| Technique | Description | Protection |
| --- | --- | --- |
| Schema Poisoning | Manipulating the XML Schema to alter processing information | Protect against schema poisoning by relying on trusted WSDL documents and XML Schemas |
| XML Parameter Tampering | Injection of malicious scripts or content into request parameters | Validate parameter values to ensure they are consistent with the WSDL and XML Schema specifications |
| Inadvertent XML DoS | Poorly encoded SOAP messages causing the application to fail | Content inspection ensures SOAP messages are constructed properly according to the WSDL, XML Schema and intrusion prevention rules |
| WSDL Scanning | Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities | Web services cloaking hides the web service's true location from consumers |
| Oversized Payload | Sending oversized messages to create an XDoS attack | Inspect the payload and enforce element, document and other maximum payload thresholds |
| Recursive Payload | Sending mass amounts of nested data to create an XDoS attack against the XML parser | Content inspection ensures SOAP messages are constructed properly according to the WSDL, XML Schema and other security specifications |
| XML Routing Detours | Redirecting sensitive data within the XML path | WSDL virtualization enforces strict routing behavior |
| SQL Injection | SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data | Rely on dirty-word searches, restrictive context-sensitive filtering and data validation techniques |
| External Entity Attack | An attack on an application that parses XML input from untrusted sources | Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs |
| Malicious Code Injection | Scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses can be attached to SOAP payloads | Content inspection of SOAP attachments ensures messages contain legitimate content as defined in the WSDL, XML Schema and content security policies |
| Identity Centric Attack | Credentials are forged or impersonated in an attempt to access sensitive data | Enforce basic or strong authentication at the SOAP message level, with auditing and logging for forensic analysis |
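The content-inspection protections listed for the Oversized Payload, Recursive Payload, Inadvertent XML DoS and External Entity Attack rows can be implemented as a gate in front of the XML parser. The following is an added example (not code from the original page) of such a gate using Python's standard-library expat parser; the size and depth thresholds and the sample messages are constructed for illustration, and the SOAP 1.1 and 1.2 envelope namespaces are the standard ones.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # Oversized Payload: document size ceiling (constructed default)
MAX_DEPTH = 32          # Recursive Payload: element nesting ceiling (constructed default)
# SOAP 1.1 and 1.2 envelope roots, written as "namespace-URI localname".
SOAP_ROOTS = {"http://schemas.xmlsoap.org/soap/envelope/ Envelope",
              "http://www.w3.org/2003/05/soap-envelope Envelope"}

class RejectedMessage(Exception):
    """Raised when a SOAP message violates an inspection rule."""

def inspect_soap_message(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse `data` (bytes) under hard limits; return stats or raise RejectedMessage."""
    if len(data) > max_bytes:
        raise RejectedMessage(f"payload of {len(data)} bytes exceeds {max_bytes}")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DTD is what declares (external) entities; SOAP messages never need one.
        raise RejectedMessage("DOCTYPE declaration not permitted")
    def on_start(name, attrs):
        if stats["elements"] == 0 and name not in SOAP_ROOTS:
            raise RejectedMessage(f"root element {name!r} is not a SOAP Envelope")
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:
            raise RejectedMessage(f"nesting depth exceeds {max_depth}")
    def on_end(name):
        stats["depth"] -= 1
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)   # exceptions raised inside handlers propagate from here
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}

def is_accepted(data, **limits):
    """True if the message passes inspection, False if any rule rejects it."""
    try:
        inspect_soap_message(data, **limits)
        return True
    except RejectedMessage:
        return False

# Constructed sample messages: a benign request, a deeply nested one, and one carrying a DTD.
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><GetQuote><Symbol>ACME</Symbol></GetQuote></soap:Body></soap:Envelope>')
DEEPLY_NESTED = BENIGN.replace(b'<Symbol>ACME</Symbol>', b'<a>' * 40 + b'</a>' * 40)
WITH_DTD = b'<!DOCTYPE Envelope SYSTEM "http://example.invalid/envelope.dtd">' + BENIGN
```

Because the check refuses any DOCTYPE before entities can be declared, it also covers the external entity case without needing a resolver hook.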