
XML Threats & Web Services Vulnerabilities

Understanding Risk and Protection

Layer 7 Technologies

White Paper
XML Threats and Web Services Vulnerabilities

Contents

Overview ........ 3
A Complete Framework ........ 3
Prevention ........ 3
Protection ........ 3
Screening ........ 3
Message-Level Prevention, Protection, and Screening ........ 3
Parameter Tampering ........ 4
Recursive Payloads ........ 4
Oversized Payloads ........ 4
Coercive Parsing ........ 4
Schema Poisoning ........ 4
WSDL Scanning ........ 5
Routing Detours ........ 5
External Entity Attacks ........ 5
SQL or XQuery Injection ........ 5
Replay Attacks ........ 5
XML Morphing ........ 6
Summary ........ 6
About Layer 7 Technologies ........ 7
Contact Layer 7 Technologies ........ 7
Legal Information ........ 7

Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 2

Overview
XML-based Web services are becoming a more pervasive foundation technology for integrating applications and exchanging data in Service Oriented Architectures (SOAs). Like all new technologies, however, XML-based Web services also present new security challenges in the form of XML data structures, granular application calls, input data, or executable attachments, all of which can be maliciously constructed to damage or expose a receiving application. XML-based Web services compound the number of vulnerabilities by providing access to application APIs and target applications. The distributed, peer-to-peer nature of Web services also introduces bilateral threats and vulnerabilities that can be passed through multiple application hops.

This white paper reviews various XML- and Web services-specific threats that have been identified as potential exploits, examines how to address these threats, and discusses what a complete threat protection solution should provide.

A Complete Framework
A complete threat-protection framework needs to address three key functions: Prevention, Protection, and Screening.

Prevention
A protection framework must ensure the secure flow of messages by blocking potential message-level exploits like the insertion of attacks into the message stream. Message signing, sequence numbers, and the use of Public Key Infrastructure (PKI) between clients and services help ensure message integrity, and provide specific protection against man-in-the-middle and replay attacks.

Protection
Software or infrastructure must be able to protect not only itself, but also downstream systems, against attacks that are designed to render it inoperable. Well-known Web space attacks such as Denial of Service (DoS), payload poisoning, and external commands are a threat in XML and Web services deployments. A well-designed processing architecture combined with specific safeguards can help protect against operability attacks.

Screening
Message-level screening should encompass all traditional firewall functions, as well as permit the system administrator to allow or deny specific messages or actions. These functions include comprehensive schema validation, integrity enforcement, encryption/decryption, message content queries, identity verification, and other allow or deny criteria. The ability to delegate or offload specific payload processing to other best-in-class systems (such as a virus scan engine) allows security managers to tailor the scope of the message screening as required.

Message-Level Prevention, Protection, and Screening
The first step in protecting critical Web services resources is to ensure that all incoming messages are screened for potential threats to the downstream service, or to the protection infrastructure itself. Some of these threats may be the result of poorly designed or poorly implemented client-side code, while others may be malicious. In either case, administrators need the flexibility to identify and react to non-conforming messages and operations, while allowing secure access by trusted parties. This requires dedicated, purpose-built technology designed to process XML and Web services protocols as thoroughly and efficiently as possible.

Layer 7’s SecureSpan™ XML Data Screen is the first Service Oriented Architecture/Web-Oriented Architecture (WOA) XML appliance specifically designed to cleanse XML data streams of threats, vulnerabilities and unauthorized content for all common XML message formats, including Plain Old XML (POX), Simple Object Access Protocol (SOAP), Representational State Transfer (REST) and Asynchronous JavaScript And XML (AJAX).


Acting as a content filter, the XML Data Screen can be configured to scan, expurgate or transform all malicious or malformed data, classified or unwanted “dirty” words, and AJAX-generated scripts. Policies can be defined to remove, block or transform illegal data or entire messages. Traffic to specific end-points can be restricted or throttled based on user-defined traffic limits, data formats or REST-based URLs. The following list reviews various XML and Web services threats, and discusses how the SecureSpan XML Data Screen addresses these threats on a message-by-message basis.

Parameter Tampering
Parameters are used to send client-specific information to a Web service so that a certain remote operation can be executed. Instructions on how to use parameters are described in a Web Services Description Language (WSDL) document. An attacker could potentially manipulate the parameter options to retrieve unauthorized information.

The SecureSpan XML Data Screen uses strict schema validation and XPath queries to verify parameter content and ensure that parameters are used for legitimate purposes only. Additionally, the SecureSpan Manager’s WSDL tool can expose only a specific subset of the WSDL code, further restricting potential exploits.

Recursive Payloads
XML can nest elements within a document to address complex relationships, such as a purchase order that includes shipping and billing addresses and quantities. Attackers can attempt to break an XML parser by creating a file with thousands of nested elements.

The SecureSpan XML Data Screen can apply both schema validation and nesting depth limits that will deny these types of attacks. If elements are unreasonably nested, the SecureSpan FastPath XML parser will stop parsing and reject the message when the predefined nesting threshold is crossed.

Oversized Payloads
Because XML is relatively verbose, documents can potentially become very large. While programmers can limit a document’s size, there are a number of reasons why a file may take up hundreds of megabytes or even gigabytes. Large file sizes, however, could also mean that an attacker is attempting to manipulate the parser to execute an XML Denial of Service (XDoS) attack.

The SecureSpan XML Data Screen’s policy-driven processing model ensures that all message parsing is executed by explicitly-defined policy expectations rather than by the arbitrary content of message payloads. Therefore, an XDoS attack will not impact the SecureSpan’s parser itself. If downstream applications are particularly sensitive to message size, then size thresholds can also be enforced at the Data Screen.
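The two controls described under Recursive Payloads and Oversized Payloads (a nesting-depth threshold enforced while parsing, and a size threshold enforced before parsing) can be illustrated with a streaming parser. The following is an added example written for this page; it is not Layer 7 code and does not reflect how the FastPath parser is implemented. It uses the Python standard library’s expat bindings, and the thresholds and the sample purchase order are constructed for the demonstration.

```python
import xml.parsers.expat

# Hypothetical policy thresholds; the real product defaults are not stated on the page.
MAX_PAYLOAD_BYTES = 64 * 1024   # oversized-payload threshold
MAX_NESTING_DEPTH = 32          # recursive-payload threshold


class PayloadRejected(Exception):
    """Raised when a message violates the size or nesting-depth policy."""


def screen_payload(data: bytes,
                   max_bytes: int = MAX_PAYLOAD_BYTES,
                   max_depth: int = MAX_NESTING_DEPTH) -> dict:
    """Stream-parse one XML message, abandoning it as soon as the nesting
    threshold is crossed. Returns simple statistics for accepted messages."""
    # The size check costs nothing and runs before a single byte is parsed.
    if len(data) > max_bytes:
        raise PayloadRejected(
            f"payload is {len(data)} bytes, policy limit is {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        # Raising inside the handler stops expat immediately, so the rest of
        # a deeply nested document is never read, let alone built into a tree.
        if stats["depth"] > max_depth:
            raise PayloadRejected(
                f"nesting depth {stats['depth']} exceeds policy limit {max_depth}")

    def end_element(name):
        stats["depth"] -= 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)   # malformed XML raises ExpatError here
    del stats["depth"]
    return stats


def is_accepted(data: bytes, **limits) -> bool:
    """Policy verdict only: True if the message passes both checks."""
    try:
        screen_payload(data, **limits)
        return True
    except PayloadRejected:
        return False


def make_nested(depth: int) -> bytes:
    """Constructed test input: one element nested `depth` levels deep."""
    return b"<a>" * depth + b"</a>" * depth


# Constructed sample purchase order, well inside both limits.
SAMPLE_ORDER = b"""<order id="1001">
  <shipTo><name>Alice</name><city>Vancouver</city></shipTo>
  <billTo><name>Alice</name><city>Vancouver</city></billTo>
  <item sku="X-1"><qty>2</qty></item>
</order>"""

if __name__ == "__main__":
    print(screen_payload(SAMPLE_ORDER))
    for bad in (make_nested(1000), b"<x>" + b"a" * 100_000 + b"</x>"):
        try:
            screen_payload(bad)
        except PayloadRejected as exc:
            print("rejected:", exc)
```

Checking the depth inside the start-element callback is what makes the limit cheap: the parser never allocates more than `max_depth` open elements, whichever way the payload is shaped, and the size gate in front of it keeps a multi-gigabyte file from being read at all.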

Coercive Parsing
A coercive parsing attack attempts to exploit the “bolt-on” interfaces used to link legacy systems with XML components in an existing infrastructure. The attack tries to overwhelm a system’s processing capabilities or install malicious mobile code.

The SecureSpan XML Data Screen protects back-end systems and limits Web service access by enforcing strict policy compliance. Attackers without appropriate credentials will be denied access to the protected Web service. Schema validation and size restriction checks can also be used to ensure that messages comply with expected parameters and do not overwhelm any “bolt-on” components.

Schema Poisoning
XML schemas model an XML document’s grammar and template structure. Parsers use schemas to properly interpret Web service messages. Since schemas describe necessary processing instructions, they are vulnerable to tampering if not stored securely. An attacker may attempt to compromise the schema file itself and replace it with a similar but modified one at a different location.


The SecureSpan XML Data Screen does not load schemas from unauthorized locations. All schema locations are
configured by the SecureSpan Manager administrator independent of the sender. Administrators can also choose
to load the schema files once and persist the schemas locally in the XML Data Screen, blunting the impact of any
changes to the source file.

WSDL Scanning
WSDL is a mechanism for Web services to dynamically describe the parameters used when connecting to
commands that accept input from external sources. WSDL files are often built automatically using tools designed
to expose and describe all information available in a command. An attacker might cycle through the various
command and string combinations to discover unintentionally related or unpublished application program
interfaces.

The SecureSpan XML Data Screen selectively proxies all internal WSDLs, shielding access to the original WSDLs on application servers. The Data Screen will deny direct access to all WSDLs even when an attacker guesses a related unpublished WSDL. The SecureSpan Manager’s WSDL tool can also expose only a specific subset of an exposed WSDL, further restricting potential exploits.

Routing Detours
The Web Services routing specification helps direct XML traffic through an environment by allowing a way station in an XML path to assign routing instructions to a document. However, the way stations can be compromised, allowing attackers to insert bogus instructions to re-route a confidential file. The attackers can then strip out the malicious instructions before forwarding the document to its destination.

The SecureSpan XML Data Screen is typically deployed in front of any way stations, and therefore protects against direct access. The enforcement of message-level security through XML signing and encryption ensures the integrity of routing-specific fields and the payload itself, identifying and preventing any tampering.

External Entity Attacks
XML can build documents dynamically by pointing to a Uniform Resource Identifier (URI) where the actual data exists. These external entities may not be trustworthy, as an attacker could replace the data being retrieved with malicious data.

By default, the SecureSpan XML Data Screen does not resolve external entities. The Data Screen can be configured through the XPath policy assertion to block all messages containing references to external entities.

SQL or XQuery Injection
SQL or XQuery injection could be used by an attacker to execute multiple commands through a single input field, allowing access to native stored procedures or un-validated commands.

The SecureSpan XML Data Screen’s schema validation process verifies that the basic structure of the message conforms to defined expectations. Built-in filters for vendor-specific SQL attacks can be applied to all messages, and an XPath scan can also be used to detect and reject specific commands (such as SQL Selects) on a service-by-service basis.

Replay Attacks
In a replay attack, attackers intercept and re-issue messages that have already been validated and processed in an attempt to force the operation to be performed multiple times. This can result in data inconsistency (such as when money is transferred or deposited many times), or even reduced availability of the Web service with rapid replays.

The SecureSpan XML Data Screen creates and caches a unique identifier for each message. Every time a message is processed, it is checked against the cache to ensure it is not a replay of a former message. In a cluster, each node checks the central cache, ensuring messages cannot simply be routed around the caching node. The cache can be set by the administrator to expire after an acceptable time delay.
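The replay cache described above (a per-message identifier, a shared store that every cluster node consults, and an administrator-set expiry) can be modelled in a few dozen lines. The following is an added example for this page, not Layer 7 code; the paper does not say how the identifier is derived, so this example assumes a SHA-256 digest of the message bytes, and the `store` argument standing in for the cluster’s central cache is likewise an assumption.

```python
import hashlib
import time
from typing import Dict, Optional


class ReplayCache:
    """Detect re-issued messages by remembering an identifier for each one
    until a configurable expiry. `store` may be shared between cluster nodes
    (here a plain dict stands in for a central cache)."""

    def __init__(self, ttl_seconds: float = 300.0,
                 store: Optional[Dict[str, float]] = None):
        self.ttl = ttl_seconds
        self._seen = store if store is not None else {}   # id -> expiry time

    @staticmethod
    def message_id(message: bytes) -> str:
        # Assumed identifier scheme: SHA-256 over the message bytes. A signed
        # message cannot be altered without invalidating its signature, so the
        # digest identifies exactly the message that was validated.
        return hashlib.sha256(message).hexdigest()

    def _evict_expired(self, now: float) -> None:
        for mid in [m for m, expiry in self._seen.items() if expiry <= now]:
            del self._seen[mid]

    def accept(self, message: bytes, now: Optional[float] = None) -> bool:
        """True if the message is new within the TTL window, False if it is a replay.
        `now` is injectable so the expiry behaviour can be tested deterministically."""
        now = time.time() if now is None else now
        self._evict_expired(now)
        mid = self.message_id(message)
        if mid in self._seen:
            return False
        self._seen[mid] = now + self.ttl
        return True


def cluster_demo() -> list:
    """Two nodes sharing one store: the second node sees the first node's entry.
    Returns the sequence of verdicts."""
    shared_store: Dict[str, float] = {}
    node_a = ReplayCache(ttl_seconds=60.0, store=shared_store)
    node_b = ReplayCache(ttl_seconds=60.0, store=shared_store)
    # Constructed sample message.
    transfer = b"<transfer><from>123456789</from><to>987654321</to><amount>50.00</amount></transfer>"
    return [
        node_a.accept(transfer, now=1000.0),   # first sight: accepted
        node_a.accept(transfer, now=1001.0),   # same node, replay: rejected
        node_b.accept(transfer, now=1002.0),   # other node, same store: rejected
        node_b.accept(transfer, now=1061.0),   # entry expired after 60 s: accepted again
    ]


if __name__ == "__main__":
    print(cluster_demo())
```

The expiry window is the trade-off the administrator controls: it bounds the cache size, but a replay after the window will be accepted, so the window should be at least as long as the message timestamp tolerance the service enforces.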

XML Morphing
XML can be legitimately transformed for any number of reasons, but malicious morphing can transform an XML document and its contents into something completely different than its source intended. This can be exploited by an attacker to cause unexpected or inappropriate behavior of previously legitimate messages.

The SecureSpan XML Data Screen does not apply embedded transformations from external entities without administrator permission. Schema validation can also be used to ensure the rejection of any message whose format does not match expectations.

Summary
In many ways, XML- and Web services-specific threats are no different from existing forms of threats and attacks.
The unique challenge is ensuring that an XML protection strategy is in place before Web services become widely
deployed.

The SecureSpan XML Data Screen processing model is designed to screen out XML threats in real-time before they consume valuable internal resources, helping to reduce the impact of many attacks and ensure a high-availability Web services deployment.

While intelligent application design and basic network security measures are still very important, the SecureSpan XML Data Screen is a highly effective solution for protecting XML- and Web services-based applications.


About Layer 7 Technologies
With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada, Layer 7 Technologies helps enterprises accomplish secure and cost-effective business integration using XML and Web services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and governance across a Web services integration without expensive and inflexible programming. With the SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the ability to future-proof their Web services investments. Contact Layer 7 Technologies or visit www.layer7tech.com for more information.

Contact Layer 7 Technologies
Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
604-681-9377
1-800-681-9377 (toll free)

Fax:
604-681-9387

Address:
US Office
1200 G Street, NW, Suite 800
Washington, DC 20005

Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada

Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved. SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.
