Think your Web services environment is safe? Think again. XML-based Web services are subject to the same malicious attacks that exploit XML. With XML increasingly becoming the lingua franca for online business transactions, the threat of these attacks intensifies.
The popular Web Services Security (WSS) 1.0 standard addresses authentication and authorization, but not SQL Injection and other attacks. The three basic threats to Web services and XML are conventional identity-based attacks, malicious content attacks and operational attacks.
Identity-based attacks are germane to any exchange over HTTP. Although Web services aren't restricted to riding atop HTTP, most SOAP (Simple Object Access Protocol) traffic is implemented this way. WSS 1.0 provides a set of authentication and authorization standards for preventing conventional identity attacks.
Existing XML security-focused standards, such as XML-Encryption and XML-Signature, secure against these attacks at the application layer. Transport-layer security (SSL for HTTP and TLS for SMTP) can alleviate the potential for eavesdropping. But Web services can't rely on these methods alone, because they sometimes require a SOAP intermediary node to process the document before forwarding it to the endpoint. Transport-layer encryption also hides the message from devices such as intrusion-detection systems and load balancers, so it can't function as your total security solution. Encryption services and identity verification must occur at the application layer.
Malicious content attacks, meanwhile, try to force a SOAP endpoint (server) to do something it wasn't meant to do, such as retrieving data it's not authorized to access, or even destroying data through SQL Injection or manipulated content within a SOAP message. The result: the receiving endpoint consumes excessive resources and crashes or becomes unresponsive.
Operational attacks produce a denial of service. Like malicious content attacks, they typically manipulate the XML message or the schema to tie up server resources.
Token Security
Several standards address application-layer security, which extends to Web services and SOAP:
* XML-Encryption provides full- or partial-message encryption.
* XML-Digital Signatures let a sender cryptographically sign messages, which can then be used as authentication credentials or a way to check data integrity.
* XML-Schema can be used to define an XML message's appearance. It also can guard against some content-based attacks, such as buffer overflow and SQL/XQuery Injection.
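The following is an added example, not code from the article, showing how a SOAP endpoint can apply the content controls described above: a message-size cap against operational (resource-exhaustion) attacks, a schema-style restriction on a request field standing in for an XML-Schema pattern/maxLength facet, and a parameterized database query so that the field value can never alter the SQL. The service namespace `urn:example:accounts`, the `GetAccount`/`userId` elements and the in-memory table are constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"   # SOAP 1.1 envelope namespace
SVC_NS = "{urn:example:accounts}"                          # hypothetical service namespace
MAX_MESSAGE_BYTES = 4096                                   # operational guard: cap message size
USER_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")            # mirrors an xs:pattern + maxLength facet


class RejectedMessage(Exception):
    """Raised when a SOAP request fails content validation."""


def extract_user_id(raw: bytes) -> str:
    """Validate the envelope and return the <userId> value, or raise RejectedMessage."""
    if len(raw) > MAX_MESSAGE_BYTES:                       # reject before spending parser time
        raise RejectedMessage("message exceeds size limit")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    if root.tag != SOAP_NS + "Envelope":
        raise RejectedMessage("root element is not a SOAP Envelope")
    node = root.find(f"{SOAP_NS}Body/{SVC_NS}GetAccount/{SVC_NS}userId")
    if node is None or node.text is None:
        raise RejectedMessage("missing userId")
    value = node.text.strip()
    if not USER_ID_RE.fullmatch(value):                    # schema-style restriction on content
        raise RejectedMessage("userId violates schema restriction")
    return value


def lookup_balance(conn: sqlite3.Connection, user_id: str):
    """Parameterized query: user_id is bound as data, never spliced into the SQL text."""
    row = conn.execute("SELECT balance FROM accounts WHERE user_id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the endpoint's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user_id TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 120), ("bob", 45)])
    return conn


def envelope(user_id: str) -> bytes:
    """Build a constructed GetAccount request carrying the given userId text (escaped for XML)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS[1:-1]}"><soap:Body>'
            f'<GetAccount xmlns="{SVC_NS[1:-1]}"><userId>{escape(user_id)}</userId></GetAccount>'
            f'</soap:Body></soap:Envelope>').encode()
```

A well-formed request for `alice` passes both checks, while a value carrying quote characters is refused at validation and, even if it reached the database, would simply match no row because it is bound as a parameter.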
Both XML-Encryption and XML-Digital Signatures allow for partial message...