Difference between revisions of "Web Services Cheat Sheet"
Revision as of 03:44, 5 September 2011
- 1 ACTIVE WORK IN PROGRESS AUGUST 2011
- 2 Introduction
- 2.1 Transport Confidentiality
- 2.2 Transport Authentication
- 2.3 Transport Encoding
- 2.4 Message Authentication
- 2.5 Message Integrity
- 2.6 Message Confidentiality
- 2.7 Authorization
- 2.8 Schema Validation
- 2.9 Content Validation
- 2.10 Output Encoding
- 2.11 Virus Protection
- 2.12 Message Size
- 2.13 Message Throughput
- 2.14 Identity, key, cert, provisioning
- 2.15 Endpoint Security Profile
- 2.16 Audit Logging
- 2.17 Software Engineering Assurance
- 2.18 XML Denial of Service Protection
- 2.19 Testing
ACTIVE WORK IN PROGRESS AUGUST 2011
Introduction
This article is focused on providing guidance for securing web services and preventing web-service-related attacks.
Transport Confidentiality
All communication between web services and their clients must be encrypted using
Transport Authentication
Transport Encoding
Message Authentication
Message Integrity
Message Confidentiality
Authorization
Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to perform a certain action.
RULE - A web service should check, on every call, whether the client has access to the method in question. The decision must be based on an identity the service has authenticated, not on an unverified claim in the message; clients can be authenticated using one of the following methods:
- Username and password
- Client certificates
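The check described above, as an added example that is not code from the OWASP page: a deny-by-default policy keyed on the authenticated client identity and the full qualified name of the requested SOAP operation (the first element child of soap:Body). The service namespace urn:example:accounts, the policy table and the sample messages are constructed for this example; the client identity is assumed to come from the transport layer (client certificate subject or verified username), and the message is assumed to have already passed content validation.

```python
# Added example, not code from the OWASP page: method-level authorization
# for a SOAP endpoint. The service namespace, policy table and messages are
# constructed for this example.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:accounts"                          # hypothetical service namespace

# Deny-by-default policy: authenticated client identity -> allowed operations,
# keyed by full QName so an operation in a look-alike namespace never matches.
# The identity comes from the transport layer (client certificate subject or
# a verified username), never from an unverified claim in the message.
POLICY = {
    "CN=reporting-batch": {(SVC_NS, "GetBalance")},
    "CN=teller-app": {(SVC_NS, "GetBalance"), (SVC_NS, "Transfer")},
}


def soap_operation(message: bytes):
    """Return (namespace, local_name) of the requested operation, which in
    document/literal SOAP is the first element child of soap:Body, or None if
    the message is not a well-formed SOAP envelope.

    Assumes the message already passed content validation (no DTD etc.)."""
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        return None
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag               # ElementTree renders qualified names as "{ns}local"
    if not tag.startswith("{"):
        return ("", tag)            # unqualified operation: can never match the policy
    ns, local = tag[1:].split("}", 1)
    return (ns, local)


def authorize(client_identity: str, message: bytes) -> bool:
    """True only if the authenticated client is allowed to call this operation."""
    op = soap_operation(message)
    if op is None:
        return False
    return op in POLICY.get(client_identity, set())


# Constructed sample requests.
TRANSFER = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Transfer xmlns="urn:example:accounts"><amount>100</amount></Transfer>
  </soap:Body>
</soap:Envelope>"""

# Same local name, different namespace: must be denied for everyone.
SPOOFED = TRANSFER.replace(b"urn:example:accounts", b"urn:example:other")
```

Matching on the namespace as well as the local name matters: a policy that only compares "Transfer" would let a client reach the operation through a differently-namespaced element if the dispatcher is lenient. Anything the policy does not list, including malformed envelopes and unknown clients, is denied.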
Schema Validation
Schema validation enforces the constraints, syntax and semantics defined by the schema. It only helps if the schema itself is tight: element and attribute types, lengths and occurrence counts must be bounded, and unbounded maxOccurs or xs:any wildcards leave room for oversized or unexpected content.
RULE - Web services must validate SOAP payloads against the web service schema before the payload is processed.
Content Validation
RULE - Like any web application, web services need to validate input before consuming it. Content validation includes:
- Rejecting ill-formed XML
- Rejecting XML Bomb (entity expansion) attacks
- Validating inputs against a strong white list
- Rejecting external entity attacks
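The checks listed above, as an added example that is not code from the OWASP page, using the Python standard library's expat parser. A DOCTYPE is refused the moment it starts, before any entity declaration is processed, which removes both entity-expansion bombs and external entities in one step (SOAP 1.1 forbids a DTD in a message anyway); nesting depth is bounded; ill-formed XML is reported as a rejection; and a field value is checked against a white list with a full match. The depth limit, the account-number pattern and the sample messages are constructed for this example.

```python
# Added example, not code from the OWASP page: a hardened first-pass parse of
# a SOAP request with the stdlib expat parser, plus a white-list check on a
# field. The limits, the pattern and the sample messages are constructed.
import re
import xml.parsers.expat

MAX_DEPTH = 32                                  # hypothetical nesting bound; size to your schema
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")         # hypothetical white list for an account number


class RejectedMessage(ValueError):
    pass


def check_xml(message: bytes) -> int:
    """Parse once with DTDs refused and depth bounded. Returns the maximum
    element depth seen; raises RejectedMessage on any violation."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max": 0}

    def doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of <!DOCTYPE ...>, before the internal subset is
        # read, so entity declarations are never processed or expanded.
        raise RejectedMessage("DOCTYPE not allowed")

    def ext_ref(context, base, sysid, pubid):
        # Unreachable once DOCTYPE is refused; kept as a second line of defence.
        raise RejectedMessage("external entity not allowed")

    def start(name, attrs):
        state["depth"] += 1
        state["max"] = max(state["max"], state["depth"])
        if state["depth"] > MAX_DEPTH:
            raise RejectedMessage("nesting too deep")

    def end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = doctype
    parser.ExternalEntityRefHandler = ext_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(message, True)            # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as e:
        raise RejectedMessage("ill-formed XML: %s" % e) from e
    return state["max"]


def is_acceptable(message: bytes) -> bool:
    try:
        check_xml(message)
        return True
    except RejectedMessage:
        return False


def validate_account(value: str) -> str:
    """White-list check. fullmatch, not match/search, so "123456789\\n" is rejected."""
    if not ACCOUNT_RE.fullmatch(value):
        raise RejectedMessage("account number fails white list")
    return value


# Constructed sample messages.
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance xmlns="urn:example:accounts"><account>123456789</account></GetBalance></soap:Body>
</soap:Envelope>"""

BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&lol3;</soap:Body></soap:Envelope>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&xxe;</soap:Body></soap:Envelope>"""

DEEP = b"<a>" * 40 + b"</a>" * 40
ILL_FORMED = b"<a><b></a>"
```

Run this pass before the message reaches the schema validator or any DOM-building parser, since those will happily expand entities unless configured otherwise. Refusing the DOCTYPE outright is simpler and safer than trying to count expansions after the fact.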
Output Encoding
Web services need to ensure that output sent to clients is encoded so that it is consumed as data and not as script. This is especially important when web service clients use the output to render HTML pages, either directly or indirectly via AJAX objects.
RULE - All the rules of output encoding apply, as per the XSS (Cross Site Scripting) Prevention Cheat Sheet.
Virus Protection
SOAP allows files and documents to be attached to SOAP messages. This gives attackers the opportunity to attach viruses and malware to these SOAP messages.
RULE - SOAP messages and their attachments must be scanned for viruses and malware. Scan each attachment after it has been decoded (MIME or base64) and before it is stored or processed.
Message Size
Web services, like web applications, can be targeted by DoS attacks that automatically send thousands of large SOAP messages. This either cripples the application, leaving it unable to respond to legitimate messages, or takes it down entirely.
RULE - SOAP message size should be limited to an appropriate size limit. A larger limit (or no limit at all) increases the chances of a successful DoS attack.
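Enforcing that limit, as an added example that is not code from the OWASP page: the body is read with a hard cap on the bytes actually consumed, so a Content-Length header that understates the size, or a chunked request with no Content-Length at all, cannot get an oversized message past the check. The limit value and the sample bodies are constructed for this example.

```python
# Added example, not code from the OWASP page: read a request body with a
# hard upper bound without trusting Content-Length. The limit and the
# sample bodies are constructed for this example.
import io

MAX_MESSAGE_BYTES = 256 * 1024   # hypothetical limit; size it to your largest legitimate message


class MessageTooLarge(ValueError):
    pass


def read_bounded(stream, declared_length=None, limit=MAX_MESSAGE_BYTES) -> bytes:
    """Return the body if it is at most `limit` bytes, otherwise raise.
    The declared Content-Length (if any) is used only to fail fast; the real
    byte count is enforced while reading, so a lying or absent header
    (chunked transfer) cannot bypass the limit."""
    if declared_length is not None and declared_length > limit:
        raise MessageTooLarge("declared %d > %d" % (declared_length, limit))
    chunks = []
    total = 0
    while True:
        # Never request more than one byte past the limit, so an oversized
        # body is detected without buffering it.
        chunk = stream.read(min(8192, limit - total + 1))
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise MessageTooLarge("body exceeds %d bytes" % limit)
        chunks.append(chunk)
    return b"".join(chunks)


def accepts(body: bytes, declared_length=None, limit=MAX_MESSAGE_BYTES) -> bool:
    """Convenience wrapper over read_bounded for a constructed in-memory body."""
    try:
        read_bounded(io.BytesIO(body), declared_length, limit)
        return True
    except MessageTooLarge:
        return False
```

The same cap should also be applied by any reverse proxy or application server in front of the service, so that oversized messages are dropped before they consume application memory at all.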
Message Throughput
Identity, key, cert, provisioning
Endpoint Security Profile
Audit Logging
Software Engineering Assurance
XML Denial of Service Protection
Testing
OWASP Cheat Sheets Project Homepage