Web Services Security - The Basics

By balaji

April 17, 2010

Wiki defines Web services as "Application programming interfaces (API) or web APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services". Put in simpler words, a web service is a function of an application that is made available for other developers to integrate into their own applications.

Say I have a piece of code which precisely calculates the age of any girl based on 5 questions and their answers. Believe me, this is a really difficult piece of code and everyone will wish to have it on their website. Now if I publish this code as a service, you as a developer can simply use this service and integrate it into your application instead of racking your gray cells and trying to write one of your own. Since web services can be used to connect to data sources even from outside the enterprise, they are prone to hacker attacks.

Before moving on to basic security concepts, let's first understand the four technologies that form the basis of web services:

  1. Extensible Markup Language (XML):
    1. XML is plain text.
    2. XML was designed to carry data, not to display data.
    3. XML tags are not predefined. You must define your own tags.
    4. XML is designed to be self-descriptive.
    5. XML is the standard of web services standards.
  2. Simple Object Access Protocol (SOAP):
    1. SOAP is a communication protocol
    2. SOAP is a format for sending messages
    3. SOAP is designed to communicate via Internet
    4. SOAP is platform independent
    5. SOAP is language independent
    6. SOAP is based on XML
    7. SOAP is simple and extensible
    8. SOAP allows you to get around firewalls

    A SOAP message consists of 2 parts: the header, which contains information about the message such as how it is managed and secured, and the body, which contains the message payload.

  3. Web Services Description Language (WSDL):
    1. WSDL is used to describe Web services
    2. WSDL is used to locate Web services
    3. WSDL describes the set of operations the web service provides.
    4. WSDL is a set of rules that describes a web service, how clients can communicate with it, and how and what messages will be sent in the SOAP envelope.
  4. Universal Description, Discovery & Integration (UDDI):
    1. UDDI is a directory for storing information about web services
    2. UDDI is a directory of web service interfaces described by WSDL
    3. UDDI defines the set of services supporting the description & discovery of other web service providers, the web services they make available & the interfaces which may be used to access these services.

Web Services thus aim to deliver interoperability and reusability, helping different business applications to talk and transact across multiple platforms. Like many other technologies, Web Services do not have security incorporated or enabled by default. Web Services Security can broadly be divided into two categories: interface and implementation security, and message security.

Interface and implementation security includes controls such as Secure Sockets Layer (SSL), Access Control Lists (ACL) etc. These are the basic web-based security implementations.

For message security, XML mechanisms such as WS-Security, the Security Assertion Markup Language (SAML), XML Signature and XML Encryption can sign, encrypt, and authenticate message data. This increases trust in the confidentiality and authenticity of data in transit. Here is a quick overview of each.

XML Signature

XML Signature defines an XML syntax for digital signatures. Also referred to as XML DSig, it is more flexible than PGP and other forms of digital signature because it operates on the XML infoset rather than on binary data. (The XML infoset, in simpler words, describes an XML document as a data model in terms of information items.) It is core to WS-Security, XKMS, and other Web services security standards. It provides integrity and non-repudiation, and can play a vital role in the process of key sharing that is needed by XML Encryption.

Another important concept is canonicalization. Verifying data integrity in XML is particularly challenging, since differences in platforms and XML parsers can result in logically equivalent documents being physically different. Canonicalization is therefore applied before signing, so that only the necessary elements are signed and meaningless differences like white space and line endings are eliminated.
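The effect is easy to see by hashing two logically equivalent documents before and after canonicalization. This is an added example, not code from the original article; it uses the C14N 2.0 implementation in Python's standard library (the article does not name a canonicalization algorithm), the documents are constructed sample data, and the SHA-256 digest stands in for the digest step of a signature rather than a full XML Signature.

```python
# Added example (not from the original article): digest before and after
# canonicalization. Documents below are constructed sample data.
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Same information, different bytes: attribute order, quote style,
# whitespace and line endings inside the tag, empty-element syntax.
DOC_A = '<order id="42" currency="USD"><item>book</item><note/></order>'
DOC_B = ("<order  currency='USD'\r\n   id='42'>"
         "<item>book</item><note></note></order>")
# A real content change: must still be detected after canonicalization.
DOC_TAMPERED = '<order id="42" currency="USD"><item>books</item><note/></order>'


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as received."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """SHA-256 over the canonical serialization of the document."""
    canonical = canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare(doc_x: str, doc_y: str) -> dict:
    """Report whether two documents match byte-wise and canonically."""
    return {
        "raw_equal": raw_digest(doc_x) == raw_digest(doc_y),
        "canonical_equal": canonical_digest(doc_x) == canonical_digest(doc_y),
    }


if __name__ == "__main__":
    print("canonical form:", canonicalize(DOC_B))
    print("A vs B:       ", compare(DOC_A, DOC_B))
    print("A vs tampered:", compare(DOC_A, DOC_TAMPERED))
```

Text inside elements is not normalized by default, so a changed word or added space in element content still changes the digest.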

XML Encryption

XML Encryption provides end-to-end security for applications that require secure exchange of structured data. XML-based encryption is the best-suited way to handle complex security requirements in XML data interchange applications. Traditionally, TLS/SSL is used to encrypt the data. However, XML Encryption provides a mechanism for security requirements that are not covered by SSL. The following are the two important areas not addressed by SSL:

  • Encrypting part of the data being exchanged
  • Secure sessions between more than two parties

XML Encryption is divided into two main parts:

  • Symmetric encryption for data transfer
  • Asymmetric encryption to exchange the keys which can be used for data transfer later.

XML Encryption applies standard algorithms to data and then stores that encrypted result in XML.


Security Assertion Markup Language (SAML)

Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). An assertion applies to an individual or entity and is attached to the message. In short, SAML provides a set of rules that can be used to obtain these assertions from trusted third-party services that make authorization and authentication decisions about individuals and entities. After the authority makes its assertion, SAML also provides a way to exchange the information.

The single most important problem that SAML is trying to solve is the Web Browser Single Sign-On (SSO) problem.


WS-Security

WS-Security deals more with SOAP security and is a member of the WS-* family of web service specifications published by OASIS. The protocol specifies how integrity and confidentiality can be enforced on messages, and it abstracts different security technologies into claims and tokens. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

WS-Security describes three main mechanisms:

  • How to sign SOAP messages (using XML signatures) to assure integrity and non-repudiation.
  • How to encrypt SOAP messages (using XML encryption) to assure confidentiality.
  • How to apply for security tokens, how to link them to an identity & how they are attached to web services.


Auditing

Besides the basic controls mentioned above, auditing should also be enabled. This can help detect any "broken into" kind of requests. Audit records can also reveal larger weaknesses that might affect regulatory compliance and even corporate governance. Auditing can basically include the following categories:

  • Authentication, Authorization & Access
  • Data Changes & Application Changes
  • Threats such as invalid inputs
  • Resource management
  • Startups & Shutdown events
  • Faults & Errors

Other Concerns

Other issues which need to be considered while securing web services include:

  1. Brute force attack: Proper measures should be in place to prevent brute force attacks aimed at gaining privileged access. Recently, improper controls against brute force attacks on Yahoo web services were in the news. The attacker was able to gain login credentials for hundreds of users (with weak passwords). The account must be locked out after a specified number of incorrect login attempts.
  2. Spoofing attack: An attacker can spoof user information to gain unauthorized access. If the compromised credentials belong to an administrator account, the outcome can be worse. A proper authentication mechanism can help tackle spoofing attacks.
  3. Security bugs: Bugs in the application can be used by an attacker to launch attacks like XPATH/SQL injection, input variable manipulation etc. User input should be properly validated.
  4. XML Denial of Service attack: The vulnerability mainly exists in the XML parser. Specially crafted payloads can bring the XML parser to its knees. Some known attacks are XML Bombs and External Entity attacks. There are various ways to defend against these DoS attacks, such as disabling unneeded features like inline DTD schemas in the XML parsing object and securely configuring the behavior of XmlReader.
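The parser hardening described in item 4 can be sketched as follows. This is an added example, not code from the original article: it uses Python's standard expat bindings rather than the .NET XmlReader the article mentions, the function names and the size limit are assumptions, and both sample messages are constructed.

```python
# Added example (not from the original article): refuse inline DTDs and
# entity declarations before any entity can be expanded.
import xml.parsers.expat as expat

MAX_MESSAGE_BYTES = 64 * 1024  # assumed size limit, tune per service


class ForbiddenXML(ValueError):
    """Raised when a message uses a feature the service does not accept."""


def parse_untrusted(xml_bytes: bytes) -> list:
    """Parse a request and return its element names, rejecting DTD use."""
    if len(xml_bytes) > MAX_MESSAGE_BYTES:
        raise ForbiddenXML("message exceeds size limit")

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed")

    def reject_entity(*_args):
        raise ForbiddenXML("entity declaration or external reference not allowed")

    elements = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    return elements


# Constructed sample messages.
CLEAN = b"<Envelope><Header/><Body><getAge>5</getAge></Body></Envelope>"
WITH_DTD = (b'<!DOCTYPE Envelope [<!ENTITY a "aaaa">]>'
            b"<Envelope><Body>&a;</Body></Envelope>")


def verdict(xml_bytes: bytes) -> str:
    """Return 'accepted: ...' or 'rejected: <reason>' for a message."""
    try:
        return "accepted: " + ",".join(parse_untrusted(xml_bytes))
    except ForbiddenXML as exc:
        return "rejected: " + str(exc)
```

Because the DOCTYPE handler fires before the internal subset is processed, the message is rejected before the parser does any entity expansion work.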

Thus we have done a brief walk-through of the security concepts and controls that can be implemented in Web Services. Controls for encryption, authentication, authorization, non-repudiation and availability, when implemented correctly, can help protect your web services against the prying eyes of hackers.

