Web Services Security

Nathan Sportsman
Founder and Chief Executive Officer

Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Agenda
  Web Service Introduction
  Web Service Vulnerabilities
  Web Service Countermeasures
Introduction
How Did We Get Here?

  [Figure: three generations of the web. 1st Generation: Static HTML (HTML exchanged between browser and server). 2nd Generation: Web Applications (HTML). 3rd Generation: Web Services (SOAP / XML exchanged between systems).]
Web Services Are
  “…a software system designed to support interoperable machine-to-machine interaction over a network.” (W3C)

  Capable of connecting to external computing resources
      – Supply chain infrastructure
      – Outsourced computing infrastructure
Web Services Primer
  Built on existing and emerging standards
      – HTTP, XML, SOAP, UDDI, WSDL, WS-*…

  Capabilities
      – Loosely coupled
      – Language neutral
      – Platform and transport independent
      – Interoperability

  [Figure: Service Broker (UDDI registry) linked by WSDL to both the Client and the Service Provider; Client and Service Provider exchange SOAP messages.]
Web Service Interoperability Example

  [Figure: three systems linked pairwise by web services: an embedded device (C++ on Linux/ARM), a financial transaction gateway (C on AIX/PowerPC), and billing services (Java on NT/X86).]
Web Service Vulnerabilities
Attack Taxonomies
  Spoofing
  Tampering
  Repudiation
  Information Disclosure
  Denial of Service
  Escalation of Privileges
Web Services Vulnerabilities
  Existing and emerging vulnerabilities apply
      – Brute Force
      – Information Disclosure
      – SQL Injection
      – LDAP Injection
      – Session Hijacking
      – Denial of Service (DoS)
      – Buffer Overflows
      – Cross Site Scripting
      – XML Injection
      – XPATH Injection
      – WSDL Manipulation
      – DoS (intensive XML load)
      – …
SQL Injection
  Possible when user input provided through a web service is used in queries to the backend database

      <?xml version="1.0" encoding="utf-8" standalone="no" ?>
      <SOAP-ENV:Envelope
        xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
        xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Body>
          <SOAPSDK4:MethodName xmlns:SOAPSDK4="http://urltoapp/…">
            <SOAPSDK4:username>administrator</SOAPSDK4:username>
            <SOAPSDK4:password>' OR '1'='1</SOAPSDK4:password>
          </SOAPSDK4:MethodName>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
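As an added example (not from the original deck), the request above handled two ways: a handler that splices the SOAP parameters into the SQL text, and one that binds them as parameters. The `Login` method name, the `http://urltoapp/` namespace and the in-memory sqlite table are constructed stand-ins.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "http://urltoapp/"  # constructed stand-in for the slide's "urltoapp/..." namespace

# Constructed request: the slide's envelope, with the method named Login and the
# password parameter carrying the ' OR '1'='1 payload.
LOGIN_REQUEST = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}">
  <SOAP-ENV:Body>
    <app:Login xmlns:app="{APP_NS}">
      <app:username>administrator</app:username>
      <app:password>' OR '1'='1</app:password>
    </app:Login>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def parse_login(envelope):
    """Extract (username, password) from the SOAP body, namespace-aware."""
    root = ET.fromstring(envelope)
    method = root.find(f"{{{SOAP_NS}}}Body/{{{APP_NS}}}Login")
    username = method.findtext(f"{{{APP_NS}}}username", default="")
    password = method.findtext(f"{{{APP_NS}}}password", default="")
    return username, password


def make_db():
    """In-memory users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 'S3cret!')")
    return conn


def login_vulnerable(conn, username, password):
    # The parameter values become part of the SQL text: the quote in the
    # password closes the string literal and the OR clause joins the query.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Bound parameters travel separately from the query text, so the payload
    # is compared as an ordinary string against the stored password and fails.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    creds = parse_login(LOGIN_REQUEST)
    print("concatenated SQL accepts the payload:", login_vulnerable(db, *creds))
    print("parameterized SQL accepts the payload:", login_parameterized(db, *creds))
```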
Buffer Overflow
  Buffer Overflows
      – Not as prevalent, except on older legacy systems and embedded devices written in unmanaged code
      – Large string parameters extending beyond allocated memory
      – No bounds checking

      <SOAP-ENV:Envelope>
        <SOAP-ENV:Body>
          <parameter1>
            lkasdllkdlfa;jkia;refjeoinveroinanlekrngaerinrlgerinreglnag
            linealinrglanirnaocnilrncoraeincelrgfnerginegnoeingerongoer
            ingeg…
          </parameter1>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
XML Injection
  External input is not validated and is passed into an XML stream parsed by second-tier software

  Alters the XML structure by injecting malicious data

  John Smith escalates privileges by changing his User ID from 100 to 0 (the injected markup is supplied in the username field)

      <MyRec>
          <UserId>100</UserId>
          <Username>jsmith</Username><UserId>0</UserId><Username>jsmith</Username>
      </MyRec>
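An added example (not from the original deck) that builds the record above three ways: by string concatenation, with output escaping for the XML tier, and with the default-deny allow-list the Data Validation slide recommends plus a real XML builder. The allow-list pattern, the function names and the "last UserId element wins" consumer are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed input: the value John Smith submits in the username field. It
# closes the Username element and adds a second UserId element, as on the slide.
INJECTED_USERNAME = "jsmith</Username><UserId>0</UserId><Username>jsmith"

# Assumed allow-list policy: a lowercase letter followed by 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def build_record_vulnerable(user_id, username):
    # String concatenation: client input lands in the XML stream as markup.
    return f"<MyRec><UserId>{user_id}</UserId><Username>{username}</Username></MyRec>"


def build_record_escaped(user_id, username):
    # Output sanitisation for the XML tier: < > & become entity references,
    # so the payload is character data rather than new elements.
    return (f"<MyRec><UserId>{user_id}</UserId>"
            f"<Username>{escape(username)}</Username></MyRec>")


def build_record_validated(user_id, username):
    # Default deny on input plus a real XML builder on output: anything outside
    # the allow-list is rejected, and ElementTree escapes text when serialising.
    if not USERNAME_RE.match(username):
        raise ValueError("username rejected by allow-list")
    rec = ET.Element("MyRec")
    ET.SubElement(rec, "UserId").text = str(user_id)
    ET.SubElement(rec, "Username").text = username
    return ET.tostring(rec, encoding="unicode")


def effective_user_id(record_xml):
    """The ID a second-tier consumer acts on, assuming it reads the last UserId
    element when the record contains more than one (constructed assumption)."""
    root = ET.fromstring(record_xml)
    return int(root.findall("UserId")[-1].text)


def record_username(record_xml):
    """The Username text as the consumer sees it after XML unescaping."""
    return ET.fromstring(record_xml).findtext("Username")
```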
XPATH Injection
  Similar to a SQL injection attack

  Information is stored in and retrieved from an XML document instead of a relational database

      //users/user[LoginID/text()='' or 1=1 and password/text()='' or 1=1]
Denial of Service
  XML parsing can be expensive
      • Extremely large / complex XML documents
      • Deeply nested tags
      • These can create extremely large memory footprints or utilize many CPU cycles

      …
      <SOAP-ENV:Body>
        <BuildNestedXMLResponse xmlns="http://someap">
          <BuildNestedXMLResult>
            <XML1>
              <XML2>
                <XML3>
                  <XML4/>
                </XML3>
              </XML2>
            </XML1>
          </BuildNestedXMLResult>
        </BuildNestedXMLResponse>
      </SOAP-ENV:Body>
      …
Web Services Countermeasures
Defense Taxonomies
  Configuration Management
  Authentication
  Authorization
  User & Session Management
  Data Validation
  Error & Exception Handling
  Logging & Auditing
  Data Protection (Storage & Transit)
Configuration Management
  Internet-facing WSDLs can be found with Google hacking (filetype:wsdl inurl:wsdl)

  Review WSDLs for dangerous or antiquated functions

  Ensure hidden, debugging, or any non-production functions are removed before deployment

  Make sure they are not recreated automatically
Authentication & Authorization
  Can be accomplished in various ways with various protocols

  Username/password, certificates, etc.

  Educate yourself on the characteristics of the available protocols before deciding
Session Management
  Use proven methods to generate session IDs

  Do not reinvent the wheel and attempt to create your own

  Utilize transport encryption to prevent eavesdropping / modification of session data

  Use transport and element encryption to prevent replay / injection attacks
Data Validation
  Validate and sanitize all input from external sources

  Sanitize all output of potentially malicious characters with respect to the next tier (i.e. database, XML stream, LDAP directory, etc.)

  If possible, consider a default deny policy with a white list of allowed input
Logging & Auditing
  Consider using an existing logging framework

  Centralize the location of log files

  Ensure logs provide enough information for non-repudiation of actions

  Do not log passwords, credit card numbers or other sensitive information
Error & Exception Handling
  Test for DoS conditions in QA/QC procedures

  Define and enforce data file types and sizes

  Check document complexity before handing to the parser
      – XML “Firewall”, etc.

  Use strict XML schema verification

  Create custom error messages with minimal information to be returned by web services
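A pre-parser gate of the kind the Denial of Service slide and the "check document complexity before handing to the parser" bullet above call for, as an added example that is not from the deck. The byte, depth and element limits, the `nested_response` sample (patterned on the slide's BuildNestedXMLResponse, with a constructed `http://someapp/` namespace) and the function names are all assumptions.

```python
import io
import xml.etree.ElementTree as ET

# Constructed limits: tune to the largest legitimate request the service handles.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class ComplexityError(ValueError):
    """Raised when a document exceeds a size, depth or element-count limit."""


def check_xml_complexity(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                         max_elements=MAX_ELEMENTS):
    """Stream through `data` (bytes) and stop at the first exceeded limit.

    Returns {"depth": ..., "elements": ...} when the document is within limits.
    The byte check runs before any parsing; depth and element counts come from
    start/end events, so the check never needs the whole tree in memory.
    """
    if len(data) > max_bytes:
        raise ComplexityError(f"document is {len(data)} bytes, limit is {max_bytes}")
    depth = max_depth_seen = elements = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            max_depth_seen = max(max_depth_seen, depth)
            if depth > max_depth:
                raise ComplexityError(f"nesting depth exceeds {max_depth}")
            if elements > max_elements:
                raise ComplexityError(f"element count exceeds {max_elements}")
        else:
            depth -= 1
            elem.clear()  # release finished subtrees so the check stays cheap
    return {"depth": max_depth_seen, "elements": elements}


def nested_response(levels):
    """Constructed sample: the slide's BuildNestedXMLResponse with `levels`
    nested XML1..XMLn elements inside BuildNestedXMLResult."""
    opening = "".join(f"<XML{i}>" for i in range(1, levels + 1))
    closing = "".join(f"</XML{i}>" for i in range(levels, 0, -1))
    doc = (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
           '<BuildNestedXMLResponse xmlns="http://someapp/">'
           f"<BuildNestedXMLResult>{opening}{closing}</BuildNestedXMLResult>"
           "</BuildNestedXMLResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>")
    return doc.encode("utf-8")


def accept_request(data):
    """Gate placed in front of the real SOAP parser: True only if within limits
    and well-formed; malformed input is rejected rather than passed on."""
    try:
        check_xml_complexity(data)
        return True
    except (ComplexityError, ET.ParseError):
        return False


if __name__ == "__main__":
    print("4 levels:", check_xml_complexity(nested_response(4)))
    print("100 levels accepted:", accept_request(nested_response(100)))
```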
Data Protection (In Storage & Transit)
  Two mechanisms for encryption: SSL and WS-Security

  Disadvantages of WS-Security
      – Harder, more complex to implement (easier to do wrong)
      – Larger attack surface (attacker has a lot more to play with) vs. SSL with client certificates
      – Only explicitly encrypted / signed data are protected

  Advantages of WS-Security
      – WS-Security offers end-to-end security (instead of point-to-point)
      – Transport agnostic
      – No longer an all-or-nothing approach
      – Less overhead, especially in stateless web services (debatable)
SSL
  Well understood and vetted technology

  Provides the functionality needed for most web service deployments

  Who is implementing SSL?
      – ISVs adding a web service interface to their product (SSL)
      – Internet companies exposing part of their service through a web interface for consumption (SSL)
      – Internally distributed applications previously using older technologies for inter-application communication (SSL)
      * By far the majority of engagements, products, and web services we’ve seen implement an SSL solution
WS-Security
  Enhances SOAP
      – Provides a framework for message integrity and confidentiality
      – Token type-, encryption scheme-, and signature scheme-agnostic

  Associates security tokens with messages

  Message integrity provided by XML Digital Signatures in conjunction with security tokens

  Message confidentiality provided by XML Encryption in conjunction with security tokens

  Describes a mechanism to encode binary security tokens
      – X.509 certificates, Kerberos, opaque encrypted keys

  Who is implementing?
      – B2B applications for company-to-company exchange
How WS-Security fits in the Web Service Stack

  [Figure: layered web service stack, top to bottom]
  Extended Capabilities
      – Management, Portals
      – Composition/Orchestration
      – Secure / Reliable / Transaction: WS-Security, Reliable Messaging, Transactions
      – Endpoint identification, Publish/Subscribe
  Foundation
      – Description: XML Schema, WSDL, UDDI, Attachments
      – Invocation: XML, SOAP
      – Transport: HTTP, HTTPS
Misconceptions
  Web services do not share some of the same vulnerabilities of web applications

  WS-Security is all you need to solve security concerns within web services

  XML firewalls and other technologies will protect against all WS attacks
Integrate Secure Development Lifecycle
  Security Requirements
      – Set requirements to meet security objectives

  Threat Modeling
      – Identify issues at the time of design
      – Assist in other phases of the development life cycle

  Code Review
      – Identify issues at the time of implementation
      – Static vs Dynamic Analysis
      – Manual and Automated Tools

  Penetration Testing
      – Blackbox vs White vs Grey Box Testing
      – Manual and Automated Tools
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 

Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures

  • 1. Web Services Security
    Nathan Sportsman
    Founder and Chief Executive Officer
    Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 2. Agenda
     Web Service Introduction
     Web Service Vulnerabilities
     Web Service Countermeasures
  • 3. Introduction
  • 4. How Did We Get Here?
    [Diagram: three generations, left to right]
     1st Generation – Static HTML (HTML)
     2nd Generation – Web Applications (HTML)
     3rd Generation – Web Services (SOAP / XML)
  • 5. Web Services Are
     “…a software system designed to support interoperable machine-to-machine interaction over a network.”, W3C
     Capable of connecting to external computing resources
      – Supply chain infrastructure
      – Outsourced computing infrastructure
  • 6. Web Services Primer
     Built on existing and emerging standards
      – HTTP, XML, SOAP, UDDI, WSDL, WS-*…
     Capabilities
      – Loosely coupled
      – Language neutral
      – Platform and transport independent
      – Interoperability
    [Diagram: a Service Broker holds the UDDI registry; the Client and the Service Provider each use the WSDL; Client and Service Provider exchange SOAP]
  • 7. Web Service Interoperability Example
    [Diagram: three systems, each exposing a Web Service]
     Embedded device – C++ on Linux/ARM
     Financial Transaction Gateway – C on AIX/PowerPC
     Billing Services – Java on NT/X86
  • 8. Web Service Vulnerabilities
  • 9. Attack Taxonomies
     Spoofing
     Tampering
     Repudiation
     Information Disclosure
     Denial of Service
     Escalation of Privileges
  • 10. Web Services Vulnerabilities
     Existing and emerging vulnerabilities apply
      – Brute Force
      – Information Disclosure
      – SQL Injection
      – LDAP Injection
      – Session Hijacking
      – Denial of Service (DoS)
      – Buffer Overflows
      – Cross Site Scripting
      – XML Injection
      – XPATH Injection
      – WSDL Manipulation
      – DOS (Intensive XML load)
      – …
  • 11. SQL Injection
     Possible when user input provided through the web service is used in queries to the backend database
    <?xml version="1.0" encoding="utf-8" standalone="no" ?>
    <SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
                       xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
                       xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
                       xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <SOAPSDK4:MethodName xmlns:SOAPSDK4="http://urltoapp/…">
          <SOAPSDK4:username>administrator</SOAPSDK4:username>
          <SOAPSDK4:password>' OR '1'='1</SOAPSDK4:password>
        </SOAPSDK4:MethodName>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
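Added example after slide 11 (not part of the original deck): the slide's request is parsed, the two credential strings are handed to a login routine built the way the speaker notes describe (parameters pasted into the SQL text), and then to one that binds them as parameters. The SOAP envelope below is a constructed copy of the slide's with the unused namespaces dropped, the in-memory SQLite table and its one account are constructed test data, and the operation name Login stands in for the slide's MethodName placeholder.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed copy of the slide's request; http://urltoapp/ is the slide's own placeholder.
SOAP_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <app:Login xmlns:app="http://urltoapp/">
      <app:username>administrator</app:username>
      <app:password>' OR '1'='1</app:password>
    </app:Login>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "app": "http://urltoapp/"}


def extract_credentials(envelope: str):
    """Pull username/password out of the SOAP body. The XML parser is not the problem;
    what the service does with the two strings afterwards is."""
    body = ET.fromstring(envelope).find("soap:Body", NS)
    return (body.findtext(".//app:username", namespaces=NS),
            body.findtext(".//app:password", namespaces=NS))


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the backend with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    conn.execute("INSERT INTO UserTable VALUES ('administrator', 'correct-horse')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The pattern the speaker notes spell out: the values are pasted into the SQL text, so
    the slide's password turns the clause into  password='' OR '1'='1'  and it is always true."""
    sql = "SELECT * FROM UserTable WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Countermeasure: bound parameters; the driver never interprets the values as SQL syntax."""
    sql = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def run_demo() -> tuple:
    """Returns (vulnerable_result, parameterized_result) for the slide's request."""
    username, password = extract_credentials(SOAP_REQUEST)
    conn = demo_db()
    return (login_vulnerable(conn, username, password),
            login_parameterized(conn, username, password))


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The parameterized version is the only change needed at the database tier; input validation at the service boundary (slide 21) is a second layer, not a replacement for it.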
  • 12. Buffer Overflow
     Buffer Overflows
      – Not as prevalent except on older legacy systems and embedded devices written in unmanaged code
      – Large string parameters extending beyond allocated memory
      – No bounds checking
    <SOAP-ENV:Envelope>
      <SOAP-ENV:Body>
        <parameter1>
          lkasdllkdlfa;jkia;refjeoinveroinanlekrngaerinrlgerinreglnaglinealinrglanirnaocnilrncoraeincelrgfnerginegnoeingerongoeringeg…
        </parameter1>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  • 13. XML Injection
     External input is not validated and is passed in an XML stream parsed by second-tier software
     Alters the XML structure by injecting malicious data
     John Smith escalates privileges by changing his User ID from 100 to 0
    <MyRec>
      <UserId>100</UserId>
      <Username>jsmith</Username><Uid>0</Uid><Username>jsmith</Username>
    </MyRec>
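Added example after slide 13 (not from the original deck): the first tier builds the record two ways, by string concatenation as on the slide and through the XML API, and a model of the second-tier parser reads the result back. The injected username is constructed from the slide's payload; it smuggles in a second UserId element (the slide prints it as Uid) so that the duplicate overrides the legitimate value. The "last value wins" reading of the second tier is an assumption about that parser, chosen because it is the common behaviour of code that walks children into a dictionary.

```python
import xml.etree.ElementTree as ET

# Constructed: what "jsmith" submits as his username. It closes the legitimate <Username>
# element and smuggles in a second <UserId> carrying the privileged value.
INJECTED_USERNAME = "jsmith</Username><UserId>0</UserId><Username>jsmith"


def build_record_unsafe(user_id: int, username: str) -> str:
    """First tier as on the slide: the input is spliced straight into the XML stream."""
    return "<MyRec><UserId>%d</UserId><Username>%s</Username></MyRec>" % (user_id, username)


def build_record_safe(user_id: int, username: str) -> str:
    """Countermeasure: build the record through the XML API, which escapes '<', '>' and '&'
    in text nodes, so the input can only ever be a value and never markup."""
    rec = ET.Element("MyRec")
    ET.SubElement(rec, "UserId").text = str(user_id)
    ET.SubElement(rec, "Username").text = username
    return ET.tostring(rec, encoding="unicode")


def second_tier_read(record_xml: str) -> dict:
    """Model of the second-tier parser (assumption): it walks the record and keeps the last
    value seen for each field name, so a smuggled duplicate overrides the legitimate one."""
    fields = {}
    for child in ET.fromstring(record_xml):
        fields[child.tag] = child.text
    return fields


def has_duplicate_fields(record_xml: str) -> bool:
    """Detection check the second tier can run before trusting a record: a record produced
    correctly by the first tier never carries the same field twice."""
    tags = [child.tag for child in ET.fromstring(record_xml)]
    return len(tags) != len(set(tags))


if __name__ == "__main__":
    unsafe = build_record_unsafe(100, INJECTED_USERNAME)
    print(second_tier_read(unsafe)["UserId"], has_duplicate_fields(unsafe))   # 0 True
    safe = build_record_safe(100, INJECTED_USERNAME)
    print(second_tier_read(safe)["UserId"], has_duplicate_fields(safe))       # 100 False
```

The duplicate-field check is worth keeping even after the first tier is fixed: the second tier usually cannot tell which upstream built a given record, and rejecting a malformed record is cheaper than reasoning about which value should win.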
  • 14. XPATH Injection
     Similar to a SQL injection attack
     Information is stored in and retrieved from an XML document instead of a relational database
    //users/user[LoginID/text()='' or 1=1 and password/text()='' or 1=1]
  • 15. Denial of Service
     XML parsing can be expensive
      • Extremely large / complex XML documents
      • Deeply nested tags
      • These can create extremely large memory footprints or utilize many CPU cycles
    …
    <SOAP-ENV:Body>
      <BuildNestedXMLResponse xmlns="http://someap">
        <BuildNestedXMLResult>
          <XML1>
            <XML2>
              <XML3>
                <XML4/>
              </XML3>
            </XML2>
          </XML1>
        </BuildNestedXMLResult>
      </BuildNestedXMLResponse>
    …
  • 16. Web Services Countermeasures
  • 17. Defense Taxonomies
     Configuration Management
     Authentication
     Authorization
     User & Session Management
     Data Validation
     Error & Exception Handling
     Logging & Auditing
     Data Protection (Storage & Transit)
  • 18. Configuration Management
     Internet-facing WSDLs can be found with Google hacking (filetype:wsdl inurl:wsdl)
     Review WSDLs for dangerous or antiquated functions
     Ensure hidden, debugging, or any non-production functions are removed before deployment
     Make sure they are not recreated automatically
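Added example for slide 18 (not from the original deck): a pre-deployment review script that enumerates every operation a WSDL publishes and flags the ones whose names suggest debugging, test or administrative functions. The WSDL is constructed for a hypothetical billing service (example.invalid is a reserved name, not a real host), and the watchlist is a starting point to tune to a project's naming conventions, not a standard.

```python
import re
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"

# Constructed WSDL for a hypothetical service. Two of the three operations should never
# have reached a production contract.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="Billing" targetNamespace="http://example.invalid/billing"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="http://example.invalid/billing">
  <portType name="BillingPort">
    <operation name="GetInvoice"><input message="tns:GetInvoiceRequest"/></operation>
    <operation name="DebugDumpTables"><input message="tns:DebugRequest"/></operation>
    <operation name="TestResetAccounts"><input message="tns:TestRequest"/></operation>
  </portType>
</definitions>"""

# Name fragments that usually mark hidden, debugging or otherwise non-production functions
# (assumed list; extend it with the project's own conventions).
WATCHLIST = re.compile(r"debug|test|admin|internal|dump|reset|exec|eval", re.IGNORECASE)


def list_operations(wsdl_text: str) -> list:
    """Every operation declared in any portType of the WSDL, in document order."""
    root = ET.fromstring(wsdl_text)
    path = "{%s}portType/{%s}operation" % (WSDL, WSDL)
    return [op.get("name") for op in root.findall(path)]


def review_wsdl(wsdl_text: str) -> dict:
    """All published operations plus the subset whose names match the watchlist."""
    ops = list_operations(wsdl_text)
    return {"operations": ops, "flagged": [op for op in ops if WATCHLIST.search(op)]}


if __name__ == "__main__":
    for name in review_wsdl(SAMPLE_WSDL)["flagged"]:
        print("review before deployment:", name)
```

Running this against the generated WSDL in the build pipeline, rather than once by hand, also covers the last bullet on the slide: a function that a code generator quietly re-adds shows up again on the next build.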
  • 19. Authentication & Authorization
     Can be accomplished in various ways with various protocols
     Username/password, certificates, etc.
     Educate yourself on the characteristics of the protocols available before deciding
  • 20. Session Management
     Use proven methods to generate session IDs
     Do not reinvent the wheel and attempt to create your own
     Utilize transport encryption to prevent eavesdropping on / modification of session data
     Use transport and element encryption to prevent replay / injection attacks
  • 21. Data Validation
     Validate and sanitize all input from external sources
     Sanitize all output of potentially malicious characters with respect to the next tier (e.g. database, XML stream, LDAP directory)
     If possible, consider a default-deny policy with a white list of allowed input
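Added example serving slides 14 and 21 (not from the original deck): a default-deny white list for the login ID, and a user lookup that compares values structurally instead of interpolating them into an XPath expression, so the slide's payload is rejected at the boundary and could not reach a query language even if it were not. The users document and the allowed-character set are constructed assumptions; passwords sit in the document in the clear only to mirror slide 14, a real store holds salted hashes.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed user store of the shape slide 14 queries with XPath.
USERS_XML = """<users>
  <user><LoginID>jsmith</LoginID><password>s3cret</password></user>
  <user><LoginID>admin</LoginID><password>hunter2</password></user>
</users>"""

# Default-deny allowlist for a login ID (assumed policy): 1 to 32 characters from a small
# fixed alphabet. Quotes, parentheses and whitespace, which XPath and SQL syntax need, are absent.
LOGIN_ID = re.compile(r"[A-Za-z0-9._-]{1,32}")

# The slide's payload, used here as an input that must be rejected.
PAYLOAD = "' or 1=1"


def validate_login_id(value: str) -> bool:
    return LOGIN_ID.fullmatch(value) is not None


def xpath_unsafe(login_id: str, password: str) -> str:
    """For illustration only: how the slide's expression arises when input is interpolated.
    XPath 1.0 has no escape sequence inside a string literal, so a quote always breaks out."""
    return "//users/user[LoginID/text()='%s' and password/text()='%s']" % (login_id, password)


def authenticate(users_doc: str, login_id: str, password: str) -> bool:
    """Countermeasure: validate first, then locate the user by structured comparison.
    No user-controlled text is ever assembled into a query string."""
    if not validate_login_id(login_id):
        return False
    for user in ET.fromstring(users_doc).findall("user"):
        if user.findtext("LoginID") == login_id:
            stored = user.findtext("password") or ""
            # Constant-time comparison so the check leaks nothing through timing.
            return hmac.compare_digest(stored.encode(), password.encode())
    return False


if __name__ == "__main__":
    print(validate_login_id(PAYLOAD), authenticate(USERS_XML, PAYLOAD, PAYLOAD))  # False False
    print(authenticate(USERS_XML, "jsmith", "s3cret"))                             # True
```

Where an XPath engine must be used, the same rule applies as for SQL: pass values through the engine's variable-binding interface rather than into the expression text, and keep the white list in front of it.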
  • 22. Logging & Auditing
     Consider using an existing logging framework
     Centralize the location of log files
     Ensure logs provide enough information for non-repudiation of actions
     Do not log passwords, credit cards, or other sensitive information
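Added example for slide 22 (not from the original deck): before a SOAP request is written to the audit log, elements whose local names mark them as sensitive are masked, while the caller, the operation and the outcome stay visible for non-repudiation. The request is constructed from the slide 11 envelope plus a card-number field; the sensitive-name pattern and the log line layout are assumptions to adapt per application.

```python
import re
import xml.etree.ElementTree as ET

# Element names whose content must never reach a log (assumed pattern; extend per application).
SENSITIVE_FIELD = re.compile(r"password|passwd|secret|token|card|ccnum|cvv|ssn", re.IGNORECASE)

# Constructed request: the slide's login call plus a payment field.
SOAP_REQUEST = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <app:Login xmlns:app="http://urltoapp/">
      <app:username>administrator</app:username>
      <app:password>' OR '1'='1</app:password>
      <app:CardNumber>4111111111111111</app:CardNumber>
    </app:Login>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

MASK = "[REDACTED]"


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def redact_envelope(envelope: str):
    """Return (redacted XML text, list of masked field names). Matching is on the element's
    local name, so it works whichever prefix the client chose for the application namespace."""
    root = ET.fromstring(envelope)
    masked = []
    for element in root.iter():
        name = local_name(element.tag)
        if SENSITIVE_FIELD.search(name) and (element.text or "").strip():
            element.text = MASK
            masked.append(name)
    return ET.tostring(root, encoding="unicode"), masked


def audit_record(envelope: str, peer: str, operation_ok: bool) -> str:
    """One log line: who (peer), what (the request, masked) and the outcome, and no secrets.
    The masked-field list records that redaction happened, which reviewers will want to see."""
    redacted, masked = redact_envelope(envelope)
    return "peer=%s outcome=%s masked=%s request=%s" % (
        peer, "ok" if operation_ok else "denied", ",".join(masked), redacted.replace("\n", ""))


if __name__ == "__main__":
    print(audit_record(SOAP_REQUEST, "192.0.2.10", False))
```

Redacting on the structured tree rather than with a regular expression over the raw text means a value that happens to contain angle brackets or newlines cannot slip past the mask.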
  • 23. Error & Exception Handling
     Test for DoS conditions in QA/QC procedures
     Define and enforce data file types and sizes
     Check document complexity before handing it to the parser
      – XML “Firewall”, etc.
     Use strict XML schema verification
     Create custom error messages with minimal information to be returned by web services
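Added example serving slides 15 and 23 (not from the original deck): a streaming complexity check that walks a request body with expat, counting nesting depth and element total, and rejects the document before any tree is built. The size, depth and element limits are assumed defaults to tune per service; DOCTYPE declarations are rejected outright because SOAP 1.1 forbids them in a message and entity expansion is a DoS vector of its own. The nested test document is constructed in the shape of slide 15.

```python
import xml.parsers.expat


class XmlTooComplex(ValueError):
    """Raised before any DOM is built when a document exceeds the configured limits."""


def check_xml_complexity(data: bytes, max_bytes: int = 1_000_000,
                         max_depth: int = 32, max_elements: int = 10_000) -> dict:
    """Streaming pre-check. Limits are assumed defaults; returns the measured figures on success."""
    if len(data) > max_bytes:
        raise XmlTooComplex("document is %d bytes, limit %d" % (len(data), max_bytes))

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise XmlTooComplex("nesting depth exceeds %d at <%s>" % (max_depth, name))
        if state["elements"] > max_elements:
            raise XmlTooComplex("more than %d elements" % max_elements)

    def end(name):
        state["depth"] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        raise XmlTooComplex("DOCTYPE declarations are not accepted")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    parser.Parse(data, True)  # raises ExpatError on malformed XML
    return {"max_depth": state["max_depth"], "elements": state["elements"]}


def is_acceptable(data: bytes, **limits) -> bool:
    """Boolean wrapper a request filter can call before handing the body to the real parser."""
    try:
        check_xml_complexity(data, **limits)
        return True
    except (XmlTooComplex, xml.parsers.expat.ExpatError):
        return False


def nested_document(depth: int) -> bytes:
    """Constructed test input in the shape of slide 15: <XML1><XML2>...<XMLn/>...</XML1>."""
    opening = "".join("<XML%d>" % i for i in range(1, depth))
    closing = "".join("</XML%d>" % i for i in range(depth - 1, 0, -1))
    return ("%s<XML%d/>%s" % (opening, depth, closing)).encode()


if __name__ == "__main__":
    print(check_xml_complexity(nested_document(4)))   # {'max_depth': 4, 'elements': 4}
    print(is_acceptable(nested_document(500)))        # False
```

The check costs one linear pass and a few counters, which is the point: the expensive parse the slide warns about never starts for a document that fails it, and the rejection can be returned as the minimal custom error the last bullet calls for.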
  • 24. Data Protection (In Storage & Transit)
     Two mechanisms for encryption: SSL and WS-Security
     Disadvantages of WS-Security
      – Harder, more complex to implement (easier to do wrong)
      – Larger attack surface (the attacker has a lot more to play with) vs. SSL with client certificates
      – Only explicitly encrypted / signed data are protected
     Advantages of WS-Security
      – WS-Security offers end-to-end security (instead of point-to-point)
      – Transport agnostic
      – No longer an all-or-nothing approach
      – Less overhead, especially in stateless web services (debatable)
  • 25. SSL
     Well understood and vetted technology
     Provides the functionality needed for most web service deployments
     Who is implementing SSL?
      – ISVs adding a web service interface to their product (SSL)
      – Internet companies exposing part of their service through a web interface for consumption (SSL)
      – Internally distributed applications previously using older technologies for inter-application communication (SSL)
    * By far the majority of engagements, products, and web services we’ve seen implement an SSL solution
  • 26. WS-Security
     Enhances SOAP
      – Provides a framework for message integrity and confidentiality
      – Token type-, encryption scheme-, and signature scheme-agnostic
     Associates security tokens with messages
     Message integrity provided by XML Digital Signatures in conjunction with security tokens
     Message confidentiality provided by XML Encryption in conjunction with security tokens
     Describes a mechanism to encode binary security tokens
      – X.509 certificates, Kerberos, opaque encrypted keys
     Who is implementing?
      – B2B applications for company-to-company exchange
  • 27. How WS-Security fits in the Web Service Stack
    [Diagram: layered stack, top to bottom]
     Extended capabilities – Management, Portals, Composition/Orchestration
     Secure, Reliable, Transactions – WS-Security, Reliable Messaging, Transaction
     Foundation
      – Endpoint identification, Publish/Subscribe
      – Description – XML Schema, WSDL, UDDI, Attachments
      – Invocation – XML, SOAP
      – Transport – HTTP, HTTPS
  • 28. Misconceptions
     Web services do not share some of the same vulnerabilities of web applications
     WS-Security is all you need to solve security concerns within web services
     XML firewalls and other technologies will protect against all WS attacks
  • 29. Integrate Secure Development Lifecycle
     Security Requirements
      – Set requirements to meet security objectives
     Threat Modeling
      – Identify issues at the time of design
      – Assist in other phases of the development life cycle
     Code Review
      – Identify issues at the time of implementation
      – Static vs. Dynamic Analysis
      – Manual and Automated Tools
     Penetration Testing
      – Black Box vs. White Box vs. Grey Box Testing
      – Manual and Automated Tools
  • 30. Web Services Security
    Nathan Sportsman
    Founder and Chief Executive Officer

Editor's Notes

  • #3: Threat Modeling © 2009 Praetorian. All rights reserved. According to BSIMM, all 9 organizations surveyed include security activities in the design phase; however, these are companies such as Microsoft, Google, Adobe, etc., where a real and concerted effort is being made in the way of software security. Most of the focus by organizations, vendors, and service providers is on backend security controls in the development and testing phases, such as code reviews (static analysis) or application penetration tests (dynamic analysis). Odd, considering the cost-benefit analysis graph presented earlier.
  • #5: Web Service Security © 2009 Praetorian. All rights reserved. The first generation of Web applications was largely about delivering non-interactive content, i.e. publishing non-interactive HTML pages. For example, many applications simply operated in client/server mode and rendered HTML pages to send across the internet to browsers. The second generation of Web applications was about creating applications usable over the Web. E-commerce is an example; you can go to http://www.barnesandnoble.com/, select books, order them and pay for them. This second generation also includes a more scalable back-end (e.g. WinDNA architecture) and a richer UI (e.g. DHTML and ActiveX). However, useful though they may be, the second generation largely resulted in application islands on the Web. Yes, there are hyperlinks between sites, but for the most part, the actual applications at different sites do not interact. The third generation of Web application is using Web protocols and XML throughout to allow better integration between services on the Web. Protocols such as XML and SOAP allow you to create Web Services, enabling people and companies to easily create integrated applications.
  • #6: SOAP = Simple Object Access Protocol. UDDI = Universal Description, Discovery and Integration, a directory of web services. WSDL = Web Services Description Language, how to use the web service when communicating via SOAP.
  • #8: The idea here is that the server on the bottom is using web services to communicate with disparate systems using a common language.
  • #12: Here the parameters in the SOAP envelope have been injected with SQL to bypass authentication by always returning true (i.e. SELECT * FROM UserTable WHERE username='administrator' AND password='' OR '1'='1';).
  • #18: Error & Exception Handling; Logging & Auditing
  • #26: WS-Security enhances SOAP by providing these mechanisms and more; we’ll look at each mechanism in the following slides.
  • #28: A high-level overview of WS-Security. The important point here is that it sits on top of the standard web services architecture to provide security, reliability and transactions.