
Threats and Vulnerabilities of SOA

AMAN SAXENA ( MSCLIS, NLIU, BHOPAL)

Abstract
Service Oriented Architecture (SOA) is a relatively new way of building networked systems and, as
with all new technologies, it is affected by several security vulnerabilities, which slows its
deployment in organizations. Additionally, access control must first be defined somewhere, and
the rest of the system needs to be aware of the rules and respect them. In this report the
researcher describes some of the security threats and vulnerabilities faced by SOA systems.

Key Words – SOA, Threats, Vulnerability, WSDL, UDDI


1. Introduction
Service oriented architecture is a technical concept, but non-technical readers can benefit from
understanding its basic underlying ideas. Service Oriented Architecture is a way of organizing
software so that companies can respond quickly to the changing requirements of the marketplace.
The technology is based on services, which are customized units of software that run in a
network. As with any software concept, SOA is not suitable for all types of IT applications; for
example, it is not suitable for real-time applications.
In recent years, Service Oriented Architecture (SOA) has emerged as a suitable means to develop
loosely coupled distributed systems. Today, Web services are the most commonly used technology
for building SOAs, and they underpin both intra- and cross-organizational business processes. It
is estimated that 90% of external attacks on applications take advantage of known
vulnerabilities and misconfigured systems.

2. Service Oriented Architecture


A service-oriented architecture is essentially a collection of services that communicate with
each other. The communication can involve simple data passing, or it can involve two or more
services coordinating some activity, so some means of connecting services to each other is
needed. Service oriented architectures are not a new thing. Service-oriented architecture is an
approach used to create an architecture based upon the use of services. Services carry out some
small function, such as producing data, validating a customer, or providing simple analytical
services.1 A service-oriented architecture is a style of software design where services are
provided to the other components by application components, through a communication protocol
over a network. The basic principles of service-oriented architecture are independent of vendors,
products and technologies. A service is a discrete unit of functionality that can be accessed
remotely and acted upon and updated independently, such as retrieving a credit card statement
online.2

1 Available at http://searchmicroservices.techtarget.com/definition/service-oriented-architecture-SOA accessed on 05:35pm 14Aug17

A service has four properties according to one of many definitions of SOA:

 It logically represents a business activity with a specified outcome.
 It is self-contained.
 It is a black box for its consumers.
 It may consist of other underlying services.3

3. Threats
A threat is something that may or may not happen, but that would cause serious damage if it did.
Wherever computer systems and networks have vulnerabilities there are potential threats to those
vulnerabilities; threats include everything from viruses and Trojans4 to backdoors5 and the
attacks described in this section.6

3.1 Threats on Identity of Data

Dictionary Attacks The attacker's goal is to obtain passwords. In a dictionary attack the
attacker systematically tries every word in a list of likely passwords (the "dictionary") until
a matching password is found; a brute-force attack extends this to every possible password.
Most password-based authentication schemes that do not limit or slow down repeated guesses are
vulnerable to dictionary attacks.

IP Spoofing In an IP-spoofing attack, an attacker forges the source IP address of packets to
deceive the receiver into believing they were sent from a location they did not actually come
from.

Data Tampering Data tampering occurs when an attacker changes or replaces legitimate data with
illegitimate data while it passes over the network.

3.2 Threats on Sessions of Web Service Transactions

The Web service provider establishes a session with the service requester as a Web service
application request and response. By attacking the session, attackers may capture messages or
insert false instructions.7

Replay Attacks In a replay attack the attacker captures a legitimate message of an established
session, for example a correctly signed request, and re-sends it later so that the provider
executes the same operation again or accepts a command the requester never issued at that time.
A message that carries a one-time nonce and a creation timestamp, both covered by its signature,
can be rejected when it is seen a second time or after it has grown stale.
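The following is an added example, not code from the report, of how a provider can detect the replay of a captured request. The shared key, the message fields and the 300-second freshness window are assumptions made for the example; the pattern (nonce plus timestamp, both under an HMAC, with a bounded cache of recently seen nonces) is the one WS-Security UsernameToken profiles use.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret between requester and provider (an assumption for
# this example; in practice it comes from a key store or the WS-Security setup).
SHARED_KEY = b"example-shared-key-not-for-production"
FRESHNESS_WINDOW = 300  # seconds for which a Created timestamp is accepted


def sign_request(body: str, nonce: str, created: int, key: bytes = SHARED_KEY) -> str:
    """HMAC over timestamp, nonce and body, so none of them can be altered unnoticed."""
    msg = f"{created}|{nonce}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(body: str, now: Optional[int] = None) -> Dict[str, object]:
    """Requester side: attach a fresh random nonce and the creation time to the message."""
    created = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    return {
        "body": body,
        "nonce": nonce,
        "created": created,
        "signature": sign_request(body, nonce, created),
    }


class ReplayGuard:
    """Provider side: accept each signed message at most once inside the freshness window."""

    def __init__(self, window: int = FRESHNESS_WINDOW) -> None:
        self.window = window
        self.seen: Dict[str, int] = {}  # nonce -> created, kept only for the window

    def accept(self, req: Dict[str, object], now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        # Drop nonces that fell out of the window so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        body, nonce, created = str(req["body"]), str(req["nonce"]), int(req["created"])
        # 1. Integrity: a tampered body, nonce or timestamp fails here.
        expected = sign_request(body, nonce, created)
        if not hmac.compare_digest(expected, str(req["signature"])):
            return False, "bad signature"
        # 2. Freshness: an old capture cannot be replayed after the window closes.
        if abs(now - created) > self.window:
            return False, "stale timestamp"
        # 3. Uniqueness: a capture replayed inside the window is caught by its nonce.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = created
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    req = build_request("<transfer amount='10'/>")
    print(guard.accept(req))  # (True, 'ok')
    print(guard.accept(req))  # (False, 'replayed nonce')
```

The timestamp check is what keeps the nonce cache small: nonces only need to be remembered for as long as the timestamp they travel with would still be accepted.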

2 Available at http://www.secc.org.eg/recocape/Documents/SECC_Tutorials_A%20Quick%20Introduction%20to%20SOA.pdf 06:00pm 14Aug17
3 Available at http://www.javaworld.com/article/2071889/soa/what-is-service-oriented-architecture.html 6:15pm 14Aug17
4 A Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
5 A back door is a means of access to a computer program that bypasses security mechanisms.
6 Available at http://www.springer.com/978-3-540-87741-7 3:00pm 12Aug17
7 Available at http://research.ijcaonline.org/volume120/number4/pxc3903929 3:45pm 12Aug17

Man-in-the-middle Attacks An attacker intercepts the communication between client and server
and acts as an intermediary between the two, relaying and possibly altering messages, without
either party knowing.

3.3 Threats on Parsing Data

Oversized Payloads The attacker attempts to overload the XML parser by sending a payload of
unbounded size, in order to cause a denial of service.

Schema Poisoning Schema poisoning is the manipulation of a schema, either by replacing or
modifying it, to compromise the programs that process documents which use this schema. One
possible attack is denial of service by modifying the schema so that it no longer contains
information required for subsequent processing.8

3.4 Threats on Web Service Code

SQL Injection SQL injection occurs when untrusted data is sent to an interpreter9 as part of a
command or query, so that the attacker's input is executed as part of the command: for example
to retrieve data the attacker is not authorized to access, or even to destroy the data.
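As an added illustration (not code from the report), the web method below is written twice against a constructed in-memory SQLite table: once with the caller's parameter pasted into the query text, once with it bound as a parameter. The table, the rows and the attacker's input are all constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the service's customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", 120.0), (2, "bob", 80.0), (3, "carol", 999.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """The web method's parameter is pasted into the query text, so the SQL
    interpreter cannot tell attacker-supplied SQL from the developer's SQL."""
    sql = f"SELECT id, name, balance FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """The parameter is bound separately from the command, so it is always data."""
    sql = "SELECT id, name, balance FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the string literal and appends an
# always-true condition, turning a one-row lookup into a full table dump.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "bob"))       # [(2, 'bob', 80.0)]
    print(lookup_vulnerable(db, PAYLOAD))     # all three rows
    print(lookup_parameterized(db, PAYLOAD))  # []
```

The parameterized version returns nothing for the payload because the database looks for a customer literally named `x' OR '1'='1`; no such customer exists, and no part of the input was interpreted as SQL.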

3.5 Threats on WSDL

Attackers analyze and misuse WSDL10 information and tamper with the parameters described in
WSDL documents. A WSDL document lists all of the operations that are available to consumers.

WSDL Scanning A WSDL document contains information such as the list of web methods, the
parameters of those methods, and their input and output types. Lindstrom points out that by
scanning the WSDL document an attacker can learn sensitive information such as types, messages,
operations, port types and bindings, and can guess the names of other, unpublished methods.

Parameter Tampering According to Lindstrom, attackers manipulate the parameters of a request
to obtain unauthorized information; if the parameters are not validated, the attacker can inject
malicious content into an XML parameter. The purpose of a parameter tampering attack is to modify
the values sent between the user and the application.

XML Wrapping If attackers obtain the WSDL file, they may exploit XML wrapping to bypass
authentication. XML wrapping works in much the same way as SQL injection: because the message
sent by the user is in XML format, all input data is wrapped into XML tags, called elements, and
input that itself contains tags can close the element it was placed in and add elements of the
attacker's choosing to the message.
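An added example (not from the report) of the XML wrapping problem just described: a login message is assembled by string formatting in one version and through the XML API in the other, and a constructed attacker input is run through both. The message layout, the `<role>` element and the provider that honours the first `<role>` it sees are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional


def build_login_unsafe(username: str) -> str:
    """Message built by string formatting: whatever the user typed becomes markup."""
    return f"<login><user>{username}</user><role>guest</role></login>"


def build_login_safe(username: str) -> str:
    """Message built through the XML API: ElementTree escapes <, > and & in element
    text on serialization, so the input stays inside its element whatever it holds."""
    root = ET.Element("login")
    ET.SubElement(root, "user").text = username
    ET.SubElement(root, "role").text = "guest"
    return ET.tostring(root, encoding="unicode")


def roles_in(message: str) -> List[Optional[str]]:
    """Every <role> child the provider's parser finds in the message."""
    return [r.text for r in ET.fromstring(message).findall("role")]


def user_in(message: str) -> Optional[str]:
    """The <user> text as the provider would read it back."""
    return ET.fromstring(message).findtext("user")


def effective_role(message: str) -> Optional[str]:
    """A provider that honours the first <role> element (the weakness being exploited)."""
    roles = roles_in(message)
    return roles[0] if roles else None


# Constructed attacker input: closes <user>, injects its own <role>, then reopens
# <user> so that the rest of the template still parses as well-formed XML.
PAYLOAD = "bob</user><role>admin</role><user>x"

if __name__ == "__main__":
    print(effective_role(build_login_unsafe(PAYLOAD)))  # admin
    print(effective_role(build_login_safe(PAYLOAD)))    # guest
```

In the unsafe message the parser sees two `<role>` elements and the attacker's comes first; in the safe message the angle brackets are escaped, the user name is stored verbatim, and only the application's own `<role>` survives.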

8 Available at https://capec.mitre.org/data/definitions/146.html 12:30am 13Aug17
9 An interpreter translates high-level instructions into an intermediate form, which it then executes.
10 The Web Services Description Language is an XML-based interface definition language that is used for describing the functionality offered by a web service.

3.6 Overflow Attacks
Buffer Overflow Attacks In a buffer overflow attack, an attacker puts a larger amount of data
than expected into a program variable. The memory reserved for the variable is smaller than the
amount of data written to it, so the excess overwrites adjacent memory.

3.7 DoS Attacks

In a denial of service (DoS) attack, the main goal of the attacker is to make the Web service
unavailable, for example by finding an input that makes the Web service server crash. The
attacker can also direct the attack at a proxy server, router or firewall in front of the
service with the aim of making it useless; by compromising the proxy server, for example, an
attacker can redirect traffic to the attacker's advantage.

Denial-of-Service (DoS) Attack Denial of service (DoS) is the process of making a system or
application unavailable. An attacker tries to prevent legitimate users from accessing a service
by flooding it with thousands of requests; in other words, a DoS attack may be accomplished by
bombarding a server with requests until all available system resources are consumed.11

4. Vulnerabilities
A vulnerability is a weakness that can be used to make the system behave incorrectly, which can
eventually lead to some loss or damage. However, not every vulnerability can be exploited. SOA is
a type of middleware: it is affected by the classical security vulnerabilities of the hardware
and operating systems it runs on, and in turn of the software built on those operating systems.
SOA is also affected by Web application vulnerabilities because it is usually built on top of
Web protocols.12

The vulnerabilities therefore stack in layers, from top to bottom:

 Business Processes Layer Vulnerabilities
 Web Services Layer Vulnerabilities
 Web Application Vulnerabilities
 Classical Vulnerabilities in Hardware, Operating Systems and Software

11 Available at searchsecurity.techtarget.com › Denial of service 1:30am 13Aug17
12 Available at https://us.norton.com/online-threats/microsoftwindowsuddiservicescve-2015-2475crosssitescrip-76259-vulnerability.html 2:30am 13Aug17

4.1 Classical Vulnerabilities
Classical security vulnerabilities are those that can be exploited without using any of the more
recent Web technologies, for example flaws in the operating system or in native code such as the
buffer overflows described in section 3.6.

4.2 Web Application Vulnerabilities

The Web Application Security Consortium created the Web Security Threat Classification, which
clarifies and organizes Web application vulnerabilities and develops and promotes an industry
standard terminology for describing them. Similarly, the Open Web Application Security Project
(OWASP) maintains and classifies some of the most critical Web application vulnerabilities.13

Cross-site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and
sends it to a Web browser without proper validation or escaping. XSS allows attackers to execute
scripts in the victim's browser, which can hijack user sessions, deface Web sites, or redirect
the user to malicious sites.14

Cross-Site Request Forgery (CSRF) CSRF attacks are often described as the opposite of XSS
attacks: XSS exploits the user's trust in a site, whereas CSRF exploits a site's trust in the
user's browser. CSRF occurs when a malicious Web site, email, blog, instant message, or program
causes a user's Web browser to perform an unwanted action on a trusted site for which the user
is currently authenticated. The impact of a successful CSRF attack is limited to the
capabilities exposed by the vulnerable application.

Session Management Flaws in authentication protocols may be exploited to capture authentication
credentials and gain unauthorized access. If a Web site does not use appropriate transport layer
security such as SSL/TLS, then authentication credentials sent in plain text may be captured by
rogue users or organizations and misused.

Security Misconfiguration If a Web site's security is not configured correctly, an attacker may
exploit the misconfiguration to gain unauthorized access.

4.3 Web Services Layer Vulnerabilities

WSDL Scanning A Web service's WSDL statement advertises its operations, parameters and network
bindings. Some of these (internal) operations are meant to be used only by the service provider,
for example administrative operations; the rest (external operations) may be invoked by any
service consumer. As the Web service's endpoint is given in its WSDL statement, an attacker can
try to guess the names of internal operations and invoke them via that endpoint. Such an attack
is called WSDL scanning. It is mitigated by not publishing internal operations in the WSDL and
by enforcing authorization on every operation rather than relying on an operation's name being
unknown.

13 Available at www.dtic.mil/get-tr-doc/pdf?AD=ADA576267 1:00pm 13Aug17
14 Available at https://www.owasp.org 11:00am 15Aug17

Metadata Spoofing An attacker may modify Web service-related metadata such as a WSDL statement
or an associated WS-Security policy. For instance, the Web service's endpoint may be modified so
that the attacker can establish a man-in-the-middle position for eavesdropping or, even worse,
for modification of Web service data. To mitigate such attacks, service consumers must carefully
verify the authenticity of Web service metadata before using it.
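The following added example (not code from the report) covers both WSDL scanning, from sections 3.5 and 4.3, and metadata spoofing. The first function shows what an attacker extracts from a WSDL document: operation names, the service endpoint, and names that look administrative. The second pair shows the consumer-side check: the retrieved WSDL is compared against a fingerprint pinned out of band, so an edited endpoint is noticed before the service is called. The WSDL itself, its host name and its operation names are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed WSDL 1.1 document for a fictitious statement service; the host
# name and the operation names are assumptions for the example.
WSDL = """<definitions name="Statements" xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <portType name="StatementPortType">
    <operation name="getStatement"/>
    <operation name="adminResetAccount"/>
  </portType>
  <service name="StatementService">
    <port name="StatementPort">
      <soap:address location="https://svc.example.com/statements"/>
    </port>
  </service>
</definitions>"""

# Name prefixes that usually mark operations meant for the provider only.
INTERNAL_PREFIXES = ("admin", "internal", "debug", "test")


def scan_wsdl(text: str) -> Dict[str, List[str]]:
    """Attacker's view: operations, endpoints and internal-looking names in a WSDL."""
    root = ET.fromstring(text)
    ops = [o.get("name", "") for o in root.findall(".//wsdl:portType/wsdl:operation", NS)]
    endpoints = [
        a.get("location", "")
        for a in root.findall(".//wsdl:service/wsdl:port/soap:address", NS)
    ]
    internal = [o for o in ops if o.lower().startswith(INTERNAL_PREFIXES)]
    return {"operations": ops, "endpoints": endpoints, "internal_looking": internal}


def fingerprint(text: str) -> str:
    """SHA-256 of the metadata exactly as retrieved; the consumer pins this value."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_pinned(text: str, pinned: str) -> bool:
    """Consumer's check before trusting a WSDL: does it still match the pinned fingerprint?"""
    return hmac.compare_digest(fingerprint(text), pinned)


if __name__ == "__main__":
    print(scan_wsdl(WSDL))
    pin = fingerprint(WSDL)
    spoofed = WSDL.replace("svc.example.com", "evil.example.net")
    print(verify_pinned(WSDL, pin), verify_pinned(spoofed, pin))  # True False
```

Pinning a hash is the simplest form of the check; where the provider signs its metadata (an XML Signature over the WSDL or policy), verifying that signature against a trusted key serves the same purpose without having to redistribute a fingerprint on every legitimate change.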

4.4 Business Processes Layer Vulnerabilities

BPEL Scanning A business process's WS-BPEL (BPEL)15 statement may be subjected to a 'BPEL
scanning' attack similar to the WSDL scanning attack described earlier, and the mitigation
strategies given there apply in the same way.

Metadata Spoofing Metadata spoofing, described earlier for Web services, also applies to
business processes. For instance, an attacker may modify a business process's endpoint
references in its BPEL statement. Mitigation strategies similar to those described for the Web
services layer may be applied.

BPEL State Deviation A BPEL engine may have many process instances running at the same time,
with communication endpoints open at all times to receive incoming messages. An attacker can
flood an engine on those endpoints with many BPEL messages that conform to the schema but have
no meaningful content, so that the computational resources of the BPEL engine are quickly
exhausted. To mitigate such attacks, invalid messages should be rejected using as few
computational resources as possible, that is, before any expensive parsing or process
instantiation takes place.
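An added example (not from the report) of the "reject cheaply first" principle, serving the oversized payload threat of section 3.3, the flooding DoS of section 3.7 and the BPEL state deviation just described. The gate applies its checks in order of cost: a byte-length cap, a per-client sliding-window rate limit, and only then the XML parse and a content check for schema-shaped but empty messages. The root element name, the size cap and the rate limit are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from collections import deque
from typing import Deque, Dict

MAX_BYTES = 64 * 1024    # cap chosen for the example; tune to real message sizes
MAX_REQUESTS = 5         # per client per window
WINDOW_SECONDS = 1.0
ROOT_TAG = "process"     # assumed root element of the engine's inbound messages


class AdmissionGate:
    """Cheap checks first, parser last: oversized payloads and flooding clients are
    turned away before any XML is parsed or any process instance is created."""

    def __init__(self, max_bytes: int = MAX_BYTES, max_requests: int = MAX_REQUESTS,
                 window: float = WINDOW_SECONDS) -> None:
        self.max_bytes = max_bytes
        self.max_requests = max_requests
        self.window = window
        self.history: Dict[str, Deque[float]] = {}  # client -> recent arrival times

    def admit(self, client: str, payload: bytes, now: float) -> str:
        # 1. O(1) size check: no parser has touched the bytes yet.
        if len(payload) > self.max_bytes:
            return "rejected: oversized payload"
        # 2. Sliding-window rate limit per client, amortised O(1).
        recent = self.history.setdefault(client, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return "rejected: rate limit"
        recent.append(now)
        # 3. Only now spend parser time on the message.
        try:
            root = ET.fromstring(payload)
        except ET.ParseError:
            return "rejected: malformed xml"
        # 4. Schema-shaped but empty messages are dropped before instantiation.
        if root.tag != ROOT_TAG or len(root) == 0:
            return "rejected: no process content"
        return "accepted"


if __name__ == "__main__":
    gate = AdmissionGate()
    msg = b"<process><invoke operation='getStatement'/></process>"
    for i in range(6):
        print(gate.admit("client-a", msg, 0.1 * i))  # five 'accepted', then 'rejected: rate limit'
```

In production the parse step should additionally run with DTD processing and entity expansion disabled (the standard-library parser used here does not limit entity expansion), since an entity bomb is an oversized payload that is small on the wire.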

4.5 UDDI Vulnerabilities

Web service requesters can query the Universal Business Registry (UBR) to determine the details
of the services they want to use. From UDDI the Web service client can discover the service
name, the services provided by the Web service publisher, the details of the WSDL file used to
invoke the service, and the location of the service. An attacker can use the same information to
plan and perform attacks.16

4.6 Attacks Based on Reconnaissance

Attackers can investigate and collect information from openly available sources such as WHOIS
databases and DNS servers. This information enables them to attempt unauthorized access to Web
services.

15 Business Process Execution Language (BPEL) defines a notation for specifying business process behavior based on Web Services.
16 Available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465.4469&rep=rep1&type 12:15pm 15Aug17

4.7 HTTP Header Manipulation
HTTP headers carry control information that is passed between client and server. An attacker
can write his or her own program to manipulate the HTTP headers of requests, so that the target
service receives headers it does not expect and is attacked through them.

4.8 Threats on Broken Access Control

This occurs when restrictions on what authenticated users are authorized to do are not properly
enforced. For example, if no proper access control is defined, an attacker can use the login
privileges granted for certain web methods to try to access other web methods of the same web
service, or of a different web service running on the same web server.

5. Conclusion and Suggestion

In this report the researcher described common Web services layer and business layer
vulnerabilities posing threats to SOA systems. SOA is rapidly becoming the design paradigm of
choice for enterprise information technology. SOA is affected by classical system vulnerabilities
and Web application vulnerabilities because it is built upon, and leverages, classical and Web
application technologies.

There is a need for an integrated security architecture that provides robust protection against
the complete spectrum of threats described here, rather than point defenses for each layer.

6. References
 http://www.secc.org.eg/recocape/Documents/SECC_Tutorials_A%20Quick%20Introduction%20to%20SOA.pdf
 https://msdn.microsoft.com/en-gb/library/ff648318.aspx
 http://ieeexplore.ieee.org/document/6320751/?part=1
 https://www.owasp.org
 www.csonline.com
 liris.cnrs.fr/.../Y-Badr-Challenges-of-Security-Risks-in-Service-Oriented%20Architect
