Web Service Security Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This article is focused on providing guidance to securing web services and preventing web services related attacks. Please notice that due to the difference of implementation between different frameworks, this cheat sheet is kept at high level.

1. Transport Confidentiality
Transport confidentiality protects against eavesdropping and man-in-the-middle attacks against web service communications to\from the server.

Rule:All communication with and between web services containing sensitive features, an authenticated session, or transfer of sensitive data must be encrypted using well configured TLS. For more information see Transport Layer Protection Cheat Sheet

5. Message Integrity
Encryption does guarantee confidentiality but it does not guarantee integrity as the message can be changed en route. In addition, encryption does not ensure the identity of the sender.

Rule - Use XML signatures to ensure message integrity using the sender's private key

7. Authorization
Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to perform a certain action.

RULE - A web service should authorize its clients whether they have access to the method in question. This can be done using one of the following methods:


 * Having clients authorize to the web service using username and password
 * Having clients authorize to the web service using client certificates

8. Schema Validation
Schema validation enforces constraints, syntax and semantics defined by the schema.

RULE - Web services must validate SOAP payloads against the web service schema.

9. Content Validation
RULE - Like any web application, web services need to validate input before consuming it. Content validation include:


 * Validation against malformed XML entities
 * Validation against XML Bomb attacks
 * Validating inputs using a strong white list
 * Validating against external entity attacks

10. Output Encoding
Web services need to ensure that output sent to clients is encoded to be consumed as data and not as scripts. This gets pretty important when web service clients use the output to render HTML pages either directly or indirectly using AJAX objects.

RULE - All the rules of output encoding applies as per XSS (Cross_Site_Scripting) Prevention CheatSheet

11. Virus Protection
SOAP provides the ability to attach files and document to SOAP messages. This gives the opportunity for hackers to attach viruses and malware to these SOAP messages.

RULE - SOAP messages must be scanned against viruses and malware.

12. Message Size
Web services like web applications could be a target for DOS attacks by automatically sending the web services thousands of large size SOAP messages. This either cripples the application making it unable to respond to legitimate messages or it could take it down entirely.

RULE - SOAP Messages size should be limited to an appropriate size limit. Larger size limit (or no limit at all) increases the chances of a successful DOS attack.