News

New hackers take on Web services

Are you ready for the next generation of XML Web services hacks?

They will include "Web service-enabled application attacks," according to Steve Orrin, CTO at Sanctum Inc. (www.sanctuminc.com), a Web application security software vendor in Santa Clara, Calif.

With recent evidence of how much potential damage can be worked into a standard e-mail with attachments, the vulnerabilities of SOAP messages in Web services are not difficult to imagine.

Orrin uses the example of an entity expansion attack, in which the hacker finds a Web service that echoes back user data. A SOAP request can then be crafted that causes the service to send back data from the application server.

"The essence of this attack is to exploit a mechanism of the XML parser in order to access resources outside the current document," Orrin explained. "This can be used to attack the current server, other servers, or to download data from the current or other servers."
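On the defending side, the parser mechanism Orrin describes depends on a document type declaration, which the SOAP 1.1 specification says a SOAP message must not contain, so a service can refuse any request that carries one before entities are ever defined. The sketch below is an added example, not code from Sanctum or from the article; the `echo` operation, the sample requests and the function names are constructed for illustration.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Request carries a DTD or is not well-formed."""

def check_soap_request(body: bytes) -> list:
    """Parse body with expat, refusing any DOCTYPE; return element names."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Custom entities can only be declared inside a DTD, so stopping
        # here means none is ever defined, expanded or fetched.
        raise UnsafeXML("DOCTYPE declaration not allowed in SOAP request")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return names

def is_rejected(body: bytes) -> bool:
    """True when the request must be refused before further processing."""
    try:
        check_soap_request(body)
    except UnsafeXML:
        return True
    return False

# Constructed sample requests for a hypothetical "echo" operation.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><echo>hello</echo></soap:Body>
</soap:Envelope>"""

# Same request, but with a DTD declaring an external entity (placeholder path).
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE echo [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><echo>&ext;</echo></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(check_soap_request(BENIGN))
    print(is_rejected(WITH_DTD))
```
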

This is only one of a series of XML attack scenarios Orrin sees as Web services applications proliferate. Among the vulnerabilities he lists: SAP BAPIs may be vulnerable to hacks written into SOAP messages, nefarious SQL commands may be injected in XQuery, and XML Schema may be redirected.

For IT professionals who spent much of August trying to guard against dangerous e-mail, the next generation of Web services attacks looks like a nightmare.

Seeking to address the problem, Sanctum announced availability this week of its AppScan 4.0 testing tools, including an Audit Edition that tests for security vulnerabilities such as the entity expansion attack in Orrin's example.

Web services support in the tool tests for a wide array of vulnerabilities found in XML and SOAP, according to Orrin.

About the Author

Rich Seeley is Web Editor for Campus Technology.