Threats and Vulnerability in Service Oriented Architecture
Abstract
Service Oriented Architecture (SOA) is a new way of operating a network system, and as with
all new technologies, SOA is affected by several security vulnerabilities, which slows its
deployment in organizations. Additionally, access control must first be defined somewhere, and
the rest of the system needs to be aware of the rules and respect them.
In this report, the researcher describes some of the security threats and vulnerabilities faced by
SOA systems.
[1] Available at http://searchmicroservices.techtarget.com/definition/service-oriented-architecture-SOA, accessed 05:35pm 14Aug17
accessed remotely and acted upon and updated independently, such as retrieving a credit card
statement online.[2]
Data Tampering Data tampering occurs when an attacker changes or modifies legitimate data
while it passes over the network, replacing it with illegitimate data.
Replay Attacks The Web service provider establishes sessions with the service requester in the
form of Web service application request and response messages. An attacker who captures the
session can re-send (replay) the captured message or insert a false command.
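A defender-side illustration of the replay problem, added here as an example and not taken from the report: the service keeps the WS-Security UsernameToken nonce and Created timestamp of each request it has accepted and refuses a message whose timestamp is outside a freshness window or whose nonce it has already seen. The envelope, the user name and the nonce values are constructed for the example; the wsse/wsu namespace URIs are the standard ones.

```python
import calendar
import time
import xml.etree.ElementTree as ET

# Standard WS-Security namespaces (wsse/wsu) and the SOAP 1.1 envelope namespace.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def iso_to_ts(created):
    """Parse a wsu:Created value such as 2017-08-14T12:00:00Z into a UTC epoch time."""
    return calendar.timegm(time.strptime(created, "%Y-%m-%dT%H:%M:%SZ"))

def make_envelope(nonce_b64, created):
    """Constructed sample request: a UsernameToken carrying a Nonce and a Created timestamp."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>'
            '</soap:Header><soap:Body><getStatement/></soap:Body></soap:Envelope>')

class ReplayGuard:
    """Rejects a request whose timestamp is stale or whose nonce has already been seen."""
    def __init__(self, window_s=300):
        self.window_s = window_s
        self.seen = {}  # nonce -> time after which it may be forgotten

    def check(self, envelope_xml, now=None):
        now = time.time() if now is None else now
        root = ET.fromstring(envelope_xml)
        nonce = root.findtext(f".//{{{WSSE}}}Nonce")
        created = root.findtext(f".//{{{WSU}}}Created")
        if not nonce or not created:
            return "reject: missing nonce or timestamp"
        if abs(now - iso_to_ts(created)) > self.window_s:
            return "reject: timestamp outside freshness window"
        # Forget nonces older than the window (the timestamp check already refuses those).
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return "reject: replayed nonce"
        self.seen[nonce] = now + self.window_s
        return "accept"

if __name__ == "__main__":
    guard, now = ReplayGuard(), iso_to_ts("2017-08-14T12:00:00Z")
    captured = make_envelope("bm9uY2Ux", "2017-08-14T11:59:30Z")  # constructed values
    print(guard.check(captured, now))      # accept
    print(guard.check(captured, now + 5))  # reject: replayed nonce (same message re-sent)
```

The nonce cache must be shared across all service instances (or the window kept short) for the check to hold in a load-balanced deployment.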
[2] Available at http://www.secc.org.eg/recocape/Documents/SECC_Tutorials_A%20Quick%20Introduction%20to%20SOA.pdf, accessed 06:00pm 14Aug17
[3] Available at http://www.javaworld.com/article/2071889/soa/what-is-service-oriented-architecture.html, accessed 6:15pm 14Aug17
[4] A Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
[5] A back door is a means of access to a computer program that bypasses security mechanisms.
[6] Available at http://www.springer.com/978-3-540-87741-7, accessed 3:00pm 12Aug17
[7] Available at http://research.ijcaonline.org/volume120/number4/pxc3903929, accessed 3:45pm 12Aug17
Man-in-the-middle Attacks An attacker intercepts the communications between client and
server and then acts as an intermediary between the two without either party knowing.
Schema Poisoning Schema poisoning is the manipulation of a schema, by replacing or modifying
it, in order to compromise the programs that process documents that use this schema. One
possible attack is denial of service: the schema is modified so that it no longer contains the
information required for subsequent processing.[8]
WSDL Scanning A WSDL document contains information such as the list of web methods, the
parameters of those methods, and their input and output types. Lindstrom points out that by
scanning the WSDL document an attacker may learn sensitive information such as types,
messages, operations, port types and bindings, and may guess other, unpublished methods.
Parameter Tampering According to Lindstrom, attackers manipulate parameters in order to
obtain unauthorized information; in doing so, the attacker can inject malicious content into an
XML parameter. The purpose of a parameter tampering attack is to modify the parameters sent
between the user and the application.
XML Wrapping If attackers successfully obtain the WSDL file, they may exploit XML wrapping
to bypass authentication. XML wrapping works more or less in the same way as SQL injection:
because the message sent by the user is in XML format, all the input data is wrapped into XML
tags, called elements.
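The parameter tampering and XML wrapping paragraphs above both come down to the same defect: a user-supplied value is pasted into an XML parameter without escaping, so it can close its element and add elements of its own. The example below is added here and is not code from the report; the SOAP operation `getStatement`, its `accountId` parameter and the hostile input are all constructed. It shows the vulnerable builder beside the escaped one, and a service-side allow-list check that refuses any request carrying parameters it does not expect.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def build_request_unsafe(account_id):
    """Vulnerable: the caller's value is pasted straight into the XML parameter."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
            f'<getStatement><accountId>{account_id}</accountId></getStatement>'
            '</soap:Body></soap:Envelope>')

def build_request_safe(account_id):
    """Hardened: the value is escaped, so it can only ever be element text."""
    return build_request_unsafe(escape(account_id))

def parameters_of(envelope_xml):
    """What the service-side parser actually sees as parameters of getStatement."""
    root = ET.fromstring(envelope_xml)
    operation = root.find(f"{{{SOAP}}}Body/getStatement")
    return [(child.tag, (child.text or "").strip()) for child in operation]

def accept_parameters(params, allowed=("accountId",)):
    """Service-side allow-list: exactly the expected parameter names, nothing extra."""
    return sorted(tag for tag, _ in params) == sorted(allowed)

# Constructed hostile input: closes the real parameter and smuggles in a second element.
HOSTILE = "1001</accountId><role>admin</role><accountId>1001"

if __name__ == "__main__":
    injected = parameters_of(build_request_unsafe(HOSTILE))
    print(injected, accept_parameters(injected))
    # [('accountId', '1001'), ('role', 'admin'), ('accountId', '1001')] False
    escaped = parameters_of(build_request_safe(HOSTILE))
    print(escaped, accept_parameters(escaped))
    # [('accountId', '1001</accountId><role>admin</role><accountId>1001')] True
```

Escaping fixes the builder; the allow-list still matters because the service cannot know whether every client escaped correctly.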
[8] Available at https://capec.mitre.org/data/definitions/146.html, accessed 12:30am 13Aug17
[9] An interpreter translates high-level instructions into an intermediate form, which it then executes.
[10] The Web Services Description Language is an XML-based interface definition language that is used for describing the functionality offered by a web service.
3.6 Overflow Attacks
Buffer Overflow Attacks In a buffer overflow attack, an attacker puts a larger amount of data
than expected into a program variable, so that the memory reserved for the operation is smaller
than the amount of data written to it.
Denial-of-Service (DoS) Attack Denial of service (DoS) is the process of making a system or
application unavailable. An attacker tries to prevent legitimate users from accessing a service by
flooding it with thousands of requests; in other words, a DoS attack may be accomplished by
bombarding a server with requests until all available system resources are consumed.[11]
4. Vulnerabilities
A vulnerability is a weakness that can be used to make a system defective, which can eventually
lead to loss or damage. However, not every vulnerability can be exploited. SOA is a type of
middleware: it is affected by the classical security vulnerabilities of the hardware, of the
operating systems, and in turn of the software built on those operating systems. SOA is also
affected by Web application vulnerabilities because it is usually built on top of web protocols.[12]
[11] Available at searchsecurity.techtarget.com › Denial of service, accessed 1:30am 13Aug17
[12] Available at https://us.norton.com/online-threats/microsoftwindowsuddiservicescve-2015-2475crosssitescrip-76259-vulnerability.html, accessed 2:30am 13Aug17
4.1 Classical Vulnerabilities
Classical security vulnerabilities are those that can be exploited without using the more recent
Web technologies.
Cross-site scripting (XSS) XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation or escaping. XSS allows attackers to execute
scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the
user to malicious sites.[14]
Cross Site Request Forgery (CSRF) CSRF attacks are the opposite of XSS attacks. CSRF is a
type of attack that occurs when a malicious web site, email, blog, instant message, or program
causes a user's web browser to perform an unwanted action on a trusted site for which the user
is currently authenticated. The impact of a successful CSRF attack is limited to the capabilities
exposed by the vulnerable application.
Security misconfiguration If a Web site's security is not configured correctly, an attacker may
exploit such a vulnerability to gain unauthorized access.
[13] Available at www.dtic.mil/get-tr-doc/pdf?AD=ADA576267, accessed 1:00pm 13Aug17
[14] Available at https://www.owasp.org, accessed 11:00am 15Aug17
Metadata spoofing An attacker may modify Web service-related metadata such as a WSDL
statement or an associated WS-Security policy. For instance, the Web service's endpoint may be
modified so that the attacker can establish a man-in-the-middle attack for eavesdropping or, even
worse, for modification of Web service data. To mitigate such attacks, service consumers must
carefully verify the authenticity of Web service metadata.
Metadata spoofing (business process layer) The metadata spoofing described above for Web
services is also applicable to business processes. For instance, an attacker may modify a
business process's endpoint references in its BPEL statement. Mitigation strategies similar to
those described above for the Web services layer may be applied.
BPEL state deviation A BPEL engine may have many process instances running at the same
time, with communication endpoints open at all times to receive incoming messages. An attacker
can flood those endpoints with many BPEL messages that conform to the schema but carry no
meaningful content, and the computational resources of the BPEL engine are quickly exhausted.
To mitigate such attacks, as few computational resources as possible should be spent on
rejecting such invalid messages.
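Both the DoS paragraph earlier and the BPEL state deviation paragraph above end in the same mitigation: spend as little as possible on a message before deciding to drop it. The example below is added here and is not code from the report; it orders the checks a front door to the engine would run, cheapest first (size, then a per-client token bucket, then parsing, then a test that the required elements actually carry content), so that a schema-valid but empty flood never reaches the engine. The message format, element names, size cap and rate are all assumptions for the example.

```python
import time
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024  # assumed cap for one message; real limits depend on the service

class CheapGate:
    """Cheap-first admission checks run before the process engine sees a message."""
    def __init__(self, rate_per_s=5.0, burst=10, required=("orderId", "amount")):
        self.rate, self.burst, self.required = rate_per_s, burst, required
        self.buckets = {}  # client -> (tokens, time of last refill)

    def _take_token(self, client, now):
        """Token bucket per client: refill at rate_per_s up to burst, spend one per message."""
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True

    def admit(self, client, raw, now=None):
        now = time.time() if now is None else now
        if len(raw) > MAX_BYTES:              # O(1): size, before anything else
            return "reject: oversized"
        if not self._take_token(client, now):  # O(1): per-client rate limit
            return "reject: rate limited"
        try:                                   # only now pay for parsing
            root = ET.fromstring(raw)
        except ET.ParseError:
            return "reject: malformed"
        for name in self.required:  # schema-valid but empty payload: refuse it here
            if not (root.findtext(name) or "").strip():
                return f"reject: empty {name}"
        return "accept"

if __name__ == "__main__":
    gate = CheapGate()
    good = "<process><orderId>42</orderId><amount>9.99</amount></process>"  # constructed
    empty = "<process><orderId></orderId><amount/></process>"               # constructed
    print(gate.admit("10.0.0.5", good, now=0))   # accept
    print(gate.admit("10.0.0.5", empty, now=0))  # reject: empty orderId
    results = [gate.admit("10.0.0.9", good, now=1) for _ in range(12)]
    print(results.count("accept"), results.count("reject: rate limited"))  # 10 2
```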
[15] Business Process Execution Language (BPEL) defines a notation for specifying business process behavior based on Web Services.
[16] Available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465.4469&rep=rep1&type, accessed 12:15pm 15Aug17
4.6 HTTP Header Manipulation
HTTP headers carry the control information that is passed between client and server. An
attacker can write a program that manipulates the HTTP headers of the requests it sends, so
that the target service is attacked through the values in those headers.
There is a need for an integrated architecture which can provide robust protection against the
complete spectrum of threats.
6. References
http://www.secc.org.eg/recocape/Documents/SECC_Tutorials_A%20Quick%20Introduction%20to%20SOA.pdf
https://msdn.microsoft.com/en-gb/library/ff648318.aspx
http://ieeexplore.ieee.org/document/6320751/?part=1
https://www.owasp.org
www.csonline.com
liris.cnrs.fr/.../Y-Badr-Challenges-of-Security-Risks-in-Service-Oriented%20Architect