Web Services Security

Web Services use known protocols, ports, descriptors and methods to access and "expose" back-end components to the client side. This means that any Web service is vulnerable to the following, and more:
- SQL injections
- Scripting exploits
- Denial of Service attacks: an attacker does a small amount of work on a message that causes the target system to devote all its resources to a specific task, so that it cannot serve legitimate requests.
- Message monitoring and copying
- Message source spoofing: an attacker alters an original message by inserting, removing or modifying content created by the originator, and the receiver mistakes the faked message for the originator's real intention. An attacker may also construct an entirely new fake message to fool the receiver into believing it came from a valid sender.
- Message (payload) manipulation: changing the sent data while it is in transit.
- Transmission of viruses, in the message body or as an attachment.
- Transactional attacks
- Replay of message parts: an attacker replays parts of a captured message to the receiver with the aim of gaining access to an unauthorised system, or of causing the receiver to take unnecessary action.
The security aspects of Web services are Authentication, Authorization, Confidentiality/privacy and Integrity/non-repudiation:

- Authentication: verification of the user's identity, based on the credentials the user provides.
- Authorization (or Access Control): granting access to specific resources once the user has been authenticated.
- Confidentiality/privacy: keeping information secret, for example by encrypting the content of the messages that are sent.
- Integrity/non-repudiation: assurance that a message remains unaltered during transit. A digital signature is used to verify that the message has not been changed and also provides non-repudiation, since only the holder of the signing key could have produced it.
There are two types of security requirements for Web services: transport level (Secure Sockets Layer) and application/message level.
Transport-level Security

SSL (Secure Sockets Layer), or its successor TLS (Transport Layer Security), is the most widely used transport-level data-communication protocol. It provides authentication, confidentiality (the exchanged data is encrypted), message integrity (the data cannot be corrupted undetected) and secure key exchange between client and server.

SSL provides a secure communication channel while data is in transit; however, when the data is not "in transit" it is not protected. This means that in multi-step transactions the environment is vulnerable to attacks at every hop where the message is decrypted, processed and forwarded. (SSL provides point-to-point security, as opposed to end-to-end security.)
Message-level Security

Message-level security is an application-layer service that protects message data between applications. It is based on XML frameworks defining confidentiality, integrity and authenticity; message structure; and trust management and federation. Message structure and message security are implemented by SOAP and its security extension, WS-Security. WS-Security defines how to attach XML Signature and XML Encryption headers to SOAP messages. In addition, WS-Security provides profiles for five security tokens: Username (with password digest), X.509 certificate, Kerberos ticket, Security Assertion Markup Language (SAML) assertion, and REL (rights markup) document.

Message-level security is used in scenarios where the application is designed around mostly asynchronous queues; SOAP-based services use message-level security. The security information is contained within the SOAP message itself, so it travels along with the message. For example, a portion of the message may be signed by the sender and encrypted for a particular receiver. The message can then pass through multiple nodes before it is delivered to its destination, and the encrypted part remains opaque to those intermediate nodes. For this reason, message-level security is also referred to as end-to-end security.
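The Username token with password digest mentioned above, and the replay attack from the list of threats, can be shown together in code. The following is an added example, not code from the original page or from any WS-Security implementation: it computes the UsernameToken profile's PasswordDigest (Base64 of SHA-1 over the raw nonce, the Created timestamp and the password) on the sender side, and on the receiver side recomputes it, rejects stale timestamps and refuses a nonce that has already been seen. The credential store and the field-name dictionary standing in for the SOAP header are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample credential store (hypothetical username and secret).
CREDENTIALS = {"alice": "correct horse battery staple"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_username_token(username: str, password: str, now=None) -> dict:
    """Sender side: fresh random nonce, creation time and digest, as the token's header fields."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FORMAT)
    nonce = os.urandom(16)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Receiver side: recompute the digest, reject stale timestamps and replayed nonces."""

    def __init__(self, credentials: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.credentials = credentials
        self.max_skew = max_skew
        self.seen_nonces = set()  # a real service would expire entries after max_skew

    def verify(self, token: dict, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self.credentials.get(token.get("Username"))
        if password is None:
            return False
        try:
            created_at = datetime.strptime(token["Created"], TIME_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        if abs(now - created_at) > self.max_skew:
            return False  # stale: outside the freshness window
        if token["Nonce"] in self.seen_nonces:
            return False  # replay: this nonce was already consumed
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False  # digest mismatch: wrong secret or tampered fields
        self.seen_nonces.add(token["Nonce"])
        return True
```

Note that the digest only proves knowledge of the password; without TLS or XML Encryption on the channel, the nonce and timestamp are visible, and the freshness window plus the seen-nonce set are what stop the token from being replayed within that window.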