SOAP (Simple Object Access Protocol) is an XML (extensible markup language)-based messaging protocol for exchanging information among computers.
- SOAP is a communication protocol designed for exchanging messages over the Internet.
- SOAP can extend HTTP for XML messaging.
- SOAP provides data transport for Web services.
- SOAP can exchange complete documents or call a remote procedure.
- SOAP can be used for broadcasting a message.
- SOAP is platform- and language-independent.
- SOAP is the XML way of defining what information is sent and how.
- SOAP enables client applications to easily connect to remote services and invoke remote methods.
Although SOAP can be used in a variety of messaging systems and can be delivered via a variety of transport protocols, the initial focus of SOAP is remote procedure calls transported via HTTP.
SOAP provides a way to communicate between applications running on different operating systems, with different technologies and programming languages.
SOAP is a messaging protocol, so SOAP security is primarily concerned with protecting the messages themselves: keeping them from being read or altered by unauthorized parties and proving who sent them, independently of the transport. TLS protects a single hop; message-level security survives intermediaries and queues.
SOAP messages are given integrity and origin authentication through XML Digital Signature, confidentiality through XML Encryption, and credential propagation through security tokens carried in the header.
WS-Security (Web Services Security) is the OASIS standard that specifies how these mechanisms are applied to SOAP messaging. It defines the wsse:Security header block and token profiles such as UsernameToken, X.509 and SAML.
SOAP Message Structure:
Whenever a client application calls a method in the web service, the client stack generates a SOAP request message carrying the operation name and its parameters, and the web service replies with a SOAP response message carrying the result (or a fault) back to the client application.
A simple SOAP message has the following elements –
- The Envelope element
- The Header element (optional)
- The Body element
- The Fault element (optional, carried inside the Body)
The SOAP message is an ordinary XML document with the following components.
- An Envelope element that identifies the XML document as a SOAP message – it encapsulates all the details in the SOAP message and is the root element.
- An optional Header element that carries processing information rather than payload: authentication credentials such as a WS-Security token, addressing, or transaction context for the calling application or an intermediary. A header block can be marked mustUnderstand="1", in which case a receiver that does not recognise it must reject the message with a fault. Complex type definitions belong in the WSDL and its XML Schema, not in the header.
- A Body element that contains the call and response information - the actual data that needs to be sent between the web service and the calling application.
- The Fault element - when a request is made to a SOAP web service, the response returned is either a successful response or an error response. A successful response is a normal SOAP message whose Body carries the operation's result. If a fault is generated, the Body carries a Fault element instead (with faultcode and faultstring in SOAP 1.1); over HTTP a SOAP 1.1 fault is returned with status "HTTP 500", while SOAP 1.2 uses 400 for Sender faults and 500 for Receiver faults. Fault detail is also a common information-leak channel: do not echo stack traces or SQL text into faultstring.
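The structure described above, as an added example that is not part of the original page: a client builds a SOAP 1.1 request with the standard library, and a `parse_response` function tells a result apart from a Fault by looking inside the Body. The envelope namespace is the real SOAP 1.1 one; the `http://example.com/stock` service namespace, the GetPrice operation and the two sample responses are constructed for the example.

```python
"""Build a SOAP 1.1 request and classify the response as result or Fault.

Added example, not from the original page. The service namespace and the
GetPrice operation are hypothetical; the envelope namespace is the real
SOAP 1.1 one.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://example.com/stock"          # hypothetical service namespace
ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("stk", SERVICE_NS)


def build_request(symbol: str) -> bytes:
    """Client side: Envelope/Header/Body with one operation element in the Body."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_ENV}}}Header")   # empty here; a security token would go here
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}GetPrice")
    ET.SubElement(op, f"{{{SERVICE_NS}}}symbol").text = symbol
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(xml_bytes: bytes) -> dict:
    """Return {'ok': True, 'price': x} or {'ok': False, 'code': c, 'reason': r}.

    A Fault is a child of Body, so the Body is inspected for it before the
    expected result element is looked up.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("Envelope has no Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        # faultcode and faultstring are unqualified elements in SOAP 1.1
        return {"ok": False,
                "code": fault.findtext("faultcode", default=""),
                "reason": fault.findtext("faultstring", default="")}
    resp = body.find(f"{{{SERVICE_NS}}}GetPriceResponse")
    if resp is None:
        raise ValueError("Body carries neither a Fault nor GetPriceResponse")
    return {"ok": True, "price": float(resp.findtext(f"{{{SERVICE_NS}}}price"))}


# Constructed sample responses, as a service would return them.
SUCCESS = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:stk="http://example.com/stock">
  <soapenv:Body>
    <stk:GetPriceResponse><stk:price>34.5</stk:price></stk:GetPriceResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

FAULT = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Client</faultcode>
      <faultstring>Unknown symbol</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_request("ACME").decode())
    print(parse_response(SUCCESS))
    print(parse_response(FAULT))
```

Checking for the Fault before the result element matters: a client that only looks for `GetPriceResponse` and treats its absence as "empty result" silently swallows errors, including the authentication and schema faults a hardened service emits.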
Common SOAP Security Risks
There are many different kinds of cyber security vulnerabilities and attacks, and some are uniquely aimed at APIs. A few of these are code injections, DoS (Denial of Service), breached or leaked access/authorization, XSS (Cross-site Scripting) and session hijacking.
Code Injections
Code injections, using SQL or, in the case of SOAP, XML, introduce malicious code into the database or application itself. In a SOAP service the injection point is a value taken from the XML body and placed into a SQL query, a command line, or another XML document without validation or escaping. Access control limits who can reach the service, but it does not stop an authorized caller from injecting; the defences are parameterized queries, input validation against the schema, and a hardened XML parser.
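The injection path described above, as an added example that is not from the original page: a parameter is read out of a SOAP request body and used in a SQL lookup, first by string concatenation (the vulnerable form) and then with a bound parameter. The `http://example.com/accounts` namespace, the GetBalance operation, the in-memory SQLite table and the two requests are all constructed for the example.

```python
"""Injection through a SOAP parameter: vulnerable versus parameterized lookup.

Added example with an in-memory SQLite table; the service namespace,
operation, table and requests are hypothetical.
"""
import sqlite3
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://example.com/accounts"   # hypothetical service namespace


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, only one belongs to the caller."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 2500)])
    return conn


def extract_owner(soap_xml: bytes) -> str:
    """Pull the <owner> parameter out of a GetBalance request body."""
    root = ET.fromstring(soap_xml)
    owner = root.find(f"{{{SOAP_ENV}}}Body/{{{SERVICE_NS}}}GetBalance/{{{SERVICE_NS}}}owner")
    if owner is None or owner.text is None:
        raise ValueError("missing owner parameter")
    return owner.text


def balances_vulnerable(conn: sqlite3.Connection, soap_xml: bytes) -> list:
    """Concatenates the SOAP value into SQL: this is the injection point."""
    owner = extract_owner(soap_xml)
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def balances_safe(conn: sqlite3.Connection, soap_xml: bytes) -> list:
    """Same query with a bound parameter: the value can never become SQL."""
    owner = extract_owner(soap_xml)
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def request(owner: str) -> bytes:
    """Constructed GetBalance request. ElementTree escapes the owner text for
    XML, which keeps the document well-formed; it does nothing for the SQL
    built from that text later."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}GetBalance")
    ET.SubElement(op, f"{{{SERVICE_NS}}}owner").text = owner
    return ET.tostring(env)


HONEST = request("alice")
HOSTILE = request("alice' OR '1'='1")   # constructed hostile parameter

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, hostile input:", balances_vulnerable(db, HOSTILE))
    print("safe, hostile input:      ", balances_safe(db, HOSTILE))
```

The hostile request is a perfectly valid SOAP message; nothing at the XML layer objects to it. That is why schema validation (restricting `owner` to a tight pattern) and parameterized queries are both needed: the first rejects most junk early, the second guarantees that whatever gets through cannot change the query.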
Breached or Leaked Access/Authorization
Many attacks, including code injections, start with breached or leaked access: a credential, token or session that lets the attacker send requests as a legitimate user. Making sure SOAP messages are readable only by their intended recipient, and that every message carries a credential the service actually verifies, is one important part of SOAP security.
DoS
A Denial of Service (DoS), or Distributed Denial of Service (DDoS), attack overwhelms and disrupts a web service with messages that are too many or too large. SOAP security cannot make DoS attacks impossible, but it can blunt them by limiting the length and volume of messages: cap the request size, rate-limit clients, and reject a payload before it reaches the XML parser, since parsing is where an oversized or entity-expanding document does its damage.
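The length and volume limits just described, as an added example that is not from the original page: a gate that runs on the raw request bytes before any XML parsing. The size cap and the per-client window are illustrative numbers to tune per service; the DOCTYPE rejection is grounded in the SOAP specifications, which forbid a document type declaration in a SOAP message, and it is what closes the door on internal entity expansion. The client identifier is whatever the transport gives you (peer address, API key or authenticated user); the clock is injectable so the window logic can be exercised without waiting.

```python
"""Pre-parse gate for SOAP requests: size cap, DOCTYPE rejection, rate limit.

Added example; the limits are illustrative. The gate looks at raw bytes so an
oversized or entity-expanding payload never reaches the XML parser.
"""
import time
from collections import defaultdict, deque

MAX_BYTES = 64 * 1024              # SOAP request bodies are small; choose per service
WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 120


class RequestGate:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._history = defaultdict(deque)   # client id -> request timestamps in the window

    def check(self, client_id: str, raw: bytes) -> tuple:
        """Return (accepted, reason); call before handing raw to the parser."""
        if len(raw) > MAX_BYTES:
            return False, "payload too large"
        # SOAP 1.1 and 1.2 both forbid a DTD in a message, and internal entity
        # expansion ("billion laughs") needs one, so refuse it outright.
        if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
            return False, "DOCTYPE not allowed"
        now = self._clock()
        q = self._history[client_id]
        while q and now - q[0] >= WINDOW_SECONDS:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= MAX_REQUESTS_PER_WINDOW:
            return False, "rate limit exceeded"
        q.append(now)
        return True, "ok"


if __name__ == "__main__":
    gate = RequestGate()
    # constructed payloads
    print(gate.check("10.0.0.5", b"<soapenv:Envelope/>"))
    print(gate.check("10.0.0.5", b"x" * (MAX_BYTES + 1)))
    print(gate.check("10.0.0.5", b"<!DOCTYPE x [<!ENTITY a 'aaaa'>]><soapenv:Envelope/>"))
```

Rejected requests do not consume a slot in the window, so a flood of oversized junk cannot be used to lock out the client's legitimate traffic behind it; whether that is the right choice depends on whether the client id is spoofable. The nonce and history structures here grow per client; in production bound them (expire idle clients, or use the rate limiter your gateway already has).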
XSS
Cross-site scripting is another form of code injection; more specifically, it occurs when someone injects malicious browser-side script into a web site through the web application. For a SOAP service this usually means user-supplied text that the service stores or returns ends up in a page that a browser renders without output encoding.
Session Hijacking
Session hijacking is another failure of access control. It occurs when an unauthorized user obtains a valid session ID (or a reusable security token). The attacker then has the same access to the application as the user whose session was taken, including that user's account.
Building Secure Web Services
In order to create a secure SOAP web service, you add a security layer through the SOAP header. A security credential, in WS-Security terms a UsernameToken, is added to the SOAP header, with the username and password supplied as variables so that each time a SOAP message is generated, these credentials are generated as part of the header. This way, whenever the user calls the web service, the call carries the username and password and the service rejects any message that lacks valid ones. Do not send the password in clear text: use the PasswordDigest form, in which the header carries a nonce, a Created timestamp and Base64(SHA-1(nonce + created + password)), and run the service over TLS in any case so the header cannot be read in transit.
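The header just described, as an added example that is not from the original page: the client side builds a wsse:Security header carrying a UsernameToken in PasswordDigest form, and the server side verifies it, rejecting stale timestamps, replayed nonces and bad digests. The namespace URIs and the digest formula are the ones from the OASIS WS-Security UsernameToken Profile; the `http://example.com/stock` service namespace, the GetPrice operation and the in-memory user store are constructed for the example.

```python
"""WS-Security UsernameToken with PasswordDigest: client builds the header,
server verifies it and rejects replays and stale timestamps.

Added example using only the standard library. Digest formula per the OASIS
UsernameToken Profile: Base64(SHA-1(nonce + created + password)), where nonce
is the raw (decoded) nonce bytes. Service namespace and user store are
hypothetical.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
SERVICE_NS = "http://example.com/stock"   # hypothetical
for prefix, uri in (("soapenv", SOAP_ENV), ("wsse", WSSE), ("wsu", WSU), ("stk", SERVICE_NS)):
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(username: str, password: str, symbol: str, now=None, nonce=None) -> bytes:
    """Client side: fresh nonce and timestamp per message; the password itself never leaves."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    created = now.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP_ENV}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}GetPrice")
    ET.SubElement(op, f"{{{SERVICE_NS}}}symbol").text = symbol
    return ET.tostring(env, encoding="utf-8")


class TokenVerifier:
    """Server side. users is a constructed credential store: username -> password."""

    def __init__(self, users: dict, max_skew=timedelta(minutes=5), now=None):
        self._users = users
        self._max_skew = max_skew
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._seen_nonces = set()   # replay cache; expire entries older than max_skew in production

    def verify(self, xml_bytes: bytes) -> tuple:
        """Return (ok, reason_or_username). Cheap structural checks first, digest last."""
        root = ET.fromstring(xml_bytes)
        tok = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not (username and nonce_b64 and created):
            return False, "token incomplete or not a PasswordDigest"
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)   # binascii.Error is a ValueError
        except ValueError:
            return False, "malformed Created or Nonce"
        if abs(self._now() - created_dt) > self._max_skew:
            return False, "Created outside the freshness window"
        if nonce in self._seen_nonces:
            return False, "nonce replayed"
        password = self._users.get(username)
        # Same answer for unknown user and wrong password: no user enumeration.
        if password is None:
            return False, "authentication failed"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return False, "authentication failed"
        self._seen_nonces.add(nonce)
        return True, username


if __name__ == "__main__":
    verifier = TokenVerifier({"alice": "s3cret"})
    msg = build_request("alice", "s3cret", "ACME")
    print(msg.decode())
    print(verifier.verify(msg))   # accepted
    print(verifier.verify(msg))   # same message again: replayed
```

PasswordDigest keeps the password off the wire, but the server still needs the plaintext password to recompute the digest, so it cannot store a salted hash the way a login form would; that is the trade-off that pushes real deployments toward X.509 or SAML tokens, or toward a plain UsernameToken over TLS with hashed storage. The freshness window plus the nonce cache is what makes a captured message useless to replay.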
The protections that should surround a SOAP service include regular testing, IAM (Identity and Access Management), request monitoring, input validation and redundant security standards.
Regular Testing - Various types of tests can be performed to check that the API withstands the threats it is likely to face and to find vulnerabilities that attackers might exploit. These types of tests include fuzz testing and injection testing, among others.
Fuzz testing feeds the API malformed or unexpected input (oversized elements, wrong types, missing or duplicated elements, bad tokens) to see how it reacts. Injection testing looks for places where an attacker could get malicious content, SQL, XML or script, interpreted by the service or the systems behind it.
Identity and Access Management - It is one of the most basic and essential aspects of cyber security. It involves everything from passwords and usernames to advanced authentication techniques.
IAM prevents unauthorized users from accessing the application at the wrong time or stealing another user’s session token and hijacking the session.
Request Monitoring - Monitoring requests and SOAP messaging for any abnormalities is another important part of security.
Request monitoring makes it much more likely that vulnerabilities or data leaks are found and fixed quickly. In order to monitor requests, a logging system is required that can be checked on a regular basis for any irregularities: SOAP faults, rejected tokens, oversized or malformed messages, and unusual request volumes from one client.
Input Validation - There are two aspects of input validation for SOAP: Schema compliance validation and SOAP response validation.
Schema compliance validation ensures that the message is in accordance with XML schema and the WSDL (Web Service Description Language).
SOAP response validation ensures that the response to your message is in the correct format.
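Both validation steps above, as an added example that is not from the original page. A real service validates against the XSD in the WSDL's types section (for instance with lxml's XMLSchema); this standard-library stand-in enforces the same kinds of constraints, element name and namespace, cardinality and simple-type lexical rules, so that what schema compliance actually checks is visible, and the same function validates a response against its declared shape. The `http://example.com/stock` namespace, the GetPrice/GetPriceResponse contract, the patterns and the three sample messages are constructed for the example.

```python
"""Schema-style validation of SOAP request and response bodies.

Added example. Stand-in for XSD validation from the WSDL: checks the
operation element's name and namespace, allowed and required children,
maxOccurs=1, and simple-type lexical patterns. Contract and messages are
hypothetical.
"""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://example.com/stock"   # hypothetical

# Operation element -> (required children: pattern, optional children: pattern).
# Every child is a simple type with maxOccurs=1, as the WSDL types would declare.
CONTRACT = {
    "GetPrice": ({"symbol": r"[A-Z]{1,5}"}, {"currency": r"[A-Z]{3}"}),
    "GetPriceResponse": ({"price": r"\d{1,9}(\.\d{1,4})?"}, {}),
}


def validate_body(xml_bytes: bytes, expected_op: str) -> list:
    """Return a list of violations; an empty list means the message conforms."""
    errors = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        return ["no Body"]
    children = list(body)
    if len(children) != 1:
        return [f"Body must carry exactly one element, found {len(children)}"]
    op = children[0]
    if op.tag != f"{{{SERVICE_NS}}}{expected_op}":
        return [f"unexpected operation element {op.tag}"]
    required, optional = CONTRACT[expected_op]
    allowed = {**required, **optional}
    seen = {}
    for child in op:
        ns, _, name = child.tag.rpartition("}")   # "{ns}name" -> ("{ns", "}", "name")
        if ns != "{" + SERVICE_NS or name not in allowed:
            errors.append(f"unexpected element {child.tag}")
            continue
        if name in seen:
            errors.append(f"duplicate element {name}")   # violates maxOccurs=1
            continue
        seen[name] = child.text or ""
        if len(child):
            errors.append(f"{name} must be a simple type, has child elements")
        if not re.fullmatch(allowed[name], seen[name]):
            errors.append(f"{name} does not match {allowed[name]!r}")
    for name in required:
        if name not in seen:
            errors.append(f"missing required element {name}")
    return errors


# Constructed messages.
GOOD = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:stk="http://example.com/stock"><soapenv:Body>
  <stk:GetPrice><stk:symbol>ACME</stk:symbol></stk:GetPrice>
</soapenv:Body></soapenv:Envelope>"""

# Hostile request: a second <symbol> and an element the contract does not know.
BAD = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:stk="http://example.com/stock"><soapenv:Body>
  <stk:GetPrice><stk:symbol>ACME</stk:symbol><stk:symbol>EVIL' OR 1=1</stk:symbol>
  <stk:debug>true</stk:debug></stk:GetPrice>
</soapenv:Body></soapenv:Envelope>"""

RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:stk="http://example.com/stock"><soapenv:Body>
  <stk:GetPriceResponse><stk:price>34.5</stk:price></stk:GetPriceResponse>
</soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    print(validate_body(GOOD, "GetPrice"))              # []
    print(validate_body(BAD, "GetPrice"))
    print(validate_body(RESPONSE, "GetPriceResponse"))  # []
```

The duplicate-element check is the one most often missing from hand-written handlers: a parser that takes "the" `symbol` by name silently picks the first or the last copy, and which one differs between the validating layer and the business logic. Tight lexical patterns do the rest; a symbol that can only be one to five capital letters cannot carry a quote, an angle bracket or a script tag.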
Redundant Security Standards
WSDL, the XML standards and the SOAP standards overlap in many places. A message therefore has to pass several independent checks, well-formed XML, conformance to the schema in the WSDL, the SOAP processing rules and the WS-Security header checks, and a malformed or unauthorized message that slips past one is likely to be caught by another. This defence in depth gives a level of insurance obtained by few other API styles.