Security researchers have demonstrated a new kind of internet attack at RSA Conference 2009 that threatens providers and users of web services. That includes users of sites such as Twitter and Facebook that use web services to share their content and data with other sites, conference attendees heard in San Francisco.
The "XML bomb" attacks are an emerging class of internet security attacks that web developers need to be aware of, said Peter Soderling, founder of Stratus Security Technologies, and Steve Orrin, Intel director of security solutions. These attacks are typically aimed at stealing information for cyber-crime or taking a web service offline.
Research by Soderling and Orrin with the Center for Advanced Defense Studies has revealed several attacks that use common application programming interfaces (APIs). XML-based APIs, which enable most of the multi-billion dollar web services industry, are now being used as an attack channel by cyber-criminals. Soderling and Orrin highlighted three main forms of "XML bomb" attacks that have been on the radar for the past few years.
In RSS attacks, cyber-criminals inject attack code into a site's RSS feed, which is delivered through the API to client machines requesting information from the site. "This type of attack is brand new. It has never been seen in the wild before," Soderling told Computer Weekly. Cyber-criminals can use this type of attack to execute programs on an end-user's machine, which is the "holy grail" of information insecurity, he said.
In a second type of attack, services can be prevented from responding to requests by creating an XML request that refers to itself, setting up an endless loop that disables the service.
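The self-referencing XML request described above is something an API gateway or ingress filter can screen for before the document ever reaches the application's parser. The following Python is an added example, not code from Soderling, Orrin or Computer Weekly; its sample documents, the 64 KiB expansion limit and the use of expat's declaration handlers are assumptions, and it also measures the non-recursive nested variant, where a chain of entities expands into a payload far larger than the request.

```python
import re
import xml.parsers.expat as expat
# Added example, not the researchers' code: screen the DTD of an inbound XML request
# for self-referencing or hugely expanding entities before the application parses it.
# The sample documents and the 64 KiB expansion limit are constructed assumptions.
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")

class _DtdDone(Exception):
    pass  # raised from a handler to stop expat once the DOCTYPE has been read

def declared_entities(xml_text):
    """{name: replacement text} of internal general entities; the body is never parsed."""
    entities, parser = {}, expat.ParserCreate()
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entity
            entities[name] = value
    def on_end_doctype():
        raise _DtdDone  # references in the body would be expanded from here on
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_text, True)
    except _DtdDone:
        pass
    return entities

def expansion_sizes(entities):
    """({name: fully expanded length}, names found on a reference cycle)."""
    sizes, cyclic, visiting = {}, set(), set()
    def size(name):
        if name in sizes:
            return sizes[name]
        if name in visiting:  # &a; reached again while expanding a itself
            cyclic.add(name)
            return 0
        visiting.add(name)
        text = entities[name]
        total = len(ENTITY_REF.sub("", text))  # literal characters
        for ref in ENTITY_REF.findall(text):  # predefined/undeclared refs count as 1
            total += size(ref) if ref in entities else 1
        visiting.discard(name)
        sizes[name] = total
        return total
    for name in entities:
        size(name)
    return sizes, cyclic

def assess(xml_text, max_expansion=65536):
    """(accepted, reason): reject recursive or oversized entity definitions."""
    sizes, cyclic = expansion_sizes(declared_entities(xml_text))
    if cyclic:
        return False, "recursive entity: " + ", ".join(sorted(cyclic))
    biggest = max(sizes.values(), default=0)
    return biggest <= max_expansion, f"largest entity expands to {biggest} characters"

# Constructed samples: the self-referencing request from the talk, and a nested one.
SELF_REF = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "&a;">]><r>&a;</r>'
NESTED = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;">]><r>&c;</r>'
```

Because the parse is stopped at the end of the DOCTYPE, the check costs only the size of the declarations, never the size of what they would expand to.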
Attacks have also used a language known as XPath to inject queries through an API to enable them to view other users' data, such as account numbers. According to the Open Security Foundation, 14% of data theft is now through web services, accounting for $1.2bn in losses through data leakage in 2008.
"As organisations adopt XML and Web 2.0 services, it is important they understand the grave risk these new technologies can pose," said Orrin. According to Soderling, developers need to understand that security is "a whole new ball game" when it comes to deploying APIs. Developers need to ensure cyber-criminals are not able to exploit weak API defences to steal data or take the service offline, he said. "They need to be trained to write better, safer code that validates every piece of data that comes into a system," said Soderling.
Businesses can also add another layer of protection by deploying API management and security products in front of APIs to reduce the vulnerabilities, he said. Defending the decision to go public with the information, Soderling said it would help the developer community find a way to solve the problem before it spreads.