Blue Coat Research Report Sample
The expanding use of Web services creates some new security challenges. Part of this challenge stems from the fact that in most instances, the blueprint for Web services communication is outlined in Web Services Description Language (WSDL) documents. These documents are intended to serve as a guide to an IT organization’s Web services. Unfortunately, they can also serve to guide security attacks against the organization. Assuming that a hacker has gained access to an organization’s WSDL document, the hacker can then begin to look for vulnerabilities in the system. For example, by seeing how the system reacts to invalid data that the hacker has intentionally submitted, the hacker can learn a great deal about the underlying technology and can use this knowledge to further exploit the system.
If the goal of the hacker is to create a denial of service attack or degrade application performance, the hacker could exploit the verbose nature of both XML and SOAP [6]. When a Web services message is received, the first step the system takes is to read through, or parse, the elements of the message. As part of parsing the message, parameters are extracted and content is inserted into databases. The amount of work required by XML parsing is directly affected by the size of the SOAP message. Because of this, the hacker could submit excessively large payloads that would consume an inordinate amount of system resources and hence severely degrade application performance.
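The parsing-cost argument above, as an added defensive example that is not from the Blue Coat report: a Python function that caps payload size, nesting depth and element count before a SOAP envelope reaches the application parser, so the work done per message is bounded by the operator rather than by the sender. The limit values, the SOAP 1.1 namespace constant and the sample messages are assumptions constructed for this demonstration.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

class MessageRejected(Exception):
    """Raised when a message exceeds a configured parsing limit."""

def parse_soap_bounded(raw, max_bytes=64 * 1024, max_depth=32, max_elements=2000):
    """Parse a SOAP envelope under size, depth and element-count caps (assumed defaults)."""
    # Cheapest check first: refuse an oversized payload before parsing a single byte.
    if len(raw) > max_bytes:
        raise MessageRejected(f"payload {len(raw)} bytes exceeds {max_bytes}")
    depth = elements = 0
    root = None
    try:
        # iterparse streams start/end events, so we abort early instead of building the whole tree.
        for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                root = root if root is not None else elem
                if depth > max_depth:
                    raise MessageRejected(f"nesting depth exceeds {max_depth}")
                if elements > max_elements:
                    raise MessageRejected(f"element count exceeds {max_elements}")
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise MessageRejected(f"malformed XML: {exc}") from exc
    if root is None or root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise MessageRejected("root element is not a SOAP Envelope")
    return root

def envelope(body: bytes) -> bytes:
    """Wrap a constructed Body payload in a minimal SOAP 1.1 envelope (test helper)."""
    return (b'<soap:Envelope xmlns:soap="' + SOAP_ENV.encode() + b'"><soap:Body>'
            + body + b'</soap:Body></soap:Envelope>')

def classify(raw: bytes) -> str:
    """Return 'accepted' or the rejection reason, suitable for a log line or alert."""
    try:
        parse_soap_bounded(raw)
        return "accepted"
    except MessageRejected as exc:
        return f"rejected: {exc}"
```

The same limits belong in front of the service (gateway or framework setting) as well as in application code, so a rejected message is logged and dropped before any database work is attempted.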