Posted to java-user@axis.apache.org by Matthew Hannay <ma...@yahoo.com.au> on 2005/12/15 00:10:03 UTC

Cross Site Scripting and database injection via axis web services

I am looking at security issues with our web services before we go to production.

Has anyone got any good tips, suggestions or references on how to prevent cross site scripting through web services, especially web services with attachments?

What experiences have people had with MIME/DIME and security risks?

I am looking at a filter chain to inspect the SOAP message for malicious scripting and SQL text.

The thing that concerns me is that although we are using basic authentication over ssh, and only open up our firewalls to trusted clients, I cannot be sure that our clients' databases have not been injected with scripting which then finds its way into the web service SOAP contents and then into our database.

Am I being overly paranoid, or are these valid concerns?

Would the filters be something useful to contribute back to the Axis project and have as a configurable item that Axis users could turn on and extend if they wish?

Matt


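The inspection handler the post describes, as an added example that is not from the original thread or the Axis project: an Axis 1.x request-flow handler that rejects messages whose body contains markup or SQL fragments the service never expects, and enforces a count, size and content-type policy on MIME/DIME attachments. The class name, limits and patterns are assumptions chosen for illustration; the body check is defence in depth only, since parameterized SQL and output encoding downstream are what actually stop injection and XSS.

```java
// Added example: Axis 1.x handler that inspects inbound SOAP requests.
// Class name, limits and patterns are assumptions, not project code.
package example.security;

import java.util.Iterator;
import java.util.regex.Pattern;
import org.apache.axis.AxisFault;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.attachments.AttachmentPart;
import org.apache.axis.attachments.Attachments;
import org.apache.axis.handlers.BasicHandler;

public class SoapInspectionHandler extends BasicHandler {
    private static final int MAX_ATTACHMENTS = 2;             // assumed policy
    private static final int MAX_ATTACHMENT_BYTES = 1 << 20;  // 1 MiB, assumed
    private static final String[] ALLOWED_TYPES = { "application/pdf", "image/png" };
    // Script markup and SQL comment/terminator sequences that have no place
    // in this service's text fields. A blacklist catches only the obvious;
    // parameterized queries and output encoding remain the real fix.
    private static final Pattern SUSPICIOUS = Pattern.compile(
        "(?i)<\\s*script|javascript:|\\bon\\w+\\s*=|--\\s|/\\*|;\\s*(drop|delete|insert|update)\\b");

    public void invoke(MessageContext msgContext) throws AxisFault {
        Message request = msgContext.getRequestMessage();
        if (request == null) return;
        try {
            // 1. SOAP body: serialize the first body element and scan its text.
            String body = request.getSOAPEnvelope().getFirstBody().getAsString();
            if (SUSPICIOUS.matcher(body).find()) {
                throw new AxisFault("Request rejected: body contains disallowed content");
            }
            // 2. Attachments: enforce count, size and content-type limits.
            Attachments att = request.getAttachmentsImpl();
            if (att != null) {
                if (att.getAttachmentCount() > MAX_ATTACHMENTS) {
                    throw new AxisFault("Request rejected: too many attachments");
                }
                for (Iterator it = att.getAttachments().iterator(); it.hasNext();) {
                    AttachmentPart part = (AttachmentPart) it.next();
                    if (part.getSize() > MAX_ATTACHMENT_BYTES || !allowed(part.getContentType())) {
                        throw new AxisFault("Request rejected: attachment violates policy");
                    }
                }
            }
        } catch (AxisFault f) {
            throw f;                      // keep our own fault message
        } catch (Exception e) {
            throw AxisFault.makeFault(e); // serialization or SAAJ errors
        }
    }

    private static boolean allowed(String contentType) {
        if (contentType == null) return false;
        String base = contentType.split(";")[0].trim().toLowerCase();
        for (int i = 0; i < ALLOWED_TYPES.length; i++) {
            if (ALLOWED_TYPES[i].equals(base)) return true;
        }
        return false;
    }
}
```

Register the class as a `<handler>` and reference it from the service's `<requestFlow>` in the WSDD so it runs before the target service; rejected requests return a SOAP fault, which is also the place to log the client identity for detection.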

Re: Cross Site Scripting and database injection via axis web services

Posted by Matthew Hannay <ma...@yahoo.com.au>.
Note where I said ssh I meant SSL!!
