Web Services Cheat Sheet

= ACTIVE WORK IN PROGRESS AUGUST 2011 =

= Introduction =

This article provides guidance on securing web services and preventing web-service-related attacks.

== Transport Confidentiality ==
All communication between web services and their clients must be encrypted using

== Authorization ==
RULE - A web service should check that a client is authorized to invoke the method in question before executing it. This can be done using one of the following methods:

 * Having clients authenticate to the web service using a username and password
 * Having clients authenticate to the web service using client certificates

== Schema Validation ==
RULE - Web services must validate SOAP payloads against the web service schema.

== Content Validation ==
RULE - Like any web application, web services need to validate input before consuming it. Content validation includes:

 * Validation against ill-formed XML entities
 * Validation against XML Bomb attacks
 * Validating inputs using a strong white list
 * Validating against external entity attacks
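As an added example (not part of the original cheat sheet), a Python pre-check for SOAP payloads that enforces the content-validation rules above before the message reaches the application parser: it rejects ill-formed XML, any DOCTYPE (which both entity-expansion bombs and external entity attacks depend on), oversized or over-nested documents, and roots that are not a SOAP 1.1 Envelope. The SOAP 1.1 namespace is real; the size and depth limits are assumed values, and the sample messages are constructed.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
MAX_BYTES = 64 * 1024  # assumed per-message limit; tune for the service
MAX_DEPTH = 32         # assumed nesting limit

class RejectedXML(ValueError):
    """Payload failed the pre-check; the message names the reason."""

def parse_soap_safely(payload: bytes) -> ET.Element:
    """Return the parsed Envelope, or raise RejectedXML before anything is expanded."""
    if len(payload) > MAX_BYTES:
        raise RejectedXML("payload exceeds size limit")
    def reject(reason):
        raise RejectedXML(reason)
    # First pass: non-validating expat parse whose handlers abort on any DTD
    # construct. Entity-expansion bombs and external entity references both
    # need a DOCTYPE, so refusing it closes both classes before expansion.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = lambda *_: reject("DOCTYPE/DTD not allowed")
    parser.EntityDeclHandler = lambda *_: reject("entity declaration not allowed")
    parser.ExternalEntityRefHandler = lambda *_: reject("external entity not allowed")
    depth = 0
    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            reject("element nesting too deep")
        # expat reports namespaced names as "<uri> <local>"; root must be an Envelope
        if depth == 1 and name != SOAP_ENV + " Envelope":
            reject("root element is not a SOAP 1.1 Envelope")
    def end(name):
        nonlocal depth
        depth -= 1
    parser.StartElementHandler, parser.EndElementHandler = start, end
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML(f"ill-formed XML: {exc}") from None
    # Second pass: payload is DTD-free and bounded, so ElementTree has nothing to expand.
    return ET.fromstring(payload)

def precheck_reason(payload: bytes):
    """None when the payload is accepted, otherwise the rejection reason (for logging)."""
    try:
        parse_soap_safely(payload)
        return None
    except RejectedXML as exc:
        return str(exc)
```

The rejection reason is a good candidate for the service's security log, since repeated DOCTYPE or nesting rejections from one client are a useful detection signal.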

== Output Encoding ==
RULE - Some web service clients render the output into HTML pages, either directly or through AJAX objects. All the rules of output encoding apply as per