Web Services Vulnerabilities, Attacks and Defences
I'm now back in London after my talk and live demonstration at last night's well-attended OWASP Belgium chapter meeting.
There's a good review of the evening added very promptly by Xavier Mertens (@xme) on his blog. Josh Corman (@joshcorman) provided an unexpected extra presentation towards the end of the evening where he discussed the ideas and manifesto of the rugged software initiative. I'll come back to that at a later date, but for now would like to mention the excellent talk given by Andreas Falkenberg on web services security.
He provided a carefully structured walk-through of web services technology and SOAP security features before introducing us to the idea of signature wrapping attacks, and how they might be used to exploit public web services. He also described recommended countermeasures. I won't go into the detail here, but Andreas has a paper available if you contact him. However, I did want to mention WS-Attacks.org, which is a nascent project to provide information about vulnerabilities and attacks against web service standards and implementations. Many of these are unique to web services, and are in addition to the more widely-known web vulnerabilities that affect "normal" web applications.
This is a fantastic resource, and needs greater visibility amongst those responsible for designing and implementing web services.
Posted on: 17 June 2011 at 10:33 hrs