News

Web services vulnerable to namespaces

Namespaces, that arcane but crucial part of the XML standard, are an Achilles' heel that leaves Web services applications vulnerable to hackers, contends Yuval Ben-Itzhak, CTO at KaVaDo, Inc., a New York-based security software provider.

In the lab where Ben-Itzhak and his colleagues sought to replicate how hackers might alter the WSDL definitions to break into a back-end system, namespace manipulation was one of the first vulnerabilities identified.

''What will happen is the namespace will not be the same,'' he explained in a phone interview with XML Report from the KaVaDo lab in Israel. ''It will be the same parameter name, but its reference in the namespace will be different.''

While a mismatched namespace might sound more like a glitch than a security breach, Ben-Itzhak said hackers could exploit it not only to disrupt the Web service application but possibly to bring down a system running behind the firewall. He said hackers typically work to gain information about the inner workings of an enterprise system through a variety of means. Manipulating namespaces, he said, can be a place to start.

''Let's assume that we have a namespace to define a parameter called product,'' he said. ''That namespace product structure is required. So your application would expect a parameter called product to be defined by that namespace. If I send you a request with the same parameter called 'product,' and I reference a different namespace source that defines the parameter structure differently than the one you expect, if your application does not validate that my product is different than your product, and you try to reference my product, that might cause a vulnerability in your code and your application.''

While acknowledging that PKI-type encryption and firewalls are important, Ben-Itzhak said they won't stop a hacker who is manipulating the XML to change parameters in the WSDL file. Beyond encryption of the SOAP message sent over the Internet, and beyond the firewall sitting in front of the Web server and the back-office system, he advocates placing a security server to catch any mismatches, accidental or intentional, within the WSDL.

He explained that KaVaDo's security system is designed to intercept the SOAP messages before they go to the Web server. According to Ben-Itzhak, their system will validate the XML against the WSDL the Web services application is expecting and flag any possible manipulations of the XML, namespaces, parameters, function names or message structure. An errant SOAP message would then be rejected before it reached the Web server, he explained. It can also be redirected to an IT professional who could check to see if there was a mistake in the XML or a deliberate hacker attempt at manipulating the file, added Ben-Itzhak.
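The check Ben-Itzhak describes, rejecting a request whose `product` parameter arrives under a namespace other than the one the service's contract expects, can be illustrated with a short validator. The following is an added example written for this article; it is not KaVaDo's product or any code from the interview. The operation name `placeOrder`, the parameter names, the namespace URIs and both SOAP messages are constructed for illustration; only the SOAP 1.1 envelope namespace is a real identifier.

```python
"""Namespace-mismatch check for incoming SOAP requests (added example).

Accept a request only when every element in the SOAP Body is one the
contract knows about AND sits in the namespace the contract assigns to
it. Everything below except the SOAP envelope URI is constructed.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # real SOAP 1.1 namespace

# Constructed contract: the namespace each body element MUST come from.
# A real gateway would derive this table from the WSDL / XML Schema.
EXPECTED = {
    "placeOrder": "http://example.com/orders",  # hypothetical operation
    "product":    "http://example.com/orders",  # hypothetical parameter
    "quantity":   "http://example.com/orders",  # hypothetical parameter
}


def split_qname(tag):
    """ElementTree renders namespaced tags as '{uri}local'; split them."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def validate_request(xml_bytes):
    """Return (accepted, reason). Any element the contract did not define,
    or one in the wrong namespace, causes rejection before dispatch."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if split_qname(root.tag) != (SOAP_ENV, "Envelope"):
        return False, "root element is not a SOAP Envelope"
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        return False, "missing SOAP Body"
    for elem in body.iter():
        if elem is body:
            continue
        ns, local = split_qname(elem.tag)
        expected_ns = EXPECTED.get(local)
        if expected_ns is None:
            return False, f"unexpected element <{local}>"
        if ns != expected_ns:
            return False, (f"<{local}> is in namespace {ns!r}, "
                           f"expected {expected_ns!r}")
    return True, "ok"


# Constructed sample: every element in the namespace the contract expects.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <placeOrder xmlns="http://example.com/orders">
      <product>WIDGET-1</product>
      <quantity>2</quantity>
    </placeOrder>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: same parameter name 'product', but it references a
# different namespace, the mismatch the article describes.
MISMATCHED_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <placeOrder xmlns="http://example.com/orders">
      <product xmlns="http://other.example/orders">WIDGET-1</product>
      <quantity>2</quantity>
    </placeOrder>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for label, msg in (("good", GOOD_REQUEST), ("mismatched", MISMATCHED_REQUEST)):
        print(label, validate_request(msg))
```

Run stand-alone, the script accepts the first message and rejects the second with a reason naming the `product` element and both namespaces, which is the kind of message an operator reviewing a flagged request would want. Note that `xml.etree.ElementTree` is not hardened against hostile input such as entity expansion; a gateway doing this in production should parse with a hardened XML parser and validate the whole message against the schema, not only the namespaces.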

For more information, click on http://www.kavado.com

About the Author

Rich Seeley is Web Editor for Campus Technology.