Jeff Barr's Blog


AXDC – Rich Salz, Tightly Coupled Security for Loosely Coupled Web Services

Rich, of DataPower, will give them a non-Microsoft perspective (as will I).

Protecting XML and web service servers at the network level by creating an XML-aware network. You can’t bolt-on security, you need to design it in.

XML/SOAP bypasses firewalls, by design.

Managing keys is a foreign concept for most people. Security resides in the key. These 56 or 124 bits are the most important part of the application.

Poor SSL performance without hardware acceleration.

Input validation errors — SQL injection buried inside of a SOAP call. “DROP FROM *”. Command execution, buffer overflows, directory traversals.

Asymmetric denial of service. Use an HREF that points to itself.

SOAP traceroute with mustUnderstand set. Send these to a gateway and use it to map internals.

Interesting attack: Suppose that SoapAction is “foo.php”. Send “foo.php|ls -l” as the action. Perl SOAP used to be susceptible to this.

Perl package loading hole: `HTTP::Daemon::ClientConn::send_file("|/etc/passwd")`!

Apache nuSOAP holes.

OS written by “local company” that was not designed to be hooked up to the internet (the audience totally missed this reference).

All written by engineers who know better!

XML External Entity Attack. Turn off DTDs, or an attacker can retrieve local file contents.

All of these things work really well when there are no bad people around.

WSDL gives out a lot of information; .Net auto discovery and ability to guess service names are issues.

Outlined a multi-level stack of infrastructure components to guard against all of these attacks and vulnerabilities. XML-Aware Security Gateway, XML-Aware Proxies, Stateful Firewall, Layer 4 / Circuit Firewalls, IP Firewalls.

XML firewall should be a box, sitting on top of IP firewall. Should enforce XML well-formedness constraints, SOAP messaging schemas, application schemas, security policy, content-based routing. He notes that all of this firewalling should be done at the network level before the application sees a single byte!
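Here is a small, constructed Python example of the kind of checks that gateway does before the application sees a byte: SOAPAction allowlisting (which stops the "foo.php|ls -l" style injection from above), rejection of any DOCTYPE (which closes the XML External Entity door), well-formedness and nesting limits, SOAP envelope shape, and detection of href reference cycles (the self-pointing HREF denial of service). This is an added example, not code from the talk or from DataPower; the allowlist, size and depth limits, and the sample requests are all constructed assumptions, and a real gateway would add schema validation and content-based routing on top.

```python
"""Constructed example of pre-application checks an XML-aware gateway
performs on a SOAP 1.1 request. Not from the original post or DataPower."""
import xml.parsers.expat
from xml.etree import ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical deployment policy; a real gateway would load this from config.
ALLOWED_ACTIONS = {"urn:example:GetQuote", "urn:example:PlaceOrder"}
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 32


def check_soapaction(value):
    """Exact-match allowlist: values like 'foo.php|ls -l' never reach a
    dispatcher that might hand them to a shell or a module loader."""
    if value is None:
        return "missing SOAPAction header"
    action = value.strip().strip('"')
    if action not in ALLOWED_ACTIONS:
        return "SOAPAction not in allowlist: %r" % action
    return None


def check_xml_structure(body):
    """One expat pass over the raw bytes: reject any DOCTYPE (entities need
    a DTD, so this removes XXE), and enforce size, depth and well-formedness."""
    if len(body) > MAX_BODY_BYTES:
        return ["body exceeds %d bytes" % MAX_BODY_BYTES]
    violations = []
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        violations.append("DOCTYPE/DTD present (XXE risk)")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth == MAX_DEPTH + 1:  # report once, keep parsing for other faults
            violations.append("element nesting deeper than %d" % MAX_DEPTH)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        violations.append("not well-formed: %s" % exc)
    return violations


def check_envelope_and_hrefs(body):
    """Envelope shape check plus detection of href reference cycles
    (an href that resolves, directly or indirectly, back to its own owner)."""
    violations = []
    root = ET.fromstring(body)
    if root.tag != "{%s}Envelope" % SOAP_ENV or root.find("{%s}Body" % SOAP_ENV) is None:
        return ["not a SOAP 1.1 Envelope with a Body"]
    parent = {child: p for p in root.iter() for child in p}
    # Graph edge: the nearest id-bearing ancestor of an href -> referenced id.
    edges = {}
    for el in root.iter():
        href = el.get("href")
        if not href or not href.startswith("#"):
            continue
        owner = el
        while owner is not None and owner.get("id") is None:
            owner = parent.get(owner)
        src = owner.get("id") if owner is not None else "<body>"
        edges.setdefault(src, set()).add(href[1:])
    state = {}

    def has_cycle(node):
        state[node] = "visiting"
        for nxt in edges.get(node, ()):
            if state.get(nxt) == "visiting" or (nxt not in state and has_cycle(nxt)):
                return True
        state[node] = "done"
        return False

    for node in list(edges):
        if node not in state and has_cycle(node):
            violations.append("href reference cycle reachable from %r" % node)
            break
    return violations


def inspect_request(headers, body):
    """Gateway decision: return every policy violation found; empty means forward."""
    violations = []
    action_fault = check_soapaction(headers.get("SOAPAction"))
    if action_fault:
        violations.append(action_fault)
    structure_faults = check_xml_structure(body)
    violations += structure_faults
    if not structure_faults:  # only build a tree once the DTD-free input is known safe
        violations += check_envelope_and_hrefs(body)
    return violations


# Constructed sample requests (not captured traffic).
ENV = 'xmlns:soap="%s"' % SOAP_ENV
GOOD_REQUEST = ('<?xml version="1.0"?><soap:Envelope %s><soap:Body>'
                '<GetQuote xmlns="urn:example"><symbol>XYZ</symbol></GetQuote>'
                '</soap:Body></soap:Envelope>' % ENV).encode()
XXE_REQUEST = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               '<soap:Envelope %s><soap:Body><GetQuote xmlns="urn:example">'
               '<symbol>&xxe;</symbol></GetQuote></soap:Body></soap:Envelope>' % ENV).encode()
SELF_REF_REQUEST = ('<soap:Envelope %s><soap:Body><PlaceOrder xmlns="urn:example">'
                    '<item href="#r1"/></PlaceOrder><multiRef id="r1"><next href="#r1"/>'
                    '</multiRef></soap:Body></soap:Envelope>' % ENV).encode()

if __name__ == "__main__":
    for label, hdrs, body in [("good", {"SOAPAction": '"urn:example:GetQuote"'}, GOOD_REQUEST),
                              ("injected action", {"SOAPAction": "foo.php|ls -l"}, GOOD_REQUEST),
                              ("xxe", {"SOAPAction": '"urn:example:GetQuote"'}, XXE_REQUEST),
                              ("self href", {"SOAPAction": '"urn:example:PlaceOrder"'}, SELF_REF_REQUEST)]:
        print(label, "->", inspect_request(hdrs, body) or "forward")
```

The order matters: the cheap expat pass runs first and refuses to build a tree for anything carrying a DTD, so the tree-based href check only ever runs on input that cannot pull in entities. Signature verification, schema validation and content routing would slot in after these checks, which is the point of the layering: by the time the expensive work starts, the malformed and oversized traffic has already been dropped.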

Interesting to note that crypto is very expensive, and that digital signatures turn all other attacks into denial-of-service since the processing load is 5-20 times higher than for an unsigned message.

Firewall should be carrier grade, purpose-built, no attackable OS resources on the device to exhaust, easy to integrate.

Watch out for single-sign-on solutions. Shims are a bad idea. Watch for one-vendor total end-to-end solutions.

Create an XML security ecosystem.