Web Service Security Cheat Sheet

Introduction

This article is focused on providing guidance for securing web services and preventing web services related attacks. Please notice that due to the difference in implementation between different frameworks, this cheat sheet is kept at a high level.

Transport Confidentiality

Transport confidentiality protects against eavesdropping and man-in-the-middle attacks against web service communications to/from the server.

Rule: All communication with and between web services containing sensitive features, an authenticated session, or transfer of sensitive data must be encrypted using well-configured TLS. This is recommended even if the messages themselves are encrypted because TLS provides numerous benefits beyond traffic confidentiality including integrity protection, replay defenses, and server authentication. For more information on how to do this properly see the Transport Layer Protection Cheat Sheet.

Server Authentication

Rule: TLS must be used to authenticate the service provider to the service consumer. The service consumer should verify that the server certificate is issued by a trusted provider, is not expired, is not revoked, matches the domain name of the service, and that the server has proven that it has the private key associated with the public key certificate (by properly signing something or successfully decrypting something encrypted with the associated public key).

User Authentication

User authentication verifies the identity of the user or the system trying to connect to the service. Such authentication is usually a function of the container of the web service.

Rule: If used, Basic Authentication must be conducted over TLS, but Basic Authentication is not recommended because it discloses secrets in plain text (base64 encoded) in HTTP headers.

Rule: Client Certificate Authentication using Mutual-TLS is a common form of authentication that is recommended where appropriate.

Transport Encoding

SOAP encoding styles are meant to move data between software objects into XML format and back again.

Rule: Enforce the same encoding style between the client and the server.

Message Integrity

The integrity of data in transit can easily be provided by TLS. When using public key cryptography, encryption does guarantee confidentiality but it does not guarantee integrity, since the receiver's public key is public. For the same reason, encryption does not ensure the identity of the sender.

Rule: For XML data, use XML digital signatures to provide message integrity using the sender's private key. This signature can be validated by the recipient using the sender's digital certificate (public key).

Message Confidentiality

Data elements meant to be kept confidential must be encrypted using a strong encryption cipher with an adequate key length to deter brute-forcing.

Rule: Messages containing sensitive data must be encrypted using a strong encryption cipher. This could be transport encryption or message encryption.

Rule: Messages containing sensitive data that must remain encrypted at rest after receipt must be encrypted with strong data encryption, not just transport encryption.

Authorization

Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to perform a certain action (coarse-grained) on the requested data (fine-grained).

Rule: A web service should check whether its clients have access to the method in question. Following an authentication challenge, the web service should check whether the requesting entity has the privileges needed to access the requested resource. This should be done on every request, and a challenge-response Authorization mechanism added to sensitive resources like password changes, primary contact details such as email, physical address, payment or delivery instructions.

Rule: Ensure access to administration and management functions within the Web Service Application is limited to web service administrators. Ideally, any administrative capabilities would be in an application that is completely separate from the web services being managed by these capabilities, thus completely separating normal users from these sensitive functions.

Schema Validation

Schema validation enforces constraints and syntax defined by the schema.

Rule: Web services must validate SOAP payloads against their associated XML schema definition (XSD).

Rule: The XSD defined for a SOAP web service should, at a minimum, define the maximum length and character set of every parameter allowed to pass into and out of the web service.

Rule: The XSD defined for a SOAP web service should define strong (ideally allow-list) validation patterns for all fixed format parameters (e.g., zip codes, phone numbers, list values, etc.).

Content Validation

Rule: Like any web application, web services need to validate input before consuming it. Content validation for XML input should include:

- Validation against malformed XML entities.
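The server-authentication and transport-confidentiality rules above translate directly into how a service consumer configures its TLS client. The following Python example (added here; it is not part of the OWASP cheat sheet and the function names are its own) places the setting to avoid beside the hardened one, using only the standard `ssl` module: the hardened context requires a chain to a trusted issuer, rejects expired or non-conformant certificates, matches the certificate to the service hostname, refuses anything older than TLS 1.2, and can optionally check the leaf certificate against a PEM CRL. Proof of private-key possession is inherent to the TLS handshake itself. The `audit_consumer_context` helper reports what a reviewer would flag in a given context.

```python
"""Service-consumer TLS configuration: the weak form beside the hardened form.
Added example; the function names are this example's own, not from any framework."""
import ssl
from typing import List, Optional

# Lowest protocol version the consumer will negotiate.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def insecure_consumer_context() -> ssl.SSLContext:
    """The setting to avoid: no chain verification and no hostname check.

    Such a context still negotiates TLS but accepts any certificate, so it
    neither authenticates the service provider nor resists a man-in-the-middle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_consumer_context(cafile: Optional[str] = None,
                              crlfile: Optional[str] = None) -> ssl.SSLContext:
    """Context enforcing the server-certificate checks the cheat sheet lists.

    - trusted issuer: the chain must build to `cafile` (or the platform trust
      store); CERT_REQUIRED aborts the handshake otherwise;
    - not expired / strictly conformant X.509: VERIFY_X509_STRICT;
    - domain name match: check_hostname compares SAN/CN against the value
      passed as server_hostname to wrap_socket();
    - not revoked: an optional PEM CRL checked against the leaf certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if crlfile is not None:
        ctx.load_verify_locations(cafile=crlfile)      # CRLs are loaded like CA certificates
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_consumer_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise for a consumer-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: certificate is not matched to the service domain name")
    if ctx.minimum_version < REQUIRED_MIN_VERSION:
        findings.append("minimum_version allows protocols older than TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_consumer_context()),
                      ("hardened", hardened_consumer_context())):
        print(name, audit_consumer_context(ctx) or ["no findings"])
```

Revocation checking in the standard library is limited to CRLs you load yourself; OCSP or OCSP stapling has to come from the HTTP or SOAP client library in use, so treat the `crlfile` path as the minimum and verify what your framework adds on top.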
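The authorization rules above describe a two-level check (method, then data) that runs on every request, a challenge-response step for sensitive operations, and administrative functions reserved to administrators. The Python example below is added here to show that flow in one policy function; it is not code from the cheat sheet, and its method names, roles and the constructed order store are assumptions for illustration.

```python
"""Per-request authorization for a web-service endpoint: coarse-grained
(may this caller invoke this method?) followed by fine-grained (may it act on
this record?), with a step-up challenge for sensitive operations and admin
functions reserved to administrators. Added example with an assumed policy."""
from dataclasses import dataclass
from typing import FrozenSet, NamedTuple, Optional


@dataclass(frozen=True)
class Principal:
    """Outcome of the authentication step for the current request."""
    user_id: str
    roles: FrozenSet[str]
    challenge_passed: bool = False   # a fresh challenge-response succeeded on THIS request


class Decision(NamedTuple):
    allowed: bool
    reason: str


# Coarse-grained policy: roles permitted to invoke each service method (assumed).
METHOD_ROLES = {
    "getOrder": frozenset({"customer", "support"}),
    "cancelOrder": frozenset({"customer"}),
    "updateContactDetails": frozenset({"customer"}),
    "listAllOrders": frozenset({"admin"}),       # administrative function
}
# Methods that change contact or payment details require a step-up challenge.
STEP_UP_METHODS = frozenset({"updateContactDetails"})
# Roles allowed to act on records they do not own.
CROSS_OWNER_ROLES = frozenset({"support", "admin"})

# Constructed order store for the example.
ORDERS = {"o-100": {"owner": "alice"}, "o-200": {"owner": "bob"}}


def authorize(principal: Principal, method: str, order_id: Optional[str] = None) -> Decision:
    """Evaluate the policy for one request; call on every request, never cache per session."""
    allowed_roles = METHOD_ROLES.get(method)
    if allowed_roles is None:
        return Decision(False, f"unknown method {method}")
    if not principal.roles & allowed_roles:
        return Decision(False, f"role not permitted to call {method}")
    if method in STEP_UP_METHODS and not principal.challenge_passed:
        return Decision(False, f"{method} requires a fresh challenge-response")
    if order_id is not None:
        order = ORDERS.get(order_id)
        # Same answer for a missing record and for someone else's record, so
        # the response does not reveal which identifiers exist.
        if order is None or (order["owner"] != principal.user_id
                             and not principal.roles & CROSS_OWNER_ROLES):
            return Decision(False, f"no access to order {order_id}")
    return Decision(True, "")


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    print(authorize(alice, "getOrder", "o-100"))
    print(authorize(alice, "getOrder", "o-200"))
    print(authorize(alice, "updateContactDetails", "o-100"))
```

The method table is deliberately an allow-list: a method absent from it is denied rather than falling through to a default, which is the behaviour a SOAP dispatcher should have when a new operation is added without a corresponding policy entry.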
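The schema-validation rules above call for maxLength and allow-list patterns on every parameter, and the content-validation rule calls for rejecting malformed XML entities before the payload is consumed. The Python example below is added here to show both steps with the standard library only; it is not code from the cheat sheet, and the `<order>` element, its XSD facets and the sample payloads are constructed for illustration. A pre-parse pass with `expat` refuses any DOCTYPE or entity declaration, and the field checks mirror XSD `maxLength` and `pattern` facets (XSD patterns are implicitly anchored, hence `fullmatch`). A production service would validate the SOAP body against its real XSD with a schema-aware parser; the facet logic here shows what that validation enforces.

```python
"""Pre-parse entity rejection plus schema-facet content validation for an
inbound <order> payload. Added example; element names, facets and payloads
are assumed for illustration."""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class MessageRejected(ValueError):
    """Raised when a payload fails pre-parse or content validation."""


# maxLength and pattern facets mirroring an assumed XSD such as
#   <xs:simpleType name="ZipCode">
#     <xs:restriction base="xs:string">
#       <xs:maxLength value="10"/>
#       <xs:pattern value="\d{5}(-\d{4})?"/>
#     </xs:restriction>
#   </xs:simpleType>
FIELD_FACETS = {
    "zipCode":    (10, re.compile(r"\d{5}(-\d{4})?")),
    "phone":      (16, re.compile(r"\+?[0-9]{10,15}")),
    "shipMethod": (6,  re.compile(r"GROUND|AIR|SEA")),   # enumeration-style allow-list
}


def reject_doctype_and_entities(payload: bytes) -> None:
    """Refuse any DOCTYPE or entity declaration before the payload reaches
    the parser that builds the object tree."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise MessageRejected("DOCTYPE declarations are not accepted")

    def on_entity_decl(*_args):
        raise MessageRejected("entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(payload, True)       # exceptions raised in handlers propagate here
    except expat.ExpatError as exc:
        raise MessageRejected(f"malformed XML: {exc}") from None


def validate_order(payload: bytes) -> dict:
    """Return the validated field values or raise MessageRejected."""
    reject_doctype_and_entities(payload)
    root = ET.fromstring(payload)
    if root.tag != "order":
        raise MessageRejected(f"unexpected root element {root.tag!r}")
    values = {}
    for child in root:
        facets = FIELD_FACETS.get(child.tag)
        if facets is None:                     # element not in the schema
            raise MessageRejected(f"unexpected element {child.tag!r}")
        if child.tag in values:
            raise MessageRejected(f"duplicate element {child.tag!r}")
        max_len, pattern = facets
        text = child.text or ""
        if len(text) > max_len:                # xs:maxLength
            raise MessageRejected(f"{child.tag} exceeds maxLength {max_len}")
        if not pattern.fullmatch(text):        # xs:pattern, anchored like XSD
            raise MessageRejected(f"{child.tag} does not match its allow-list pattern")
        values[child.tag] = text
    missing = sorted(set(FIELD_FACETS) - set(values))
    if missing:
        raise MessageRejected(f"missing elements: {missing}")
    return values


def inspect_order(payload: bytes):
    """Return ('accepted', values) or ('rejected', reason) for a payload."""
    try:
        return ("accepted", validate_order(payload))
    except MessageRejected as exc:
        return ("rejected", str(exc))


# Constructed sample payloads.
GOOD_PAYLOAD = (b"<order><zipCode>90210</zipCode><phone>+14155550100</phone>"
                b"<shipMethod>AIR</shipMethod></order>")
DTD_PAYLOAD = b"<!DOCTYPE order [<!ENTITY e 'x'>]><order><zipCode>&e;</zipCode></order>"
LONG_ZIP_PAYLOAD = (b"<order><zipCode>902101234567</zipCode><phone>+14155550100</phone>"
                    b"<shipMethod>AIR</shipMethod></order>")
TRUNCATED_PAYLOAD = b"<order><zipCode>90210"

if __name__ == "__main__":
    for p in (GOOD_PAYLOAD, DTD_PAYLOAD, LONG_ZIP_PAYLOAD, TRUNCATED_PAYLOAD):
        print(inspect_order(p))
```

Rejecting the DOCTYPE outright is the simplest way to satisfy the entity rule: a SOAP body has no legitimate use for an internal DTD, so there is nothing to lose by refusing it before any entity can be expanded.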