<<Attacks on Web Services are often targeted at XML based content. Here are some of the more significant XML based attacks:
Recursive payload attack - the attacker takes advantage of the nesting supported within XML. One of the strengths of XML is its ability, through nesting, to efficiently address complex, hierarchical relationships between data elements. With the recursive payload attack, an XML document is created with very deep nesting of data elements, thousands of elements deep, or where the nesting is recursive. Many of the older XML parsers would choke on this, essentially leading to a denial of service.

Jumbo Payload attack - essentially exploiting a poorly written parser that is unable to process an exceedingly large XML document, leading to a denial of service. This has become less of an issue, as parsers are now better able to handle larger payloads and have the correct exception handling if the document is too big.

XQuery Injection - an XML variant of the SQL injection technique. XQuery is a language designed to permit querying and formatting XML data. An attacker may inject XQuery as part of a SOAP message, causing a SOAP destination service to manipulate an XML document incorrectly.

XML Morphing - involves changing/manipulating XML docs into a form that the XML processor cannot handle.

WSDL Enumeration - Web Services Description Language is used to describe the services and how to engage the methods for these services. By enumerating and parsing through WSDL, someone could get info about other methods that may have restricted access, or deduce how to compromise a service through a backdoor unpublished method.

Schema Poisoning - modifying the schema referenced by an XML document in a manner that is inconsistent with the document, causing the processor to choke on the document.

These are just a sampling of XML based attacks that can be perpetrated against your web service deployment. Here are a couple of steps to take to protect against such threats. First, validate and version control XML Schemas. Second, encrypt XML content.
Third, inspect incoming and outgoing XML through use of an XML based firewall or IPS equipped to handle such inspection. It's not foolproof, but it's a start toward better security for web services.>>

You can find this at: <http://www.ebizq.net/blogs/security_insider/2006/06/threat_protection_for_web_serv_2.php>

Gervas
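The recursive payload and jumbo payload attacks in the quoted post are both resource-exhaustion problems for the parser, and the third countermeasure (inspecting inbound XML before it reaches the application) can be implemented as a streaming gate rather than a full parse. The following Python is an added example, not code from the quoted post or from the ebizq blog: it rejects a body over a byte limit before any parsing, then streams the document through the standard library's expat binding while counting nesting depth and element count, aborting at the first violation so a thousands-deep document is never fully processed. The limit values, the `XmlRejected` exception and the helper names are illustrative assumptions.

```python
import xml.parsers.expat

# Added example: a pre-parse gate for inbound XML (not code from the quoted post).
# The limits below are illustrative assumptions; tune them to real message sizes.
DEFAULT_MAX_BYTES = 1_000_000   # jumbo payload guard
DEFAULT_MAX_DEPTH = 64          # recursive payload guard
DEFAULT_MAX_ELEMENTS = 10_000   # bounds total parser work per document


class XmlRejected(ValueError):
    """Raised when a document breaks a size, depth, element-count or well-formedness limit."""


def check_xml_limits(data, max_bytes=DEFAULT_MAX_BYTES,
                     max_depth=DEFAULT_MAX_DEPTH, max_elements=DEFAULT_MAX_ELEMENTS):
    """Stream `data` (bytes) through expat and enforce limits while parsing.

    Returns a dict with the observed maximum depth and element count when the
    document is within limits; raises XmlRejected otherwise. Parsing stops at
    the first violation, so a deeply nested document is never fully processed.
    """
    # Size check first: an oversized body is refused before any parser sees it.
    if len(data) > max_bytes:
        raise XmlRejected(f"document is {len(data)} bytes, limit is {max_bytes}")

    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        # An exception raised inside a handler propagates out of parser.Parse(),
        # which is how the parse is aborted early.
        if state["depth"] > max_depth:
            raise XmlRejected(f"nesting depth {state['depth']} exceeds limit {max_depth}")
        if state["elements"] > max_elements:
            raise XmlRejected(f"element count {state['elements']} exceeds limit {max_elements}")

    def end_element(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input (the "XML morphing" case) is refused here rather than
        # being handed to an application parser that may not cope with it.
        raise XmlRejected(f"malformed XML: {exc}") from exc

    return {"max_depth": state["max_depth"], "elements": state["elements"]}


def rejects(data, **limits):
    """True if check_xml_limits refuses `data` under the given limits."""
    try:
        check_xml_limits(data, **limits)
    except XmlRejected:
        return True
    return False


def nested_document(depth):
    """Constructed test input: `depth` nested <a> elements, e.g. <a><a></a></a>."""
    return b"<a>" * depth + b"</a>" * depth


if __name__ == "__main__":
    sample = b"<soap><body><x>1</x></body></soap>"   # constructed sample message
    print(check_xml_limits(sample))                  # {'max_depth': 3, 'elements': 3}
    try:
        check_xml_limits(nested_document(500), max_depth=64)
    except XmlRejected as exc:
        print("rejected:", exc)
```

The size check runs on the raw bytes before parsing, while depth and element limits are enforced from inside the expat callbacks, so the cost of a hostile document is bounded by the limit rather than by the document. A gate like this belongs in front of the service (the XML firewall or IPS role in the post), separate from the schema validation that follows it.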
