SOAP (Simple Object Access Protocol) is an XML (Extensible Markup Language)-based messaging protocol for exchanging information among computers.
- SOAP is a communication protocol designed to communicate via the Internet.
- SOAP can extend HTTP for XML messaging.
- SOAP provides data transport for Web services.
- SOAP can exchange complete documents or call a remote procedure.
- SOAP can be used for broadcasting a message.
- SOAP is platform- and language-independent.
- SOAP is the XML way of defining what information is sent and how.
- SOAP enables client applications to easily connect to remote services and invoke remote methods.
Although SOAP can be used in a variety of messaging systems and can be delivered
via a variety of transport protocols, the initial focus of SOAP is remote
procedure calls transported via HTTP.
SOAP provides a way to communicate between applications running on
different operating systems, with different technologies and programming
languages.
SOAP is a messaging protocol, meaning that SOAP security is primarily
concerned with preventing unauthorized access to these messages and to users'
information.
SOAP messages are secured by XML Digital Signature for integrity, by XML Encryption for confidentiality, and by security tokens for credential propagation.
WS (Web Standards) Security is a set of principles that regulate the
confidentiality and authentication procedures for SOAP messaging.
SOAP Message Structure:
Whenever a client application calls a method in the web service, the web service automatically generates a SOAP message that carries the details of the data to be sent from the web service to the client application.
A simple SOAP message has the following elements:
- The Envelope element
- The Header element
- The Body element
- The Fault element (optional)
The SOAP message is nothing but an XML document with the following components:
- An Envelope element that identifies the XML document as a SOAP message and encapsulates all the details in the message. This is the root element of the SOAP message.
- A Header element that can contain information such as authentication credentials, which can be used by the calling application. It can also contain the definition of complex types used in the SOAP message.
- A Body element that contains the call and response information, that is, the actual data which needs to be sent between the web service and the calling application.
- A Fault element. When a request is made to a SOAP web service, the response returned can take one of two forms: a successful response or an error response. When the call succeeds, the response from the server is always a SOAP message. If a SOAP fault is generated, it is returned as an "HTTP 500" error.
Common SOAP Security Risks
There are many different kinds of cyber security vulnerabilities and
attacks, and some are uniquely aimed at APIs. A few of these are code
injections, DoS (Denial of Service), breached or leaked access/authorization,
XSS (Cross-site Scripting) and session hijacking.
Code Injections
Code injections, using SQL or, in the case of SOAP, XML, introduce
malicious code into the database or application itself. The only way to prevent
these is with careful access control.
Breached or Leaked Access/Authorization
The majority of attacks, including code injections, start with breached
or leaked access. Making sure SOAP messages get revealed only to the correct
user is one important part of SOAP security.
DoS
A Denial of Service, or Distributed Denial of Service (DDoS) attack
overwhelms and disrupts a web service with messages that are too many or too
long. SOAP security includes measures that can make DoS attacks impossible
by limiting the length and volume of messages.
XSS
Cross-site scripting is another form of code injection, but more specifically
it occurs when someone injects malicious browser-side script into the web site
through the web application.
Session Hijacking
Session hijacking is another failure of access control. It occurs when an
unauthorized user obtains a valid session ID. That user then has full access to the
application and/or to another user's account.
Building Secure Web Services
In order to create a secure SOAP web service, you need to add a security
layer through the SOAP header. A security credential is added to the SOAP header:
the username and password are added as variables, so that each time a SOAP message is
generated, these credentials are generated as part of the header. This
way, whenever the user calls the web service, the username and password are
required.
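The header-based credential described above, as an added example that is not from the original post: the client builds an Envelope whose Header carries a WS-Security UsernameToken, and the service extracts and checks it before looking at the Body. The credential store, the `urn:example:bank` namespace and the sample body are constructed for the demonstration.

```python
import hmac
import xml.etree.ElementTree as ET

# Namespaces for SOAP 1.1 and the WS-Security UsernameToken profile.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

def build_envelope(username, password, body_xml):
    """Client side: wrap body_xml in an Envelope whose Header carries a
    wsse:UsernameToken, so the credentials travel with every message."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    # The password travels in clear text inside the token, so the transport
    # carrying this envelope must itself be encrypted (TLS).
    ET.SubElement(token, f"{{{WSSE}}}Password").text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def verify_username_token(envelope_xml, credentials):
    """Server side: locate the UsernameToken in the Header and check it
    against a credential store (a constructed dict here). Returns the
    authenticated username, or None if the token is absent or wrong."""
    try:
        env = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    token = env.find(
        f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    secret = token.findtext(f"{{{WSSE}}}Password") or ""
    expected = credentials.get(user)
    # Constant-time comparison so a rejected password does not leak by timing.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return user

# Constructed credential store and sample request for the demonstration.
CREDENTIALS = {"alice": "s3cret-example"}
SAMPLE = build_envelope("alice", "s3cret-example",
                        '<GetBalance xmlns="urn:example:bank"><Account>42</Account></GetBalance>')
```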
The protections that SOAP can offer include regular testing, IAM
(Identity and Access Management), request monitoring, input validation and
redundant security standards.
Regular Testing - Various types of tests can be performed to
ensure that the API will stand up to any possible threats and to find any
vulnerabilities that attackers might exploit. These types of tests include fuzz
testing and injection testing, among others.
Fuzz testing can be used to determine how the API reacts to
unexpected input. Injection testing can be used to detect
vulnerabilities where an attacker might introduce malicious code.
Identity and Access Management - It is one
of the most basic and essential aspects of cyber security. It involves
everything from passwords and usernames to advanced authentication techniques.
IAM prevents unauthorized users from accessing the application at the
wrong time or stealing another user’s session token and hijacking the
session.
Request Monitoring - Monitoring requests and SOAP messaging for any abnormalities
is another important part of security.
Request monitoring makes it much more likely that vulnerabilities or data
leaks can be resolved quickly. In order to monitor requests, a logging
system is required that can be checked on a regular basis for any
irregularities.
Input Validation - There are two aspects of input validation for SOAP:
Schema compliance validation and SOAP response validation.
Schema compliance validation ensures that the message is in accordance
with XML schema and the WSDL (Web Service Description Language).
SOAP response validation ensures that the response to your message is in
the correct format.
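Both halves of input validation, plus the message-length cap from the DoS section and the success-or-Fault distinction from the message structure section, as an added example that is not part of the original post: `validate_request` checks an incoming request against the operations a WSDL would define, and `classify_response` checks that a reply is either the expected `<Operation>Response` or a `soap:Fault`. The allowed-operation set, the `urn:example:bank` namespace and the sample messages are constructed stand-ins for a real WSDL and real traffic.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed stand-in for the WSDL: (namespace, element) of each exposed operation.
ALLOWED_OPERATIONS = {("urn:example:bank", "GetBalance"), ("urn:example:bank", "Transfer")}
MAX_MESSAGE_BYTES = 64 * 1024  # the message-length cap from the DoS section

def split_tag(tag):
    """'{ns}local' -> (ns, local); an unqualified tag gives ns ''."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def validate_request(raw):
    """Schema-compliance checks on a raw request (str or bytes).
    Returns (operation_name, None) if acceptable, else (None, reason)."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return None, "message exceeds size limit"
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as exc:
        return None, f"not well-formed XML: {exc}"
    if split_tag(env.tag) != (SOAP, "Envelope"):
        return None, "root element is not a SOAP Envelope"
    body = env.find(f"{{{SOAP}}}Body")
    if body is None or len(body) != 1:
        return None, "Body must contain exactly one operation element"
    op = split_tag(body[0].tag)
    if op not in ALLOWED_OPERATIONS:
        return None, f"operation {op[1]!r} is not defined in the WSDL"
    return op[1], None

def classify_response(raw, operation):
    """Response validation: Body must hold <Operation>Response or a soap:Fault
    (SOAP 1.1 faultcode/faultstring are unqualified children of Fault).
    Returns ('ok', element), ('fault', (faultcode, faultstring)) or ('invalid', reason)."""
    body = ET.fromstring(raw).find(f"{{{SOAP}}}Body")
    if body is None or len(body) != 1:
        return "invalid", "Body must contain exactly one element"
    child = body[0]
    if split_tag(child.tag) == (SOAP, "Fault"):
        return "fault", (child.findtext("faultcode"), child.findtext("faultstring"))
    if split_tag(child.tag)[1] != operation + "Response":
        return "invalid", f"unexpected response element {child.tag}"
    return "ok", child

# Constructed sample messages exercising the checks above.
REQUEST = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><GetBalance xmlns="urn:example:bank">'
           '<Account>42</Account></GetBalance></s:Body></s:Envelope>')
FAULT = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
         '<faultstring>Unknown account</faultstring></s:Fault></s:Body></s:Envelope>')
```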
Redundant Security Standards
WSDL, XML standards and SOAP standards overlap in many places. These
redundant security standards give a level of insurance obtained by few other
systems.