulnerabilities. The IT softwa...

Categories

  • Account Lockout
  • Anti-XSS
  • Antivirus
  • Application Security
  • AppSec Conference
  • ASP.NET
  • Attacks
  • Authentication
  • Banks
  • Botnets
  • Break
  • Broadband
  • Browsers
  • Change Management
  • Citibank
  • Clear Text Secrets
  • Computer Performance
  • Computer Security
  • Credit Card
  • Cyber Security
  • Cyber Terrorism and Economy
  • Data Validation
  • Database Security
  • Defragmentation
  • Design
  • Developer Training
  • Development Tools
  • DSS
  • eCrime
  • Education
  • Encryption
  • Ettercap
  • Exchange 2007
  • facebook
  • Frauds
  • Google Hacking
  • Hacking
  • ICICI Bank
  • India Leaders
  • Internet
  • IRCTC
  • Java
  • Legal
  • Live Demo
  • Load Testing
  • Mail Security
  • Malware
  • Mastek
  • Message Security
  • Mobile Security
  • Money Laundering
  • News
  • one time password
  • Online
  • Oracle
  • OWASP
  • PC Errors
  • PCI
  • Performance Testing
  • Phishing
  • Popular Posts
  • Punishment
  • Requirement Engineering
  • Retail
  • Rouge
  • Routers
  • Rugged
  • Security
  • Security Industry
  • Security Management
  • Security Requirements
  • Security Tools
  • Sensitive Data
  • Sniffing
  • Social Networking
  • Software Industry
  • Solutions Community
  • Spams
  • SQL Injection
  • SSL
  • Sudhakar Ram
  • Summer of Code
  • SUN
  • Technology
  • Testing
  • Thick Client Security
  • Third Wave
  • Times of India
  • Typo Squatting
  • UI Security
  • University Programs
  • Virtual Keyboard
  • Virtualization
  • WCF 3.5
  • Web 2.0
  • Web Applications
  • Web Security
  • Web Services
  • WiFi
  • Windows
  • Workshops
  • X.509 Certificates
  • XSS

Blog Archive

  • ►  2011 (5)
    • ►  September (1)
    • ►  July (2)
    • ►  March (2)
  • ►  2010 (5)
    • ►  November (1)
    • ►  June (1)
    • ►  March (1)
    • ►  January (2)
  • ►  2009 (19)
    • ►  December (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (1)
    • ►  July (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (4)
    • ►  March (2)
    • ►  February (2)
    • ►  January (2)
  • ►  2008 (29)
    • ►  December (7)
    • ►  November (2)
    • ►  September (3)
    • ►  August (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (2)
    • ►  April (3)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (29)
    • ►  December (2)
    • ►  November (3)
    • ►  October (11)
    • ►  September (5)
    • ►  August (2)
    • ►  July (1)
    • ►  June (1)
    • ►  April (1)
    • ►  March (1)
    • ►  February (1)
    • ►  January (1)
  • ▼  2006 (36)
    • ►  December (1)
    • ▼  November (3)
      • UI Security Check #1
      • Web Services Design Security Considerations
      • Alternative to IE and Firefox
    • ►  October (6)
    • ►  September (3)
    • ►  August (4)
    • ►  July (3)
    • ►  June (1)
    • ►  May (5)
    • ►  April (2)
    • ►  March (4)
    • ►  February (1)
    • ►  January (3)
  • ►  2005 (20)
    • ►  December (6)
    • ►  November (14)
Powered by Blogger.

About Me

Unknown
View my complete profile