Difference between revisions of "Reviewing Web Services"

Revision as of 14:22, 26 September 2008

Reviewing Webservices and XML payloads

When reviewing web services one should focus first on the generic security controls that apply to any application. Web services also have some unique controls that should be looked at.


XML Schema: Input validation

Schemas are used to ensure that the XML payload received is within defined and expected limits. They can be specific to a list of known good values or simply define length and type. Some XML applications do not have a schema implemented, which may mean input validation is performed downstream or even not at all!

Keywords:

Namespace: An XML namespace is a collection of XML elements and attributes identified by an Internationalised Resource Identifier (IRI). In a single document, elements may exist with the same name that were created by different entities.

To distinguish between such different definitions with the same name, an XML Schema provides the concept of namespaces - think Java packages :)

The schema can specify a finite set of parameters: the parameters expected in the XML payload, alongside the expected types and values of the payload data.

The processContents attribute indicates how XML from other namespaces should be validated. The value for this attribute may be:

  • strict: the processor must obtain a schema declaration for the namespace and validate the XML against it.
  • lax: the processor attempts to validate the XML against a schema if one is available; elements with no declaration are accepted.
  • skip: no attempt is made to validate the XML.

processContents="strict|lax|skip"
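The schema below is an added example, not from the OWASP page, showing what a reviewer would look for from the namespace, known-good-value and processContents points above in one place: a targetNamespace that keeps this service's elements distinct from same-named elements elsewhere, restrictions (enumeration, pattern, length, numeric bound, maxOccurs) that keep the payload within expected limits, and an xs:any extension point whose processContents value decides whether foreign-namespace XML is validated at all. The service ("orders"), the namespace URI and every element name are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical "orders" web service schema (example, not OWASP's own).
     targetNamespace gives every element here its own namespace, so an <Order>
     defined by another party cannot be confused with this one. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ord="http://example.invalid/schemas/orders"
           targetNamespace="http://example.invalid/schemas/orders"
           elementFormDefault="qualified">

  <!-- Known-good list: only these three values are accepted for <Status>. -->
  <xs:simpleType name="StatusType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="NEW"/>
      <xs:enumeration value="PAID"/>
      <xs:enumeration value="SHIPPED"/>
    </xs:restriction>
  </xs:simpleType>

  <!-- Length and character-set limits: the pattern fixes the shape,
       maxLength bounds the size before the value reaches application code. -->
  <xs:simpleType name="CustomerIdType">
    <xs:restriction base="xs:string">
      <xs:pattern value="[A-Z]{3}\-[0-9]{6}"/>
      <xs:maxLength value="10"/>
    </xs:restriction>
  </xs:simpleType>

  <!-- Numeric bound: a plain xs:integer would accept zero, negatives and huge values. -->
  <xs:simpleType name="QuantityType">
    <xs:restriction base="xs:positiveInteger">
      <xs:maxInclusive value="1000"/>
    </xs:restriction>
  </xs:simpleType>

  <xs:element name="Order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="CustomerId" type="ord:CustomerIdType"/>
        <xs:element name="Status" type="ord:StatusType"/>

        <!-- maxOccurs bounds how many line items one request may carry
             (an unbounded value here is a finding: it lets a single
             payload grow without limit). -->
        <xs:element name="Item" minOccurs="1" maxOccurs="50">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Sku">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="32"/>
                    <xs:pattern value="[A-Za-z0-9\-]+"/>
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="Quantity" type="ord:QuantityType"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>

        <!-- Extension point for XML from other namespaces.
             strict: the validator must find a schema for that namespace and
                     validate the content against it (the setting shown here).
             lax:    content is validated only if a schema happens to be available.
             skip:   nothing is validated; whatever arrives here is passed through,
                     which is the value a reviewer should flag. -->
        <xs:any namespace="##other" processContents="strict"
                minOccurs="0" maxOccurs="1"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```

When reviewing a real schema, check each element against this pattern: is the type a bare xs:string or xs:integer with no facets, is maxOccurs unbounded, and is any xs:any or xs:anyAttribute set to processContents="skip" or "lax"? Each of those means the limit the text describes is not being enforced by the schema and must exist somewhere downstream, if it exists at all.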