2009 IEEE International Conference on Web Services (2009)
Los Angeles, CA
July 6, 2009 to July 10, 2009
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ICWS.2009.70
The service-oriented architecture paradigm is influencing modern software systems remarkably and Web Services are a common technology to implement such systems. However, the numerous Web Service standard specifications and especially their ambiguity result in a high complexity which opens the door for security-critical mistakes.This paper aims on raising awareness of this issue while discussing a vulnerability in Amazon’s Elastic Compute Cloud (EC2) services to XML wrapping attacks, which has since been resolved as a result of our findings and disclosure. More importantly, this paper discusses the verification steps required to effectively validate an incoming SOAP request. It reviews the available work in the light of the discovered Amazon EC2 vulnerability and provides a practical guideline for achieving a robust and effective SOAP message security validation mechanism.
Web Service Security, XML Wrapping Attack, Cloud Computing
L. L. Iacono and N. Gruschka, "Vulnerable Cloud: SOAP Message Security Validation Revisited," 2009 IEEE International Conference on Web Services(ICWS), Los Angeles, CA, 2009, pp. 625-631.