A Primer on XML Threats & Web Services Vulnerabilities

XML Threats & Web Services Vulnerabilities
Understanding Risk and Protection

Layer 7 Technologies
White Paper


Contents

Overview ........ 3
A Complete Framework ........ 3
    Prevention ........ 3
    Protection ........ 3
    Screening ........ 3
Message-Level Prevention, Protection, and Screening ........ 3
    Parameter Tampering ........ 4
    Recursive Payloads ........ 4
    Oversized Payloads ........ 4
    Coercive Parsing ........ 4
    Schema Poisoning ........ 4
    WSDL Scanning ........ 5
    Routing Detours ........ 5
    External Entity Attacks ........ 5
    SQL or XQuery Injection ........ 5
    Replay Attacks ........ 5
    XML Morphing ........ 6
Summary ........ 6
About Layer 7 Technologies ........ 7
Contact Layer 7 Technologies ........ 7
Legal Information ........ 7




Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.


Overview
XML-based Web services are becoming a more pervasive foundation technology for integrating applications and exchanging data in Service Oriented Architectures (SOAs). Like all new technologies, however, XML-based Web services also present new security challenges in the form of XML data structures, granular application calls, input data, or executable attachments, all of which can be maliciously constructed to damage or expose a receiving application. XML-based Web services compound the number of vulnerabilities by providing access to application APIs and target applications. The distributed, peer-to-peer nature of Web services also introduces bilateral threats and vulnerabilities that can be passed through multiple application hops.

This white paper reviews various XML- and Web services-specific threats that have been identified as potential exploits, examines how to address these threats, and discusses what a complete threat protection solution should provide.


A Complete Framework
A complete threat-protection framework needs to address three key functions: Prevention, Protection, and Screening.

Prevention
A protection framework must ensure the secure flow of messages by blocking potential message-level exploits like the insertion of attacks into the message stream. Message signing, sequence numbers, and the use of Public Key Infrastructure (PKI) between clients and services help ensure message integrity, and provide specific protection against man-in-the-middle and replay attacks.

Protection
Software or infrastructure must be able to protect not only itself, but also downstream systems, against attacks that are designed to render it inoperable. Well-known Web space attacks such as Denial of Service (DoS), payload poisoning, and external commands are a threat in XML and Web services deployments. A well-designed processing architecture combined with specific safeguards can help protect against operability attacks.

Screening
Message-level screening should encompass all traditional firewall functions, as well as permit the system administrator to allow or deny specific messages or actions. These functions include comprehensive schema validation, integrity enforcement, encryption/decryption, message content queries, identity verification, and other allow-or-deny criteria. The ability to delegate or offload specific payload processing to other best-in-class systems (such as a virus scan engine) allows security managers to tailor the scope of message screening as required.


Message-Level Prevention, Protection, and Screening
The first step in protecting critical Web services resources is to ensure that all incoming messages are screened for potential threats to the downstream service, or to the protection infrastructure itself. Some of these threats may be the result of poorly designed or poorly implemented client-side code, while others may be malicious. In either case, administrators need the flexibility to identify and react to non-conforming messages and operations, while allowing secure access by trusted parties. This requires dedicated, purpose-built technology designed to process XML and Web services protocols as thoroughly and efficiently as possible.

Layer 7’s SecureSpan™ XML Data Screen is the first Service Oriented Architecture/Web-Oriented Architecture (WOA) XML appliance specifically designed to cleanse XML data streams of threats, vulnerabilities and unauthorized content for all common XML message formats, including Plain Old XML (POX), Simple Object Access Protocol (SOAP), Representational State Transfer (REST) and Asynchronous JavaScript And XML (AJAX).





Acting as a content filter, the XML Data Screen can be configured to scan, expurgate or transform all malicious or malformed data, classified or unwanted “dirty” words, and AJAX-generated scripts. Policies can be defined to remove, block or transform illegal data or entire messages. Traffic to specific end-points can be restricted or throttled based on user-defined traffic limits, data formats or REST-based URLs. The following list reviews various XML and Web services threats, and discusses how the SecureSpan XML Data Screen addresses these threats on a message-by-message basis.

Parameter Tampering
Parameters are used to send client-specific information to a Web service so that a certain remote operation can be executed. Instructions on how to use parameters are described in a Web Services Description Language (WSDL) document. An attacker could potentially manipulate the parameter options to retrieve unauthorized information.

The SecureSpan XML Data Screen uses strict schema validation and XPath queries to verify parameter content and ensure that parameters are used for legitimate purposes only. Additionally, the SecureSpan Manager’s WSDL tool can expose only a specific subset of the WSDL code, further restricting potential exploits.
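The following is an added example, not code from Layer 7 or the SecureSpan product, of the parameter-verification idea described above: each exposed operation carries administrator-defined constraints (an XPath locating the parameter plus format and range rules), and a message is rejected if a parameter is missing, malformed, out of range, or simply not declared. The SOAP 1.1 envelope namespace is real; the `urn:example:bank` service, the `GetStatement` operation and both sample messages are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the constructed sample service.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "svc": "urn:example:bank",
}

# Administrator-defined rules (hypothetical): the XPath that locates each
# parameter and the checks its value must pass. Anything not listed here is
# an unexpected parameter and is reported as a violation.
PARAMETER_RULES = {
    "GetStatement": {
        "accountId": {"xpath": "soap:Body/svc:GetStatement/svc:accountId",
                      "pattern": re.compile(r"^[0-9]{8,12}$")},
        "months": {"xpath": "soap:Body/svc:GetStatement/svc:months",
                   "type": int, "min": 1, "max": 12},
    }
}


def validate_parameters(xml_text: str) -> list[str]:
    """Return the list of violations; an empty list means the message is acceptable."""
    violations = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    body = root.find("soap:Body", NS)
    if body is None or len(body) != 1:
        return ["Body must contain exactly one operation element"]
    operation = body[0]
    op_name = operation.tag.split("}")[-1]
    rules = PARAMETER_RULES.get(op_name)
    if rules is None:
        return [f"operation {op_name!r} is not exposed"]
    # Parameters the operation does not declare are rejected, not ignored.
    for child in operation:
        name = child.tag.split("}")[-1]
        if name not in rules:
            violations.append(f"unexpected parameter {name!r}")
    # Every declared parameter must be present exactly once and pass its checks.
    for name, rule in rules.items():
        nodes = root.findall(rule["xpath"], NS)
        if len(nodes) != 1:
            violations.append(f"parameter {name!r} must appear exactly once")
            continue
        value = (nodes[0].text or "").strip()
        if "pattern" in rule and not rule["pattern"].match(value):
            violations.append(f"parameter {name!r} has an invalid format")
        if rule.get("type") is int:
            try:
                number = int(value)
            except ValueError:
                violations.append(f"parameter {name!r} is not an integer")
                continue
            if not rule["min"] <= number <= rule["max"]:
                violations.append(f"parameter {name!r} out of range")
    return violations


# Constructed sample messages: one legitimate, one with tampered parameters.
GOOD_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:svc="urn:example:bank"><soap:Body><svc:GetStatement>
  <svc:accountId>123456789</svc:accountId><svc:months>3</svc:months>
  </svc:GetStatement></soap:Body></soap:Envelope>"""

TAMPERED_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:svc="urn:example:bank"><soap:Body><svc:GetStatement>
  <svc:accountId>ALL</svc:accountId><svc:months>9999</svc:months>
  <svc:includeOthers>true</svc:includeOthers>
  </svc:GetStatement></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(validate_parameters(GOOD_MESSAGE))      # []
    print(validate_parameters(TAMPERED_MESSAGE))  # three violations
```

The rules are an allowlist: a value is accepted only when it matches the declared format or range, and the Body may carry only the declared parameters. ElementTree's XPath subset is enough for locating parameters; a production screen would combine this with full schema validation so that structure and types are enforced before the value checks run.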

Recursive Payloads
XML can nest elements within a document to address complex relationships, such as a purchase order that includes shipping and billing addresses and quantities. Attackers can attempt to break an XML parser by creating a file with thousands of nested elements.

The SecureSpan XML Data Screen can apply both schema validation and nesting depth limits that will deny these types of attacks. If elements are unreasonably nested, the SecureSpan FastPath XML parser will stop parsing and reject the message when the predefined nesting threshold is crossed.

Oversized Payloads
Because XML is relatively verbose, documents can potentially become very large. While programmers can limit a document’s size, there are a number of reasons why a file may take up hundreds of megabytes or even gigabytes. Large file sizes, however, could also mean that an attacker is attempting to manipulate the parser to execute an XML Denial of Service (XDoS) attack.

The SecureSpan XML Data Screen’s policy-driven processing model ensures that all message parsing is executed by explicitly defined policy expectations rather than by the arbitrary content of message payloads. Therefore, an XDoS attack will not impact the SecureSpan parser itself. If downstream applications are particularly sensitive to message size, then size thresholds can also be enforced at the Data Screen.
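As an added illustration of the two preceding sections (recursive and oversized payloads), and not code from Layer 7 or the SecureSpan product, the screen below enforces a byte-size threshold before any parsing starts and a nesting-depth threshold while parsing, stopping at the first element that crosses the limit rather than building a tree for the whole document. The thresholds and the sample payloads are constructed; a real deployment sets the limits per service.

```python
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # constructed threshold for this example
MAX_DEPTH = 32          # element nesting allowed before the message is rejected


def screen_message(data: bytes, max_bytes: int = MAX_BYTES,
                   max_depth: int = MAX_DEPTH) -> tuple[bool, str]:
    """Return (accepted, reason).

    The size check runs before the parser sees a single byte. The depth check
    is incremental: iterparse delivers start/end events as it reads, so the
    function returns as soon as the nesting limit is crossed instead of
    parsing the remainder of the payload.
    """
    if len(data) > max_bytes:
        return False, f"payload of {len(data)} bytes exceeds limit of {max_bytes}"
    depth = 0
    try:
        for event, _element in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > max_depth:
                    return False, f"nesting depth exceeds limit of {max_depth}"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


def nested_document(depth: int) -> bytes:
    """Constructed payload: `depth` nested <a> elements around one text node."""
    return ("<a>" * depth + "x" + "</a>" * depth).encode()


if __name__ == "__main__":
    print(screen_message(nested_document(10)))                  # accepted
    print(screen_message(nested_document(1000)))                # depth limit
    print(screen_message(b"<a>" + b"x" * 70000 + b"</a>"))      # size limit
    print(screen_message(b"<a><b></a>"))                        # malformed
```

Because the depth counter works on streaming parser events, memory use is bounded by the chunk the parser reads rather than by the size of the payload, which is the property that matters against both attack types. Schema validation, which the paper pairs with these limits, would run afterwards on messages that pass the screen.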

Coercive Parsing
A coercive parsing attack attempts to exploit the “bolt-on” interfaces used to link legacy systems with XML components in an existing infrastructure. The attack tries to overwhelm a system’s processing capabilities or install malicious mobile code.

The SecureSpan XML Data Screen protects back-end systems and limits Web service access by enforcing strict policy compliance. Attackers without appropriate credentials will be denied access to the protected Web service. Schema validation and size restriction checks can also be used to ensure that messages comply with expected parameters and do not overwhelm any “bolt-on” components.

Schema Poisoning
XML schemas model an XML document’s grammar and template structure. Parsers use schemas to properly interpret Web service messages. Since schemas describe necessary processing instructions, they are vulnerable to tampering if not stored securely. An attacker may attempt to compromise the schema file itself and replace it with a similar but modified one at a different location.




The SecureSpan XML Data Screen does not load schemas from unauthorized locations. All schema locations are
configured by the SecureSpan Manager administrator independent of the sender. Administrators can also choose
to load the schema files once and persist the schemas locally in the XML Data Screen, blunting the impact of any
changes to the source file.
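The following added example (not Layer 7 or SecureSpan code) shows the two defences just described in a minimal form: schemas enter a catalogue only through an administrator call, each persisted copy is pinned to the SHA-256 recorded at registration, and the `xsi:schemaLocation` hint that a sender can put into a message is read for logging but never fetched. The `urn:example:orders` namespace, the schema text and the sample message are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"


class SchemaCatalogue:
    """Namespace -> locally persisted schema, pinned by digest.

    `store` stands in for the on-disk copies a gateway would keep; `pins` holds
    the digests the administrator recorded when each copy was registered.
    Nothing in a message can add to or change either mapping.
    """

    def __init__(self) -> None:
        self.store: dict[str, bytes] = {}
        self.pins: dict[str, str] = {}

    def register(self, namespace: str, schema_bytes: bytes) -> str:
        """Administrator action: persist the schema and record its digest."""
        digest = hashlib.sha256(schema_bytes).hexdigest()
        self.store[namespace] = schema_bytes
        self.pins[namespace] = digest
        return digest

    def verify(self, namespace: str) -> bool:
        """True only if the persisted copy still matches the pinned digest."""
        if namespace not in self.store or namespace not in self.pins:
            return False
        current = hashlib.sha256(self.store[namespace]).hexdigest()
        return hmac.compare_digest(current, self.pins[namespace])

    def resolve(self, namespace: str) -> bytes:
        if namespace not in self.pins:
            raise LookupError(f"no schema configured for namespace {namespace!r}")
        if not self.verify(namespace):
            raise RuntimeError(f"persisted schema for {namespace!r} no longer matches its pin")
        return self.store[namespace]


def schema_for_message(xml_text: str, catalogue: SchemaCatalogue):
    """Pick the schema by the message's root namespace, from the catalogue only.

    Returns (namespace, ignored_hint, schema_bytes). The schemaLocation hint is
    attacker-controllable, so it is returned for logging and never dereferenced.
    """
    root = ET.fromstring(xml_text)
    namespace = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    ignored_hint = root.get(f"{{{XSI}}}schemaLocation")
    return namespace, ignored_hint, catalogue.resolve(namespace)


# Constructed schema and message for the example.
ORDER_SCHEMA = b"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  targetNamespace="urn:example:orders" elementFormDefault="qualified">
  <xs:element name="Order"><xs:complexType><xs:sequence>
    <xs:element name="item" type="xs:positiveInteger" minOccurs="1" maxOccurs="10"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

ORDER_MESSAGE = """<Order xmlns="urn:example:orders"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:example:orders http://untrusted.example/orders.xsd">
  <item>1</item></Order>"""

if __name__ == "__main__":
    catalogue = SchemaCatalogue()
    catalogue.register("urn:example:orders", ORDER_SCHEMA)
    ns, hint, schema = schema_for_message(ORDER_MESSAGE, catalogue)
    print(ns, "| hint ignored:", hint, "| schema bytes:", len(schema))
```

The digest pin is what blunts a change to the source file: if the persisted copy is altered (by whatever route), `verify` fails and the message is not validated against the altered grammar. Refreshing a schema is an explicit `register` by the administrator, which re-pins it.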

WSDL Scanning
WSDL is a mechanism for Web services to dynamically describe the parameters used when connecting to
commands that accept input from external sources. WSDL files are often built automatically using tools designed
to expose and describe all information available in a command. An attacker might cycle through the various
command and string combinations to discover unintentionally related or unpublished application program
interfaces.

The SecureSpan XML Data Screen selectively proxies all internal WSDLs, shielding access to the original WSDLs on application servers. The Data Screen will deny direct access to all WSDLs even when an attacker guesses a related unpublished WSDL. The SecureSpan Manager’s WSDL tool can also expose only a specific subset of an exposed WSDL, further restricting potential exploits.
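To illustrate the "expose only a subset" idea, here is an added example (not Layer 7 or SecureSpan code) that takes a WSDL 1.1 document and publishes a filtered copy in which only allowlisted operations remain in every `portType` and `binding`, and message definitions referenced only by removed operations are dropped as well, so the proxied WSDL reveals nothing about the unpublished interface. The WSDL namespace is real; the `BankPort` service with its `GetBalance` and `AdminReset` operations is constructed.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
ET.register_namespace("wsdl", WSDL_NS)


def q(local: str) -> str:
    """Qualified tag name in the WSDL namespace."""
    return f"{{{WSDL_NS}}}{local}"


def expose_subset(wsdl_text: str, allowed_operations: set[str]) -> str:
    """Return a copy of the WSDL containing only the allowlisted operations."""
    root = ET.fromstring(wsdl_text)
    kept_messages: set[str] = set()
    # Collect containers first; removing children while walking root.iter()
    # would disturb the traversal.
    containers = [el for el in root.iter() if el.tag in (q("portType"), q("binding"))]
    for container in containers:
        for operation in list(container.findall(q("operation"))):
            if operation.get("name") not in allowed_operations:
                container.remove(operation)
                continue
            # Remember which <message> definitions the kept operations still use.
            for part in operation:
                ref = part.get("message")
                if ref:
                    kept_messages.add(ref.split(":")[-1])
    for message in list(root.findall(q("message"))):
        if message.get("name") not in kept_messages:
            root.remove(message)
    return ET.tostring(root, encoding="unicode")


def operation_names(wsdl_text: str) -> list[str]:
    root = ET.fromstring(wsdl_text)
    return sorted({op.get("name") for op in root.iter(q("operation"))})


def message_names(wsdl_text: str) -> list[str]:
    root = ET.fromstring(wsdl_text)
    return sorted(m.get("name") for m in root.findall(q("message")))


# Constructed internal WSDL: one published operation, one that must stay hidden.
INTERNAL_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:tns="urn:example:bank" targetNamespace="urn:example:bank">
  <message name="GetBalanceRequest"/><message name="GetBalanceResponse"/>
  <message name="AdminResetRequest"/><message name="AdminResetResponse"/>
  <portType name="BankPort">
    <operation name="GetBalance">
      <input message="tns:GetBalanceRequest"/><output message="tns:GetBalanceResponse"/>
    </operation>
    <operation name="AdminReset">
      <input message="tns:AdminResetRequest"/><output message="tns:AdminResetResponse"/>
    </operation>
  </portType>
  <binding name="BankBinding" type="tns:BankPort">
    <operation name="GetBalance"><input/><output/></operation>
    <operation name="AdminReset"><input/><output/></operation>
  </binding>
</definitions>"""

if __name__ == "__main__":
    published = expose_subset(INTERNAL_WSDL, {"GetBalance"})
    print(operation_names(published), message_names(published))
```

The filter is positive (an allowlist of operation names), so a newly generated operation on the back end stays hidden until an administrator adds it. Types in an embedded `<types>` section that are used only by hidden messages would be pruned the same way in a fuller implementation.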

Routing Detours
The Web Services routing specification helps direct XML traffic through an environment by allowing a way station in an XML path to assign routing instructions to a document. However, the way stations can be compromised, allowing attackers to insert bogus instructions to re-route a confidential file. The attackers can then strip out the malicious instructions before forwarding the document to its destination.

The SecureSpan XML Data Screen is typically deployed in front of any way stations and therefore protects against direct access. The enforcement of message-level security through XML signing and encryption ensures the integrity of routing-specific fields and the payload itself, identifying and preventing any tampering.
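The example below is added here and is not Layer 7 or SecureSpan code; it uses an HMAC as a stand-in for the XML Signature the paper refers to, so that the integrity-protection idea can run with the standard library. The sender computes a keyed digest over the canonical form of the WS-Addressing routing headers and the Body; the receiver recomputes it. A way station may add its own header without breaking the check, but any change to a routing field or the payload is detected. The SOAP and WS-Addressing namespaces are real; the key, the addresses and the envelope are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"


def protected_digest(envelope_xml: str, key: bytes) -> str:
    """HMAC-SHA256 over the canonicalised WS-Addressing headers and the Body.

    Canonicalisation (C14N) removes serialization differences so both ends
    digest the same bytes for the same logical content. Headers outside the
    addressing namespace are deliberately not covered.
    """
    root = ET.fromstring(envelope_xml)
    parts = []
    header = root.find(f"{{{SOAP}}}Header")
    if header is not None:
        for element in header:
            if element.tag.startswith(f"{{{WSA}}}"):
                parts.append(ET.canonicalize(ET.tostring(element, encoding="unicode")))
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("envelope has no Body")
    parts.append(ET.canonicalize(ET.tostring(body, encoding="unicode")))
    return hmac.new(key, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def verify_routing(envelope_xml: str, key: bytes, presented_digest: str) -> bool:
    """Receiver-side check; constant-time comparison of the two digests."""
    return hmac.compare_digest(protected_digest(envelope_xml, key), presented_digest)


# Constructed key and envelope for the example.
SHARED_KEY = b"constructed-example-key-not-for-production"

ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsa="http://www.w3.org/2005/08/addressing">'
    "<soap:Header><wsa:To>urn:example:payments</wsa:To>"
    "<wsa:MessageID>urn:uuid:constructed-0001</wsa:MessageID></soap:Header>"
    '<soap:Body><Transfer xmlns="urn:example:bank"><amount>100</amount></Transfer></soap:Body>'
    "</soap:Envelope>"
)

# A way station appends its own (unprotected) trace header: still valid.
ANNOTATED = ENVELOPE.replace(
    "<soap:Header>", '<soap:Header><Trace xmlns="urn:example:ops">hop-1</Trace>')

# A routing field has been rewritten to send the message elsewhere: detected.
DETOURED = ENVELOPE.replace("urn:example:payments", "urn:example:unapproved-relay")

if __name__ == "__main__":
    digest = protected_digest(ENVELOPE, SHARED_KEY)
    print(verify_routing(ENVELOPE, SHARED_KEY, digest))    # True
    print(verify_routing(ANNOTATED, SHARED_KEY, digest))   # True
    print(verify_routing(DETOURED, SHARED_KEY, digest))    # False
```

In a real deployment the digest travels in a signed security header and the signature references the protected elements by id, which is exactly what an XML Signature provides; the point carried over from this example is that the routing fields must be inside the signed scope, not only the Body.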

External Entity Attacks
XML can build documents dynamically by pointing to a Uniform Resource Identifier (URI) where the actual data exists. These external entities may not be trustworthy, as an attacker could replace the data being retrieved with malicious data.

By default, the SecureSpan XML Data Screen does not resolve external entities. The Data Screen can be configured through the XPath policy assertion to block all messages containing references to external entities.
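An added example of the two layers described above (not Layer 7 or SecureSpan code): a pre-parse screen that rejects any message declaring a DTD or entity, since that is where URI-backed entities are defined, and a parser configured so that even if a declaration gets through, no external entity is ever fetched. It uses Python's expat binding, whose `ExternalEntityRefHandler` aborts the parse when it returns false. The sample documents are constructed.

```python
import re
from xml.parsers import expat

# A DOCTYPE or ENTITY declaration is the only place an external entity can be
# defined, so its presence is reason enough to reject a service message.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def screen_for_dtd(data: bytes) -> tuple[bool, str]:
    """Layer 1: reject before parsing if the message declares a DTD or entity."""
    if DTD_MARKERS.search(data):
        return False, "message declares a DTD or entity; rejected before parsing"
    return True, "ok"


def parse_without_external_entities(data: bytes) -> bool:
    """Layer 2: parse, but refuse to resolve any external entity reference.

    Returns True if the document parsed without needing an external entity,
    False if it was malformed or tried to pull in external content.
    """
    parser = expat.ParserCreate()

    def refuse_external(context, base, system_id, public_id):
        # Returning False makes expat stop with an error instead of fetching
        # system_id; nothing is logged here, but a gateway would record it.
        return False

    parser.ExternalEntityRefHandler = refuse_external
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        return False
    return True


# Constructed samples.
PLAIN = b"<Order><item>1</item></Order>"
DOCTYPE_ONLY = b"<!DOCTYPE Order><Order><item>1</item></Order>"
EXTERNAL_REF = (b'<!DOCTYPE Order [<!ENTITY ext SYSTEM "http://untrusted.example/data.xml">]>'
                b"<Order><item>&ext;</item></Order>")

if __name__ == "__main__":
    for sample in (PLAIN, DOCTYPE_ONLY, EXTERNAL_REF):
        print(screen_for_dtd(sample), parse_without_external_entities(sample))
```

The byte-level screen must run on the message after transport decoding and transcoding to the parser's encoding, otherwise a UTF-16 body would slip past the regular expression; that is why the parser-level refusal is kept as the second layer rather than relying on the screen alone.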

SQL or XQuery Injection
SQL or XQuery injection embeds additional commands in an input field; by executing multiple commands from one input, an attacker could gain access to native stored procedures or un-validated commands.

The SecureSpan XML Data Screen’s schema validation process verifies that the basic structure of the message
Built-in filters for vendor-specific SQL attacks can be applied to all messages, and an XPath scan can also be used to detect and reject specific commands (such as SQL Selects) on a service-by-service basis.
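The added example below (not Layer 7 or SecureSpan code) shows the XPath-scan idea beside the application-side control it complements: a screen that flags SQL syntax in named message fields, a query built by string concatenation that demonstrates why a crafted field value is dangerous, and the parameterised query that makes the same value harmless. The table, the rows and the messages are constructed; SQLite's in-memory database stands in for the back end.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Syntax the screen treats as SQL inside a data field: command keywords,
# statement separators, comment markers and string delimiters.
SQL_SYNTAX_RE = re.compile(
    r"\b(select|union|insert|update|delete|drop|exec)\b|--|;|'", re.IGNORECASE)


def scan_fields(xml_text: str, field_xpaths: list[str]) -> list[str]:
    """Return the XPaths of fields that contain SQL syntax (empty list = clean)."""
    root = ET.fromstring(xml_text)
    flagged = []
    for xpath in field_xpaths:
        for node in root.findall(xpath):
            if SQL_SYNTAX_RE.search(node.text or ""):
                flagged.append(xpath)
                break
    return flagged


def build_demo_db() -> sqlite3.Connection:
    """Constructed customer table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("c1", "Alice"), ("c2", "Bob")])
    return conn


def lookup_customer_unsafe(conn: sqlite3.Connection, customer_id: str) -> list:
    """The pattern to avoid: the field value is spliced into the SQL text,
    so any quote or keyword in it becomes part of the statement."""
    return conn.execute(
        f"SELECT name FROM customers WHERE id = '{customer_id}'").fetchall()


def lookup_customer(conn: sqlite3.Connection, customer_id: str) -> list:
    """Hardened form: the value is bound as a parameter and can only ever be
    compared as data, never interpreted as SQL."""
    return conn.execute(
        "SELECT name FROM customers WHERE id = ?", (customer_id,)).fetchall()


# Constructed messages: a legitimate lookup and one carrying SQL syntax.
CLEAN_MESSAGE = "<LookupCustomer><customerId>c1</customerId></LookupCustomer>"
INJECTED_MESSAGE = ("<LookupCustomer><customerId>c1' OR '1'='1</customerId>"
                    "</LookupCustomer>")

if __name__ == "__main__":
    conn = build_demo_db()
    print(scan_fields(INJECTED_MESSAGE, [".//customerId"]))   # ['.//customerId']
    value = ET.fromstring(INJECTED_MESSAGE).find(".//customerId").text
    print(lookup_customer_unsafe(conn, value))   # every row: the value changed the query
    print(lookup_customer(conn, value))          # []: the value is just a non-matching id
```

The scan is a screen, not a guarantee: a pattern list will flag legitimate values such as names with apostrophes and will miss syntax it does not list, so it belongs in front of services whose queries are parameterised, not instead of that. The same division applies to XQuery, where the field value must be passed as an external variable rather than pasted into the expression.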

Replay Attacks
In a replay attack, attackers intercept and re-issue messages that have already been validated and processed in an attempt to force the operation to be performed multiple times. This can result in data inconsistency (such as when money is transferred or deposited many times), or even reduced availability of the Web service with rapid replays.

The SecureSpan XML Data Screen creates and caches a unique identifier for each message. Every time a message is processed, it is checked against the cache to ensure it is not a replay of a former message. In a cluster, each node checks the central cache, ensuring messages cannot simply be routed around the caching node. The cache can be set by the administrator to expire after an acceptable time delay.
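An added example of the cache just described, not Layer 7 or SecureSpan code: a replay cache that records each message identifier for an administrator-set time window and rejects a second occurrence inside that window. The identifier is taken from the WS-Addressing `MessageID` header when present and otherwise derived from a digest of the message bytes. The clock is injectable so the expiry behaviour can be exercised without waiting; the dictionary stands in for the shared store that every cluster node would consult. The WS-Addressing namespace is real; the sample message is constructed.

```python
import hashlib
import time
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"


class ReplayCache:
    """Remembers message identifiers for `ttl` seconds.

    In a cluster this state would live in one central store shared by all
    nodes; a process-local dict is used here so the example runs stand-alone.
    """

    def __init__(self, ttl: float, clock=time.monotonic) -> None:
        self.ttl = ttl
        self.clock = clock
        self._seen: dict[str, float] = {}

    def _expire(self, now: float) -> None:
        # Drop identifiers older than the window so the cache stays bounded.
        for message_id, first_seen in list(self._seen.items()):
            if now - first_seen > self.ttl:
                del self._seen[message_id]

    def check_and_record(self, message_id: str) -> bool:
        """True if the identifier is new (and is now recorded), False on replay."""
        now = self.clock()
        self._expire(now)
        if message_id in self._seen:
            return False
        self._seen[message_id] = now
        return True


def message_identifier(xml_text: str) -> str:
    """Prefer the sender's wsa:MessageID; fall back to a digest of the bytes."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{WSA}}}MessageID")
    if node is not None and (node.text or "").strip():
        return node.text.strip()
    return "sha256:" + hashlib.sha256(xml_text.encode()).hexdigest()


# Constructed sample message.
TRANSFER = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsa="http://www.w3.org/2005/08/addressing">'
    "<soap:Header><wsa:MessageID>urn:uuid:constructed-0001</wsa:MessageID></soap:Header>"
    '<soap:Body><Transfer xmlns="urn:example:bank"><amount>100</amount></Transfer></soap:Body>'
    "</soap:Envelope>"
)

if __name__ == "__main__":
    cache = ReplayCache(ttl=300)
    message_id = message_identifier(TRANSFER)
    print(cache.check_and_record(message_id))   # True: first sighting
    print(cache.check_and_record(message_id))   # False: replay within the window
```

A sender-supplied `MessageID` only counts as an identifier when it is covered by the message signature (the Prevention section above pairs replay protection with signing); otherwise the digest fallback, or a signed timestamp plus nonce, is what ties the identifier to the message content.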

XML Morphing
XML can be legitimately transformed for any number of reasons, but malicious morphing can transform an XML document and its contents into something completely different than its source intended. This can be exploited by an attacker to cause unexpected or inappropriate behavior of previously legitimate messages.

The SecureSpan XML Data Screen does not apply embedded transformations from external entities without administrator permission. Schema validation can also be used to ensure the rejection of any message whose format does not match expectations.


Summary
In many ways, XML- and Web services-specific threats are no different from existing forms of threats and attacks. The unique challenge is ensuring that an XML protection strategy is in place before Web services become widely deployed.

The SecureSpan XML Data Screen processing model is designed to screen out XML threats in real-time before they consume valuable internal resources, helping to reduce the impact of many attacks and ensure a high-availability Web services deployment.

While intelligent application design and basic network security measures are still very important, the SecureSpan XML Data Screen is a highly effective solution for protecting XML- and Web services-based applications.






About Layer 7 Technologies
With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada; Layer 7 Technologies helps enterprises accomplish secure and cost-effective business integration using XML and Web services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and governance across a Web services integration without expensive and inflexible programming. With the SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the ability to future-proof their Web services investments. Contact Layer 7 Technologies or visit www.layer7tech.com for more information.


Contact Layer 7 Technologies
Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
604-681-9377
1-800-681-9377 (toll free)

Fax:
604-681-9387

Address:
US Office
1200 G Street, NW, Suite 800
Washington, DC 20005

Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada


Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.



