At DefCon 13, Alex Stamos of iSec Partners gave a very interesting talk entitled “Attacking Web Services”. In summary, there are currently three known web service attack techniques:
- Injecting XML into an input box, overwriting tags set earlier in the SOAP XML stream
- Injecting XPath search queries into an input box, subverting the Boolean logic of the select expression
- Creating a valid but very deep and complex SOAP header, causing the web service to consume a large amount of system resources (a denial of service attack).
The XML and XPath injection techniques are very similar to the common SQL injection techniques used to infiltrate web applications that build SQL queries directly from user input (see http://www.securiteam.com/securityreviews/5DP0N1P76E.html for a good review of SQL injection). The solution to XML and XPath injection is the same: remove or escape special characters (brackets and quotes) from user input before processing the data. While input-sanitisation problems have been known for a long time, new tutorials and code samples still omit that step, so a whole new generation of programmers learns to write insecure code.
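The two injection cases above, as an added example that is not part of the original post or of the iSEC presentation. The SOAP template, element names (`Login`, `role`, `username`) and the "last `<role>` wins" server behaviour are constructed for the demonstration; the XPath part uses the standard XPath 1.0 trick of quoting a string literal (single quotes, double quotes, or `concat()` when both appear), since XPath 1.0 has no escape sequence for quotes.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed SOAP-style request template (assumed service, not a real one).
SOAP_TEMPLATE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><Login><role>user</role><username>{username}</username></Login>"
    "</soap:Body></soap:Envelope>"
)

# Constructed test input: a username that closes the <username> element and
# appends a second <role> element, i.e. the "overwrite an earlier tag" case.
INJECTED_NAME = "x</username><role>admin</role><username>y"


def build_request_unsafe(username: str) -> str:
    """Vulnerable form: raw user input is spliced into the XML stream."""
    return SOAP_TEMPLATE.format(username=username)


def build_request_safe(username: str) -> str:
    """Hardened form: '<', '>' and '&' are escaped before splicing, so the
    input can only ever become text, never markup."""
    return SOAP_TEMPLATE.format(username=escape(username))


def effective_role(request_xml: str) -> str:
    """Mimic a naive server that takes the last <role> it sees under <Login>."""
    root = ET.fromstring(request_xml)
    roles = root.findall(".//Login/role")
    return roles[-1].text if roles else ""


def parsed_username(request_xml: str) -> str:
    """Username as the server would read it back (first <username> element)."""
    return ET.fromstring(request_xml).find(".//Login/username").text


def xpath_literal(value: str) -> str:
    """Encode user input as an XPath 1.0 string literal.

    Single-quote it when it contains no single quote, double-quote it when it
    contains no double quote, and otherwise build it with concat() so that a
    quote in the input can never terminate the literal.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def login_query_unsafe(user: str, password: str) -> str:
    """Vulnerable form: quotes in the input rewrite the predicate."""
    return f"//user[name='{user}' and password='{password}']"


def login_query_safe(user: str, password: str) -> str:
    """Hardened form: each value is a self-contained literal."""
    return f"//user[name={xpath_literal(user)} and password={xpath_literal(password)}]"


if __name__ == "__main__":
    print("unsafe role :", effective_role(build_request_unsafe(INJECTED_NAME)))
    print("safe role   :", effective_role(build_request_safe(INJECTED_NAME)))
    print("safe xpath  :", login_query_safe("' or '1'='1", "x"))
```

Running the script shows the unsafe builder handing the server a second `<role>` element while the escaped builder keeps the whole input inside the `<username>` text node, and shows the XPath literal helper turning a quote-bearing name into a plain string comparison. Where the XML library can build the document for you (for example `ET.SubElement(...).text = username`) prefer that over templating, since it escapes automatically.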
A simple technique to counteract a complex SOAP header DoS attack is to limit the maximum size of a web service request. The following Microsoft TechNet article describes how to limit request size in IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;310156&sd=tech. For limiting the request size in Apache see: http://perl.apache.org/docs/2.0/api/Apache2/SizeLimit.html.
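An application-level complement to the server-side request limit described above, as an added example that is not from the original post or from either linked vendor document. Both the byte limit and the nesting limit are constructed values; the check rejects a body that is too large before parsing, and streams the XML so that an over-deep header is rejected as soon as the depth limit is crossed rather than after the whole tree has been built.

```python
import io
import xml.etree.ElementTree as ET

MAX_REQUEST_BYTES = 64 * 1024  # constructed limit for the example
MAX_ELEMENT_DEPTH = 32         # constructed limit for the example


class RequestRejected(Exception):
    """Raised when a request exceeds the size or nesting limits."""


def check_request(body: bytes, max_bytes: int = MAX_REQUEST_BYTES,
                  max_depth: int = MAX_ELEMENT_DEPTH) -> int:
    """Reject oversized or over-nested XML before any real processing.

    Returns the deepest element nesting observed when the body is accepted.
    """
    if len(body) > max_bytes:
        raise RequestRejected(f"body is {len(body)} bytes, limit {max_bytes}")
    depth = 0
    deepest = 0
    # iterparse emits events as it reads, so the depth check fires mid-stream
    for event, _elem in ET.iterparse(io.BytesIO(body), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise RequestRejected(f"nesting exceeds {max_depth} levels")
            deepest = max(deepest, depth)
        else:
            depth -= 1
    return deepest


def is_accepted(body: bytes, **limits) -> bool:
    """Boolean wrapper around check_request for callers that only need a verdict."""
    try:
        check_request(body, **limits)
        return True
    except RequestRejected:
        return False


def nested_envelope(levels: int) -> bytes:
    """Constructed SOAP-like request whose Header nests `levels` elements deep."""
    inner = "<a>" * levels + "x" + "</a>" * levels
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<soap:Header>{inner}</soap:Header><soap:Body/></soap:Envelope>"
    ).encode()


if __name__ == "__main__":
    print("shallow header depth:", check_request(nested_envelope(5)))
    print("deep header accepted?", is_accepted(nested_envelope(100)))
    print("large body accepted?", is_accepted(b"<a>" + b"x" * 100 + b"</a>", max_bytes=50))
```

Envelope and Header account for two levels, so a header nested five deep reports a depth of 7, while a 100-deep header is rejected at level 33 without the remaining elements ever being materialised. Apply the byte limit on the raw request before it reaches the XML parser; the nesting limit is a second line of defence for bodies that are small but pathologically deep.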
The full presentation on “Attacking Web Services” is available at: http://www.isecpartners.com/documents/iSEC-Attacking-Web-Services.DefCon.pdf.