Challenges in Securing ESB Against Web Service Attacks

Introduction

Service-Oriented Architectures and Web Services believed to be the most significant advancement in the software industry in last decade. McKinsey report shows web services (WS) as one of the most important trends in recent web application development process (Dubey et al., 2008). Web services consist of self-describing components that can be used by other application across the web in a platform-independent manner and are supported by standard protocols such as SOAP and WSDL (Curbera et al., 2002). Web services provide a well-defined interface between a provider and a consumer, where the provider offers a set of operations that are used by the consumer. For instance, if two applications want to communicate with each other let’s call these two services are provider and consumer. So the consumer application is going to send a service-request i.e., a message to the provider application. The provider is going to reply back to the consumer with a service response (Figure 1).

Figure 1.

Service oriented architecture

When the request is received by the service provider, it then processed by a service consumer. A Service is a well-defined method, which does not depend on the state of other services. The consumer application needs to know how to invoke this service, for example, what kind of parameters or argument the service is expecting and it needs to know what kind of response the service would be sending back to the consumer. Service Oriented Architecture (SOA) is a solution for making two applications communicating with each other. A human user could interact with an application, when somebody fills out a form in web application it can easily be done that’s because on one side we have a human and on the other side we have a software, but when two applications talk to each other there has to be a well-defined set of rules so there comes SOA into the picture. This implementation can be used in any form, for instance, Web services is an implementation of Service Oriented Architecture (SOA) (Papazoglou, 2008).

The primary trait of web service architecture is that service provider publishes its service description which is placed in a specified directory. All the service providers have to put their service descriptions in that directory. And the consumer software can make queries against this directory to find out what services are available and how to communicate with the provider. Web Services are based on XML Protocols.

Three main elements of web services are:

• 1.

  Web Service Definition Language (WSDL): Is simply a language i.e. used to create service descriptions, so before service descriptions could be placed in a directory; it has to be created in this particular industry excepted language called WSDL. Various functions required to access web services are defined in WSDL along with the parameter information (Gustavo et al., 2004).

• 2.

  Simple Object Access Protocol (SOAP): Is again an industry standard protocol to talk to the directory, so service provider will communicate with the directory using SOAP protocol to send its service description to the directory and consumer will query against these directories using the same protocol as well. SOAP is a key for the development of web service as it permits the communication between two or more programs. Moreover, SOAP is platform independent, flexible and general-purpose XML-based protocol (Gustavo et al., 2004).

• 3.

  Universal Description, Discovery, and Integration (UDDI): Is a specification for publish and place information of Web services. It describes a framework that allows service providers to define and organize their group, services, and the technical details about the namespaces of a Web Service. All these three elements, i.e., WSDL, SOAP, and UDDI are industry standards.