Slashdot Mirror
SOAP Security Problems
LarryWest42 writes: "This article lists a number of sobering security problems with SOAP (not only the avoidable one of tunneling through HTTP). I found it thanks to Bruce Schneier's latest Crypto-Gram newsletter."
← Back to Stories (view on slashdot.org)
Geeks are afraid of bathing, and thus want soap, shampoo, and other normal cleaning implements to look bad. This is just a pathetic attempt to justify their unconscionable stench. Just take a bath already!
There was an article on SOAP security in the MSDN recently where they advocated turning off the HTTP-Get and HTTP-Post protocols for production web services and rely on SOAP instead. It hardly seems like enough. Now every developer is going to have to be responsible for ensuring their web-services can only accpet valid parameters, and can only be accessed by those who should be able to access them. I can see that security for web-services as being a key issue for developers in the near future. I know my local MSDN users group is getting a discussion from a technical evangelist from M$ on this topic very soon.
For those of you like me that have no clue what REST is (REpresentatational State Transer) here's a decent wiki page I found on it.
Everyone who even pretends to be able to knock up websites, hack PHP and CGI scripts etc should be familar with REST; it's one of the core concepts behind the web.
The REST Wiki is a good place to start.
Besides security, we quit using Soap for our web services and use our own custom libs which we provide to clients because the performance is horrendous. When you're providing a web service API to thousands of clients, that becoms an issue quite quickly. Sure XML is platform neutral/agnostic, but is the parsing performance hit you take really worth it?
~mark
Someone asks you to pick up the bar of soap off of the shower floor. You bend over to pick it up... BAM!... your security is breached.
This has been a known issue amongst the prison vendors for years... None of them have done anything about it yet, though.
While I appreciate SOAP is a great technology, and its impact will be huge, It did always puzzle me why everyone kept insisting on cramming it all through port 80. The justification that it would go through existing firewalls never really washed (sorry...) with me. Is there really such a problem with assigning a new protocol? I mean, if a company are going to expose web services, then a firewall config change isn't really going to cause too much hassle in the grand scheme of things. my $0.02
That man tried to kill mah Daddy
It seems the author is trying to proffer REST, a putatively alternative approach to the use of the existing web infrastructure as little more than a transport for messages to be interpreted by the endpoints, like SOAP does, and I think that is the motivation for the FUD article mentioned in this slashdot story. To me that article does not seem to say much besides that the existing web architecture cannot be used to satisfy the additional security demands created by application level web services interaction protocols like SOAP. I do not see that as a "SOAP security problem".
It seems the author is trying to proffer REST [xml.com], a putatively alternative approach
.the existing web architecture cannot be used to satisfy the additional security demands created by application level web services interaction protocols like SOAP. I do not see that as a "SOAP security problem"
What's putative about it? REST says, for example, that every method has its own URI, while SOAP bundles a service's methods together under one URI.
. .
The article's complaint is that, not only is existing web architecture incompatible with SOAP, but there don't seem to be guidelines for developing secure SOAP apps - developers are left to their own devices. The amount of trouble people have with existing, well-understood approaches to networked services (such as those that fall under REST) suggests that expecting application developers to come up with good solutions on their own is risky.
It's true that SOAP-over-HTTP is intended to pass through most current corporate firewall configurations. However, the creators of SOAP deliberately included a SOAPAction header so that firewall admins will still be able to filter out undesirable SOAP requests.
See http://www.w3.org/TR/soap12-part2/#soapaction
-- Brian
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
I think SOAP will be useful, and hope that open source developer will support it. Inhouse database application developers like me will find COBRA too hard. :) So using VB + COM is a very trival solution for 3 tier stuff. If open source tools support SOAP, there is finally a choice other than MS. :) It maybe used in a few applications, but won't be a great impact on internet. However, it does provide a high level aspect for dummy programmer like us. :)
Actually, I think it will be more useful in internal network other than internet. Other than the security problem, I can't see a hugh demand on sharing information in such a way. Commerical entity tends to provide the presentation together with the data.
Well,
/getHistoricalStockQuotes?MSFT says to a security person: "okay, it's a GET. Barring tunnelling or a bug, it can't
:-)
.... back to the top of that article:
I forgot what FUD measn(only remember its something EVIL).
The article says something true: SOAP has no build in features for security.
But it is designed to be exactly like that!
My problem with the article at: http://www.prescod.net/rest/security.html is: it has simply to many false statements.
e.g. SOAP subverts HTTP's addressing model by hiding all of the data objects behind a component end-point interface.
This statement is simply silly: its up to you how many end-points you define. If you make one per method or one per component or any mixture is your descission.
A endpoint is basicly only a URI and the SOAP server has to cope with it and knows how the end-point is configured.
The SOAP server, long before the application, descides if a SAOP request can be routed to a specific end-point. What do you think why a end-point publishes its interface?
