CPE4004-01-2007-10 -WebServicesCriticalView

Transcript of CPE4004-01-2007-10 -WebServicesCriticalView (33 slides)

8/14/2019 CPE4004-01-2007-10 -WebServicesCriticalView
4/12/2006 Lecture 9 - Web Services, SOAP, security

Slide 1: CPE4004 Lecture 9 - Web Services, SOAP, Security

• What we have now: web sites, web applications, SOAP
• JAX-WS
• XML-object mapping
• Security

Slide 2: Web application vs web site

• Web site: static content, no business logic, mostly dealing with presentation issues.
• Web application: the modelling focus is on capturing business dynamics. It implements business logic, changes the state of the business objects, needs a clear separation of endpoint implementation from presentation, and delivers dynamic content.
• Methodology to develop web apps: the Relationship Management Methodology is often used. It aims at reducing the development and maintenance cost of sites with intensive DB-driven processing over the Internet. Always think about security.
• A web service is not a web application or a web site. It uses web components to manipulate views on data. Security is important: carefully design the service interface, the interaction (conversation) and the endpoint.

Slide 3: UML provides stereotypes

• Client page: the client side of a web page, an HTML-formatted document with some JavaScript or scriptlets. It is a class with additional dynamic behaviour and is modelled with its own stereotype: a boundary class rendered by a browser.
• HTML form: a class with its own stereotype, a collection of input fields that are part of a client page.
• Relationships: link, build (page), redirect, forward, etc.
• Server page: the server side of a web page. Its behaviour is different from that of the client page. It is a class too, created by some server program (servlets), delivering dynamic content, and modelled with its own stereotype.

Slide 4: Web Service revisited

• A web service is its contract. In this contract we define: the name and other properties of the service, the operations it supports, and the messages accepted and sent by the operations.
• Together with the binding of the service, this makes an endpoint, i.e. something we can point a client at.
• For SOAP services the contract is defined in a WSDL definition. It refers to an XSD schema that defines the messages of the operations.
• The most common way to create a WSDL document is to have the SOAP stack generate it from the code. This is called contract-last development. The exposed surface is then whatever the stack derives from the implementation class, so review the generated WSDL before publishing it.
• Contract-first development: you start with the WSDL and schema, and create the server-side stubs afterwards.

Slide 5: Web Service characteristics

• Components and platforms: based on XML documents passed between the client and the server, mapped to programs (Java classes), objects or databases.
• The XML document is passed to the other application as a message. The format of this message is defined by some standard. The message must be validated against some business rules (e.g. in an XSD).
• A web service is exposed as an interface and provides a gateway to the back-end application, which is running some DB.
• Different platforms for implementation, different mechanisms and vendors: JAXB, JAXP, JAX-WS, Axis, instant WS, etc.

Slide 6: Java SOAP stack

• JAX-RPC and SOAP: a valid SOAP message is a well-formed XML document.
• SOAP defines a set of rules to be used for simple one-way messaging, but it is particularly useful for Remote Procedure Call (RPC) request-response dialogues.
• It is not tied to any particular operating system or language: clients and servers can be anything, as long as they can formulate and understand SOAP.
• It is an important building block for developing distributed applications that use web services over an intranet or the Internet.

Slide 7: SOAP in action

• The SOAP developer's approach to such a problem is to encapsulate the service in a method in C, VB, Java etc., then set up a process that listens for requests to the service; such requests are in SOAP format and contain the request for the service and its parameters.
• TempPhoneNo can be repeated: we do not know how many of them are stored.
• What about just calling a stored procedure on the DB? Complex data cannot be used as parameters or returns from stored procedures.
• We cannot use plain JDBC either, since we do not know how many TempPhoneNo records exist.

    // WS call (service interface):
    EmployeeDetails getEmployeeDetails(int employeeNum);

    // Return message contains:
    class EmployeeDetails {
        String empName;
        String phoneNO;
        TempPhoneNo[] tempPhoneNo;   // repeated: the number of entries is not known in advance
    }

    // where there can be many of these:
    class TempPhoneNo {
        int startDate;
        int endDate;
        String phoneNO;
    }

Slide 8: SOAPservlet

Slide 9: Request

• Request listing (the XML markup is not preserved in the transcript; the employeeNum parameter value shown is 1016577).
• SOAP message syntax: a valid SOAP message is a well-formed XML document composed of the following elements:
  - XML declaration
  - SOAP Envelope
  - SOAP Header
  - SOAP Body
  - service name
  - method tag
  - parameter tag

Slide 10: Response

• Response listing (the XML markup is not preserved in the transcript); values shown: empName "My name", phoneNO "+1-212-7370194".
• The response uses an array structure for the repeated entries.

Slide 11: Response with nested alternate temporary phone numbers

// nested alternate temp phone numbers are added in this message:
// -----------------------------------------------------------------------------
Values shown in the listing (XML markup not preserved in the transcript):
• empName: Bill XXXXXX
• phoneNO: +1-212-7370194
• TempPhoneNo: startDate 37060, endDate 37064, phoneNO +1-515-2887505
• TempPhoneNo: startDate 37074, endDate 37078, phoneNO +1-516-2890033
• TempPhoneNo: startDate 37088, endDate 37092, phoneNO +1-212-7376609

Slide 12: Validation and namespaces

• Validation: the message is received in serialized form. No validation is performed of how many times TemporaryPhoneNumber has been encoded.
• Extra code has to be written to validate the number of repetitions. The validation itself consumes time and memory, which is a security hole: an attacker can send a message with an unbounded number of repetitions and make the endpoint pay for parsing and binding it.
• Namespaces: each node in the XML message can be attached to a namespace.
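The check the slide calls for, as an added example in Python that is not part of the lecture: it serializes the EmployeeDetails record of slide 7 into a SOAP 1.1 response (using the values of slide 11) and, on the receiving side, enforces a byte limit and a cap on the number of TempPhoneNo repetitions before any record is allocated. The service namespace urn:example:employee, the operation name getEmployeeDetailsResponse and the envelope layout are assumptions of this example, not the lecture's.

```python
# Added example (not from the lecture): bind the getEmployeeDetails SOAP
# response into records and bound the number of TempPhoneNo repetitions.
# Namespace, operation name and envelope layout are assumptions; the field
# names and sample values come from the lecture's EmployeeDetails record.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:employee"  # assumed service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ns", SVC_NS)


def q(ns, local):
    """Clark-notation name, which is how ElementTree keys namespaced tags."""
    return "{%s}%s" % (ns, local)


class MessageRejected(Exception):
    """Raised before any object is bound when a message breaks a size rule."""


@dataclass
class TempPhoneNo:
    start_date: int
    end_date: int
    phone_no: str


@dataclass
class EmployeeDetails:
    emp_name: str
    phone_no: str
    temp_phone_nos: list = field(default_factory=list)


def build_response(emp_name, phone_no, temps):
    """Serialize an EmployeeDetails record as a SOAP 1.1 response (constructed layout)."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    resp = ET.SubElement(body, q(SVC_NS, "getEmployeeDetailsResponse"))
    det = ET.SubElement(resp, q(SVC_NS, "EmployeeDetails"))
    ET.SubElement(det, q(SVC_NS, "empName")).text = emp_name
    ET.SubElement(det, q(SVC_NS, "phoneNO")).text = phone_no
    for start, end, phone in temps:  # zero or more repetitions
        t = ET.SubElement(det, q(SVC_NS, "TempPhoneNo"))
        ET.SubElement(t, q(SVC_NS, "startDate")).text = str(start)
        ET.SubElement(t, q(SVC_NS, "endDate")).text = str(end)
        ET.SubElement(t, q(SVC_NS, "phoneNO")).text = phone
    return ET.tostring(env, encoding="utf-8")


# Constructed sample: the values from the lecture's nested-response listing.
SAMPLE_RESPONSE = build_response("Bill XXXXXX", "+1-212-7370194", [
    (37060, 37064, "+1-515-2887505"),
    (37074, 37078, "+1-516-2890033"),
    (37088, 37092, "+1-212-7376609"),
])


def parse_employee_details(xml_bytes, max_temp_numbers=10, max_bytes=64 * 1024):
    """Parse a response and bind it, enforcing limits before allocating records.

    The byte limit is checked before the parser runs at all, and the repetition
    count is checked after one parse but before any TempPhoneNo object exists, so
    an attacker-sized message costs one bounded parse rather than a heap of records."""
    if len(xml_bytes) > max_bytes:
        raise MessageRejected("message of %d bytes exceeds limit %d" % (len(xml_bytes), max_bytes))
    root = ET.fromstring(xml_bytes)
    if root.tag != q(SOAP_NS, "Envelope"):
        raise MessageRejected("not a SOAP 1.1 envelope: %s" % root.tag)
    body = root.find(q(SOAP_NS, "Body"))
    if body is None:
        raise MessageRejected("missing soap:Body")
    details = body.find(".//" + q(SVC_NS, "EmployeeDetails"))
    if details is None:
        raise MessageRejected("missing EmployeeDetails")
    temps = details.findall(q(SVC_NS, "TempPhoneNo"))
    if len(temps) > max_temp_numbers:
        raise MessageRejected("%d TempPhoneNo entries, limit is %d" % (len(temps), max_temp_numbers))

    def text(parent, local):
        node = parent.find(q(SVC_NS, local))
        if node is None or not node.text:
            raise MessageRejected("missing element " + local)
        return node.text.strip()

    emp = EmployeeDetails(text(details, "empName"), text(details, "phoneNO"))
    for t in temps:
        emp.temp_phone_nos.append(
            TempPhoneNo(int(text(t, "startDate")), int(text(t, "endDate")), text(t, "phoneNO")))
    return emp


if __name__ == "__main__":
    emp = parse_employee_details(SAMPLE_RESPONSE)
    print(emp.emp_name, [t.phone_no for t in emp.temp_phone_nos])
    try:
        parse_employee_details(build_response("x", "y", [(1, 2, "+1")] * 50))
    except MessageRejected as exc:
        print("rejected:", exc)
```

Running the module parses the sample and then shows a 50-repetition message being refused. The order matters: the size check runs before the parser, and the repetition count is read from the parsed tree before the TempPhoneNo objects are created, which keeps the cost of the validation the slide warns about bounded by the byte limit.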

Slide 13: Binding XML elements to Java classes

• Java inheritance: we can change some existing semantics with inheritance, and the subclass would allow us to add methods and add attributes.
• Java derives new types by extending the capabilities of parent classes.
• In an XSD schema: (schema fragment not preserved in the transcript)

Slide 14: Mapping XML names to Java identifiers

• Not all XML names can be used as Java identifiers: XML names may contain characters such as "." that are not allowed in Java identifiers, or clash with Java names such as String.
• We need to perform a non-trivial mapping to accommodate the greater range of XML names.
• Package names are often derived from the namespace URL.
• The problem: with each new version of Java these mappings must be revisited, because changes may have been made to the validation and to the identifier mappings.

Slide 15: Restrictions on values - example

• (Example not preserved in the transcript.) There is no simple mapping of such value restrictions into Java classes.

Slide 16: Enumerations

1) The value should not be a reserved word, e.g. null.
2) Java 5 generates a set of identifiers, one for each value in the enumeration set, showing the position in the set. Therefore the value identifiers are lost, and code has to be written to detect any changes in position and value identifiers.

Slide 17: Unportable types

• Some Java types are unportable: java.util.Hashtable.
• Some types may have a different meaning in other languages: java.util.Calendar could be interpreted in .NET as a date/time. It should be sent as xsd:dateTime. What happens if client and server are in different time zones? Send the value with an explicit time zone designator (for example a trailing Z) so both sides interpret it the same way.

Slide 18: Serializing objects

• XML is a hierarchical data structure, typically trees or lists.
• Java classes may form a cyclic graph of references.
• Mapping into XML requires the cycle to be recognized and treated accordingly by the mapper; otherwise serialization never terminates.

Slide 19: Fault processing

• The web service protocols imply that the application is making calls across network boundaries. As such, you must be prepared to handle any network-related errors that occur.
• As the web service interface is based on a Java remote interface, any client code must catch and handle java.rmi.RemoteException. A RemoteException will be generated in response to any unhandled runtime exception that occurs. Such exceptions are mapped to SOAP fault elements that are included in the body of the response from the server.
• Domain exceptions (for example InvalidProductCodeException) should appear on your web service remote interfaces. These exceptions are defined in the service WSDL as fault elements. Such fault elements are marshalled back to the client in the SOAP message that forms the response from the server. For a Java client, the exception will be regenerated in its original form and rethrown.
• A Java exception is a complex type, so the JAX-RPC runtime must be able to marshal and unmarshal at least some of its contents (such as its message). Therefore exceptions must conform to certain rules to be successfully passed. These rules are similar to those for JavaBeans and are defined in section 5 of the JAX-RPC specification (JSR 101).

Slide 20: Fault processing (example)

Values from the SOAP fault listing on the slide (XML markup not preserved in the transcript):
• faultcode: soap:MustUnderstand
• faultstring: Mandatory Header error
• faultactor: http://www.wrox.com/heroes/endpoint.asp
• detail: endpoint.asp, 203

Slide 21: SOAP Fault message structure

• faultcode element:
  - VersionMismatch: this value indicates that the namespace of the SOAP Envelope element was not http://schemas.xmlsoap.org/soap/envelope/.
  - MustUnderstand: this value is returned in a faultcode element when the endpoint encounters a mandatory Header element entry that it does not recognize.
  - Client: this value should be used in the faultcode element when a problem is found in the message that was received.
  - Server: in contrast to the Client fault code, Server indicates that a problem occurred during processing that was not directly related to the content of the message. An example of this type of fault would be that the database used by the endpoint to return information is down.
• faultstring element: contains a string value that briefly describes the fault that occurred in a way that would make sense if it were displayed to the user in an error dialog. That is not to suggest that it could not be technical in nature.
• faultactor element: where the error occurred. This is especially important in systems that involve SOAP intermediaries. If a message must pass through a dozen endpoints before it can reach its final destination for payload processing, the developer needs to know at what point on the message routing chain an error occurred. The faultactor element is a placeholder for that type of information: it contains a URI that identifies the endpoint where the fault originated.
• detail element: additional information relevant to the fault.

Slide 22: Fault processing in JAX-RPC

• In SOAP web services a fault flows from the server to the client in the form of a SOAP fault. A SOAP fault consists of faultcode, faultstring, and optional faultactor and detail.
• The JAX-RPC specification defines various rules about how to map from a Java exception to a SOAP fault (server side) and from the SOAP fault back to a Java exception (client side).
• Four types of exception can be thrown from the server:
  - java.rmi.RemoteException
  - java.lang.RuntimeException
  - javax.xml.rpc.soap.SOAPFaultException (a special subclass of RuntimeException)
  - a checked, user-defined exception (mapped from the WSDL's wsdl:fault construct)
• On the client side there are three possibilities:
  - java.rmi.RemoteException
  - javax.xml.rpc.soap.SOAPFaultException
  - a checked, user-defined exception


Slide 24: SOAPFaultException

• A special RuntimeException: javax.xml.rpc.soap.SOAPFaultException. SOAPFaultException is more descriptive than a RuntimeException and dictates the exact SOAP fault message which flows to the client. It means that whoever throws this fault, whether the runtime or the application, controls the SOAP fault response.
• Therefore how to map the SOAP fault to an appropriate exception really depends on the content of the SOAPFaultException: it may be mapped to SOAPFaultException, RemoteException or even a checked user exception.
• SOAPFaultException is often used by JAX-RPC handlers. A JAX-RPC application itself should normally avoid throwing SOAPFaultException.

Slide 25: RuntimeException

• When a problem occurs in a server-side JAX-RPC runtime which results in a RuntimeException (for example a NullPointerException), that exception will propagate back to the client, but it will do so as a SOAP fault.
• The client runtime will map the SOAP fault to either RemoteException or SOAPFaultException.
• Therefore a service endpoint should not throw a RuntimeException expecting the client to always catch that RuntimeException, because the client may receive a RemoteException instead. Make sure the generated fault carries only what the caller needs: an unhandled exception's message or stack trace copied into the faultstring discloses internals of the endpoint.
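An added example, not from the lecture and not JAX-RPC code: a Python dispatcher that applies the same mapping rules to a SOAP 1.1 request (VersionMismatch for a foreign envelope namespace, MustUnderstand for an unrecognized mandatory header, Client plus a typed detail for a declared domain exception, Server with a generic faultstring for anything unhandled), together with the client-side mapping back to exceptions. The service namespace urn:example:employee, the faultactor URI, the Timestamp header this endpoint claims to understand, and the request and response layouts are assumptions of the example; employee 1016577 and the response values are the ones shown on slides 9 and 10.

```python
# Added example (not from the lecture): SOAP 1.1 fault mapping on both sides.
# Namespace, actor URI, understood header and message layouts are assumptions.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:employee"                       # assumed
ACTOR = "http://example.invalid/employee/endpoint"    # assumed faultactor URI
UNDERSTOOD_HEADERS = {"{%s}Timestamp" % SVC_NS}        # assumed: the only mustUnderstand header handled
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ns", SVC_NS)


def q(ns, local):
    return "{%s}%s" % (ns, local)


class InvalidEmployeeNumber(Exception):
    """A checked, user-defined exception declared as wsdl:fault."""
    def __init__(self, num):
        super().__init__("no such employee")
        self.num = num


class SoapFault(Exception):
    """Client-side image of any fault not mapped to a domain exception (cf. RemoteException)."""
    def __init__(self, code, string, actor=None, detail=None):
        super().__init__("%s: %s" % (code, string))
        self.code, self.string, self.actor, self.detail = code, string, actor, detail or {}


def envelope(body_child):
    env = ET.Element(q(SOAP_NS, "Envelope"))
    ET.SubElement(env, q(SOAP_NS, "Body")).append(body_child)
    return ET.tostring(env, encoding="utf-8")


def fault_envelope(code, string, detail=None):
    f = ET.Element(q(SOAP_NS, "Fault"))
    ET.SubElement(f, "faultcode").text = "soap:" + code
    ET.SubElement(f, "faultstring").text = string
    ET.SubElement(f, "faultactor").text = ACTOR
    if detail:
        d = ET.SubElement(f, "detail")
        for name, value in detail.items():
            ET.SubElement(d, q(SVC_NS, name)).text = value
    return envelope(f)


def build_request(employee_num, must_understand_header=None):
    """Constructed request; the optional header carries soap:mustUnderstand="1"."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    if must_understand_header:
        h = ET.SubElement(ET.SubElement(env, q(SOAP_NS, "Header")), q(SVC_NS, must_understand_header))
        h.set(q(SOAP_NS, "mustUnderstand"), "1")
    op = ET.SubElement(ET.SubElement(env, q(SOAP_NS, "Body")), q(SVC_NS, "getEmployeeDetails"))
    ET.SubElement(op, q(SVC_NS, "employeeNum")).text = str(employee_num)
    return ET.tostring(env, encoding="utf-8")


def get_employee_details(body):
    """The service method; only employee 1016577 (the lecture's sample) exists."""
    num = int(body.findtext(".//" + q(SVC_NS, "employeeNum")))
    if num != 1016577:
        raise InvalidEmployeeNumber(num)
    resp = ET.Element(q(SVC_NS, "getEmployeeDetailsResponse"))
    ET.SubElement(resp, q(SVC_NS, "empName")).text = "My name"
    ET.SubElement(resp, q(SVC_NS, "phoneNO")).text = "+1-212-7370194"
    return envelope(resp)


def dispatch(request, handler=get_employee_details):
    """Server side: envelope checks, then map whatever the handler raises to a fault."""
    try:
        root = ET.fromstring(request)
    except ET.ParseError:
        return fault_envelope("Client", "request is not well-formed XML")
    if root.tag != q(SOAP_NS, "Envelope"):
        return fault_envelope("VersionMismatch", "unsupported envelope namespace")
    header = root.find(q(SOAP_NS, "Header"))
    for h in (list(header) if header is not None else []):
        if h.get(q(SOAP_NS, "mustUnderstand")) == "1" and h.tag not in UNDERSTOOD_HEADERS:
            return fault_envelope("MustUnderstand", "mandatory header not understood: " + h.tag)
    try:
        return handler(root.find(q(SOAP_NS, "Body")))
    except InvalidEmployeeNumber as e:  # declared fault: Client code plus typed detail
        return fault_envelope("Client", str(e), {"faultType": "InvalidEmployeeNumber", "employeeNum": str(e.num)})
    except Exception:                   # unhandled runtime exception: Server code, generic text only,
        return fault_envelope("Server", "internal error, see server log")  # no str(e), no stack trace


def unwrap(response):
    """Client side: return the Body element, or re-raise the fault as an exception."""
    root = ET.fromstring(response)
    f = root.find(".//" + q(SOAP_NS, "Fault"))
    if f is None:
        return root.find(q(SOAP_NS, "Body"))
    d = f.find("detail")
    detail = {c.tag.split("}")[-1]: c.text for c in (list(d) if d is not None else [])}
    code = f.findtext("faultcode", "").split(":")[-1]
    if code == "Client" and detail.get("faultType") == "InvalidEmployeeNumber":
        raise InvalidEmployeeNumber(int(detail["employeeNum"]))
    raise SoapFault(code, f.findtext("faultstring", ""), f.findtext("faultactor"), detail)
```

The one decision that matters for security is in the last except clause of dispatch: the declared domain exception is the only one whose content is copied into the fault, while anything unexpected is reduced to a fixed faultstring and the real exception stays in the server log.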

Slide 26: WSDL fault message

• This message is referenced by wsdl:fault; only a single message part is allowed.
• It could refer to a simple type or a complex type. If the part element has a type attribute, we can tell directly whether it is simple (for example xsd:int, xsd:string, etc.) or complex.
• If the part element has an element attribute, then you have to step to the element to see whether the type is simple or complex. This type of mapping is more complex and should be handled during the analysis.

Slide 27: Transfer of large files and portability

• The problems with large files: multithreading can keep the GUI responsive; however, a progress bar would be difficult to code in a multithreaded environment.
• Portability is only known after deployment. No warnings are issued prior to deployment, e.g. IDL compile errors (there is no IDL).
• The classes are often changed and the changes may not be reflected in the WSDL. Then the service may perform different functions than the client expects.

Slide 28: Security problems

• Web services are said to be a hackers' paradise.
• Characteristics of threats:
  - actor (source of attack)
  - input (XML documents)
  - output
  - component attacked

Slide 29: XML/SOAP manipulation

• Coercive parsing: the message refers to a number of XSD schemas, which often point to some repositories. XML messages can be made too difficult to parse, so that parsing consumes too much memory and time (DoS). Malicious mobile code can be inserted.
• Blind XPath injection: the service queries an XML document with a string such as
    //user[name/text()='jjj' and password/text()='hhh']/account/text()
  and then branches: if account == {not found} ... else {all fine}. Inject a user name such as ' or 1=1 or ''=' and you get the first account number.
• Jumbo payloads: DoS.
• Recursive elements in the XML document: DoS.
• Entity expansion attacks: recursive entity declarations in the XML document header, with the rest of the document referring to them (DoS). Entities can also refer to the file system; the reference is expanded during processing, an open door to access repositories.
• Long element names: DoS.
• XML flood: many messages per second.
• Parameter tampering: instructions on how to use the parameters are in the WSDL. An attacker can try to use special characters to extract information, or embed a command line that creates a command shell and executes it.
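An added example, not from the lecture, showing how several of the attacks above can be refused before the message ever reaches the data-binding layer: a small expat-based guard (Python standard library) that rejects any DOCTYPE, so that no internal or external entity can be declared, and enforces limits on payload size, nesting depth, element-name length and element count. The limits, the sample documents (the well-known "billion laughs" pattern, a file:// entity, deep nesting, a long name) and the class name XmlGuard are constructed for this example.

```python
# Added example (not from the lecture): an expat pre-check that rejects DTD and
# entity tricks, deep nesting, long names and oversized payloads before the SOAP
# stack binds the message. Limits and sample documents are constructed.
import xml.parsers.expat as expat


class XmlRejected(Exception):
    """The document violates one of the structural limits."""


class XmlGuard:
    def __init__(self, max_bytes=1 << 20, max_depth=32, max_name_len=64, max_elements=50000):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_name_len = max_name_len
        self.max_elements = max_elements

    # SOAP 1.1 forbids a DOCTYPE in a message, so any DTD (and with it every
    # entity declaration, internal or external) is rejected as soon as it starts.
    def _doctype(self, name, sysid, pubid, has_internal_subset):
        raise XmlRejected("DOCTYPE not allowed in a SOAP message (doctype %r)" % name)

    def _entity(self, *args):
        raise XmlRejected("entity declaration not allowed")

    def _start(self, name, attrs):
        self.elements += 1
        self.depth += 1
        self.max_depth_seen = max(self.max_depth_seen, self.depth)
        if len(name) > self.max_name_len:
            raise XmlRejected("element name of %d chars exceeds %d" % (len(name), self.max_name_len))
        if self.depth > self.max_depth:
            raise XmlRejected("nesting depth %d exceeds %d" % (self.depth, self.max_depth))
        if self.elements > self.max_elements:
            raise XmlRejected("more than %d elements" % self.max_elements)

    def _end(self, name):
        self.depth -= 1

    def check(self, data):
        """Return {'depth': n, 'elements': m} for an acceptable document, else raise."""
        if len(data) > self.max_bytes:
            raise XmlRejected("payload of %d bytes exceeds %d" % (len(data), self.max_bytes))
        self.depth = self.max_depth_seen = self.elements = 0
        parser = expat.ParserCreate()
        parser.StartDoctypeDeclHandler = self._doctype
        parser.EntityDeclHandler = self._entity
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        # Never let expat fetch or expand parameter entities from external sources.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        try:
            parser.Parse(data, True)
        except expat.ExpatError as err:
            raise XmlRejected("malformed XML: %s" % err)
        return {"depth": self.max_depth_seen, "elements": self.elements}


def reject_reason(data, guard=None):
    """Convenience wrapper: None when accepted, otherwise the reason string."""
    try:
        (guard or XmlGuard()).check(data)
        return None
    except XmlRejected as err:
        return str(err)


# Constructed attack samples: the classic "billion laughs" entity-expansion
# document, an external entity pointing at the file system, deep recursion and
# a long element name, plus one normal SOAP envelope.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
FILE_ENTITY = b"""<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>"""
DEEP_NESTING = b"<a>" * 100 + b"</a>" * 100
LONG_NAME = b"<" + b"a" * 200 + b"/>"
NORMAL = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><q/></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    for label, doc in [("normal", NORMAL), ("billion laughs", BILLION_LAUGHS), ("file entity", FILE_ENTITY),
                       ("deep nesting", DEEP_NESTING), ("long name", LONG_NAME)]:
        print(label, "->", reject_reason(doc) or "accepted")
```

Rejecting the DOCTYPE outright is the simplest correct rule here because SOAP 1.1 forbids a document type declaration in a message, so a compliant client never sends one; the guard therefore never has to reason about what an entity would expand to. Blind XPath injection is not addressed by this guard: it needs the XPath query to be built from validated parameters rather than by string concatenation.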

Slide 30: XML/SOAP manipulation (cont.)

• Schema poisoning: the XSD schema provides the information on how to process the XML documents. The schema can be compromised or even replaced in its location, and the location can be read from the SOAP message.
• WSDL scanning: allows the attacker to guess other, unexposed methods. Exposed method: getQuote(); hidden method: tradeStock().
• Dictionary attacks: guessing a password or user name.
• Replay attack: repetitive SOAP message requests are used to overload the service. The IP addresses can be read from the TCP/IP header; the replays are not detected since they come from a valid IP and are well formed.
• SQL injection: SQL contains native separators or pipes, ";" is one; with it you can attach commands that execute native stored procedures repetitively, or other SQL commands.
• Message snooping: use the SOAP routing header to access internal web services (see next slide).

Slide 31: SOAP routing header

• Routing is the process of delivering messages through a series of nodes or intermediaries. Each intermediary not only provides a message delivery channel, but may also provide value-added services such as logging, auditing and validation.
• Routing is an essential part of distributed computing and plays an important role in multi-party message exchanges.
• WS-Routing is a protocol that defines how SOAP messages can be delivered using various transports. Routing information is carried from one intermediary to another inside the SOAP Header element. WS-Routing can thus be understood as an extension to SOAP.

Slide 32: SOAP Header example

Values from the WS-Routing header listing on the slide (XML markup not preserved in the transcript):
• http://services.xmethods.net:80/soap/servlet/rpcrouter
• 3cf74010-e395-11d5-a2d9-00a0246e4ce3
• http://www.whitemesa.net/interop/std/multihop
• http://www.4s4c.com/services/log.ashx
• http://soapclient.com/SoapRouter

Slide 33: What can we do about the security of WS?

• Caller authentication.
• XML Signature (recommendation from W3C).
• XML Encryption.
• Applying new standards: SAML (Security Assertion Markup Language).
• Best practices in coding and low-level security: SSL and VPN.
• Implement XML filtering: rules for message size, content, variables.
• Mask internal resources: Network Address Translation (NAT); use an XML proxy to rewrite URLs.
• Check the frequency of connections for consumers.
• Validate all messages: well-formed, and use a validating parser.
• Sign all messages, timestamp all messages, use encryption for message fields.
• XML attacks: watch for integrated XLink and other pointers to URLs in the application.
• Session theft: a session ID is generated, and listening to an unencrypted conversation could hijack a session.
• DoS attacks: authenticate long requests; use a watchdog thread to track long execution times.
• Disguise the type of service (e.g. Axis).
• Do not show the WSDL file; use e-mail to send it to the consumer.
• With servlets: use filters to filter long files, validate IP, check caller credentials.
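An added example, not from the lecture, of the sign, timestamp and frequency checks listed above: the sender attaches a creation time, a nonce and a MAC over both plus the body; the receiver rate-limits per consumer, refuses stale timestamps, verifies the MAC in constant time and rejects a nonce it has already seen, which is what defeats the replay attack of slide 30. A shared-key HMAC stands in for WS-Security XML Signature and a plain dictionary stands in for the SOAP Header; the key, the body and the consumer names are constructed for the example.

```python
# Added example (not from the lecture): timestamp + nonce + HMAC on the sender,
# rate limit + freshness + signature + replay cache on the receiver. HMAC over
# the raw body stands in for XML Signature; the headers dict stands in for a
# SOAP Header. Key, body and consumer names are constructed.
import collections
import hashlib
import hmac
import os


class Rejected(Exception):
    pass


def _mac(key, created, nonce, body):
    # created and nonce contain no '|' and body comes last, so fields cannot slide into each other
    msg = b"%d|%s|%s" % (created, nonce.encode("ascii"), body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_message(body, key, now, nonce=None):
    """Sender side: attach Created, Nonce and a MAC binding both to the body."""
    nonce = nonce or os.urandom(16).hex()
    created = int(now)
    return {"created": created, "nonce": nonce, "mac": _mac(key, created, nonce, body)}


class Receiver:
    def __init__(self, key, window=300, max_per_window=100):
        self.key = key
        self.window = window              # seconds a timestamp stays acceptable
        self.max_per_window = max_per_window
        self.seen = {}                    # nonce -> created, for replay detection
        self.arrivals = collections.defaultdict(collections.deque)  # consumer -> arrival times

    def accept(self, consumer, headers, body, now):
        """Return True for a fresh, authentic message; raise Rejected otherwise."""
        # 1. frequency check first: it is cheap and bounds the work a flood can cause
        q = self.arrivals[consumer]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            raise Rejected("rate limit for consumer %s" % consumer)
        q.append(now)
        # 2. timestamp window: stale or future-dated messages are refused before any crypto
        created = int(headers["created"])
        if abs(now - created) > self.window:
            raise Rejected("timestamp outside the %ds window" % self.window)
        # 3. signature check (constant-time compare) binds body, timestamp and nonce together
        expected = _mac(self.key, created, headers["nonce"], body)
        if not hmac.compare_digest(expected, headers["mac"]):
            raise Rejected("signature mismatch")
        # 4. replay check: a nonce may be used once inside the window; older ones are purged,
        #    so the cache is bounded by the same window that bounds the timestamp
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.window}
        if headers["nonce"] in self.seen:
            raise Rejected("replayed message")
        self.seen[headers["nonce"]] = created
        return True


if __name__ == "__main__":
    key = b"shared-secret-for-example"  # constructed
    body = b"<getEmployeeDetails><employeeNum>1016577</employeeNum></getEmployeeDetails>"
    t0 = 1700000000.0
    recv = Receiver(key)
    hdr = sign_message(body, key, t0)
    print(recv.accept("consumer-a", hdr, body, t0 + 1))
    for attempt in (lambda: recv.accept("consumer-a", hdr, body, t0 + 2),          # replay
                    lambda: recv.accept("consumer-a", hdr, body + b" ", t0 + 3)):  # tampered body
        try:
            attempt()
        except Rejected as err:
            print("rejected:", err)
```

The per-consumer counter runs before any cryptography so that a flood of bad messages costs one deque operation each, and the signature is checked before the nonce is recorded, so an attacker cannot poison the replay cache with forged nonces.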