[OWASP-Chapters] Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???
John Marmelstein
marmelstein at eircom.net
Wed Jun 8 04:06:06 EDT 2005
Hello All,
(first posting from a 'top ten' adopter)
I suggest that authentication is the one to do first. But, there are arguments on both sides. The advantage of authentication is that it can reduce the risk of malicious data attack. An attacker may send a payload aimed at doing damage during the XML parsing or data-validation utility (DV). I know that the DV is made with the intention of being resistant to this, but complex messages might be hard to validate safely. This is in contrast to messages received from HTML forms, which can be safely validated if they are all text strings.
Going further, there's a case for splitting the validation process. First, a 'sanity check' on the message. Then, authenticate. Finally, proper validation. For example:
1- Check that it is valid XML or SOAP. Maybe some broadly application-specific stuff, such as checking that the message only has text elements, no non-parse 'CDATA' bits. Or, that it is smaller than a certain size.
2- Authenticate username/password
3- Application-specific data validation.
This may sound over-elaborate, but I don't think it's too bad. A typical environment might have a dedicated web-server (Apache, perhaps) in front of an Application Server (WebLogic, perhaps). The 'step 1' above could be efficiently done in the Apache, and a category of bad messages blocked within the DMZ. The same basic sanity check should work for many or all applications. Then again, this step can also be done by many firewall products, so may not be worth getting into.
bye,
John M
__________________
John Marmelstein
www.StrongPoint.ie
>"Eoin Keary" <eoinkeary at hotmail.com> wrote:
> Hi,
> Just I'd throw this out to see opinion:
>
> A webservice:
> Uses HTTPS. The Payload (SOAP) is in the HTTP Header.
> The password and UserId are also in the HTTP header as header parameters.
> (We can see the obvious issues here already?!#!?)
>
> So,
> The service needs a requester to be authenticated.
> So sending a SOAP request (Over HTTPS) to this service gives us "Access
> Denied" as I put in an incorrect password...ok so far
> Sending a modified request which the XML schema does not like (malformed
> request for example) gives us a Data validation error....So DV is done
> before authentication.
>
> Which should come first in the case of webservices...?
> DV or Auth.
> If DV is first we may be able to do a DoS by sending 1000's of requests,
> each one needing to be DV'ed. (Webservices are prone to DOS attacks).
> By doing Auth first, we need to DV the userId and password, Authenticate and
> then continue with the DV, which is complex....
>
> Anyone have any ideas which should be first, the "chicken or the egg"?
> I have my own opinions but what do you good people think?
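
The three-stage ordering proposed in the reply (sanity check, then authenticate, then application-specific validation), sketched as an added example that is not part of either original post. The `UserId`/`Password` header names, the size limit, the credential store and the `<order><qty>` schema are assumptions made for illustration.

```python
import hashlib, hmac, re
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 4096                      # assumed size limit for step 1
SALT = b"constructed-salt"            # constructed sample credential store
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", SALT, 100_000)}

class Rejected(Exception):
    def __init__(self, stage, reason):
        super().__init__(f"{stage}: {reason}")
        self.stage, self.reason = stage, reason

def _forbid(what):
    def handler(*_args):              # raised from inside the parser callback
        raise Rejected("sanity", f"{what} not allowed")
    return handler

def sanity_check(body: bytes) -> None:
    """Step 1: cheap, application-independent checks done before credentials are examined."""
    if len(body) > MAX_BYTES:
        raise Rejected("sanity", "message too large")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")   # no DTD, so no entity declarations
    parser.StartCdataSectionHandler = _forbid("CDATA")
    try:
        parser.Parse(body, True)      # well-formedness only, no tree is built
    except expat.ExpatError:
        raise Rejected("sanity", "not well-formed XML")

def authenticate(headers: dict) -> str:
    """Step 2: credentials arrive as header parameters, as in the quoted service."""
    user = headers.get("UserId", "")
    supplied = hashlib.pbkdf2_hmac("sha256", headers.get("Password", "").encode(), SALT, 100_000)
    if not hmac.compare_digest(supplied, USERS.get(user, b"\0" * 32)):
        raise Rejected("auth", "access denied")
    return user

def validate_order(body: bytes) -> int:
    """Step 3: application-specific validation (hypothetical <order><qty> schema)."""
    root = ET.fromstring(body)
    qty = root.findtext("qty", "")
    if root.tag != "order" or not re.fullmatch(r"[0-9]{1,3}", qty) or not 1 <= int(qty) <= 100:
        raise Rejected("validation", "expected <order> with qty 1-100")
    return int(qty)

def handle(headers: dict, body: bytes) -> str:
    try:
        sanity_check(body)
        user = authenticate(headers)
        return f"ok: {user} ordered {validate_order(body)}"
    except Rejected as e:
        return str(e)
```

With this ordering an unauthenticated caller can only learn whether a message passed the generic sanity check; the schema-level validation errors are reachable only after step 2 succeeds.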