[OWASP-Chapters] Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???
Eoin.Keary at allianz.ie
Eoin.Keary at allianz.ie
Wed Jun 8 05:38:04 EDT 2005
I was chatting to Dr Tony Palmer of Vordel about this last week.
The first thing from the point of not doing any extra CPU time for
unauthenticated requests to the authenticate.
One solution is not to have the UserId and password "In band", inside the
SOAP message so we auth then DV. Use Out of Band credentials (in the HTTP
request as opposed to the XML message)
Using a SAX parser instead of a DOM to do initial parsing would also help
Some of the Vordel suite of solutions can actually talk to the firewall to
block suspected rogue requests.
An XML schema on both sides of the transaction is also a good idea if
possible, but it can't be guaranteed that the requesting entity shall use
the schema to validate their request and can not be relied on in its
Anyways, we (Ireland OWASP) hope to have Dr Palmer (or one of his
colleagues) give us a presentation on Webservices security at the next
IT Security (Tech Admin)
Security Projects Division
Dir: + 353-1-613-3490
Mob: + 353-87-904-1922
Mailto:eoin.keary at allianz.ie
Ph 01 6133490
"John Marmelstein" <marmelstein at eircom.net>
Sent by: owasp-ireland-admin at lists.sourceforge.net
06/08/2005 08:06 AM
Please respond to
<marmelstein at eircom.net>
owasp-ireland at lists.sourceforge.net, owasp-chapters at lists.sourceforge.net
Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???
(first posting from a 'top ten' adopter)
I suggest that authentication is the one to do first. But, there are
arguments on both sides. The advantage of authentication is that it can
reduce the risk of malicious data attack. An attacker may send a payload
aimed at doing damage during the xml parsing or data-validation utility
(DV). I know that the DV is made with the intention of being resistant to
this, but complex messages might be hard to validate safely. This is in
contrast to messages received from html forms, which can be safely
validated if they are all text strings.
Going further, there's a case for splitting the validation process. First,
a 'sanity check' on the message. Then, authenticate. Finally, proper
validation. For example;
1- Check that it is valid XML or SOAP. Maybe some broadly
application-specific stuff, such as checking that the message only has
text elements, no non-parse 'CDATA' bits. Or, that it is smaller than a
2- Authenticate username/password
3- Application-specific data validation.
This may sound over-elaborate, but I don't think it's too bad. A typical
environment might have a dedicated web-server (Apache, perhaps) in front
of an Application Server (WebLogic, perhaps). The 'step 1' above could be
efficiently done in the Apache, and a category of bad messages blocked
within the DMZ. The same basic sanity check should work for many or all
applications. Then again, this step can also be done by many firewall
products, so may not be worth getting into.
>"Eoin Keary" <eoinkeary at hotmail.com> wrote:
> Just I'd throw this out so see opinion:
> A webservice:
> Uses HTTPS. The Payload (SOAP) is in the HTTP Header.
> The password and UserId are also in the HTTP header as header
> (We can see the obvious issues here already?!#!?)
> The service needs a requester to be authenticated.
> So sending SOAP request (Over HTTPS) to this service gives us "Access
> Denied" as I put in an incorrect password...ok so far
> Sending a modified request which the XML schema does not like (malformed
> request for example) gives us a Data validation error....So DV is done
> Which should come first in the case of webservices...?
> DV or Auth.
> If DV is first we may be able to do a DoS by sending 1000's of requests,
> each one needing to be DV'ed. (Webservices are prone to DOS attacks).
> By doing Auth first, we need to DV the userId and password, Authenticate
> then continue with the DV, which is complex....
> Anyone have any ideas which should be first, the "chicken or the egg"?
> I have my own opinions but what do you good people think?
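The two posts above describe the same pipeline from different angles: Eoin's point that credentials should travel out of band (HTTP header, not SOAP body) and that a streaming parser should do the first pass, and John's three stages of cheap sanity check, then authentication, then full application-specific validation. The following Python is an added example that ties those together; it is not code from the thread, from Vordel, or from any OWASP project. It assumes a hypothetical service namespace `urn:example:balance` with a single `GetBalance` operation, a constructed single-user credential store, HTTP Basic credentials in the `Authorization` header, and the SOAP 1.1 envelope namespace. The stage-1 check uses expat's streaming callbacks (no DOM is built), so oversized, deeply nested, CDATA-bearing or DOCTYPE-bearing requests are dropped before any password hashing happens, and the costly full parse in stage 3 is only reached by an authenticated caller.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:balance"      # hypothetical service namespace (assumption)
MAX_BODY_BYTES = 4096               # constructed limits for the sanity stage
MAX_DEPTH = 8


class RequestRejected(Exception):
    """Records which stage rejected the request, for logging and testing."""
    def __init__(self, stage, reason):
        super().__init__(f"{stage}: {reason}")
        self.stage = stage


def sanity_check(body: bytes) -> None:
    """Stage 1: cheap streaming check with expat callbacks; no tree is built."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("sanity", "body exceeds size limit")
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    state = {"depth": 0, "root_seen": False}

    def start(name, attrs):
        if not state["root_seen"]:              # first element must be the SOAP Envelope
            state["root_seen"] = True
            if name != f"{SOAP_NS} Envelope":
                raise RequestRejected("sanity", "root element is not a SOAP Envelope")
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RequestRejected("sanity", "nesting too deep")

    def reject(what):                           # handler factory for constructs we refuse
        def handler(*_args):
            raise RequestRejected("sanity", f"{what} not accepted")
        return handler

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: state.__setitem__("depth", state["depth"] - 1)
    parser.StartCdataSectionHandler = reject("CDATA sections")
    parser.StartDoctypeDeclHandler = reject("DOCTYPE declarations")  # no entity tricks
    try:
        parser.Parse(body, True)   # exceptions raised inside handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise RequestRejected("sanity", f"not well-formed XML: {exc}") from None


def _derive(password: str) -> bytes:
    # constructed store uses one fixed salt for brevity; real stores salt per user
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 20_000)

USERS = {"alice": _derive("correct horse")}   # constructed credential store
_DUMMY = _derive("")                            # keeps unknown-user timing uniform


def authenticate(headers: dict) -> str:
    """Stage 2: credentials are out of band, in the HTTP Authorization header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise RequestRejected("auth", "missing Basic credentials")
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        raise RequestRejected("auth", "malformed credentials") from None
    ok = hmac.compare_digest(USERS.get(user, _DUMMY), _derive(password)) and user in USERS
    if not ok:
        raise RequestRejected("auth", "bad user or password")
    return user


def validate(body: bytes) -> dict:
    """Stage 3: full parse plus application-specific checks (the expensive part)."""
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise RequestRejected("validation", "expected one Body with exactly one operation")
    op = soap_body[0]
    if op.tag != f"{{{APP_NS}}}GetBalance":
        raise RequestRejected("validation", "unknown operation")
    account = op.findtext(f"{{{APP_NS}}}AccountId", "")
    if not re.fullmatch(r"[0-9]{8}", account):
        raise RequestRejected("validation", "AccountId must be exactly 8 ASCII digits")
    return {"operation": "GetBalance", "account": account}


def handle_request(headers: dict, body: bytes) -> dict:
    sanity_check(body)           # cheap, before any credential work
    user = authenticate(headers)
    result = validate(body)      # only authenticated callers reach the costly parse
    return {**result, "user": user}


def outcome(headers: dict, body: bytes) -> str:
    """'accepted', or the name of the stage that rejected the request."""
    try:
        handle_request(headers, body)
        return "accepted"
    except RequestRejected as exc:
        return exc.stage


def _envelope(inner: str) -> bytes:
    return f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>{inner}</s:Body></s:Envelope>'.encode()

# constructed sample traffic
GOOD_AUTH = {"Authorization": "Basic " + base64.b64encode(b"alice:correct horse").decode()}
BAD_AUTH = {"Authorization": "Basic " + base64.b64encode(b"alice:wrong").decode()}
GOOD = _envelope(f'<b:GetBalance xmlns:b="{APP_NS}"><b:AccountId>12345678</b:AccountId></b:GetBalance>')
BAD_ACCT = _envelope(f'<b:GetBalance xmlns:b="{APP_NS}"><b:AccountId>12ab</b:AccountId></b:GetBalance>')
CDATA = _envelope(f'<b:GetBalance xmlns:b="{APP_NS}"><b:AccountId><![CDATA[1]]></b:AccountId></b:GetBalance>')
DEEP = _envelope("<a>" * 20 + "x" + "</a>" * 20)
DTD = b'<!DOCTYPE s [<!ENTITY e "x">]>' + GOOD
```

Running `outcome(BAD_AUTH, CDATA)` returns `"sanity"` rather than `"auth"`: the CDATA request never costs a PBKDF2 derivation, which is the point of putting the cheap check first. `outcome(GOOD_AUTH, BAD_ACCT)` returns `"validation"`, showing that the full schema-style check still runs, but only for a caller who has already authenticated. The same stage-1 logic could live in the front web server or an XML firewall, as John suggests, since it depends on nothing application-specific beyond the envelope namespace.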