On Sat, Mar 21, 2009 at 05:50, Asankha C. Perera <[email protected]> wrote:
> Hi Simon
>>
>> My name is Simon and I am a student at the KTH in Stockholm/Sweden.
>> Right now I am doing a little thesis work with the topic "Security
>> Framework for Web-Services". During my research I found the Synapse tool
>> and it really totally fits my needs.
>>
>
> Cool.. glad to hear that!
>>
>> Here is what I plan to do:
>> - Using Synapse for applying WS-Security standards to messages (Digital
>>   Signature, Encryption, ..)
>> - Using Synapse to filter out dangerous parts of messages to apply
>>   Application Security
>>
>> While the first part, concerning the network layer security, is based on
>> mature methods and technologies, it is only about applying the standards
>> to the message. The second part however, concerning the application layer
>> security, needs some further research about common attacks on
>> web-services.
>>
>> Until now I thought about filtering ' to prevent a SQL Injection or to
>> filter/annotate HTML tags, to prevent code injection. As you can see
>> this part is still a bit fuzzy.
>>
>
> I am not familiar with this area, but I do not think typical "web services"
> expose themselves for SQL injection or HTML within the payloads etc.. Do you
> have any concrete evidence related to this to select this area?
I'm also not familiar with that area, but I would assume that the exposure
to this kind of attack is similar to what we see in Web applications. A
typical example in the Java world is code building parameterized SQL
statements using string manipulations instead of PreparedStatements. I don't
see why this would be less frequent in Web service implementations than in
Web applications.

>>
>> Does anyone of you have some more ideas about that?
>>
>
> You could also join the Apache Rampart mailing lists where the WS-Security
> experts hang in, and get their views which should be more useful to you..
>>
>> I also appreciate ideas about the other parts and the whole project!
>>
>
> I am not sure how much time you could afford to keep looking at Synapse
> during your studies, but if you are interested to contribute to the project
> and/or get involved with say a GSoC project etc, let us know
>
> cheers
> asankha
>
> --
> Asankha C. Perera
> AdroitLogic, http://adroitlogic.org
>
> http://esbmagic.blogspot.com
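The two points raised in the thread, string-built SQL versus PreparedStatements and the idea of filtering ' at the ESB, side by side as an added example that is not part of the thread or of Synapse. It uses Python's standard-library sqlite3, where parameter binding plays the role of the JDBC PreparedStatement, so it runs offline; the table, names and addresses are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for the backend a web service
    # operation would query; names and addresses are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Simon", "simon@example.org"),
                      ("O'Brien", "obrien@example.org")])
    return conn

def lookup_concatenated(conn, name):
    # The pattern the thread warns against: the value is spliced into the
    # SQL text, so the database parser sees it as part of the statement.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The PreparedStatement equivalent: the value is bound as a parameter
    # and is never parsed as SQL, so no quote filtering is needed.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def esb_strip_quotes(payload):
    # The ESB-level mitigation floated in the thread: drop every apostrophe
    # before the message reaches the service.
    return payload.replace("'", "")

def demo(name="O'Brien"):
    # Runs the three variants on a legitimate value containing a quote and
    # returns what each one produced.
    conn = make_db()
    results = {}
    try:
        results["concat"] = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        # String-built SQL cannot even handle a legitimate apostrophe.
        results["concat"] = "error: " + str(exc)
    # Quote stripping makes the concatenated query run, but it silently
    # changes the lookup: the real record is no longer found.
    results["filtered"] = lookup_concatenated(conn, esb_strip_quotes(name))
    # Parameter binding returns the right row and treats the quote as data.
    results["param"] = lookup_parameterized(conn, name)
    return results

if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant:>8}: {outcome}")
```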
