Posted to soap-user@ws.apache.org by Sean Machin <s_...@hotmail.com> on 2002/08/30 17:24:25 UTC

SOAP hack vulnerability

Hi SOAPers,

I am looking at a future project where we will collect data from a remote 
computer using SOAP.  We are concerned about hacking attacks.
If we do not provide a WSDL of the service, and disable the
servicemanagerclient / web interface as has been
previously discussed here, does that mean hackers would be unable
to determine we have a SOAP service running on a particular port?
What do people use in the real world for security when deploying SOAP?

Thanks if anyone can help,
Sean

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com


Re: SOAP hack vulnerability

Posted by Scott Nichol <sn...@scottnichol.com>.
Scanners can pretty easily find an exposed Apache SOAP implementation if you
use the standard /soap path: a
GET /soap/servlet/rpcrouter will tell them "sorry, I don't understand GET"
or whatever the exact message is.  Of course, mapping to a path other than
/soap will prevent this easy detection.  Even if it is detected, of course,
the hacker would need to guess your method names, parameter names and types,
etc.

A few other considerations:

1. If your firewall does not do anything to abate DoS attacks, you are
susceptible to those.
2. If you know who your valid clients are, you can create filters/proxies on
your firewall.
3. If you are exchanging sensitive information, you may want to use SSL to
get encryption, and/or some kind of authentication, either SSL client
certificates or HTTP basic auth.

Scott Nichol

----- Original Message -----
From: "Sean Machin" <s_...@hotmail.com>
To: <so...@xml.apache.org>
Sent: Friday, August 30, 2002 11:24 AM
Subject: SOAP hack vulnerability


Hi SOAPers,

I am looking at a future project where we will collect data from a remote
computer using SOAP.  We are concerned about hacking attacks.
If we do not provide a WSDL of the service, and disable the
servicemanagerclient / web interface as has been
previously discussed here, does that mean hackers would be unable
to determine we have a SOAP service running on a particular port?
What do people use in the real world for security when deploying SOAP?

Thanks if anyone can help,
Sean



--
To unsubscribe, e-mail:   <ma...@xml.apache.org>
For additional commands, e-mail: <ma...@xml.apache.org>






RE: SOAP hack vulnerability

Posted by Anne Thomas Manes <an...@manes.net>.

> -----Original Message-----
> From: Steven J. Owens [mailto:puffmail@darksleep.com]
> Sent: Friday, August 30, 2002 10:29 PM
> To: soap-user@xml.apache.org
> Cc: puff@darksleep.com
> Subject: Re: SOAP hack vulnerability
> 
> 
>      I thought the JSSE supported using client certificates, though I
> haven't dug into this much.
> 

Yes, that's true, but what if the SOAP client isn't Java?





Re: SOAP hack vulnerability

Posted by "Steven J. Owens" <pu...@darksleep.com>.
On Fri, Aug 30, 2002 at 10:21:32PM -0400, Anne Thomas Manes wrote:
> You're quite right that you can use the certificate generated by SSL for
> authentication. This is called the Simple Public Key Mechanism (SPKM), which
> I mentioned in my original answer. 

     Whoops, silly me :-).  Sorry for pointing out the obvious.

> SSL makes no provision to support access control, though. You would
> need to implement an authentication mapping mechanism that could map
> the SPKM certificate to a known role within your access control
> system.

     From the context of the message, though, it sounded like he
wasn't looking at a complex situation where he'd need extensive
authorization.  I had the impression he had some sort of remote server
that he needs to hit with a SOAP request to collect information from,
periodically.

> Also -- you can't assume that the client of a Web service uses a
> browser, so you would need to have the SOAP client (or SOAP client
> runtime) obtain the certificate.

     I thought the JSSE supported using client certificates, though I
haven't dug into this much.

     Thanks for the clarification.

Steven J. Owens
puff@darksleep.com

"I'm going to make broad, sweeping generalizations and strong,
 declarative statements, because otherwise I'll be here all night and
 this document will be four times longer and much less fun to read.
 Take it all with a grain of salt." - Me


RE: SOAP hack vulnerability

Posted by Anne Thomas Manes <an...@manes.net>.
Steven,

You're quite right that you can use the certificate generated by SSL for
authentication. This is called the Simple Public Key Mechanism (SPKM), which
I mentioned in my original answer. SSL makes no provision to support access
control, though. You would need to implement an authentication mapping
mechanism that could map the SPKM certificate to a known role within your
access control system. Also -- you can't assume that the client of a Web
service uses a browser, so you would need to have the SOAP client (or SOAP
client runtime) obtain the certificate.

Best regards,
Anne

> -----Original Message-----
> From: Steven J. Owens [mailto:puffmail@darksleep.com]
> Sent: Friday, August 30, 2002 9:34 PM
> To: soap-user@xml.apache.org
> Subject: Re: SOAP hack vulnerability
>
>
> On Fri, Aug 30, 2002 at 07:16:12PM -0400, Anne Thomas Manes wrote:
> > SSL provides data integrity and data confidentiality
> protection. It does not
> > necessarily prevent unauthorized users from accessing the
> service. I think
> > Sean is more concerned with access control.
>
>      SSL can be used to provide access control.  There are provisions
> in SSL for generating specific key certificates that a user installs
> in their browser, to access an access-controlled SSL server.  I
> suspect this could be applied to Sean's problem.
>
>      Another possibility Sean might consider is using some form of ssh
> tunneling, which would be quite similar to using SSL.  Depends on where
> he wants to implement the security.
>
> Steven J. Owens
> puff@darksleep.com
>
> "I'm going to make broad, sweeping generalizations and strong,
>  declarative statements, because otherwise I'll be here all night and
>  this document will be four times longer and much less fun to read.
>  Take it all with a grain of salt." - Me
>
>





Re: SOAP hack vulnerability

Posted by "Steven J. Owens" <pu...@darksleep.com>.
On Fri, Aug 30, 2002 at 07:16:12PM -0400, Anne Thomas Manes wrote:
> SSL provides data integrity and data confidentiality protection. It does not
> necessarily prevent unauthorized users from accessing the service. I think
> Sean is more concerned with access control.

     SSL can be used to provide access control.  There are provisions
in SSL for generating specific key certificates that a user installs
in their browser, to access an access-controlled SSL server.  I
suspect this could be applied to Sean's problem.

     Another possibility Sean might consider is using some form of ssh
tunneling, which would be quite similar to using SSL.  Depends on where
he wants to implement the security. 

Steven J. Owens
puff@darksleep.com

"I'm going to make broad, sweeping generalizations and strong,
 declarative statements, because otherwise I'll be here all night and
 this document will be four times longer and much less fun to read.
 Take it all with a grain of salt." - Me


RE: SOAP hack vulnerability

Posted by DAniel Allen <da...@nist.gov>.
	SSL with client authentication most certainly qualifies as a
	mechanism for identifying who is using your service. How you
	limit access based on this information is server/service
	specific.

	Dan

-----Original Message-----
From: Anne Thomas Manes [mailto:anne@manes.net]
Sent: Friday, August 30, 2002 7:16 PM
To: soap-user@xml.apache.org
Subject: RE: SOAP hack vulnerability


SSL provides data integrity and data confidentiality protection. It does not
necessarily prevent unauthorized users from accessing the service. I think
Sean is more concerned with access control.

I wouldn't rely on lack of available information as my primary enforcement
of access control. If you want to ensure that unauthorized users don't use
your services, then you need to provide a mechanism for users to
authenticate themselves, and then on each call you need to verify that
identity and check to see if he/she is authorized to access the service.

There are many different mechanisms available for authentication, such as
HTTP Basic, HTTP Digest, SPKM, LDAP, and Kerberos. You might accept an
authentication token such as an X.509 certificate, a Kerberos ticket, a SAML
authentication assertion, or an XML signature. You might implement a signon
challenge service, and require all users to sign in before allowing any
access to your service.

You need to determine what authentication mechanism you want to use, then
you need to figure out how to securely relay the authentication information
in your SOAP messages. (It could be passed in the HTTP header, in a cookie,
the SOAP header, the SOAP body, etc.) You probably want to encrypt the
authentication information (SSL will do, or you might want to use XML
encryption).

Finally, you need to intercept all calls coming into your server and check
the authentication against your access control list.

The WS-Security specification being standardized at OASIS
(https://www.oasis-open.org/committees/wss/) defines a standard SOAP
extension that allows you to pass authentication information in a SOAP
header. It also defines how to digitally sign all or part of your SOAP
message, and it specifies how to provide information for finding the
encryption/decryption keys needed to interpret signed data.

For more information on Web services security, please see:
http://www.systinet.com/doc/wasp_jserver/webServicesSecurity/introduction.html#webServicesSecurity.introduction.secureMessaging

Anne

> -----Original Message-----
> From: Prasad Badkas [mailto:prasadb@mahindrabt.com]
> Sent: Friday, August 30, 2002 11:43 AM
> To: soap-user@xml.apache.org
> Subject: Re: SOAP hack vulnerability
>
>
> Sean
>
> Did you try using SSL?
>
> Prasad
>
> Sean Machin wrote:
>
> > Hi SOAPers,
> >
> > I am looking at a future project where we will collect data
> from a remote
> > computer using SOAP.  We are concerned about hacking attacks.
> > If we do not provide a WSDL of the service, and disable the
> > servicemanagerclient / web interface as has been
> > previously discussed here, does that mean hackers would be unable
> > to determine we have a SOAP service running on a particular port?
> > What do people use in the real world for security when deploying SOAP?
> >
> > Thanks if anyone can help,
> > Sean
> >


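
The mapping step Anne refers to above (an SSL client certificate is only an identity; something has to map that identity to a role) together with Dan's point that how you limit access on that identity is service-specific, as an added example. This is not code from the thread or from Apache SOAP. It works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns once the handshake has run with verify_mode = ssl.CERT_REQUIRED, so the chain and signature have already been checked by the TLS layer; this code only decides what the verified identity may call. The issuer DN, subject CNs, operation names and ACL are constructed assumptions.

```python
"""Mapping a verified SSL client certificate to a role and an allow-list.

Added example, not code from the thread or from Apache SOAP. It works on
the dictionary Python's ssl.SSLSocket.getpeercert() returns once the
handshake has run with verify_mode = ssl.CERT_REQUIRED, so the chain and
signature are already checked; this code decides what the verified identity
may call. The issuer DN, subject CNs, operations and ACL are constructed
assumptions.
"""
import ssl
import time

# Assumption: the private CA that issues the collector's client certificates.
TRUSTED_ISSUER = {"countryName": "US", "organizationName": "Example Corp",
                  "commonName": "Example Collector CA"}

# Assumption: subject -> role, keyed by (issuer CN, subject CN) so that a
# certificate with the same CN from another CA never matches.
ROLE_OF = {("Example Collector CA", "collector-01"): "reader",
           ("Example Collector CA", "ops-console"): "admin"}
ALLOWED = {"reader": {"getReadings"},
           "admin": {"getReadings", "resetDevice"}}


def _dn(rdns):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def role_for_peer(peercert, now=None):
    """Role for a verified peer certificate dict, or None if it gets nothing."""
    if not peercert:                      # {} means no client certificate
        return None
    issuer = _dn(peercert.get("issuer", ()))
    subject = _dn(peercert.get("subject", ()))
    # Pin the issuer explicitly: trusting every CA in the store means any
    # customer of a public CA could obtain a "collector-01" certificate.
    if any(issuer.get(k) != v for k, v in TRUSTED_ISSUER.items()):
        return None
    # Validity is checked at handshake, but long-lived connections should
    # re-check it per call.
    now = time.time() if now is None else now
    if now >= ssl.cert_time_to_seconds(peercert["notAfter"]):
        return None
    return ROLE_OF.get((issuer["commonName"], subject.get("commonName")))


def may_call(peercert, operation, now=None):
    """Per-call check: does this peer's role include the operation?"""
    role = role_for_peer(peercert, now)
    return role is not None and operation in ALLOWED[role]


# Constructed sample in the exact layout getpeercert() uses.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "collector-01"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Corp"),),
               (("commonName", "Example Collector CA"),)),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2002 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
```

The server side of the socket is set up with an SSLContext whose verify_mode is ssl.CERT_REQUIRED and whose load_verify_locations() points only at the private CA; may_call() then runs for every SOAP call, not once per connection, so a revoked or expired identity loses access without waiting for a reconnect. The issuer pin is the part most often forgotten: a role table keyed on the CN alone is only as strong as the least careful CA in the trust store.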




RE: SOAP hack vulnerability

Posted by Anne Thomas Manes <an...@manes.net>.
SSL provides data integrity and data confidentiality protection. It does not
necessarily prevent unauthorized users from accessing the service. I think
Sean is more concerned with access control.

I wouldn't rely on lack of available information as my primary enforcement
of access control. If you want to ensure that unauthorized users don't use
your services, then you need to provide a mechanism for users to
authenticate themselves, and then on each call you need to verify that
identity and check to see if he/she is authorized to access the service.

There are many different mechanisms available for authentication, such as
HTTP Basic, HTTP Digest, SPKM, LDAP, and Kerberos. You might accept an
authentication token such as an X.509 certificate, a Kerberos ticket, a SAML
authentication assertion, or an XML signature. You might implement a signon
challenge service, and require all users to sign in before allowing any
access to your service.

You need to determine what authentication mechanism you want to use, then
you need to figure out how to securely relay the authentication information
in your SOAP messages. (It could be passed in the HTTP header, in a cookie,
the SOAP header, the SOAP body, etc.) You probably want to encrypt the
authentication information (SSL will do, or you might want to use XML
encryption).

Finally, you need to intercept all calls coming into your server and check
the authentication against your access control list.

The WS-Security specification being standardized at OASIS
(https://www.oasis-open.org/committees/wss/) defines a standard SOAP
extension that allows you to pass authentication information in a SOAP
header. It also defines how to digitally sign all or part of your SOAP
message, and it specifies how to provide information for finding the
encryption/decryption keys needed to interpret signed data.

For more information on Web services security, please see:
http://www.systinet.com/doc/wasp_jserver/webServicesSecurity/introduction.ht
ml#webServicesSecurity.introduction.secureMessaging

Anne

> -----Original Message-----
> From: Prasad Badkas [mailto:prasadb@mahindrabt.com]
> Sent: Friday, August 30, 2002 11:43 AM
> To: soap-user@xml.apache.org
> Subject: Re: SOAP hack vulnerability
>
>
> Sean
>
> Did you try using SSL?
>
> Prasad
>
> Sean Machin wrote:
>
> > Hi SOAPers,
> >
> > I am looking at a future project where we will collect data
> from a remote
> > computer using SOAP.  We are concerned about hacking attacks.
> > If we do not provide a WSDL of the service, and disable the
> > servicemanagerclient / web interface as has been
> > previously discussed here, does that mean hackers would be unable
> > to determine we have a SOAP service running on a particular port?
> > What do people use in the real world for security when deploying SOAP?
> >
> > Thanks if anyone can help,
> > Sean
> >
>


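
The procedure Anne lays out above (carry the authentication information in a SOAP header, intercept every incoming call, verify the identity, then check it against an access control list), as an added example that is not part of the thread or of Apache SOAP. It uses the WS-Security UsernameToken she mentions, in its password-digest form, and shows both the client that builds the envelope and the server-side interceptor that checks it. The digest formula is the one the OASIS WSS UsernameToken Profile specifies; the service namespace, operation names, user table and ACL are constructed assumptions for the example.

```python
"""WS-Security UsernameToken carried in a SOAP header, client and server side.

Added example, not code from the thread or from Apache SOAP. The digest
formula is the one the OASIS WSS UsernameToken Profile specifies:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
The service namespace, operation names, user table and ACL are constructed
assumptions for the example.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
SVC_NS = "urn:example:collector"          # assumption
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample data: who exists, and who may call which operation.
USERS = {"collector1": "correct horse battery staple"}
ACL = {"getReadings": {"collector1"}, "resetDevice": set()}


def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(user, password, operation):
    """Client side: a request whose Security header carries a digest token."""
    nonce = base64.b64encode(os.urandom(16)).decode()
    created = datetime.now(timezone.utc).strftime(TIME_FMT)
    digest = password_digest(nonce, created, password)
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}">
  <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"
                   SOAP-ENV:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body><ns:{operation} xmlns:ns="{SVC_NS}"/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


class Interceptor:
    """Server side: runs in front of every call, before any dispatch."""

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew
        self.seen_nonces = set()   # replay cache; expire entries older than max_skew in real use

    def authorize(self, envelope_xml):
        """Return (allowed, reason). Dispatch the call only on True."""
        root = ET.fromstring(envelope_xml)
        tok = root.find(f".//{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE_NS}}}Username")
        pw = tok.find(f"{{{WSSE_NS}}}Password")
        nonce = tok.findtext(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not (nonce and created):
            return False, "plaintext or incomplete token"
        # Freshness and replay: a captured request must not work twice.
        ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(datetime.now(timezone.utc) - ts) > self.max_skew:
            return False, "stale Created"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        # Authentication: recompute the digest from the stored secret.
        secret = USERS.get(user)
        if secret is None or not hmac.compare_digest(
                pw.text or "", password_digest(nonce, created, secret)):
            return False, "bad credentials"
        self.seen_nonces.add(nonce)
        # Authorization: the Body's first child names the operation.
        body = root.find(f"{{{SOAP_NS}}}Body")
        op = list(body)[0].tag.rsplit("}", 1)[-1] if body is not None and len(body) else ""
        if user not in ACL.get(op, set()):
            return False, f"{user} not allowed to call {op}"
        return True, f"{user} -> {op}"
```

The digest form keeps the password itself off the wire, but the server still has to hold something it can recompute the digest from, and the nonce and timestamp only bound replay; neither gives confidentiality or integrity to the rest of the message. That is why Anne's advice to run this over SSL (or to add XML Encryption and a signature over the header and body) still applies when the token is a digest.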



Re: SOAP hack vulnerability

Posted by Prasad Badkas <pr...@mahindrabt.com>.
Sean

Did you try using SSL?

Prasad

Sean Machin wrote:

> Hi SOAPers,
>
> I am looking at a future project where we will collect data from a remote
> computer using SOAP.  We are concerned about hacking attacks.
> If we do not provide a WSDL of the service, and disable the
> servicemanagerclient / web interface as has been
> previously discussed here, does that mean hackers would be unable
> to determine we have a SOAP service running on a particular port?
> What do people use in the real world for security when deploying SOAP?
>
> Thanks if anyone can help,
> Sean
>



RE: SOAP hack vulnerability

Posted by Erich Izdepski <ei...@cysive.com>.
Hiding something does not provide security. Port scanning software can find
your server process. An ambitious scanner would try various requests against
it to try and get a response which would better identify the type of process
running. For Apache, if you execute a GET request against it, it will
respond, clearly identifying it as a SOAP server. You will need to change
this in the RPC router servlet.

You can apply varying degrees of access control to your web service. HTTP
basic authentication (weak), and client authentication via digital
certificates (that's what I'd do) are readily available (you can encrypt the
data, too). Only accepting connections from specific IP addresses is pretty
good, too. These schemes do not guarantee you are protected against all
types of attacks. A denial of service attack would still work.

In general, you must identify the risk and look at the cost to protect
against various types of attack. At some point, it is not worth the cost.

Erich Izdepski
Senior Software Engineer
Cysive, Inc.


-----Original Message-----
From: Sean Machin [mailto:s_machin@hotmail.com]
Sent: Friday, August 30, 2002 11:24 AM
To: soap-user@xml.apache.org
Subject: SOAP hack vulnerability


Hi SOAPers,

I am looking at a future project where we will collect data from a remote
computer using SOAP.  We are concerned about hacking attacks.
If we do not provide a WSDL of the service, and disable the
servicemanagerclient / web interface as has been
previously discussed here, does that mean hackers would be unable
to determine we have a SOAP service running on a particular port?
What do people use in the real world for security when deploying SOAP?

Thanks if anyone can help,
Sean

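
What the scanner Erich and Scott describe actually does, and why moving the router off /soap only lengthens its wordlist, as an added example that is not part of the thread or of Apache SOAP. A stand-in server, constructed here so the example runs offline, is mounted at a non-standard path; it answers GET with a "use POST" note, as SOAP routers typically do, and answers any POST with a SOAP Fault. The probe classifies each candidate path from those two replies. The GET text, the mount path and the wordlist are assumptions, not Apache SOAP's own strings. Point it only at deployments you own.

```python
"""What a scanner does to find a SOAP router, and why an unusual path only
lengthens its wordlist.

Added example, not code from the thread or from Apache SOAP. A stand-in
server (constructed here) is mounted at a non-standard path; it answers GET
with a 'use POST' note, as SOAP routers typically do, and answers any POST
with a SOAP Fault. The probe classifies each candidate path from those two
replies. The GET text, the mount path and the wordlist are assumptions,
not Apache SOAP's own strings. Run it against your own deployment only.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MOUNT = "/data/servlet/rpcrouter"        # assumption: the "hidden" path

SOAP_FAULT = (b'<SOAP-ENV:Envelope xmlns:SOAP-ENV='
              b'"http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
              b'<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>'
              b'<faultstring>Bad request</faultstring></SOAP-ENV:Fault>'
              b'</SOAP-ENV:Body></SOAP-ENV:Envelope>')


class FakeRouter(BaseHTTPRequestHandler):
    """Stand-in for a SOAP RPC router mounted at MOUNT."""

    def log_message(self, *args):        # keep the example quiet
        pass

    def _send(self, code, ctype, body):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path != MOUNT:
            return self._send(404, "text/plain", b"not found")
        self._send(200, "text/plain", b"This endpoint only accepts HTTP POST")

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path != MOUNT:
            return self._send(404, "text/plain", b"not found")
        self._send(500, "text/xml", SOAP_FAULT)  # junk POST -> SOAP Fault


def start_fake_router():
    srv = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _request(host, port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def probe(host, port, path):
    """Classify one path: 'soap', 'something' (exists, not SOAP) or None."""
    status, _ = _request(host, port, "GET", path)
    if status == 404:
        return None
    # The real tell: a SOAP router answers a junk POST with a Fault envelope,
    # whatever its GET message says and wherever it is mounted.
    _, body = _request(host, port, "POST", path, body=b"<junk/>",
                       headers={"Content-Type": "text/xml", "SOAPAction": '""'})
    if b"Envelope" in body and b"Fault" in body:
        return "soap"
    return "something"


# Assumption: a tiny wordlist; real scanners carry thousands of entries.
WORDLIST = ["/soap/servlet/rpcrouter", "/axis/servlet/AxisServlet",
            "/services", "/ws/servlet/rpcrouter", "/data/servlet/rpcrouter"]


def scan(host, port, wordlist=WORDLIST):
    """Map each path that exists to its classification."""
    found = {}
    for path in wordlist:
        kind = probe(host, port, path)
        if kind:
            found[path] = kind
    return found


if __name__ == "__main__":
    srv = start_fake_router()
    print(scan(*srv.server_address))      # {'/data/servlet/rpcrouter': 'soap'}
    srv.shutdown()
```

Changing the GET message, as Erich suggests, removes only the first signal; the Fault envelope on a malformed POST is what any SOAP router returns by construction, so a scanner that sends one junk POST per wordlist entry still finds the service. That is the practical reason the rest of the thread moves from hiding the endpoint to authenticating its callers.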

