Web Service layer Threat Types: Disclosure Threats, Deception Threats, Disruption Threats, Usurpation Threats.
Service Level:
Vulnerability: The WSDL exposes the message exchange pattern, types, values, methods and parameters that the service offers to requesters. An attacker can use this information to learn how the system works and to craft attacks against the service (WSDL scanning).
Suggestion:
At the service level, authenticate and authorize service requesters before serving the WSDL and related service metadata, so that they are not exposed to disclosure threats.
Apply proper SOAP Fault / error handling when processing the security information in messages, so that a fault does not leak details of the security configuration to the requester.
Message Level:
Observation: message protection mechanisms are missing.
Vulnerability: An attacker can read or modify the message in transit, before it reaches its destination.
Suggestions:
1. Follow a standard message protection mechanism (e.g. WS-Security) rather than an ad hoc one.
2. Sign messages so that the receiver can verify message origin and integrity.
3. Encrypt message content that must stay confidential.
4. Add a timestamp (creation time) to every message.
5. Attach the required security tokens to the messages.
6. Enforce message expiry, so that an old or replayed message is rejected.
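The suggestions above, carried through as one working exchange. This is an added example, not code from the original post: a sender builds a SOAP request whose WS-Security header carries a Timestamp (Created/Expires), a UsernameToken with a per-message Nonce, and a signature over those fields plus the Body; a receiver checks the signature first, then expiry, clock skew and nonce freshness (replay). Assumptions: the signature is an HMAC-SHA256 under a shared secret inside a hypothetical HmacSignature element, standing in for the XML-DSig ds:Signature that WS-Security actually uses, so that the example needs only the standard library; all secrets, timestamps and the GetUser body are constructed sample input.

```python
"""Message-level protection for a SOAP request: timestamp, expiry, security token,
nonce and a signature, plus a receiver that checks them and refuses replays.
Added example; HMAC-SHA256 over selected fields is an assumed stand-in for XML-DSig."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)   # stable prefixes on both sides
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _mac(secret, created, expires, nonce, user, body):
    # Bind every field the receiver acts on, Body included, into one MAC so
    # none of them can be altered independently of the others.
    data = "\n".join([created, expires, nonce, user, ET.tostring(body, encoding="unicode")])
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def build_message(body_xml, secret, username, now, ttl_s=300):
    """Wrap body_xml in an Envelope carrying Timestamp, UsernameToken and signature."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    created = now.strftime(TIME_FMT)
    expires = (now + timedelta(seconds=ttl_s)).strftime(TIME_FMT)   # message expiry
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")            # security token
    nonce = base64.b64encode(os.urandom(16)).decode()               # fresh per message
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = nonce
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))
    # Hypothetical element; real WS-Security carries a ds:Signature here.
    ET.SubElement(sec, "HmacSignature").text = _mac(secret, created, expires, nonce, username, body)
    return ET.tostring(env, encoding="utf-8")


class Receiver:
    """Checks signature, expiry, clock skew and nonce freshness, in that order."""

    def __init__(self, secret, max_skew_s=60):
        self.secret = secret
        self.max_skew = timedelta(seconds=max_skew_s)
        self.seen_nonces = set()   # in production: a shared store pruned at Expires

    def verify(self, raw, now):
        env = ET.fromstring(raw)
        sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        body = env.find(f"{{{SOAP}}}Body")
        if sec is None or body is None:
            return "rejected: no Security header or Body"
        created = sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Created")
        expires = sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
        user = sec.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
        nonce = sec.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Nonce")
        sig = sec.findtext("HmacSignature")
        if None in (created, expires, user, nonce, sig):
            return "rejected: missing security element"
        # Signature first: nothing below is trusted until the MAC checks out.
        expected = _mac(self.secret, created, expires, nonce, user, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "rejected: bad signature"
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            expires_at = datetime.strptime(expires, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "rejected: malformed timestamp"
        if now >= expires_at:
            return "rejected: expired"
        if created_at > now + self.max_skew:
            return "rejected: created in the future"
        if nonce in self.seen_nonces:          # same signed message seen before
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted"


def demo():
    """Good message, replay, tampered body, wrong key, expired, future-dated."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)      # constructed clock
    secret = b"shared-secret-for-this-example"                       # constructed
    msg = build_message("<GetUser><id>42</id></GetUser>", secret, "alice", now)
    rx = Receiver(secret)
    return [
        rx.verify(msg, now),
        rx.verify(msg, now),
        Receiver(secret).verify(msg.replace(b"<id>42</id>", b"<id>99</id>"), now),
        Receiver(b"other-secret").verify(msg, now),
        Receiver(secret).verify(msg, now + timedelta(seconds=600)),
        Receiver(secret).verify(msg, now - timedelta(hours=1)),
    ]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature covers Created, Expires, Nonce, Username and the Body, so the receiver evaluates it before it trusts any of those values, and the nonce cache only grows with messages that have already passed every other check. Encryption (suggestion 3) is left out here; in WS-Security it would wrap the Body in an xenc:EncryptedData element after signing.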
Web Service Solution:
Observation: Test whether each of the following is possible against the setup:
1. Coercive Parsing
2. Parameter Tampering
3. Recursive Payloads
4. Oversize Payloads
5. Schema Poisoning
6. WSDL Scanning
7. Routing Detours
8. External Entity (XXE) Attack
9. SQL Injection
10. Replay Attack
Vulnerability: Any of the above that succeeds against the setup is a finding to report.
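Several items on the checklist (coercive parsing, recursive payloads, oversize payloads, external entity attack) are payload-shape problems that can be refused before the XML reaches the service's real parser. The gate below is an added example, not code from the original post: it streams the request through the standard library's XMLPullParser, rejects any DOCTYPE or ENTITY declaration (the vehicle for XXE and entity-expansion bombs), fails fast on nesting depth and element count, and checks that the root is a SOAP 1.1 or 1.2 Envelope. The limits are assumed values to tune per service; the sample payloads are constructed.

```python
"""Input gate for SOAP requests: refuses oversize, deeply nested, entity-bearing
and non-Envelope payloads before parsing completes. Added example; limits are assumed."""
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024      # assumed per-request size limit (oversize payloads)
MAX_DEPTH = 32             # assumed nesting limit (recursive payloads)
MAX_ELEMENTS = 5_000       # assumed element-count limit (coercive parsing)
CHUNK = 4096
SOAP_ENVELOPES = {
    "{http://schemas.xmlsoap.org/soap/envelope/}Envelope",   # SOAP 1.1
    "{http://www.w3.org/2003/05/soap-envelope}Envelope",     # SOAP 1.2
}


class RejectedPayload(ValueError):
    pass


def parse_soap_hardened(data):
    """Return the Envelope element, or raise RejectedPayload with the reason."""
    if len(data) > MAX_BYTES:
        raise RejectedPayload("oversize payload")
    # A SOAP request never legitimately needs a DTD, so refuse every entity
    # declaration outright instead of trying to resolve them safely.
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise RejectedPayload("DOCTYPE/ENTITY declarations not allowed")
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = elements = 0
    root = None
    try:
        for off in range(0, len(data), CHUNK):
            parser.feed(data[off:off + CHUNK])
            for event, elem in parser.read_events():
                if event == "start":
                    depth += 1
                    elements += 1
                    if root is None:
                        root = elem
                    # Fail as soon as a limit is crossed, not after the whole
                    # document has been built in memory.
                    if depth > MAX_DEPTH:
                        raise RejectedPayload(f"nesting depth exceeds {MAX_DEPTH}")
                    if elements > MAX_ELEMENTS:
                        raise RejectedPayload(f"element count exceeds {MAX_ELEMENTS}")
                else:
                    depth -= 1
        parser.close()
    except ET.ParseError as exc:
        raise RejectedPayload(f"malformed XML: {exc}") from None
    if root is None or root.tag not in SOAP_ENVELOPES:
        raise RejectedPayload("not a SOAP envelope")
    return root


def inspect_payload(data):
    """Convenience wrapper returning 'ok' or 'rejected: <reason>'."""
    try:
        parse_soap_hardened(data)
    except RejectedPayload as exc:
        return f"rejected: {exc}"
    return "ok"


if __name__ == "__main__":
    env = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body>%s</soap:Body></soap:Envelope>')          # constructed sample
    print(inspect_payload(env % b"<GetUser><id>42</id></GetUser>"))
    print(inspect_payload(env % (b"<a>" * 100 + b"</a>" * 100)))
    print(inspect_payload(b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' + env % b"&xxe;"))
```

Parameter tampering, schema poisoning, SQL injection, routing detours and replay are not shapes a parser gate can recognise; those are tested against the service logic (input validation, schema pinning, parameterised queries, signed routing headers, nonce and expiry checks) rather than here.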