As a trivial example, GET
modify the server. Probably returning some kind of report for historical stock quotes. If there is tunnelling or a bug it isn't my fault. We'll fire
the programmer."
When he sees getHistoricalStockQuotes("MSFT") he says: "Hmmm. Probably returns stock quote. But can I be sure it doesn't modify
anything on the server? Maybe it's creating a new object that can be queried about different quote dates. If so, who is allowed to create
these objects? When are the destroyed? Can a malicious hacker leak them until the server runs out of memory? I better go read the
documentation for this thing because what it does isn't obvious at first glance. Maybe i better go find the programmer to make sure I
understand it."
Of course the two are equally simple: they both return a report. But one is very explicit about a promise not to modify server state. The other
is not.
This above is from the article.
Well, I only understand it so far that this is bullshit
What does the author like to say with that?
A HTTP GET request may modify the server?
Ah ha.
So a RPC or DCOM or CORBA request does *NOT* modify the server, or does guarantee it does not so?
Also: HOW, the heck should a SOAP service be able to create an other active object on the server and expose it via an external referable URI?
This is the sillist claim I've ever seen.
Consider this: how is a web server able to expose a new URI/URL to the external world for refferencing?
Get an idea? For SOAP the same restrictions apply.
Ah
SOAP uses a standard HTTP
POST method when it should use an extension method.
Wrong. SOAP can use the standard HTTP POST method and its up to the SOAP server if it accepts it or not.
The standard encaurages that applications using SOAP use the HTTP extension framework (M-POST).
After rereading that artice several times now, I'm getting tiered about the shallow level of EVERYTHING mentioned in it. As he mentiones Microsoft I asume he is mainly unhappy with their implementation or integration into Visual Basic.
Probably he should have a look on soap4j and the Appache/Tomcat SOAP extensions.
I realy would like to know WHAT the security isues with SOAP are.
Of course: the idea to tunnel SOAP through a firewall subverts the intention of a fierwall.
But the security problems are elsewhere.
A firewall easyly can say: oops thats not a request to a web page, I block it.
As the issue "security and SOAP" is very important IMHO, I realy would appreciate to get background infos and how to solve the issues WITH SOAP, not how to invent just another internet protocoll.
Regards,
angel'o'sphere
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
The article states (I'm paraphrasing)-
SOAP is complex - yes it is. It is also powerful. Oftentimes, that's how things work out. Sometimes, when you're really lucky, simple will be powerful.
SOAP can go through firewalls - yes, it can also not. So what?
MS visual studio makes it too easy to make SOAP-speaking services. - first - there's nothing wrong with that. Second, that has nothing to do with SOAP, the protocol.
SOAP encourages developers to design their own protocols to transport SOAP data around - this is a terrible straw-man argument. I don't see where this is coming from.
The web has a unified namespace, SOAP does not - this is true. Probably the least invalid of the author's claims. But the 'X does something new, and does so in a new fashion, therefore X is less secure' taken to extreme would imply no new protocols would ever be created. I'm not saying that the author is saying nothing new should ever be created, but I am noting that his argument, to the extreme, would completely retard progress.
SOAP security literature is misleading, security rests with the developer - any specification for how to interchange data, and make actual changes to state, places an implicit burden of security on the developer of services of said protocol. SOAP is no exception. Neither is HTTP, or XML-RPC, or sending Comma-seperated values via FTP or carrier pigeon. The problem is not specific to SOAP.
SOAP is new and untested - another valid point. It is. It may become something very powerful and useful, in the future.
All that being said - I think that SOAP is overkill, does not address real legitimate needs at this time, and isn't going to become the panacea that many predict. But this article doesn't effectively attack SOAP's weaknesses, by focusing on the security problems 'inherent' in SOAP. Those security problems are the same for anything developed on top of, or as an extension to, HTTP. SOAP's weaknesses are its complexity, and that a subset of SOAP (say, a third of it) can solve 99% of the problems that SOAP purports to solve. I just had problems with some poorly-executed attacks on SOAP as a protocol. End Rant.
Why anyone would use SOAP is beyond me. Its a very complicated middle layer of proprietary logic and gobbly-gook code just to turn a message into a function.
I advise not useing it; complications in implementation, bugs, performance, debugging, and security just make it a bad choice.
As others have mentioned, the argument doesn't go deep enough, but that doesn't discredit the whole essay. The point about SOAP doesn scale is probably true of all RPC. Doing truly distributed computing isn't easy because the network is not reliable. Anyone thinks there won't be network latencies or that latencies won't be significant is in for a surprise. Put SOAP in the hands of an experienced programmer and you'll see the true power, but the power isn't in the protocol. It's in the developer implementing the solution. A tool is a tool.
For SOAP to gain acceptance, there needs to be clearer guidelines about dos/don't and other important development issues. Without it, it's just an invitation for a VB programmer to open up a server to hackers. Hackers will try, so it's the responsibility of IBM and Microsoft to set the standard. That's where SOAP has really failed in my min