RSA 2009: Security researchers demo new web services attacks

Security researchers have demonstrated a new kind of internet attack at RSA Conference 2009 that threatens providers and users of web services.

That includes users of sites such as Twitter and Facebook that use web services to share their content and data with other sites, conference attendees heard in San Francisco.

The "XML bomb" attacks are an emerging class of internet security attacks that web developers need to be aware of, said Peter Soderling, founder of Stratus Security Technologies, and Steve Orrin, Intel director of security solutions.

These attacks are typically aimed at stealing information for cyber-crime or taking a web service offline.

Research by Soderling and Orrin with the Center for Advanced Defense Studies has revealed several attacks that use common application programming interfaces (APIs).

XML-based APIs, which enable most of the multi-billion dollar web services industry, are now being used as an attack channel by cyber-criminals.

Soderling and Orrin highlighted three main forms of "XML bomb" attacks that have been on the radar for the past few years.

In RSS attacks, cyber-criminals inject attack code into a site's RSS feed, which is delivered through the API to client machines requesting information from the site.

"This type of attack is brand new. It has never been seen in the wild before," Soderling told Computer Weekly.

Cyber-criminals can use this type of attack to execute programs on an end-user's machine, which is the "holy grail" of information insecurity, he said.

In a second type of attack, services can be prevented from responding to requests by creating an XML request that refers to itself, setting up an endless loop that disables the service.
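A parser hardened against this class of input, as an added example that is not part of the article or the researchers' work: it refuses every entity declaration before any expansion can happen, which covers both the self-referencing request described above and exponential-expansion documents, refuses external entity references, and caps nesting depth. Sample inputs are constructed here for illustration.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document uses a feature we refuse to process."""


def parse_untrusted_xml(data: bytes, max_depth: int = 64) -> dict:
    """Parse XML from an untrusted source such as a third-party RSS feed.

    Entity declarations are rejected before expansion (stops self-referencing
    and exponential-expansion entities), external entity references are
    rejected (the parser never fetches files or URLs), and element nesting is
    capped at max_depth. Returns the root element as a dict with keys
    "tag", "attrs", "children" and "text".
    """
    sentinel = {"tag": None, "attrs": {}, "children": [], "text": ""}
    nodes = [sentinel]  # stack of currently open elements

    def entity_decl(name, *_):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def external_ref(*_):
        raise UnsafeXMLError("external entity reference not allowed")

    def start(tag, attrs):
        if len(nodes) > max_depth:
            raise UnsafeXMLError(f"nesting deeper than {max_depth} elements")
        node = {"tag": tag, "attrs": attrs, "children": [], "text": ""}
        nodes[-1]["children"].append(node)
        nodes.append(node)

    def chars(text):
        nodes[-1]["text"] += text

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: nodes.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # handler exceptions propagate out of Parse
    return sentinel["children"][0]


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (not from the article).
SAMPLE_FEED = b'<rss version="2.0"><channel><item><title>hello</title></item></channel></rss>'
SAMPLE_SELF_REF = b'<!DOCTYPE x [<!ENTITY a "&a;">]><x>&a;</x>'
SAMPLE_EXPANSION = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
                    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><x>&b;</x>')
SAMPLE_TOO_DEEP = b"<a>" * 80 + b"</a>" * 80
```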

Attacks have also used a language known as XPath to inject queries through an API to enable them to view other users' data, such as account numbers.

According to the Open Security Foundation, 14% of data theft is now through web services, accounting for $1.2bn in losses through data leakage in 2008.

"As organisations adopt XML and Web 2.0 services, it is important they understand the grave risk these new technologies can pose," said Orrin.

According to Soderling, developers need to understand that security is "a whole new ball game" when it comes to deploying APIs.

Developers need to ensure cyber-criminals are not able to exploit weak API defences to steal data or take the service offline, he said.

"They need to be trained to write better, safer code that validates every piece of data that comes into a system," said Soderling.

Businesses can also add another layer of protection by deploying API management and security products in front of APIs to reduce the vulnerabilities, he said.

Defending the decision to go public with the information, Soderling said it would help the developer community find a way to solve the problem before it spreads.