Web Services Security and Standards W3C OASIS WS-I

If you or your organization is involved in development of web services, it is very important to understand various threats to web services security and how to mitigate them. Analysis of Web Services Security should be integral part of any web development process.

Web Services Security Attacks

The attacks penetrating the Web Services Security can be categorized, with respect to the objectives an attack may intend to achieve. For example, Microsoft describes these objectives by using the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of privilege) categories.

Spoofing identity. The illegal access and use of a user’s identification or authentication information,
such as the user name and password to pierce through the Web Services Security.
Tampering with data. An unauthorized modification of data via penetration of web services security. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.
Repudiation. The ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions rendering web services security redundant. For example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Non repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package.
Information disclosure. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it affecting web services security—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.
Denial of service. Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. This is one of the most common attack on Web Services Security.
Elevation of privilege. It occurs when a user with limited privileges assumes the identity of a privileged
user to gain privileged access to an application and thereby he/she has the ability to compromise or destroy an entire system. This kind of web services security lapse can be disastrous.

Web Services Security Threats

Web Services security threats can be grouped based on the component which may be subject to the threat, that is, the network, the host, and the application. Here is a threat list to be initially considered for the application:

Input validation: This web services security threat includes Buffer overflow; cross-site scripting; SQL injection; canonicalization
Authentication: This web services security threat comes from network eavesdropping; brute force attacks; dictionary attacks; cookie replay; credential theft.
Authorization: This web services security threat involves elevation of privilege; disclosure of confidential data; data tampering; luring attacks.
Configuration management: Includes unauthorized access to administration interfaces, configuration stores; retrieval of clear text configuration data; lack of individual accountability; over privileged process and service accounts
Sensitive data: Includes access sensitive data in storage; network eavesdropping;data tampering.
Session management: Includes session hijacking; session replay; man in the middle attack.
Cryptography: Threats due to poor key generation or key management; weak or custom encryption.
Parameter manipulation: Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation.
Exception management: Due to information disclosure; denial of service.
Auditing and logging: Here user denies performing an operation; attacker exploits an application without trace; attacker covers his tracks.

Identifying Other Web Services Security Threats

To identify other possible Web Services Security threats, techniques based on attack trees and attack patterns can be used.

Attack trees

These represent the possible paths followed by an attack as trees. The root node of such a tree is the global goal of an attacker. Children of a node are refinements of this goal, and leafs represent goals that can no longer be refined. Attack trees provide a formal methodology for analyzing the security of systems and subsystems, to capture and reuse expertise about security, and to respond to changes in security requirements.

Attack Patterns

These are structured like structure of Design patterns. They are based on the analysis of observed attack exploitations, and usually contains the following information:

• Pattern name and classification
• Attack prerequisites
• Attack Description
• Targeted vulnerabilities or weaknesses
• Method of attack
• Attacker goal
• Attacker skill level required
• Resources required
• Blocking solutions
• Context description

Web Services Security Standards

The Web services security standards discussed below start with ones closer to the communication layer of the Internet stack and then move up to the application layer:

‘Near the wire’ standards

These web services security standards include Secure Socket Layer (SSL) and Transport Layer Security (TLS), which provide a basic level of security at the communication level.

XML Encryption and XML Signature

These web services security standards specify how to represent encrypted and signed XML data.

WS-Security

This web services security standard specifies how to represent encrypted and signed parts of a single SOAP message.

WS-SecureConversation and WS-Reliability

The former web services security standard specifies how to represent information related to the exchange of multiple secured SOAP messages, while the latter is focused on message delivery guarantee.

Security Assertion Markup Language (SAML)

This is an XML-based open web services security standard for exchange of authentication and authorization data between domains.

WS-Policy

This web services security standard specifies how web services advertise their policies and how web service consumers specify their policy requirements using XML. The Policy Framework is supplemented by three other standards:

WS-PolicyAssertion: specifies the structure of a few generic policy assertions.

WS-Policy Attachment: defines how to associate a policy with a Web service, either by directly embedding it in the WSDL definition or by indirectly associating it through UDDI.

WS-Security Policy: specifies a set of standard security policy assertions corresponding to SOAP message protection requirements.

eXtensible Access Control Markup Language (XACML) and XACML Profile for Web services

These web services securitystandards provide a model and a language to express access control policies that can be applied to Web services as well as to other resources.

Extensible rights Markup Language (XrML)

This web services security standard addresses how to express and enforce access control and information dissemination policies.

XML Key Management Standard (XKMS) and WS-Trust

The former specifies standard services interfaces and protocols for the management of cryptographic keys. The latter specifies services interfaces and protocols for the management of so-called security tokens.