Securities Perspective in ESB-Like XML-Based Attacks: Interface Abstraction, Data Privacy, and Integrity

Ayush Gupta (SISA, India) and Ravinder Verma (Protiviti, India)
DOI: 10.4018/978-1-5225-2157-0.ch007


In today's world, where technology is changing drastically, we are expected to believe that the layer 7 protocol HTTP(S) is sufficient from a security perspective. It is not: malicious users and hackers are so prudent in their attacks that most breaches occur at layer 7, i.e. HTTP/HTTPS. XML-based attacks, whether XML parser attacks, XML generator attacks, or XXE denial-of-service attacks, all rank first among the OWASP Top 10 vulnerabilities. An HTTPS connection is not sufficient to stop masqueraders or attackers, because XML injection and XSS attacks do not care about the encryption of the data; they deal mainly with scripts. The ESB was considered a pluggable device through which all existing systems and IT infrastructure devices could be exposed to new applications, cutting time and cost. But the preferred format for data travelling on the bus is always XML, and this is where all the security and privacy issues come into the picture; they are highlighted throughout this chapter.
Chapter Preview


The ESB was considered a service-oriented infrastructure component that helps services interact via messages and events. But nowadays the paradigm has changed, and the SOA that provides B2B services and cuts cost effectively is no longer reliable with a traditional ESB, because XML attacks and injection are not the only factor when using an ESB: data privacy and integrity are also a major concern. Protection of internal applications is one such concern when interfaces are exposed to external parties in B2B or server-to-server communication, and as a result data privacy and integrity cannot be maintained most of the time. Interface abstraction has not been powerful enough to encapsulate the message between layers in the face of emerging XML-based attacks, where IP-based firewalling is not enough because applications interact through service interfaces such as XML, JSON, SOAP and REST APIs.

One of the best solutions is to use SOA gateways instead of a traditional ESB: they not only protect against new threats such as XML-based attacks but also provide endpoint abstraction together with message- and field-level data integrity and privacy. The one thing to watch while deploying SOA gateways is the vendor implementation; for example, custom code shall not be allowed to be added to your XML gateway, just as we do not add custom code to a network packet firewall. Only IBM DataPower (2016) and Forum Sentry are products that do not permit code to be injected or dropped onto the XML gateway, while the Cisco ACE Gateway (Cisco, n.d.) does. Choosing the appropriate protocol, with the appropriate format, to deliver the message to the target destination is therefore one of the crucial points to keep in mind when evaluating SOA gateway vendor implementations (SOA Expressways, n.d.). This does not mean that we should overlook the idiosyncrasies or security features of the SOA gateway, which, once configured correctly, will guarantee the best security in the environment. It is believed that an SOA gateway can work as, and be considered, half of a Web Application Firewall, since it allows policies and ACLs to be configured.

So this chapter is not limited to the limitations and security aspects of the ESB. Much more detailed and descriptive information is required to look in depth at how new threats such as XML attacks actually intercept the request and response and carry out whatever malicious tasks they like; XXE-based attacks and injection and generator attacks are just some of these. How does privacy come into the picture in depth, and how is it actually evaded on the deep web? How, and what kind of, privacy laws and security certifications (e.g. the FIPS 140-2 gold standard) can provide a security assessment? Why was the traditional ESB approach not sufficient to protect the data in the message? Which OWASP Top 10 vulnerabilities come into play, what are their severity scores in terms of harm to the business, and what could the mitigations be? Which keys and encryption/signature policies can be used to secure the XML gateway?
