
Analysis Of Web Service Attacks And Research Of Security Technologies

Posted on: 2012-08-01
Degree: Master
Type: Thesis
Country: China
Candidate: L Yuan
GTID: 2218330362953633
Subject: Computer Science and Technology

Abstract/Summary:
As an implementation of SOA, web services enable the interoperability of distributed heterogeneous platforms and the loose coupling of service components. Security is the basis for the wide use of web services, and it includes message integrity and confidentiality, access control, authentication and authorization, auditing, etc. This paper focuses on message integrity and service availability.

As regards message integrity, this paper studies XML Signature wrapping attacks. An adversary can alter the content of a SOAP message protected by an XML Signature without invalidating the signature, and gain unauthorized access to protected resources.

As regards service availability, this paper studies XML DoS attacks. The complexity of XML processing, together with the complex cryptographic operations of XML Signature and XML Encryption, can exhaust CPU and memory resources.

This paper presents some general countermeasures for various forms of attacks, including traditional Schema Validation, Schema Hardening, and Extended Validation for WS-Security enabled SOAP messages. This paper also presents a viable detection algorithm for Oversized Signature XDoS attacks. Finally, this paper presents an event-based SOAP message security system model.
Keywords/Search Tags: XML Signature wrapping attacks, XML DoS attacks, Oversized Signature detection algorithm, Schema Validation, Schema Hardening, Extended Validation, Event-based SOAP message security system model