This is my second post on “scary web services”. The first one was focused on how web services
can be daunting to testers. My intent
with this post is to offer a view from the defensive, on why those who host web
services in their company should find them “scary”, by outlining a few of the more common
vulnerabilities with them.
information found in web services. Web services
have grown to be very common for core business functions, especially those that
might be used across several different applications. A prime example is that of retrieving and
updating customer data. This type of
functionality is something that often makes sense to put into a web service so that
all the different applications that might need to can access it in a standard,
access some of your most sensitive data, and that the web service must go through proper authentication and authorization controls to access said
data. Why is it, then, that the web
service itself may be any less protected? Poor or non-existent authentication controls
are probably the number one problem with web services. One excuse I have heard on a number of
occasions: “well that’s only available internally and you would have to know
how to find it.” The level of
protection should be relative to the type of data on the other end, not how
well hidden you think it is.
lack of monitoring. I don’t understand
the logic behind not monitoring a web service – especially one with access to
critical data or functions. Since
account lockouts tend to be impractical for such web services, detective
controls may be the only reasonable defense against dictionary or brute force
encryption. Although you may not be too concerned
about a man-in-the middle attack on your internal network, you may be required
to encrypt the data in transit if it falls under any regulatory requirements
such as those related to PCI or HIPAA.
This has sometimes fallen into a gray area in the past but that probably
won’t be the case in the future.
your own web services. They may access
some of your core data or functions without proper authentication and they may
not be monitored to detect an ongoing attack.
And if you are in an industry that’s under regulatory scrutiny, your web
services may be required to use encryption. If you are running web service then make sure you do not fall trap to these three common problems.
you are in need of a penetration test or other security consulting services you
can contact him at firstname.lastname@example.org or visit the Secure
Ideas – Professionally Evil site for services provided.