
Difference between revisions of "Web Services Cheat Sheet"

From OWASP
Line 21: Line 21:
 
== Authorization  ==
 
== Authorization  ==
  
Depending on the functionality. A web service should authorize its clients whether they have access to the method in question. This can be done using one of the following methods:  
+
RULE - A web service should authorize its clients whether they have access to the method in question. This can be done using one of the following methods:  
  
 
*Having clients authorize to the web service using username and password  
 
*Having clients authorize to the web service using username and password  
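Review bot: The new line "RULE - A web service should authorize its clients whether they have access to the method in question" runs two controls together: the bullet that follows it, "Having clients authorize to the web service using username and password", describes how a client authenticates, not how access to a method is decided. Suggest splitting the rule into an authentication step (username and password, or another credential) followed by an authorization check of the authenticated identity against the requested method, and changing "authorize to the web service" to "authenticate to the web service" in the bullet.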
Line 28: Line 28:
 
== Schema Validation  ==
 
== Schema Validation  ==
  
Web services must validate SOAP payloads against the web service schema.
+
RULE - Web services must validate SOAP payloads against the web service schema.
  
 
== Content Validation  ==
 
== Content Validation  ==
  
Like any web application, web services need to validate input before consuming it. Content validation include:
+
RULE - Like any web application, web services need to validate input before consuming it. Content validation include:
  
 
*Validation against illformed XML entities
 
*Validation against illformed XML entities
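Review bot: Grammar in the new Content Validation line: "Content validation include:" should read "Content validation includes:", and "illformed XML entities" in the bullet below should be "ill-formed XML". The Schema Validation change in the same hunk only adds the "RULE -" prefix and needs no further change.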
Line 38: Line 38:
 
*Validating inputs using a strong white list
 
*Validating inputs using a strong white list
 
*Validating against external entity attacks
 
*Validating against external entity attacks
*
+
 
  
 
== Output Encoding  ==
 
== Output Encoding  ==
  
Some web service clients use the output directly to render HTML pages either directly or using AJAX objects. All the rules of output encoding applies as per 
+
RULE - Some web service clients use the output directly to render HTML pages either directly or using AJAX objects. All the rules of output encoding applies as per 
  
 
== Virus Protection  ==
 
== Virus Protection  ==
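Review bot: The added bullet marked "*" after "Validating against external entity attacks" is empty and will render as a blank list item; either fill it in or drop it. In the same hunk, the new Output Encoding rule ends mid-sentence ("All the rules of output encoding applies as per ") and should read "apply" and finish with the reference it points to.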

Revision as of 01:05, 5 September 2011

ACTIVE WORK IN PROGRESS AUGUST 2011

Introduction

This article is focused on providing guidance to securing web services and preventing web services related attacks.

Transport Confidentiality

All communication between web services and their clients must be encrypted using

Transport Authentication

Transport Encoding

Message Authentication

Message Integrity

Message Confidentiality

Authorization

RULE - A web service should authorize its clients, checking whether they have access to the method in question. This can be done using one of the following methods:

  • Having clients authenticate to the web service using a username and password
  • Having clients authenticate to the web service using client certificates

Schema Validation

RULE - Web services must validate SOAP payloads against the web service schema.

Content Validation

RULE - Like any web application, web services need to validate input before consuming it. Content validation includes:

  • Validation against ill-formed XML
  • Validation against XML bomb attacks
  • Validating inputs using a strong whitelist
  • Validating against external entity attacks
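As an added example (not from the cheat sheet), the Content Validation rules above, together with a message-size cap, applied with Python's standard-library expat parser: every DOCTYPE is refused, which stops entity-expansion bombs and external entity references before any expansion, element names are checked against a whitelist, and nesting depth and message size are bounded. The limits, the element whitelist and the sample messages are assumptions constructed for this example.

```python
import xml.parsers.expat

# Assumed limits and a constructed element whitelist for this example endpoint.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
ALLOWED_ELEMENTS = {"Envelope", "Body", "GetBalance", "AccountId"}
class RejectedXML(ValueError):
    """Payload failed the hardened parse."""
def parse_soap_payload(data: bytes) -> list:
    """Parse an untrusted SOAP payload; return the element names seen, in order."""
    if len(data) > MAX_BYTES:
        raise RejectedXML("message exceeds size limit")
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    stack, seen = [], []
    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # SOAP never needs a DTD; refusing every DOCTYPE blocks entity
        # declarations (XML bombs) and external entities before any expansion.
        raise RejectedXML("DOCTYPE not allowed: %s" % name)
    def reject_external_entity(context, base, system_id, public_id):
        raise RejectedXML("external entity reference not allowed")
    def start(name, attrs):
        local = name.rsplit(" ", 1)[-1]  # drop the namespace URI expat prepends
        if local not in ALLOWED_ELEMENTS:
            raise RejectedXML("element not in whitelist: %s" % local)
        stack.append(local)
        if len(stack) > MAX_DEPTH:
            raise RejectedXML("nesting too deep")
        seen.append(local)
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML("ill-formed XML: %s" % exc) from None
    return seen

def rejection_reason(data: bytes):
    try:
        parse_soap_payload(data)
        return None
    except RejectedXML as exc:
        return str(exc)
# Constructed samples: a valid request and one carrying a DTD that declares entities.
GOOD_REQUEST = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                b'<GetBalance><AccountId>42</AccountId></GetBalance></s:Body></s:Envelope>')
DTD_REQUEST = (b'<!DOCTYPE Envelope [<!ENTITY e "aaaa"><!ENTITY f "&e;&e;&e;&e;">]>'
               b'<Envelope><Body>&f;</Body></Envelope>')
```

Schema validation proper (checking the payload against the service's XSD) needs a schema-aware library and is not shown here; the whitelist stands in for the structural part of that check.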


Output Encoding

RULE - Some web service clients use the output directly to render HTML pages, either directly or through AJAX objects. All the rules of output encoding apply as per 

Virus Protection

Message Size

Message Throughput

Identity, key, cert, provisioning

Endpoint Security Profile

Audit Logging

Software Engineering Assurance

XML Denial of Service Protection

Testing

OWASP Cheat Sheets Project Homepage