Web services vulnerable to namespaces
Namespaces, that arcane but crucial part of the XML standard, are an
Achilles' heel that leaves Web services applications vulnerable to hackers,
contends Yuval Ben-Itzhak, CTO at KaVaDo, Inc., a New York-based security
In the lab where Ben-Itzhak and his colleagues sought to replicate how
hackers might alter the WSDL definitions to break into a back-end system,
namespace manipulation was one of the first vulnerabilities identified.
"What will happen is the namespace will not be the same," he explained in a
phone interview with XML Report from the KaVaDo lab in Israel. "It will be the
same parameter name, but its reference in the namespace will be different."
While a mismatched namespace might sound more like a glitch than a security
breach, Ben-Itzhak said hackers could exploit it not only to disrupt the Web
service application but possibly to bring down a system running behind the
firewall. He said hackers typically work to gain information about the inner
workings of an enterprise system through a variety of means. Manipulating
namespaces, he said, can be a place to start.
"Let's assume that we have a namespace to define a parameter called product,"
he said. "That namespace product structure is required. So your application
would expect a parameter called product to be defined by that namespace. If I
send you a request with the same parameter called 'product,' and I reference a
different namespace source that defines the parameter structure differently than
the one you expect, if your application does not validate that my product is
different than your product, and you try to reference my product, that might
cause a vulnerability in your code and your application."
While acknowledging that PKI-type encryption and firewalls are important,
Ben-Itzhak said they won't stop a hacker who is manipulating the XML to change
parameters in the WSDL file. Beyond encryption of the SOAP message sent over the
Internet, and beyond the firewall sitting in front of the Web server and the
back-office system, he advocates placing a security server to catch any
mismatches, accidental or intentional, within the WSDL.
He explained that KaVaDo's security system is designed to intercept the SOAP
messages before they go to the Web server. According to Ben-Itzhak, their system
will validate the XML against the WSDL the Web services application is expecting
and flag any possible manipulations of the XML, namespaces, parameters, function
names or message structure. An errant SOAP message would then be rejected before
it reached the Web server, he explained. It can also be redirected to an IT
professional who could check to see if there was a mistake in the XML or a
deliberate hacker attempt at manipulating the file, added Ben-Itzhak.
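As an added illustration of the mismatch Ben-Itzhak describes and of the kind of check his interceptor performs, the following Python script (written for this article, not KaVaDo's product or code) parses a SOAP envelope and rejects any request whose `product` parameter carries the expected local name but is bound to a namespace other than the one the service's WSDL declares. The two namespace URIs, the `OrderRequest` operation and both sample messages are constructed for the example.

```python
"""Added example, not from the article or from KaVaDo: validate that the
parameters in a SOAP body are bound to the namespaces the WSDL expects."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed: the namespace the service's WSDL declares for its 'product' parameter.
EXPECTED_NS = "http://example.com/shop/schema"

# Expected message shape: parameter local name -> namespace URI it must use.
EXPECTED_PARAMS = {"product": EXPECTED_NS}

# Constructed sample: a request that matches the WSDL.
GOOD_REQUEST = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <shop:OrderRequest xmlns:shop="http://example.com/shop/schema">
      <shop:product>WIDGET-42</shop:product>
    </shop:OrderRequest>
  </soap:Body>
</soap:Envelope>
"""

# Constructed sample: same parameter name, but bound to a different namespace,
# so a different schema (not the one the service expects) defines its structure.
BAD_REQUEST = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <shop:OrderRequest xmlns:shop="http://example.com/shop/schema">
      <other:product xmlns:other="http://example.org/another-schema">WIDGET-42</other:product>
    </shop:OrderRequest>
  </soap:Body>
</soap:Envelope>
"""


def split_tag(tag):
    """ElementTree encodes namespaced tags as '{uri}local'; split them apart."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def validate_soap_body(xml_text, expected=EXPECTED_PARAMS):
    """Return a list of problems found; an empty list means the message may pass.

    Checks, in order: well-formed XML, a SOAP Envelope root, a SOAP Body, and
    that every expected parameter is present and bound to its declared namespace.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return [f"unexpected root element {root.tag!r}"]
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return ["missing soap:Body"]

    problems = []
    seen = set()
    for elem in body.iter():
        if elem is body:
            continue
        uri, local = split_tag(elem.tag)
        if local in expected:
            seen.add(local)
            if uri != expected[local]:
                problems.append(
                    f"parameter {local!r} is bound to namespace {uri!r}, "
                    f"expected {expected[local]!r}"
                )
    for local in expected:
        if local not in seen:
            problems.append(f"required parameter {local!r} is missing")
    return problems


if __name__ == "__main__":
    for label, message in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        problems = validate_soap_body(message)
        verdict = "accept" if not problems else "reject"
        print(f"{label}: {verdict} {problems}")
```

The check is deliberately keyed on the namespace URI rather than the prefix: a sender is free to choose any prefix, so comparing `shop:` against `other:` would prove nothing, while the URI is what actually selects the schema that defines the parameter. A production interceptor would derive `EXPECTED_PARAMS` from the WSDL and its schemas instead of a hand-written table.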
For more information, click on http://www.kavado.com
Rich Seeley is Web Editor for Campus Technology.