Skip to main content

Securing Web Services

Using web services gives you flexibility of using interoperability between different applications no matter which language they are developed into or what platforms they use. That's why today more and more applications are based on web services.If you are developing a travel portal which helps users plan their trip, your portal should have an enquiry facility so that users can search for accommodation in different hotels,airlines,trains of their choice on a given date and finally plans for the trip.Now with traditional web application you can provide link to each and every hotels,airlines vendors and railways booking system.Which is a cumbersome process and sometimes interoperability is an issue. Again from business point of view you are not benefited because customer will be directed to the respective vendor's portal to do the transaction.Here web services come into rescue. With development of Web2.0, web applications have become more powerful and web services is one of them.You can develop your travel portal in any way you want and use the web services developed by different vendor's to use their functionality from your travel portal only without redirecting customers to their websites. The customer will do transaction on your website and you pay for using the web services to respective vendors.The most important feature is centralization. The customer will not have to roam to every website for every specific enquiry like for hotel booking he need not go to particular hotel website or particular airline website; he simply do all the bookings using your portal just using particular web services of vendor.
Web services also suffers from the same problems as traditional enterprise web applications face. Authentication, Authorization, Confidentiality ,Integrity are few of the them.Assume there are different web services deployed on your local ESB which orchestrate between all the web services. Any body can connect to your ESB and use the web services. There's no restriction in the place.Following figure displays non secured web services.

To avoid the this situation you want that only specific clients can use your web services not every body. And also you want that all the communications between different web services must be encrypted with the keys of respective client,providing confidentiality and integrity.

Implementing Authentication, Authorization and Identity:
Every client request message header contains the following attributes:AuthType and AuthKey --which are not used in normal client request—are used here for creating authentication and authorization.

Create a WSDL which uses those above attributes to provide authentication.
In the WSDL file there are two attributes:
When a client request doesn’t have X509 certificate, the “NoX509CertificateFault” is returned by the service.When a client request presents any X509 certificate, which doesn’t match one already issued, then “InvalidX509CertifiacteFault” is returned by the service.
Create a corresponding web service to the WSDL document.

Implementing Confidentiality and Integrity:
Next step is to encrypt and sign the communication between different services inside the normal business process on ESB to meet Confidentiality and Integrity conditions.We need to endorse each and every web services which are participating in business flow to use the X509 certificate for encryption and signing.
A dialog box opens containing ‘Quality Of Service’ for the corresponding web service. Check ‘Secure Service’ check box. Select ‘Endorsing certificates’ from the list ‘Security Mechanism’. Check ‘Use Development Defaults’.In the ‘Input Message’, select ‘X509’ from the list of ‘Authentication Token’.Check the ‘Signed’ and ‘Endorsing’ options below.

In the same dialog box click on ‘Keystore’ button and provide path for the stored keys on the server to be used. Use the same process for ‘Truststore’ .

The above process just provides an outlook to how to secure web services. It involves more minor steps. That should also be followed.


Popular posts from this blog

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated.
Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string.
This can be used for the bypass. It works for many servers, specially php servers. Th…

SQL Injection in search field

Earlier I had written about performing SQL injection in search field and how to do a DoS attack and privilege escalation using 'Like' operators. Now another SQLi exploitation I came across recently. That too in the search field. This becomes important as lots of people don't pay much attention on the search forms/ fields in the application. My aim is to show that a search form can also be exploited with SQL Injection. The following queries are based on a real world exploitation. The steps and data are for just illustration purpose only. Suppose, the search form provides the details of users who have accessed the application some time and their login time details etc, we just need to provide their name in the search box provided. All the data were being going as Post request. So, to just fingerprint the database, I provide, 'nil'+'esh' in the search field and it successfully gives me the results. That means the database behind the application is concatenat…

Insecure protocols

Some basic insecure protocols and risk associated with them: