Researcher: Security risks in Web services largely ignored
AJAX, XML could be exploited by hackers, Stamos warns
IDG News Service - VANCOUVER, British Columbia -- In their rush to implement Web services, some companies may be exposing themselves to new security risks that they may not fully understand, a security researcher said yesterday.
During a presentation at the CanSecWest/core06 conference, researcher Alex Stamos outlined how a number of Web services technologies, including AJAX and the XQuery query language, could be exploited by hackers to dig up secret information and attack systems.
Web services is a catch-all expression used to describe a form of distributed computing that uses standards based on XML to simplify the job of programming software. One of its key tenets is that Web services applications are extremely portable and can easily interact with different types of software.
While this cross-platform capability can simplify programming, it can also create security risks by creating situations that may not have been anticipated by software developers, said Stamos, a founding partner of Information Security Partners LLC in San Francisco. During his talk, he described an attack whereby a user could enter malicious code into a Web form and then get that code to run by calling up the company's customer service number and tricking a representative into inadvertently executing it.
Stamos also showed how Web services requests could be used to conduct denial-of-service attacks, either by creating malicious XML queries that use massive amounts of memory or by bombarding databases applications with more requests than they can handle.
Web application vendors have created tools that work like "magic," hiding complexity and making it easy to create Web services. Unfortunately, these tools also make it easy for their users to ignore the security implications of the software they're building, Stamos said.
"Because of all that magic pixie dust, the people who write Web services don't necessarily understand how they work," he said. "We have a lot of customers who are hanging unbelievably crazy functionality ... just out on the Internet."
And hackers are catching on. Last month, security vendor Symantec Corp. issued its biannual Internet Security Threat report, noting that Web applications represent an increasingly attractive target for attackers. Of all vulnerabilities disclosed in the past six months of 2005, nearly 70% were associated with Web applications, Symantec said.
The trend is of particular concern to smaller companies that may not have the budgets to fully test the security of their software. But Stamos said that Web application vendors could help by adding input filtering capabilities to their products to make them better able to tell when their software is being asked to do something that it shouldn't.
Security researchers also should be paying more attention to the issue, Stamos said. "We want to get more security people looking at Web services stuff," he said. "Web application security is the red-headed stepchild of the security industry."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.