Challenges in Securing ESB Against Web Service Attacks

Challenges in Securing ESB Against Web Service Attacks

Rizwan Ur Rahman (Maulana Azad National Institute of Technology, India), Divya Rishi Sahu (Maulana Azad National Institute of Technology, India) and Deepak Singh Tomar (Maulana Azad National Institute of Technology, India)
DOI: 10.4018/978-1-5225-2157-0.ch006
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

Web services and Service oriented architecture are innovative phase of distributed computing, build on top of the distributed computing models. Web services are being used mostly for the integration business components. One of the key concerns in web services and service oriented architecture is implementation of adequate security. Security issues in SOA are still probing and in spite of an increase in web service research and development, many security challenges remain unanswered. This chapter introduces the vulnerabilities, threats associated with web services and addresses WS-Security standards and countermeasures. Web service protocol is designed to provide connectivity. Not any of these standards of web services contain any inbuilt security aspect of their own. Web Services are exposed to attack from common Internet protocols and in addition to new categories of attacks targeting Web Services in particular. Consequently, the aim of this chapter is to provide review of security mechanism in web services.
Chapter Preview
Top

Introduction

Service-Oriented Architectures and Web Services believed to be the most significant advancement in the software industry in last decade. McKinsey report shows web services (WS) as one of the most important trends in recent web application development process (Dubey et al., 2008). Web services consist of self-describing components that can be used by other application across the web in a platform-independent manner and are supported by standard protocols such as SOAP and WSDL (Curbera et al., 2002). Web services provide a well-defined interface between a provider and a consumer, where the provider offers a set of operations that are used by the consumer. For instance, if two applications want to communicate with each other let’s call these two services are provider and consumer. So the consumer application is going to send a service-request i.e., a message to the provider application. The provider is going to reply back to the consumer with a service response (Figure 1).

Figure 1.

Service oriented architecture

When the request is received by the service provider, it then processed by a service consumer. A Service is a well-defined method, which does not depend on the state of other services. The consumer application needs to know how to invoke this service, for example, what kind of parameters or argument the service is expecting and it needs to know what kind of response the service would be sending back to the consumer. Service Oriented Architecture (SOA) is a solution for making two applications communicating with each other. A human user could interact with an application, when somebody fills out a form in web application it can easily be done that’s because on one side we have a human and on the other side we have a software, but when two applications talk to each other there has to be a well-defined set of rules so there comes SOA into the picture. This implementation can be used in any form, for instance, Web services is an implementation of Service Oriented Architecture (SOA) (Papazoglou, 2008).

The primary trait of web service architecture is that service provider publishes its service description which is placed in a specified directory. All the service providers have to put their service descriptions in that directory. And the consumer software can make queries against this directory to find out what services are available and how to communicate with the provider. Web Services are based on XML Protocols.

Three main elements of web services are:

  • 1.

    Web Service Definition Language (WSDL): Is simply a language i.e. used to create service descriptions, so before service descriptions could be placed in a directory; it has to be created in this particular industry excepted language called WSDL. Various functions required to access web services are defined in WSDL along with the parameter information (Gustavo et al., 2004).

  • 2.

    Simple Object Access Protocol (SOAP): Is again an industry standard protocol to talk to the directory, so service provider will communicate with the directory using SOAP protocol to send its service description to the directory and consumer will query against these directories using the same protocol as well. SOAP is a key for the development of web service as it permits the communication between two or more programs. Moreover, SOAP is platform independent, flexible and general-purpose XML-based protocol (Gustavo et al., 2004).

  • 3.

    Universal Description, Discovery, and Integration (UDDI): Is a specification for publish and place information of Web services. It describes a framework that allows service providers to define and organize their group, services, and the technical details about the namespaces of a Web Service. All these three elements, i.e., WSDL, SOAP, and UDDI are industry standards.

Complete Chapter List

Search this Book:
Reset