Skip to main content

Securing Web Services

Using web services gives you flexibility of using interoperability between different applications no matter which language they are developed into or what platforms they use. That's why today more and more applications are based on web services.If you are developing a travel portal which helps users plan their trip, your portal should have an enquiry facility so that users can search for accommodation in different hotels,airlines,trains of their choice on a given date and finally plans for the trip.Now with traditional web application you can provide link to each and every hotels,airlines vendors and railways booking system.Which is a cumbersome process and sometimes interoperability is an issue. Again from business point of view you are not benefited because customer will be directed to the respective vendor's portal to do the transaction.Here web services come into rescue. With development of Web2.0, web applications have become more powerful and web services is one of them.You can develop your travel portal in any way you want and use the web services developed by different vendor's to use their functionality from your travel portal only without redirecting customers to their websites. The customer will do transaction on your website and you pay for using the web services to respective vendors.The most important feature is centralization. The customer will not have to roam to every website for every specific enquiry like for hotel booking he need not go to particular hotel website or particular airline website; he simply do all the bookings using your portal just using particular web services of vendor.
Web services also suffers from the same problems as traditional enterprise web applications face. Authentication, Authorization, Confidentiality ,Integrity are few of the them.Assume there are different web services deployed on your local ESB which orchestrate between all the web services. Any body can connect to your ESB and use the web services. There's no restriction in the place.Following figure displays non secured web services.


To avoid the this situation you want that only specific clients can use your web services not every body. And also you want that all the communications between different web services must be encrypted with the keys of respective client,providing confidentiality and integrity.


Implementing Authentication, Authorization and Identity:
Every client request message header contains the following attributes:AuthType and AuthKey --which are not used in normal client request—are used here for creating authentication and authorization.


Create a WSDL which uses those above attributes to provide authentication.
In the WSDL file there are two attributes:
When a client request doesn’t have X509 certificate, the “NoX509CertificateFault” is returned by the service.When a client request presents any X509 certificate, which doesn’t match one already issued, then “InvalidX509CertifiacteFault” is returned by the service.
Create a corresponding web service to the WSDL document.

Implementing Confidentiality and Integrity:
Next step is to encrypt and sign the communication between different services inside the normal business process on ESB to meet Confidentiality and Integrity conditions.We need to endorse each and every web services which are participating in business flow to use the X509 certificate for encryption and signing.
A dialog box opens containing ‘Quality Of Service’ for the corresponding web service. Check ‘Secure Service’ check box. Select ‘Endorsing certificates’ from the list ‘Security Mechanism’. Check ‘Use Development Defaults’.In the ‘Input Message’, select ‘X509’ from the list of ‘Authentication Token’.Check the ‘Signed’ and ‘Endorsing’ options below.

In the same dialog box click on ‘Keystore’ button and provide path for the stored keys on the server to be used. Use the same process for ‘Truststore’ .


The above process just provides an outlook to how to secure web services. It involves more minor steps. That should also be followed.

Comments

Popular posts from this blog

Ardilla- New tool for finding SQL Injection and XSS

Three Researchers -- MIT's Adam Kiezun , Stanford's Philip Guo , and Syracuse University's Karthick Jayaraman -- has developed a new tool ' Ardilla ' that automatically finds and exploits SQL injection and cross-site scripting vulnerabilities in Web applications. It creates inputs that pinpoint bugs in Web applications and then generates SQL injection and XSS attacks. But for now Ardilla is for PHP -based Web app only. The researchers say Ardilla found 68 never-before found vulnerabilities in five different PHP applications using the tool -- 23 SQL injection and 45 XSS flaws. More information is awaited. For their attack generation techniques refer to their document at: http://www.cs.washington.edu/homes/mernst/pubs/create-attacks-tr054.pdf

Combining power of Fiddler with Burp

Both are pretty powerful tools when it comes to intercept and modify http communications. But at some point of time, they become even more powerful combo if tied with each other. They complement each other. In a recent pentest I came across a similar situation where in Burp was not able to intercept a specific kind of traffic and Fiddler came to rescue. The application was designed to upload video. The initial communication was straight forward, I mean logging into application, filling up the video details etc. And all these were easily captured by Burp except the point where you hit the Upload Video and it connects to a different server and surprisingly it was not captured by Burp, not sure why, even after repeated attempts. So, I fired Fiddler to see if the it sees this request. But it's a;ways to play with requests using Burp due to it's various functionalities like, Intruder, Repeaters etc. But it was necessary to capture this request in Burp. So the below steps can be

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated. Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string. This can be used for the bypass. It works for many servers, specially php servers. T