November 20, 2003

SOAP Data Injection Attacks

SPI has released a paper on attacking web services using SOAP, showing how to use injection techniques to taint workflow and attack weak implementations.

I have never liked SOAP (mostly because of its complexity wrapped up in XML) and papers like this show how data injection techniques are just as easy with SOAP envelopes as they are with traditional techniques.

Happy reading!

Posted by SilverStr at November 20, 2003 08:33 PM
Comments

I like that somebody is actually taking the time to try and get around SOAP. But, what they are describing is really no different than that other article you linked to about using CGI GET/POST argument tainting techniques to inject things into SQL.

Fortunately, the SOAP system I use does automatic parameter binding into the SQL... so some l33t haxor can put strange characters in the string field to his heart's content, and get nowhere.

About a year ago we rewrote a telnet server as a cgi-script that consumed a web server. But, performance was so bad, that we just rewrote it to use straight DBI. When running under mod_perl (on Apache2 for win32) it's lightning fast.

Web Services has tons of benefits, but it definitely has a higher level of complexity and overhead. So the key is knowing when to use it (system integration, middleware, etc) and not so much for straight application development.

I've got some thoughts and links about SOAP Security at: http://www.nyetwork.org/wiki/SOAPSecurity

Posted by: Wim at November 21, 2003 12:24 AM
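
The parameter binding mentioned in the comment above, shown as an added example that is not from the post, the linked paper, or the commenter's system. It uses Python's sqlite3 rather than Perl DBI, and the envelope, the `GetUser`/`name` elements, the table and the function names are all constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed request: the <name> string field carries a quote and SQL text.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUser xmlns="urn:example:users">
      <name>nobody' OR '1'='1</name>
    </GetUser>
  </soap:Body>
</soap:Envelope>"""


def soap_string_field(envelope, field):
    """Return the text of the first Body element whose local name is `field`."""
    body = ET.fromstring(envelope).find(SOAP_NS + "Body")
    for elem in body.iter():
        if elem.tag.rsplit("}", 1)[-1] == field:
            return elem.text or ""
    raise KeyError(field)


def make_db():
    """Build a small in-memory table to query (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def lookup_concatenated(db, name):
    # Weak form: the field value becomes part of the SQL text itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, name):
    # Parameter binding: the value is passed as data and never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    value = soap_string_field(ENVELOPE, "name")
    print("concatenated:", lookup_concatenated(db, value))
    print("bound:       ", lookup_bound(db, value))
```

The SOAP layer delivers the string field unchanged in both cases; only the way the value reaches the database differs.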