LAS VEGAS — Web Services are growing as the solution for creating a more
connected and extensible enterprise, but its W3C XML security specification isn’t so secure.
ISecpartners researcher Brad Hill spent about an hour at the Black Hat show here making his case against the WS-Security stack and how it could be compromised by an attacker.
The solution to the problem identified by Hill may be in how WS-Security is
configured. The solution could be to fall back on the established SSL
(define) mechanisms of ensuring secured transport.
“SSL is getting an anti-cult following, and some argue that it’s not right
for the Web Services world,” Hill told the Black Hat audience. “I disagree.
SSL does almost everything you need for real-world Web service deployment.”
He added that there is a lot of complexity in dealing with what he thinks
are immature WS-Security standards.
For one, the attack surface of WS-Security is much bigger than that of SSL.
With message-oriented security, Hill said, you need to have messages
before you can do anything. That’s not the case with SSL, where the
attacker gets less to play with.
Hill referred to the WS-Security stack as a target-rich environment that is
open for attack. In contrast, SSL with client certificates keeps users out of the message stack unless authenticated.
In Hill’s assessment, WS-Security is not ready to use out of
the box like SSL is. With WS-Security developers need to determine when
to sign and encrypt, as well as decide on a token. And they need to decide on which order the sign, encrypt and get-token processes should occur.
In his analysis, using
WS-Security for signing and encryption also cuts application throughput between 5 percent and 50 percent.
At the heart of Hill’s criticism of WS-Security are XML digital certificates,
which he demonstrated to be unwieldy and large. Fundamentally, the goal of
XML digital certificates is to be able to sign digital content.
In gruesome detail, Hill discussed attack
vectors for every step of the signing process, going line by line through a basic XML digital
certificate that protected only a few words of text.
Among the issues he raised was the use of XSLT (define), which is in WS-Security and used to transform XML documents into other XML
documents. Hill noted that it would be very easy to create a loop with XSLT that could consume infinite resource with tiny messages.