XML 2007: Web service vulnerabilities

As I mentioned in an earlier posting, for the XML 2007 conference this year (Boston, 3–5 December) the number of submissions on WS-* topics was way down, while topics like REST, microformats, and mashups are starting to sneak their way from the web into the enterprise world. However, the WS-* submissions we did get were very good, and one that especially grabbed our attention was Mark O’Neill’s Case Notes from a Vulnerability Assessment of a Bank’s Web Services.

Cracking the bank with a white hat

Mark had the enviable opportunity to be part of a team of white-hat crackers, trying to break the security of web services at an unnamed bank — fortunately, he’s been allowed to share his findings with us. After listing vulnerabilities ranging from data smuggling in CDATA sections to SQL injection, he mentions that “the bank’s attempt to apply preventative security measures, such as SSL and XML Schema validation, actually proved to provide a false sense of security, and in fact introduced a number of security vulnerabilities of their own.”

This means you too, REST!

And lest the Restafarians get too smug, he found lots of vulnerabilities in REST as well as WS-*. Beyond Mark’s talk, it’s also worth noting that apps using OpenSocial, which is REST-based, have already been cracked twice, so no one in charge of protecting a net-based API (REST or WS-*) should breathe too easy.

See you in Boston.
