Friday, March 27, 2015

Web services - Part 6


Web Services Security

Web Services use known protocols, ports, descriptors and methods to access and “expose” back-end components to the client side. This means that any Web service is exposed to the following attacks, among others:
  • SQL injections
  • Scripting exploits
  • Denial of Service attacks: an attacker does a small amount of work on a message that causes the target system to devote all its resources to a specific task so that it cannot provide any services to valid requests.
  • Message monitoring and copying
  • Message source spoofing: An attacker alters an original message by inserting, removing or modifying content created by the originator, and the faked message is then mistaken by the receiver as being the originator’s real intention. In addition, an attacker may also construct a new fake message to fool the receiver into believing it to have come from a valid sender.
  • Message (payload) manipulation (changing the sent data while it is in transit)
  • Transmission of viruses (in message or as an attachment)
  • Transactional Attacks
  • Replay of message parts: an attacker replays parts of the captured message to the receiver with the aim of gaining access to an unauthorised system, or causing the receiver to take unnecessary action.

Web services security covers four aspects: Authentication, Authorization, Confidentiality/privacy, and Integrity/non-repudiation.
  • Authentication – verification of the user's identity, based on the credentials the user provides
  • Authorization or Access Control – granting access to specific resources after the user has been authenticated
  • Confidentiality/privacy – keeping information secret, for example by encrypting the content of sent messages
  • Integrity/non-repudiation – assurance that a message remains unaltered during transit. A digital signature is used to validate the message and provides non-repudiation.

There are two types of security for web services: transport level (Secure Socket Layer) and application/message level.

Transport-level Security
SSL (Secure Socket Layer) or TLS (Transport Layer Security) is the most widely used transport-level data-communication protocol. It provides authentication, confidentiality (encrypted data exchange), message integrity (uncorrupted data) and secure key exchange between client and server.

SSL provides a secure communication channel while data is in transit; when the data is not "in transit" (for example while it sits on an intermediate node between two hops), it is not protected. This means that in multi-step transactions the environment is vulnerable to attacks. (SSL provides point-to-point security, as opposed to end-to-end security.)

Message-level Security

Message-level security is an application-layer service and facilitates the protection of message data between applications. Message-level security is based on XML frameworks defining confidentiality, integrity and authenticity; message structure; trust management and federation. Message structure and message security are implemented by SOAP and its security extension, WS-Security. WS-Security defines how to attach XML Signature and XML Encryption headers to SOAP messages. In addition, WS-Security provides profiles for five security tokens: Username (with password digest), X.509 certificate, Kerberos ticket, Security Assertion Markup Language (SAML) assertion, and REL (rights markup) document.

Message-level security is used in scenarios where the application is designed around asynchronous queues. SOAP-based services use message-level security. In message-level security, the security information is contained within the SOAP message itself, so it travels along with the message. For example, a portion of the message may be signed by the sender and encrypted for a particular receiver. In this case the message can pass through multiple nodes before being delivered to its destination, and the encrypted part of the message is opaque to these intermediate nodes. For this reason, message-level security is also referred to as end-to-end security.
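As an added example (not code from the original post), here is the Username token with password digest mentioned above, together with the receiver-side checks that turn its nonce and Created timestamp into a defence against the "replay of message parts" listed at the top of the post. The sender builds a SOAP envelope carrying a WS-Security UsernameToken; the receiver recomputes the digest, enforces a freshness window and rejects a nonce it has already accepted. The namespace URIs and the digest formula Base64(SHA-1(nonce + created + password)) are those of the OASIS WS-Security 1.0 and UsernameToken Profile 1.0 specifications; the user store, the five-minute window, the 30-second skew allowance and the sample body are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs and type identifiers from the OASIS WS-Security 1.0 (wsse/wsu)
# and UsernameToken Profile 1.0 specifications.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Sender side: wrap body_xml in a SOAP Envelope carrying a digest UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                             {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)  # the cleartext password never leaves the sender
    nonce_el = ET.SubElement(token, f"{{{WSSE_NS}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side: checks the digest, the token's age and that the nonce is fresh."""

    def __init__(self, credentials, max_age=timedelta(minutes=5), clock=None):
        self.credentials = credentials  # username -> password (constructed user store)
        self.max_age = max_age
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = set()  # a real service would expire entries after max_age

    def verify(self, envelope_xml):
        token = ET.fromstring(envelope_xml).find(f".//{{{WSSE_NS}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE_NS}}}Username")
        pw_el = token.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce")
        created = token.findtext(f"{{{WSU_NS}}}Created")
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
            return False, "token incomplete or not a digest token"
        password = self.credentials.get(username)
        if password is None:
            return False, "unknown user"
        # Freshness window: a captured token is useless after max_age; the small
        # allowance for clock skew accepts Created values slightly in the future.
        try:
            created_dt = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        now = self.clock()
        if not (now - self.max_age <= created_dt <= now + timedelta(seconds=30)):
            return False, "token expired"
        # Replay: within the window every nonce is accepted at most once.
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
            return False, "bad digest"
        self.seen_nonces.add(nonce_b64)
        return True, "ok"


if __name__ == "__main__":
    envelope = build_envelope("alice", "s3cret", "<Ping/>")
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    print(verifier.verify(envelope))  # first delivery is accepted
    print(verifier.verify(envelope))  # the same message replayed is rejected
```

The digest only proves that the sender knows the password; it covers nothing in the Body, so in practice this token is combined with an XML Signature over the parts that must not change in transit, or at least with TLS on every hop.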
