| Terms | Definitions |
|---|---|
| Why is security such an issue in web services? | By their nature, web services are standardised and open: interfaces to services follow a standard format, which means that attacks can also be standardised. |
| What information about any given web service is publicly available, and where would it be found? | SOAP messages provide structural information, including the port to use, and the WSDL gives precise information on the service's location and how it can be accessed. |
| What are the six components of the WS-Security model? | 1. Policy (encryption, etc.) 2. Trust (secure tokens) 3. Privacy 4. Secure conversation (communication) 5. Federation (identity authorisation) 6. Authorisation (specification and management of web services) |
| What are the most common security threats for web services? | 1. Unauthorised access 2. Unauthorised alteration of messages 3. Man in the middle 4. Denial of service attacks |
| What is meant by 'unauthorised access'? | Information within the message is viewable by unintended and unauthorised participants. |
| What is meant by 'unauthorised alteration of messages'? | An attacker may delete, modify or insert extra information into a message created by the originator, and the receiver mistakes the result for the originator's intention. This category may include: attachment alteration; replay attacks (signed messages are intercepted and sent back to a targeted site); session hijacking; forged claims; and falsified messages. |
| What is meant by 'man in the middle'? | A SOAP intermediary is compromised and messages between the web service requester and the receiver are intercepted. The attacker may merely have access to the messages, or may modify them, leaving the original parties thinking that they are communicating directly with each other. |
| What is meant by 'denial of service attacks'? | Denial of service attacks (DoS, usually initiated from one machine) or distributed denial of service attacks (DDoS, usually from a network of machines): the objective is to render target systems inaccessible to legitimate users. A flood of plain messages, or of messages with large numbers of encrypted or signed elements, may tie up system resources and degrade service levels. This can cause severe disruption to a system. |
| What are 'routing detours'? | Routing detours are a form of man-in-the-middle attack that compromises routing information: routing information (whether in the HTTP headers or in WS-Routing headers) can be modified en route to direct sensitive messages to an outside location. Traces of the routing can be removed from the message so that the receiving application does not realise that a routing detour has occurred. |
| What is coercive parsing? | An XML-based attack whose main objective is either to overwhelm the processing capabilities of the system or to install malicious mobile code. |
| What is 'SQL injection'? | SQL injection compromises the database: it could allow an attacker to execute multiple commands via an input field by using native command separators such as ';' or pipes. |
| What's the difference between network-level security and application security? | Firewalls tend to be network-level security: they either block or allow data. They are brute-force security that allows ANY information through once the allow decision is made. In web service applications it isn't the data itself that's the issue but the 'type' of data (i.e. SQL injection using drop_d for comments), so a network firewall is of limited use. |