A Survey of Attacks in the Web Services World

Meiko Jensen (Ruhr-University Bochum, Germany) and Nils Gruschka (NEC Europe Ltd., Germany)
DOI: 10.4018/978-1-60566-950-2.ch010

Abstract

In the modern electronic business world, the services a company offers to business partners and customers have become an important asset. This in turn creates an incentive to attack those services, either to paralyze their availability or to gain unauthorized access. Although they build on decades of networking experience, Web Services are no more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to the attacks well known from common Internet protocols and, in addition, to new kinds of attacks that target Web Services in particular. This chapter presents a survey of such Web-Service-specific attacks. For each attack, a description of its execution and its effect on the target is given, in some cases together with results from practical experiments. Additionally, general countermeasures for fending off Web Service attacks are shown.

Introduction

The rising adoption of service orientation in both industry and academia has also triggered a hype around its most prominent realization technique, the Web Services technology (Weerawarana, Curbera, Leymann, Storey, & Ferguson, 2005). Nevertheless, as with all distributed software systems, the wide spread of a particular technology also attracts individuals and organizations that try to exploit such systems for their own benefit. Thus, in order to cope with such general security threats, every particular technology needs a specialized, appropriate security concept in order to fend off attacks and mitigate security-related business risks.

For the particular case of Web Services, a large number of security-related specifications have been released by the leading standardization organizations, each targeting a specific aspect of Web Services security. These specifications cover confidentiality and message integrity (Nadalin, Kaler, Monzillo, & Hallam-Baker, 2006), access control and authorization for Web Service invocations (Moses, 2005), reliability for guaranteed message delivery (Ferris & Langworthy, 2005), trust establishment between cooperating organizations (Nadalin, Goodner, Gudgin, & Barbir, 2007; Nadalin & Kaler, 2006), and more.

Nevertheless, the field of security for Web Services includes many more issues than are currently addressed by the existing standards. As an example, the number, types and impact of known attacks on Web Services have increased considerably in recent years (Lindstrom, 2004). Apart from general threats such as malicious Internet Service Provider employees or hijacked SOAP intermediaries, several sophisticated, Web-Service-specific attacks have been discovered.

In this chapter, we provide a survey of some of the most severe attack types disclosed so far (cf. Table 1). We give detailed descriptions of the concepts behind the attacks, discuss their potential impact in a real-world SOA, and close with a brief summary of appropriate countermeasures.

Table 1. A list of attacks covered in this chapter

    Oversize Payload
    Coercive Parsing
    Attack Obfuscation
    Flooding Attacks
    State Deviation
    Instantiation Flooding
    Signature Wrapping
    XML Injection
    WS-Addressing Spoofing
    Metadata Spoofing
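Two of the attacks listed in Table 1, Oversize Payload and Coercive Parsing, share a countermeasure that belongs in front of any SOAP endpoint: bound the message size, the element nesting depth and the element count in a streaming pass before the message reaches the full XML processing stack, and reject any document that carries a DTD (SOAP messages must not contain one). The following Python script is an added example and not code from the chapter; the sample SOAP messages, the limit values and the function names are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample messages for illustration (not taken from the chapter).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BENIGN_SOAP = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    '<getQuote><symbol>NEC</symbol></getQuote>'
    '</s:Body></s:Envelope>'
)


def coercive_parsing_payload(depth):
    """Build the classic coercive-parsing shape: a Body whose content is nested
    `depth` levels deep, so a tree-building parser allocates (and a recursive
    one consumes stack) in proportion to the nesting."""
    opening = "".join(f"<x{i}>" for i in range(depth))
    closing = "".join(f"</x{i}>" for i in reversed(range(depth)))
    return f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>{opening}{closing}</s:Body></s:Envelope>'


class PayloadRejected(Exception):
    """Raised as soon as a message violates one of the configured limits."""


def check_soap_payload(data, max_bytes=64 * 1024, max_depth=32, max_elements=10_000):
    """Streaming pre-check for a SOAP message.

    Drives expat in event mode, so the document is never materialised as a
    tree, and parsing stops at the first limit violation. Returns statistics
    for an accepted message and raises PayloadRejected otherwise. The limit
    values are example settings, not recommendations from the chapter.
    """
    if len(data) > max_bytes:
        raise PayloadRejected(f"message of {len(data)} bytes exceeds {max_bytes}")

    stats = {"max_depth": 0, "elements": 0}
    depth = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise PayloadRejected(f"element <{name}> at depth {depth} exceeds {max_depth}")
        if stats["elements"] > max_elements:
            raise PayloadRejected(f"more than {max_elements} elements")

    def on_end(name):
        nonlocal depth
        depth -= 1

    def on_doctype(*_args):
        # SOAP forbids a DTD; rejecting it also closes the entity-expansion
        # route to an oversize payload before any entity is expanded.
        raise PayloadRejected("DOCTYPE declaration not allowed in SOAP messages")

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc
    return stats


def is_acceptable(data, **limits):
    """Boolean wrapper suitable for a gateway or WS-Security filter chain."""
    try:
        check_soap_payload(data, **limits)
        return True
    except PayloadRejected:
        return False


if __name__ == "__main__":
    print("benign:", check_soap_payload(BENIGN_SOAP.encode()))
    print("depth 10:", check_soap_payload(coercive_parsing_payload(10).encode()))
    for label, msg in [("depth 100", coercive_parsing_payload(100)),
                       ("with DTD", '<!DOCTYPE s [<!ENTITY a "aaaa">]>' + BENIGN_SOAP)]:
        print(label, "accepted" if is_acceptable(msg.encode()) else "rejected")
```

The size check runs before any parsing at all, so an oversize message costs only a length comparison; the depth and element counters stop the parser at the first offending start tag, so a coercive-parsing payload is rejected after consuming at most `max_depth` levels rather than its full nesting.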
