This session describes a systematic vulnerability assessment performed on the Web Services of a bank. The identity of the bank is not revealed.
The tests were performed in the context of compliance with Requirement 6 of the Payment Card Industry Data Security Standard (PCI DSS), "Develop and maintain secure systems and applications". This requires that application code be reviewed for security vulnerabilities, and also recommends that a shielding layer (an application-layer firewall) be placed in front of the applications.
The session starts with a description of the business purpose of the bank's Web Services. The tests were performed "blind", so over the course of the session we discover the physical architecture and make-up of the Web Services that deliver the business value to the bank. Some of the information about the bank's systems was obtained from the output of vulnerability probes, such as stack traces leaked in error responses.
The taxonomy of tests is described, explaining how they fit into overall vulnerability assessment taxonomies. The battery of security tests is intended to be re-usable by the attendees in their own organizations. The tests span XML content attack vectors, XML structural attacks, SOAP attacks, attacks which make use of SOAP attachments, and attacks against REST-style interfaces.
The assessment turned up a number of vulnerabilities. These include malicious data being "smuggled" inside the XML by covert-channel techniques, such as wrapping a payload in a CDATA section so that it reaches the application as unparsed character data and is not inspected by markup-level filters. A SQL Injection attack was also discovered. The discovered vulnerabilities are described.
The session also explains how the bank's attempt to apply preventive security measures, such as SSL and XML Schema validation, actually provided a false sense of security: transport encryption does nothing about the content of a request, and a schema that types a field as a string accepts any injection payload, so the measures in fact introduced a number of security vulnerabilities of their own.
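The two findings above (smuggled content and SQL injection) share one root cause: checks are applied to the wire bytes or to the schema type, not to the decoded value the application actually consumes. The following is an added illustration, not code from the session or from the bank's systems. It uses constructed request bodies, a hypothetical accounts table, and Python's standard-library XML parser and SQLite; the patterns, element names and table are assumptions for the demonstration only.

```python
"""Wire-level pattern matching and string-typed schema fields both miss
encoded payloads; the decoded value must be checked, and the SQL layer
must be parameterised regardless."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample requests (assumptions, not from the assessment): the
# same attacker value for <id> written three ways. Any XML parser decodes
# them identically, and a schema typing <id> as xs:string accepts all three.
REQUESTS = {
    "plain":   "<getAccount><id>' OR 1=1 --</id></getAccount>",
    "cdata":   "<getAccount><id><![CDATA[' OR 1=1 --]]></id></getAccount>",
    "charref": "<getAccount><id>&#39;&#32;OR&#32;1=1&#32;--</id></getAccount>",
}

# Markup smuggling: a wire filter that looks for the escaped form of a tag
# never sees the CDATA variant, yet both decode to the same <script> text.
MARKUP = {
    "escaped": "<note><body>&lt;script&gt;alert(1)&lt;/script&gt;</body></note>",
    "cdata":   "<note><body><![CDATA[<script>alert(1)</script>]]></body></note>",
}

NAIVE_SQLI_RE = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)
NAIVE_MARKUP_RE = re.compile(r"&lt;script", re.IGNORECASE)   # escaped form only
PARSED_MARKUP_RE = re.compile(r"<script", re.IGNORECASE)     # decoded form


def naive_wire_filter(xml_text: str, pattern: re.Pattern) -> bool:
    """Signature check on the raw request text. True means 'blocked'."""
    return pattern.search(xml_text) is not None


def parsed_text(xml_text: str, tag: str) -> str:
    """What the application actually receives: the decoded element text."""
    return ET.fromstring(xml_text).findtext(tag) or ""


def parsed_value_filter(value: str, pattern: re.Pattern) -> bool:
    """Same signature, applied after XML decoding (CDATA and char refs resolved)."""
    return pattern.search(value) is not None


def make_db() -> sqlite3.Connection:
    """Hypothetical in-memory accounts table used only for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("A1001", "alice"), ("B2002", "bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """String concatenation: the decoded <id> becomes part of the SQL text."""
    sql = f"SELECT owner FROM accounts WHERE id = '{account_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    """Bound parameter: the value can never alter the statement's structure."""
    return [row[0] for row in conn.execute(
        "SELECT owner FROM accounts WHERE id = ?", (account_id,))]


def demo() -> dict:
    conn = make_db()
    injected_id = parsed_text(REQUESTS["charref"], "id")
    return {
        "wire_sqli": {k: naive_wire_filter(v, NAIVE_SQLI_RE) for k, v in REQUESTS.items()},
        "parsed_sqli": {k: parsed_value_filter(parsed_text(v, "id"), NAIVE_SQLI_RE)
                        for k, v in REQUESTS.items()},
        "decoded_ids": {k: parsed_text(v, "id") for k, v in REQUESTS.items()},
        "wire_markup": {k: naive_wire_filter(v, NAIVE_MARKUP_RE) for k, v in MARKUP.items()},
        "parsed_markup": {k: parsed_value_filter(parsed_text(v, "body"), PARSED_MARKUP_RE)
                          for k, v in MARKUP.items()},
        "decoded_bodies": {k: parsed_text(v, "body") for k, v in MARKUP.items()},
        "vulnerable_rows": lookup_vulnerable(conn, injected_id),
        "safe_rows": lookup_safe(conn, injected_id),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The raw-text SQL signature blocks the plain and CDATA requests but misses the character-reference one; the raw-text markup signature misses the CDATA request entirely; after parsing, every variant collapses to the same string and is caught. The vulnerable lookup returns every account for the injected id, and the parameterised lookup returns none, which is the only outcome a schema or a filter should be relied on to back up, not to replace.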
The session ends with recommendations for blocking the vulnerabilities which are discussed. A recommendation is provided to include protection against Web Services security vulnerabilities within the overall security framework, rather than treating Web Services security as an "island". Following the session, the attendees will be able to assess their own Web Services applications for security, or "ask the right questions" of their organization's developers about the security measures they are applying in their Web Services applications, including XML, SOAP, and REST-style Web Services.
As Chief Technical Officer at Vordel, Mark oversees the development of Vordel’s technical strategy and product development in the areas of XML and security. Mark is also a member of the OASIS Security Services Technical Committee and an advisor to the XML.org industry newsletter.
He regularly presents at industry seminars on the security issues affecting Web Services and has been published in several leading industry publications, including Web Services Journal, XML Journal, ComputerWeekly (UK) and the Identrus eTrend quarterly. Mark is also the author of the book "Web Services Security", published by Osborne/McGraw-Hill in January 2003, and a contributing author to "Hardening Network Security", also published by Osborne/McGraw-Hill.
Prior to Vordel, Mark designed and implemented EDI-over-Internet solutions for Ireland’s largest EDI Value-Added Network. He then formed a software development company, developing security solutions for blue-chip clients including Sony Europe, Intel, Royal & SunAlliance, AXA Group, the Irish Government, and Critical Path. Mark holds a double-honors degree in Mathematics and Psychology from Trinity College Dublin and studied neural network modelling at Oxford University.
Some Recent Speaking Engagements Include:
Location: RSA 2006, San Jose. Topics: Security for REST Web Services; Ten Web Services Security Case Studies
Location: XML 2005, Atlanta
Location: RSA 2005, San Francisco. Topic: Mapping Security to a Service Oriented Architecture
Location: Integration 2004, Paris. Topic: Mapping Security to a Service Oriented Architecture
Location: XML 2004, Washington. Topics: Securing XML – Case Studies from the Financial Services Industry; XML and Web Services Security
Location: CISO Summit 2004, Geneva
Location: Netsec 2004, San Francisco. Topic: Creating Watertight Applications Using Web Services
Location: ISS World 2004, Washington. Topic: Web Services Security