Difference between revisions of "Web Service Security Cheat Sheet"

From OWASP

Revision as of 23:03, 6 October 2011

Introduction

This article provides guidance on securing web services and preventing attacks related to web services. Because implementations differ between frameworks, this cheat sheet is kept at a high level.

Transport Confidentiality

Transport confidentiality protects against eavesdropping and man-in-the-middle attacks on web service communications to and from the server.

Rule - All communication with and between web services that involves sensitive features, an authenticated session, or the transfer of sensitive data must be encrypted using well-configured TLS. For more information see Transport Layer Protection Cheat Sheet

Server Authentication

Transport-level authentication verifies the identity of the user or system trying to connect to the service. Usually, transport authentication is a function of the container hosting the web service.

Rule - Basic Authentication must be conducted using HTTP over SSL/TLS.

Rule - Client certificate authentication using HTTP over SSL/TLS is to be used if the client and server need to authenticate each other.

Transport Encoding

SOAP encoding styles define how data is moved from software objects into XML format and back again.

Rule - Enforce the same encoding style between the client and the server.

Consumer Authentication

Rule - The Message Authentication over SSL mechanism attaches a cryptographically secured identity or authentication token to the message and uses SSL for confidentiality protection.

Message Integrity

Encryption guarantees confidentiality, but it does not guarantee integrity, as the message can be changed en route. In addition, encryption does not ensure the identity of the sender.

Rule - Use XML signatures to ensure message integrity, signing with the sender's private key. The signature can be validated by the recipient using the sender's digital certificate.

Message Confidentiality

Data elements meant to be kept confidential must be encrypted using a strong encryption cipher with an adequate key length to deter brute forcing.

Rule - SOAP Messages must be encrypted using a strong encryption cipher.

Authorization

Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to perform a certain action (coarse-grained) and to access the requested data (fine-grained).

RULE - A web service should check whether its clients have access to the method in question. This can be done using one of the following methods:

  • Having clients authenticate to the web service using a username and password
  • Having clients authenticate to the web service using client certificates
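The two granularities above, coarse-grained (may this role call the operation?) and fine-grained (may this client touch the record the request names?), as an added example that is not part of the cheat sheet. The policy tables, the bank operations, the `urn:example:bank` namespace and the sample request are all constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed policy. Coarse-grained: which SOAP operations each role may call.
OPERATIONS_BY_ROLE = {
    "customer": {"GetBalance"},
    "teller": {"GetBalance", "PostTransaction"},
}
# Fine-grained: which account numbers each authenticated client may act on.
ACCOUNTS_BY_CLIENT = {
    "alice": {"1001"},
    "bob": {"2002", "2003"},
}
# Constructed sample request: a GetBalance call for account 1001.
REQUEST = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body><GetBalance xmlns="urn:example:bank"><Account>1001</Account>'
           b'</GetBalance></soap:Body></soap:Envelope>')

class AuthorizationError(PermissionError):
    pass

def _local(tag: str) -> str:
    return tag.split("}")[-1]   # strip the namespace part of an ElementTree tag

def authorize(client: str, role: str, envelope: bytes) -> str:
    """Authorize one SOAP request and return the operation name.
    client and role must come from the already-authenticated transport or
    message credential (client certificate, token), never from the body.
    Unknown roles and clients map to an empty set, i.e. deny by default."""
    body = ET.fromstring(envelope).find(SOAP_NS + "Body")
    if body is None or len(body) != 1:
        raise AuthorizationError("expected exactly one operation in the SOAP Body")
    operation = body[0]
    op_name = _local(operation.tag)
    # Coarse-grained check: is this role allowed to invoke the operation at all?
    if op_name not in OPERATIONS_BY_ROLE.get(role, set()):
        raise AuthorizationError(f"role '{role}' may not call {op_name}")
    # Fine-grained check: does the account named in the request belong to the client?
    account = next((c.text for c in operation if _local(c.tag) == "Account"), None)
    if account not in ACCOUNTS_BY_CLIENT.get(client, set()):
        raise AuthorizationError(f"client '{client}' may not access account {account!r}")
    return op_name

def is_authorized(client: str, role: str, envelope: bytes) -> bool:
    """True when authorize() accepts the request, False when it refuses it."""
    try:
        authorize(client, role, envelope)
    except AuthorizationError:
        return False
    return True
```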

Schema Validation

Schema validation enforces constraints, syntax and semantics defined by the schema.

RULE - Web services must validate SOAP payloads against the web service schema.

Content Validation

RULE - Like any web application, web services need to validate input before consuming it. Content validation includes:

  • Validation against malformed XML entities
  • Validation against XML bomb attacks
  • Validation of inputs using a strong whitelist
  • Validation against external entity attacks

Output Encoding

Web services need to ensure that output sent to clients is encoded so that it is consumed as data and not as script. This is especially important when web service clients use the output to render HTML pages, either directly or indirectly through AJAX objects.

RULE - All the rules of output encoding apply, as per the XSS (Cross Site Scripting) Prevention CheatSheet

Virus Protection

SOAP provides the ability to attach files and documents to SOAP messages. This gives attackers the opportunity to attach viruses and malware to these SOAP messages.

RULE - Ensure Virus Scanning technology is regularly updated with the latest virus definitions / rules

Message Size

Web services, like web applications, can be targeted by DoS attacks in which thousands of large SOAP messages are sent automatically. This either cripples the application, making it unable to respond to legitimate messages, or takes it down entirely.

RULE - SOAP message size should be limited to an appropriate maximum. A larger limit (or no limit at all) increases the chances of a successful DoS attack.

Message Throughput

Throughput represents the number of web service requests served during a specific amount of time. Obviously this depends on many factors, including the hardware, the container of the web service, etc.

RULE - Configuration should be optimized for maximum message throughput to avoid running into DoS-like situations

Endpoint Security Profile

RULE - Web Services must be compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum.

Audit Logging

RULE - Security related activities such as successful and unsuccessful login attempts must be logged into a protected environment.

XML Denial of Service Protection

XML Denial of Service is probably the most serious attack against web services, so the web service must provide the following validation:

RULE - Validation against recursive payloads

RULE - Validation against oversized payloads

RULE - Protection against XML entity expansion
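A pre-parser that enforces the three XML DoS rules above together with the Message Size limit and the XML bomb and external entity items under Content Validation, as an added example that is not part of the cheat sheet. It uses only the Python standard library's expat binding; the size and depth limits and the two sample payloads are constructed for this illustration. Rejecting any DOCTYPE is what rules out entity expansion and external entities at once, since both need a DTD.

```python
import xml.parsers.expat

MAX_BYTES = 1024 * 1024   # assumed limit for one SOAP message; tune per service
MAX_DEPTH = 32            # assumed limit on element nesting (recursive payloads)
# Constructed samples: a benign request and a tiny "billion laughs" style bomb.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><GetPrice><Item>Apple</Item></GetPrice></soap:Body></soap:Envelope>')
BOMB = b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]><lolz>&lol2;</lolz>'

class RejectedXML(ValueError):
    """Raised when a payload violates a size, nesting or DTD restriction."""

def check_soap_payload(data: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH) -> int:
    """Pre-validate raw XML before the SOAP stack parses it: rejects oversized
    messages, any DOCTYPE (hence XML bombs and external entities) and nesting
    deeper than max_depth. Returns the element count when the payload passes."""
    if len(data) > max_bytes:
        raise RejectedXML(f"{len(data)} bytes exceeds the limit of {max_bytes}")
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no entity is ever declared.
        raise RejectedXML(f"DOCTYPE '{name}' is not allowed in a SOAP message")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise RejectedXML(f"nesting deeper than {max_depth} at <{name}>")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:   # not well-formed XML
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return state["elements"]

def is_rejected(data: bytes, **limits) -> bool:
    """True when check_soap_payload refuses the payload."""
    try:
        check_soap_payload(data, **limits)
    except RejectedXML:
        return True
    return False
```

Run this check on the raw bytes before handing them to the SOAP framework, since most frameworks parse (and expand) the message before application code ever sees it.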

Administration

RULE - Ensure access to administration and management functions within the Web Service Application is limited to Web Service administrators

Authors and Primary Editors

Gunnar Peterson
Sherif Koussa
