[OWASP-Chapters] Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???

Eoin.Keary at allianz.ie
Wed Jun 8 05:38:04 EDT 2005


Hi John,
I was chatting to Dr Tony Palmer of Vordel about this last week.
The first thing, from the point of view of not spending any extra CPU time on 
unauthenticated requests, is to authenticate.
One solution is not to have the UserId and password "in band", inside the 
SOAP message, so we auth then DV. Use out-of-band credentials (in the HTTP 
request as opposed to the XML message).

Using a SAX parser instead of a DOM to do initial parsing would also help 
performance.
Some of the Vordel suite of solutions can actually talk to the firewall to 
block suspected rogue requests.

An XML schema on both sides of the transaction is also a good idea if 
possible, but it can't be guaranteed that the requesting entity shall use 
the schema to validate their request, and it cannot be relied on in its 
entirety.

Anyway, we (Ireland OWASP) hope to have Dr Palmer (or one of his 
colleagues) give us a presentation on web services security at the next 
OWASP meeting.

Eoin

Eoin Keary
Contractor
Allianz Ireland
IT Security (Tech Admin)
Security Projects Division
Dir: + 353-1-613-3490
Mob: + 353-87-904-1922
Mailto:eoin.keary at allianz.ie
Ph 01 6133490

"John Marmelstein" <marmelstein at eircom.net> 
Sent by: owasp-ireland-admin at lists.sourceforge.net
06/08/2005 08:06 AM
Please respond to
<marmelstein at eircom.net>


To
owasp-ireland at lists.sourceforge.net, owasp-chapters at lists.sourceforge.net
cc

Subject
Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???
Hello All,
(first posting from a 'top ten' adopter)

I suggest that authentication is the one to do first. But, there are 
arguments on both sides. The advantage of authentication is that it can 
reduce the risk of malicious data attack. An attacker may send a payload 
aimed at doing damage during the XML parsing or data-validation utility 
(DV). I know that the DV is made with the intention of being resistant to 
this, but complex messages might be hard to validate safely. This is in 
contrast to messages received from HTML forms, which can be safely 
validated if they are all text strings.

Going further, there's a case for splitting the validation process. First, 
a 'sanity check' on the message. Then, authenticate. Finally, proper 
validation. For example: 
1- Check that it is valid XML or SOAP. Maybe some broadly 
application-specific stuff, such as checking that the message only has 
text elements, no non-parsed 'CDATA' bits. Or, that it is smaller than a 
certain size. 
2- Authenticate username/password
3- Application-specific data validation.
This may sound over-elaborate, but I don't think it's too bad. A typical 
environment might have a dedicated web-server (Apache, perhaps) in front 
of an Application Server (WebLogic, perhaps). The 'step 1' above could be 
efficiently done in the Apache, and a category of bad messages blocked 
within the DMZ. The same basic sanity check should work for many or all 
applications. Then again, this step can also be done by many firewall 
products, so may not be worth getting into.

bye,
John M
__________________
John Marmelstein
www.StrongPoint.ie


>"Eoin Keary" <eoinkeary at hotmail.com> wrote:
> Hi,
> Just thought I'd throw this out to see opinions:
> 
> A webservice:
> Uses HTTPS. The Payload (SOAP) is in the HTTP Header.
> The password and UserId are also in the HTTP header as header parameters.
> (We can see the obvious issues here already?!#!?)
> 
> So,
> The service needs a requester to be authenticated.
> So sending a SOAP request (over HTTPS) to this service gives us "Access 
> Denied" as I put in an incorrect password...ok so far
> Sending a modified request which the XML schema does not like (malformed 
> request for example) gives us a Data validation error....So DV is done 
> before authentication.
> 
> Which should come first in the case of webservices...?
> DV or Auth.
> If DV is first we may be able to do a DoS by sending 1000's of requests, 
> each one needing to be DV'ed. (Webservices are prone to DOS attacks).
> By doing Auth first, we need to DV the userId and password, Authenticate and 
> then continue with the DV, which is complex....
> 
> Anyone have any ideas which should be first, the "chicken or the egg"?
> I have my own opinions but what do you good people think?
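The request pipeline John sketches (cheap sanity check, then authenticate, then application-specific validation), with Eoin's two suggestions folded in (credentials out of band in the HTTP header rather than inside the SOAP body, and a streaming SAX-style first pass rather than a DOM), as an added example in Python. This code is not from the thread, from Vordel or from any product mentioned in it; the function names, the user store, the GetQuote operation and namespace, and the sample messages are all constructed for illustration. It also addresses the DoS point in the original question: an unauthenticated caller can only ever trigger the size cap and one streaming pass, never the full parse or the application-level validation.

```python
# Added example, not code from the thread or from Vordel/Allianz: a SOAP request
# pipeline ordered sanity check -> authenticate -> full validation. Function names,
# the user store, the operation and the sample messages are constructed.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.parsers import expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:quotes"              # hypothetical application namespace
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 32, 2000

class Reject(Exception):
    def __init__(self, stage, reason):
        super().__init__(f"{stage}: {reason}")
        self.stage = stage

def sanity_check(body):
    """Stage 1, before auth, so it must be cheap: size cap plus one streaming expat
    (SAX-style) pass, no tree built, DOCTYPE refused, depth/element count bounded."""
    if len(body) > MAX_BYTES:
        raise Reject("sanity", "body too large")
    depth = count = 0
    parser = expat.ParserCreate()
    def on_doctype(*_):                    # no DTD means no entity expansion
        raise Reject("sanity", "DOCTYPE not allowed")
    def on_start(name, attrs):
        nonlocal depth, count
        depth, count = depth + 1, count + 1
        if depth > MAX_DEPTH or count > MAX_ELEMENTS:
            raise Reject("sanity", "message too complex")
    def on_end(name):
        nonlocal depth
        depth -= 1
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)           # a Reject raised in a handler propagates
    except expat.ExpatError as exc:
        raise Reject("sanity", f"not well-formed XML: {exc}") from None

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"                                  # constructed user store
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

def authenticate(headers):
    """Stage 2: credentials are out of band in the HTTP Authorization header
    (Basic over HTTPS), so the SOAP body is never parsed to find them."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        raise Reject("auth", "missing credentials")
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:
        raise Reject("auth", "malformed credentials") from None
    salt, expected = USERS.get(user, (_SALT, bytes(32)))   # unknown users cost the same
    if not hmac.compare_digest(_derive(password, salt), expected) or user not in USERS:
        raise Reject("auth", "access denied")
    return user

def validate_application(body):
    """Stage 3, authenticated callers only: full tree parse plus the
    application-specific checks (a schema validator would slot in here)."""
    root = ET.fromstring(body)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise Reject("validation", "not a SOAP envelope")
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise Reject("validation", "Body must carry exactly one operation")
    op = soap_body[0]
    if op.tag != f"{{{APP_NS}}}GetQuote":
        raise Reject("validation", "unknown operation")
    symbol = op.findtext(f"{{{APP_NS}}}symbol", "")
    if not (1 <= len(symbol) <= 8 and symbol.isalpha()):
        raise Reject("validation", "bad symbol")
    return op

def handle(headers, body):
    """Sanity -> auth -> validation; returns (HTTP status, message)."""
    try:
        sanity_check(body)
        user = authenticate(headers)
        op = validate_application(body)
    except Reject as exc:
        return {"sanity": 400, "auth": 401, "validation": 400}[exc.stage], str(exc)
    return 200, f"{user}: {op.tag.rpartition('}')[2]}"

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

# Constructed samples: a valid request, one missing a close tag, one carrying a DTD.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        b'<q:GetQuote xmlns:q="urn:example:quotes"><q:symbol>ALV</q:symbol></q:GetQuote>'
        b'</soap:Body></soap:Envelope>')
MALFORMED = GOOD.replace(b"</soap:Body>", b"")
WITH_DTD = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'
```

Import the module and call handle(): GOOD with the right credentials returns (200, 'alice: GetQuote'); the same body with a wrong password is refused at stage 2 with a 401 before the tree parse ever runs; MALFORMED or WITH_DTD is refused at stage 1 with a 400 whatever credentials are sent, and a well-formed but unauthenticated body gets a 401 rather than a validation error. Refusing DOCTYPE outright is a hardening choice made for this example to rule out entity expansion; the thread itself does not discuss it.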




