In their hurry to implement web services, some companies
may be exposing themselves to new security risks that they may not
fully understand, according to a US security
researcher.
During a presentation at the CanSecWest/core06 conference in
Vancouver, researcher Alex Stamos explained how a number of web
services technologies, including the XQuery query language, could
be exploited by hackers to dig up secret information and attack
systems.
Web services is a form of distributed computing that uses XML-based
standards to simplify the writing of software, on the premise that
web services applications are extremely portable and can interact
with many different kinds of software.
Stamos described an attack whereby a user could enter malicious
code into a web form and get that code to run by calling up the
company's customer service number and tricking a representative
into inadvertently executing it.
Web services requests can be used to mount denial of service
attacks, either by crafting malicious XML queries that consume massive
amounts of memory or by bombarding database applications with more
requests than they can handle.
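The memory-exhaustion vector described above (a small request that the parser expands into a large in-memory structure) is normally countered at the service boundary, before the XML ever reaches the query engine or database. What follows is an added example, not code from the article or from Stamos's talk; it assumes a Python service receiving XML requests and uses only the standard library's expat bindings. The size cap, the element names and the sample requests are constructed for illustration.

```python
import xml.parsers.expat

# Hypothetical request-size cap (an assumption for this example, not a
# figure from the article): anything larger is refused before parsing.
MAX_XML_BYTES = 64 * 1024


class UnsafeXMLRequest(ValueError):
    """Raised when an incoming request fails the pre-parse checks."""


def parse_request_xml(data: bytes, max_bytes: int = MAX_XML_BYTES) -> list[tuple[str, dict]]:
    """Parse an incoming XML request with a guarded expat parser.

    Returns a list of (element_name, attributes) in document order.
    Rejects oversized input and any document that carries a DOCTYPE or
    declares entities, because those are what let a few kilobytes of
    request expand into a large structure in the parser's memory.
    """
    if len(data) > max_bytes:
        raise UnsafeXMLRequest(f"request of {len(data)} bytes exceeds cap of {max_bytes}")

    elements: list[tuple[str, dict]] = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires as soon as a <!DOCTYPE ...> is seen; an exception raised in a
        # handler propagates out of parser.Parse(), so parsing stops here.
        raise UnsafeXMLRequest(f"DOCTYPE '{doctype_name}' not allowed in requests")

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        # Belt and braces: entities need a DTD, so the DOCTYPE check above
        # normally fires first, but reject any declaration that slips through.
        raise UnsafeXMLRequest(f"entity declaration '{entity_name}' not allowed in requests")

    def on_start(name, attrs):
        elements.append((name, dict(attrs)))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = on_start
    # Never fetch or expand parameter entities referenced from outside the document.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLRequest(f"malformed XML: {exc}") from exc
    return elements


def vet_request(data: bytes, max_bytes: int = MAX_XML_BYTES) -> tuple[bool, str]:
    """Non-raising wrapper: (True, 'ok') when the request is accepted,
    (False, reason) when it is refused. Handy for logging at the boundary."""
    try:
        parse_request_xml(data, max_bytes)
    except UnsafeXMLRequest as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample requests (not taken from the article).
CLEAN_REQUEST = b'<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'
DOCTYPE_REQUEST = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE order [<!ENTITY greet "hi">]>'
                   b'<order>&greet;</order>')

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("doctype", DOCTYPE_REQUEST)):
        ok, reason = vet_request(req)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
```

The two checks are deliberately cheap and run before any expansion happens: the byte cap bounds the work the parser can be asked to do, and refusing DOCTYPE declarations outright removes the mechanism by which a request can grow beyond its own size. Services that genuinely need DTDs should instead use a parser that enforces expansion limits, but for a request-response web service that is rarely the case.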
Web application suppliers have created tools that hide
complexity, making it easy to create web services. Unfortunately,
the tools also make it easy for their users to ignore the security
implications of the software they're building.
Web services security has largely been glossed over in the rush
to adopt the technology, but there is little doubt that holes are
there to be exploited – and it’s probably only a matter of time
before they are.