Securing Web Services

Using web services gives you flexibility of using interoperability between different applications no matter which language they are developed into or what platforms they use. That's why today more and more applications are based on web services.If you are developing a travel portal which helps users plan their trip, your portal should have an enquiry facility so that users can search for accommodation in different hotels,airlines,trains of their choice on a given date and finally plans for the trip.Now with traditional web application you can provide link to each and every hotels,airlines vendors and railways booking system.Which is a cumbersome process and sometimes interoperability is an issue. Again from business point of view you are not benefited because customer will be directed to the respective vendor's portal to do the transaction.Here web services come into rescue. With development of Web2.0, web applications have become more powerful and web services is one of them.You can develop your travel portal in any way you want and use the web services developed by different vendor's to use their functionality from your travel portal only without redirecting customers to their websites. The customer will do transaction on your website and you pay for using the web services to respective vendors.The most important feature is centralization. The customer will not have to roam to every website for every specific enquiry like for hotel booking he need not go to particular hotel website or particular airline website; he simply do all the bookings using your portal just using particular web services of vendor.
Web services also suffers from the same problems as traditional enterprise web applications face. Authentication, Authorization, Confidentiality ,Integrity are few of the them.Assume there are different web services deployed on your local ESB which orchestrate between all the web services. Any body can connect to your ESB and use the web services. There's no restriction in the place.Following figure displays non secured web services.

To avoid the this situation you want that only specific clients can use your web services not every body. And also you want that all the communications between different web services must be encrypted with the keys of respective client,providing confidentiality and integrity.

Implementing Authentication, Authorization and Identity:
Every client request message header contains the following attributes:AuthType and AuthKey --which are not used in normal client request—are used here for creating authentication and authorization.

Create a WSDL which uses those above attributes to provide authentication.

In the WSDL file there are two attributes:
When a client request doesn’t have X509 certificate, the “NoX509CertificateFault” is returned by the service.When a client request presents any X509 certificate, which doesn’t match one already issued, then “InvalidX509CertifiacteFault” is returned by the service.
Create a corresponding web service to the WSDL document.

Implementing Confidentiality and Integrity:
Next step is to encrypt and sign the communication between different services inside the normal business process on ESB to meet Confidentiality and Integrity conditions.We need to endorse each and every web services which are participating in business flow to use the X509 certificate for encryption and signing.
A dialog box opens containing ‘Quality Of Service’ for the corresponding web service. Check ‘Secure Service’ check box. Select ‘Endorsing certificates’ from the list ‘Security Mechanism’. Check ‘Use Development Defaults’.In the ‘Input Message’, select ‘X509’ from the list of ‘Authentication Token’.Check the ‘Signed’ and ‘Endorsing’ options below.

In the same dialog box click on ‘Keystore’ button and provide path for the stored keys on the server to be used. Use the same process for ‘Truststore’ .

The above process just provides an outlook to how to secure web services. It involves more minor steps. That should also be followed.

Gmail provides Hijack detection tool

It's not 'Eureka'! I admit...

I know this is not any extraordinary feature and somebody might be familiar with it. But this post is for unfamiliar ones and I was amongst them until I searched this feature.

I don't say this one is going to provide full proof security, but yes, to some extent you can make yourself sure that your account is not opened at any other machine except you, what activities have been performed and at what time, form which IP etc--every bit of information can make yourself more confident.

The feature can be found below the user interaction area.

Format the drive of SQL Server ;)

I came across an interesting security issue . Not any thing special regarding the security issue but the way it was exploited was interesting. You can even fromat the hard disk of the server.
The steps were specific to that example and may not be the same in all instances. One will have to fuzz for every such attack.Steps in that example were:
1. Goto Forgot Password Feature.
2. Find a valid user id and enter a userid. A bit of guessing will work here.
3. The next screen should ask you for hint question to answer.
4. Enter SQL query to either get the password retrieved in this feature or enter incorrect SQL string to grab the server details.
5. In case the account used by application to connect to SQL server is admin account like 'sa', then MS SQL server has a feature to run kernel level commands via Extended Stored Proc.
6. Formulate a SQL query to run an extended stored procedure to run the command to format drive of SQL server.