Web service Security{REST/SOAP}

  • Basic Authentication: Sending Base64-encoded combination of username:password to the Webservice  server. ex: base64(vaibs:polo) will be something like  “NJjks2njL8” . On server side the same info will be decoded to check for the authentication with database/LDAP/Any other Auth medium. More secure ways to authenticate is Digest(MD). Client send md5 hashe username:password combination to the WS server. WS server

  • WS-Security: Security config XMl on WS server. Designed for SOAP based auth specially.[specific to SOAP]
  • Public/Private Key Authentication.
  • Token based : OAuth2.0
  • Protecting HTTP methods. [ex: If POST method is valid for a user, Get/DELETE/PUT implementation should not be present or accessible.]
  • Always validating the incoming  content-type[if not valid, shows 406 Not Acceptable response].
  • Limiting the number of request per ip to the webservice  for a defined time frame to prevent Request flooding. [Request can be text, xml , json….]
  • Prohibiting as many special characters as possible to restrict XSS,XPATH injection.
  • Avoiding  replay attack by introducing a random complex strings while intercommunication[req/resp] b/w browser and Webservice.
  • JSON/XML encoding must be done on the user supplied data properly before the execution of user supplied data on the browser.
  • Always limit the size of SOAP message to avoid Dos attack that will try to consume 100% memory of the server if webservice allows any request.

 

PS: The best to secure the intergration layer[] is to go for multiple combinations of different ways out of above based upon the requirement.

One thought on “Web service Security{REST/SOAP}

  1. Very well summarized. I agree with you upon choosing a hybrid logic to implement the security around the app.

    Can you please demonstrate any vulnerable and secure version of the same REST/SOAP Java webservice with example ?
    Thanks in advance.

Leave a Reply

Your email address will not be published. Required fields are marked *

Blue Captcha Image
Refresh

*