On Sat, 2009-03-21 at 13:13 +0100, Andreas Veithen wrote:
> On Sat, Mar 21, 2009 at 05:50, Asankha C. Perera <[email protected]> wrote:
> > Hi Simon
> >>
> >> My name is Simon and I am a student at the KTH in Stockholm/Sweden.
> >> Right now I am doing a little thesis work with the topic "Security
> >> Framework for Web-Services". During my research I found the synapse tool
> >> and it really totally fits my needs.
> >>
> >
> > Cool.. glad to hear that!
> >>
> >> Here is what I plan to do:
> >> -Using Synapse for applying WS-Security standards to messages (Digital
> >> Signature, Encryption, ..)
> >> -Using Synapse to filter out dangerous parts of messages to apply
> >> Application Security
> >>
> >> While the first part, concerning the network layer security, is based on
> >> mature methods and technologies, it is only about applying the standards
> >> to the message. The second part however, concerning the application layer
> >> security, needs some further research about common attacks on
> >> web-services.
> >>
> >> Until now I thought about filtering ' to prevent a SQL Injection or to
> >> filter/annotate HTML tags, to prevent code injection. As you can see
> >> this part is still a bit fuzzy.
> >>
> >
> > I am not familiar with this area, but I do not think typical "web services"
> > expose themselves for SQL injection or HTML within the payloads etc.. Do you
> > have any concrete evidence related to this to select this area?
>
> I'm also not familiar with that area, but I would assume that the
> exposure to this kind of attacks is similar to what we see in Web
> applications. A typical example in the Java world is code building
> parameterized SQL statements using string manipulations instead of
> PreparedStatements. I don't see why this would be less frequent in Web
> service implementations than in Web applications.
>
I agree with Andreas on this point. Previous works in this area also showed vulnerabilities of that kind in a big number of actually deployed services. The problem here is that when writing a usual Java program you usually don't care about protection on this level, since the access is not public. When exposing this POJO as a Web-Service it seems as if a lot of people/companies don't review their code to eliminate such problems. That is THE advantage of using a mediator like Synapse. There is no need to change a single line of application code of your services to protect them.

> >>
> >> Has anyone of you some more ideas about that?
> >>
> >
> > You could also join the Apache Rampart mailing lists where the WS-Security
> > experts hang in, and get their views which should be more useful to you..
> >>
> >> I also appreciate ideas about the other parts and the whole project!
> >>
> >
> > I am not sure how much time you could afford to keep looking at Synapse
> > during your studies, but if you are interested to contribute to the project
> > and/or get involved with say a GSoC project etc, let us know
> >
> > cheers
> > asankha
> >
> > --
> > Asankha C. Perera
> > AdroitLogic, http://adroitlogic.org
> >
> > http://esbmagic.blogspot.com
> >

Regards
Simon
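The contrast Andreas draws between string-built SQL and PreparedStatements, and the "POJO exposed as a Web-Service" case Simon describes, as an added example (not code from this thread, from Synapse or from Rampart): a hypothetical service class whose argument comes straight from the SOAP payload, with the concatenated query beside the parameterized one. The class, method and table names and the JDBC connection are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical POJO that a service framework exposes as a web service operation.
// 'customerId' arrives unchanged from the SOAP payload, so it is untrusted input
// even though the class was written with only internal callers in mind.
public class CustomerLookup {

    private final Connection conn; // assumed to be an open JDBC connection

    public CustomerLookup(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable form: the query text is assembled by string manipulation, so a
    // payload value containing a quote becomes part of the SQL syntax itself.
    public int countByIdUnsafe(String customerId) throws SQLException {
        String sql = "SELECT COUNT(*) FROM customers WHERE id = '" + customerId + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }

    // Hardened form: the SQL text is fixed and the value is bound as a parameter.
    // The driver transmits it as data, so quotes in the payload cannot alter the
    // structure of the statement and no quote filtering is needed upstream.
    public int countById(String customerId) throws SQLException {
        String sql = "SELECT COUNT(*) FROM customers WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

A mediator rule that strips `'` from the payload only helps the first form, and only where the value lands inside a quoted string literal; the second form is safe without any payload filtering, which is why the mediator approach is best seen as a defence in front of code that cannot be fixed rather than as a substitute for fixing it.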
