Moved to [[Web Service Security Cheat Sheet]].

= ACTIVE WORK IN PROGRESS AUGUST 2011 =
= Introduction =

This article is focused on providing guidance on securing web services and preventing web service related attacks.

== Transport Confidentiality ==

All communication between web services and their clients must be encrypted using

== Transport Authentication ==

== Transport Encoding ==

== Message Authentication ==

== Message Integrity ==

== Message Confidentiality ==

== Authorization ==

RULE - A web service must authorize each client for the specific method it is invoking, not merely for access to the service as a whole. The client identity used for this decision is established by one of the following methods:

*Having clients authenticate to the web service using a username and password
*Having clients authenticate to the web service using client certificates

== Schema Validation ==

RULE - Web services must validate SOAP payloads against the web service schema.

== Content Validation ==

RULE - Like any web application, web services need to validate input before consuming it. Content validation includes:

*Validation against ill-formed XML (the parser must reject malformed documents rather than attempt to recover from them)
*Validation against XML Bomb attacks (nested entity expansion)
*Validating inputs using a strong whitelist
*Validation against external entity (XXE) attacks
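The following is an added example, not code from the original cheat sheet or from any OWASP project. It is a stdlib-only inbound guard for a SOAP endpoint that applies the Authorization and Content Validation rules above (and the size and XML denial of service concerns the later headings name): it rejects oversized messages before parsing, rejects any DOCTYPE so neither entity-expansion bombs nor external entities are ever processed, refuses external entity resolution as a second line of defence, caps element nesting depth, whitelists the root element to a SOAP 1.1 or 1.2 Envelope, and then authorizes the already-authenticated client against the operation named in the Body, denying by default. Schema validation against the service's own XSD needs a schema-aware library and is not shown. The sample messages, the client identities, the ACL and the namespace urn:example:quotes are all constructed for the example.

```python
"""Added example: a deny-by-default pre-parse guard for SOAP payloads (stdlib only)."""
import xml.parsers.expat

SOAP_11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_12 = "http://www.w3.org/2003/05/soap-envelope"
MAX_BYTES = 1_000_000
MAX_DEPTH = 64

# Hypothetical per-client ACL: the identity established at authentication
# (basic-auth username or client-certificate subject) -> operations it may call.
ACL = {
    "quote-reader": {"{urn:example:quotes}GetQuote"},
    "trader": {"{urn:example:quotes}GetQuote", "{urn:example:quotes}PlaceOrder"},
}


class RejectedXML(Exception):
    """Raised when a payload fails a check; str(exc) names the reason."""


def _qname(expat_name):
    # With namespace_separator=" " expat reports "uri local"; unprefixed names as-is.
    uri, _, local = expat_name.rpartition(" ")
    return "{%s}%s" % (uri, local) if uri else local


def check_xml_payload(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse bytes once with every dangerous feature refused.  Returns
    {"root": qname, "operation": qname or None, "elements": n, "max_depth": n}."""
    if len(data) > max_bytes:
        raise RejectedXML("message of %d bytes exceeds limit of %d" % (len(data), max_bytes))
    state = {"depth": 0, "max_depth": 0, "elements": 0, "root": None,
             "operation": None, "stack": []}
    bodies = ("{%s}Body" % SOAP_11, "{%s}Body" % SOAP_12)
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def start_doctype(*_):
        # Fires before any entity declaration is processed, so raising here stops
        # both expansion bombs and SYSTEM/external entities at the door.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    def entity_decl(*_):
        raise RejectedXML("entity declarations are not accepted")  # reached only without the DOCTYPE check

    def external_entity(*_):
        return 0  # expat treats 0 as "could not resolve" and aborts the parse

    def start_element(name, _attrs):
        q = _qname(name)
        state["elements"] += 1
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise RejectedXML("nesting deeper than %d elements" % max_depth)
        if state["root"] is None:
            state["root"] = q
        # The first child of the SOAP Body names the operation being invoked.
        if state["depth"] == 3 and state["stack"][-1] in bodies and state["operation"] is None:
            state["operation"] = q
        state["stack"].append(q)

    def end_element(_name):
        state["depth"] -= 1
        state["stack"].pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)  # ill-formed XML raises ExpatError; no recovery
    except xml.parsers.expat.ExpatError as e:
        raise RejectedXML("malformed XML: %s" % e)
    if state["root"] not in ("{%s}Envelope" % SOAP_11, "{%s}Envelope" % SOAP_12):
        raise RejectedXML("root element %r is not a SOAP Envelope" % state["root"])
    return {"root": state["root"], "operation": state["operation"],
            "elements": state["elements"], "max_depth": state["max_depth"]}


def authorize(client_id, operation, acl=ACL):
    """Deny by default: True only if the client is listed and the operation is explicitly granted."""
    return operation is not None and operation in acl.get(client_id, ())


def admit(client_id, data):
    """Full pipeline for one request: (True, info) or (False, reason)."""
    try:
        info = check_xml_payload(data)
    except RejectedXML as e:
        return False, str(e)
    if not authorize(client_id, info["operation"]):
        return False, "client %r is not permitted to call %r" % (client_id, info["operation"])
    return True, info


# Constructed sample messages.
GOOD = (b'<?xml version="1.0"?>'
        b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soapenv:Body><q:GetQuote xmlns:q="urn:example:quotes"><q:symbol>ACME</q:symbol>'
        b'</q:GetQuote></soapenv:Body></soapenv:Envelope>')
ORDER = GOOD.replace(b"GetQuote", b"PlaceOrder")
XML_BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
            b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
            b'<lolz>&lol2;</lolz>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       + GOOD.split(b"?>", 1)[1].replace(b"ACME", b"&xxe;"))
DEEP = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
        + b"<a>" * 200 + b"</a>" * 200 + b"</soapenv:Body></soapenv:Envelope>")

if __name__ == "__main__":
    for who, msg in [("quote-reader", GOOD), ("quote-reader", ORDER), ("trader", ORDER),
                     ("trader", XML_BOMB), ("trader", XXE), ("trader", DEEP)]:
        print(who, admit(who, msg))
```

Note that the size check runs before any parsing and the DOCTYPE check fires before a single entity is declared, so neither a multi-megabyte body nor a billion-laughs payload ever costs the service more than a read of the bytes; the depth cap bounds the stack of the downstream (schema-validating) parser as well.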
== Output Encoding ==

RULE - Some web service clients render the service output into HTML pages, either directly or via AJAX objects. All the rules of output encoding apply as per

== Virus Protection ==

== Message Size ==

== Message Throughput ==

== Identity, key, cert, provisioning ==

== Endpoint Security Profile ==

== Audit Logging ==

== Software Engineering Assurance ==

== XML Denial of Service Protection ==

== Testing ==

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]