• DocumentCode
    2696285
  • Title

    Vulnerable Cloud: SOAP Message Security Validation Revisited

  • Author

    Gruschka, Nils ; Iacono, Luigi Lo

  • Author_Institution
    NEC Labs. Eur., Sankt Augustin, Germany
  • fYear
    2009
  • fDate
    6-10 July 2009
  • Firstpage
    625
  • Lastpage
    631
  • Abstract
    The service-oriented architecture paradigm is influencing modern software systems remarkably and Web services are a common technology to implement such systems. However, the numerous Web service standard specifications and especially their ambiguity result in a high complexity which opens the door for security-critical mistakes. This paper aims at raising awareness of this issue while discussing a vulnerability in Amazon's Elastic Compute Cloud (EC2) services to XML wrapping attacks, which has since been resolved as a result of our findings and disclosure. More importantly, this paper discusses the verification steps required to effectively validate an incoming SOAP request. It reviews the available work in the light of the discovered Amazon EC2 vulnerability and provides a practical guideline for achieving a robust and effective SOAP message security validation mechanism.
  • Keywords
    Web services; formal specification; message authentication; program verification; software architecture; Elastic Compute Cloud services; SOAP message security validation; Web service; XML wrapping attack; service-oriented architecture paradigm; vulnerable Cloud; Cloud computing; Guidelines; Robustness; Security; Service oriented architecture; Simple object access protocol; Software systems; Web services; Wrapping; XML; Cloud Computing; Web Service Security; XML Wrapping Attack;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Web Services, 2009. ICWS 2009. IEEE International Conference on
  • Conference_Location
    Los Angeles, CA
  • Print_ISBN
    978-0-7695-3709-2
  • Type

    conf

  • DOI
    10.1109/ICWS.2009.70
  • Filename
    5175877