Web Services Design Security Considerations
I. Information Gathering
- WSDL Retrieval: Identify web method call mechanics
- SOAP Error Messages
- Web Method Enumeration: Identify methods not published in the WSDL.
- Identify mishandling of numerical fields, character strings, Base64 data handling, etc.
- Identify SQL Injection/XPATH Injection Vulnerabilities
- XML input data is validated based on an agreed schema.
- If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links), messages are digitally signed to ensure that they cannot be tampered with.
- Determine whether the logging mechanism is vulnerable to arbitrary entry creation via carriage return and line feed injection.
- Assess the possibility of inserting HTML tags into an HTML-based log.
- Assess the possibility of inserting XML elements and/or attributes into an XML-based log.
- Determine the logging mechanism’s susceptibility to white space injection.
- Assess the ability of the web service to log messages that contain special separator characters.
- Assess the handling of log data after reaching the upper log size limit.
- Assess the web service’s susceptibility to LDAP injection.
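The logging checks above (CR/LF entry forgery, HTML tags in an HTML-based log, elements or attributes in an XML-based log, whitespace padding, separator characters and behaviour at the size limit) can all be countered in the component that writes the log. The following is an added example, not code from the original checklist: a Python field sanitizer plus a bounded log, with constructed sample values to show what each check is looking for. The separator, the hex encoding of control characters and the rotation policy are assumptions chosen for the example.

```python
import html
import re
from xml.sax.saxutils import escape as xml_escape

# Constructed sample values that a web service might copy from a request into its log.
SAMPLE_VALUES = {
    "plain": "alice",
    "crlf": "bob\r\n2024-01-01 00:00:00 INFO login ok user=admin",  # forged second entry
    "html": "<script>alert(1)</script>",                            # tag aimed at an HTML log
    "xml": '</entry><entry user="admin"/>',                         # element aimed at an XML log
    "space": "carol\t\t\t\t    ",                                   # whitespace padding
    "sep": "dave|ERROR|x",                                          # field separator characters
}

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_field(value: str, separator: str = "|", max_len: int = 256) -> str:
    """Make one log field inert: escape the escape character and the field separator,
    encode CR, LF, tab and other control characters visibly as \\xNN, collapse runs of
    spaces, and cap the length so a single value cannot pad or fill the log."""
    value = value.replace("\\", "\\\\").replace(separator, "\\" + separator)
    value = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    value = re.sub(r" {2,}", " ", value).strip()
    if len(value) > max_len:
        value = value[:max_len] + "...[truncated]"
    return value


def html_log_field(value: str) -> str:
    """For an HTML-based log: sanitize, then entity-encode so no tag can render."""
    return html.escape(sanitize_field(value), quote=True)


def xml_log_field(value: str) -> str:
    """For an XML-based log: sanitize, then escape markup so no element or attribute can be injected."""
    return xml_escape(sanitize_field(value), {'"': "&quot;"})


def format_entry(user: str, action: str) -> str:
    """One plain-text entry; every attacker-influenced field goes through sanitize_field."""
    return "|".join(["INFO", sanitize_field(user), sanitize_field(action)])


class BoundedLog:
    """In-memory log with an explicit size limit. When full, the oldest entries are
    rotated out and counted (assumed policy) instead of overflowing or silently
    dropping the newest entry."""

    def __init__(self, max_bytes: int):
        self.max_bytes = max_bytes
        self.entries = []
        self.rotated = 0

    def append(self, entry: str) -> None:
        if len(entry) > self.max_bytes:
            raise ValueError("entry larger than log capacity")
        while sum(len(e) for e in self.entries) + len(entry) > self.max_bytes:
            self.entries.pop(0)
            self.rotated += 1
        self.entries.append(entry)


if __name__ == "__main__":
    for name, raw in SAMPLE_VALUES.items():
        print(f"{name:6} plain={sanitize_field(raw)!r} html={html_log_field(raw)!r} xml={xml_log_field(raw)!r}")
```

Each sanitizer returns a single line with no raw control characters, so a forged entry stays inside the field that received it; the HTML and XML variants add the encoding their log format needs on top of the plain one.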
III. Authentication and Authorization
- Web services that support restricted operations or provide sensitive data require and support authentication.
- Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands.
IV. Sensitive Data
- Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL).
- Identify the encryption cipher used in the application.
- Determine the items within web service communications that are encrypted.
- Determine the items within web service communications that are protected by message integrity checks.
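The signing requirement for messages that cross intermediary nodes (section I) and the message integrity check listed just above are the same control seen from the design and assessment sides. The following is an added example and not part of the original checklist: it uses an HMAC-SHA256 tag with a shared key over the SOAP Body as a simplification in place of an XML Signature, and a whitespace-stripping serialisation in place of full XML canonicalisation. The request, the key and the hop-1 header are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed shared key; assumed to come from a key store in a real deployment.
SHARED_KEY = b"constructed-example-key-not-for-production"

# Constructed SOAP request; the parameters in the Body are what must not change in transit.
REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body>
    <Transfer xmlns="urn:example">
      <From>ACC-100</From>
      <To>ACC-200</To>
      <Amount>50.00</Amount>
    </Transfer>
  </soap:Body>
</soap:Envelope>"""


def canonical_body(envelope_xml: str) -> bytes:
    """Serialise the Body with insignificant whitespace removed, so an intermediary that
    only re-indents the message does not break verification while any change to a
    parameter value does. Stand-in for XML canonicalisation (C14N)."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    for el in body.iter():
        el.text = (el.text or "").strip() or None
        el.tail = (el.tail or "").strip() or None
    return ET.tostring(body, encoding="utf-8")


def sign_request(envelope_xml: str, key: bytes) -> str:
    """Return a base64 HMAC-SHA256 tag over the canonical Body."""
    digest = hmac.new(key, canonical_body(envelope_xml), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_request(envelope_xml: str, key: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time; any Body change yields False."""
    return hmac.compare_digest(sign_request(envelope_xml, key), tag)


# Two things a node on the route might do: add a routing header (legitimate) or
# alter a parameter (the tampering the check exists to detect).
def add_routing_header(envelope_xml: str) -> str:
    return envelope_xml.replace("<soap:Header/>", "<soap:Header><Via>hop-1</Via></soap:Header>")


def alter_amount(envelope_xml: str, new_amount: str) -> str:
    return envelope_xml.replace("<Amount>50.00</Amount>", f"<Amount>{new_amount}</Amount>")


def demo() -> dict:
    tag = sign_request(REQUEST, SHARED_KEY)
    return {
        "original": verify_request(REQUEST, SHARED_KEY, tag),
        "rerouted": verify_request(add_routing_header(REQUEST), SHARED_KEY, tag),
        "reindented": verify_request(REQUEST.replace("\n", "\n\t"), SHARED_KEY, tag),
        "tampered": verify_request(alter_amount(REQUEST, "5000.00"), SHARED_KEY, tag),
        "wrong_key": verify_request(REQUEST, b"other-key", tag),
    }


if __name__ == "__main__":
    print(demo())
```

Only the Body is covered by the tag, so header changes made for routing pass while any edit to a parameter, or a tag computed with a different key, is rejected; in an assessment, the items listed as integrity-protected should be exactly those covered by the signature.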
V. Exception Handling
- SOAP Exceptions are thrown and returned to the client using the standard
- If application-level exception handling is required a custom SOAP extension is used.
- The Web service logs transactions and key operations.
- The URL Behavior property of the Web reference is set to dynamic for added flexibility.
- The endpoint address in Web Services Description Language (WSDL) is checked for validity.
- Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
- The Web service runs using a least-privileged process account.
- Debugging and Tracing are disabled.
- Identify directory traversal vulnerabilities.
- Assess the level of information disclosure from temporary files.