Secure E-business Transactions By Securing Web Services

Transcription

1 2012 International Conference on Management of e-commerce and e-government Secure E-business Transactions By Securing Web Services Ahmad Tasnim Siddiqui College of Computers & IT Taif University Taif, Saudi Arabia Arun Kumar Singh Dept. of Computer Science Jazan University Jazan, Saudi Arabia Abstract Due to the popularity of internet and the growth of e- business, the world became very small. Everyday people are using internet as the medium of transaction of millions of dollars from one account to another. The web services are playing very crucial role in online transactions. That s why we have to think about the security of our entire transactions as well as web services. Web service transaction should be of major concern. Many technologies available which are providing web service facilities, for example java,.net etc. There are various options available to make web services secure. We can choose any options from protocols based, platform based or message based security. There are securities which can be IIS based, Asp.net based and SSL etc. Various threats to web services and e-business are also present. Threats like unauthorized access, alteration, disclosure of very important data, message reply etc. Anyone can hack the WSDL information and can get into downloadable files. While designing and developing the web services we have to think about code access security. In this.net technology is being used for most of the examples.in this paper, the possibility of reducing the business cost through e-business is being explored. Keywords-web service;web service security; threat to web services; web service security requirements; web service and e- business security I. INTRODUCTION As Before entering into the inside story we should know about the web services. According to the World Wide Web Consortium (W3C), Web Service is a software system designed to support interoperable machine-to-machine interaction over a network 1. Web service provides distributed computing for creating, publishing, discovering and consuming the services over internet. Simon defines web services as, Web services = XML + SOAP + WSDL + UDDI. Web service is a software system which is identified by a URI and completely binded and described by XML 2. A web service is used to invoke the remote methods by using SOAP (Simple Object Access Protocol). SOAP uses XML standards (protocols and formats) which are responsible to call methods over the HTTP. If we are using.net technology, then it is very easy to create and use the web services through ASP.NET with code behind in C# or VB.NET. SOAP headers can be defined and processed using ASP.NET technology. Figure 1. Development phased of web services While using web services and performing million dollars of transactions we have to think about the main web service threats like unauthorized access, data alteration, message reply and disclosure of configuration file. In ASP.Net we can create a web service by using Microsoft Visual Studio (2003/2005/2008/2010). Web service contains web methods where we are writing the code and when we are consuming the web service, we are accessing these web methods. The code snippet may look like: <%@ WebService Language="C#" class="mywebclass" %>3 using System.Web.Services; public class MyWebClass { } [WebMethod()] public int Multi ( int p, int q) { } return p*q; /12 $ IEEE DOI /ICMeCG

2 The GUI or rendered page will look like: <html> <body> <form action=" method="post"> </form> </body> </html> <input name="p"></input> <input name="q"></input> <input type="submit" value="multiply"> </input> Not just we have to develop and deploy the web service but we have to be aware of all the security threats to our web services. We have to think about the type of threats and the solution to protect against any attacks like Denial of Service, unauthorized access, injections, disclosure of configuration data session hacking etc. We have to check proper authentication and authorization of users who are requesting the service to consume. II. COMMON WEB SERVICE THREATS While building and deploying secure web services, we should know the threats associated to the web services. Few major threats to the web services can be summarized as: Unauthorized access Data Alteration Spying network privacy Disclosure of configuration file/data Message replay SQL Injection Scanning and Access of WSDL Identity Spoofing A. Unauthorized Access While creating and deploying any web service we have to restrict all the information s to unauthorized users. We should authenticate and authorize the caller of the service by using strong authentication and authorization. We can prevent such type of things by restricting the sensitive information passing in the SOAP headers, the communication channel to be used should be encrypted with strong encryption techniques. We can check for Authentication, Authorization and Parameter manipulations. While creating a web service in ASP.net, it provides support to perform all these actions. Figure 2. Threat to Web Service Security (source: Authentication refers to the authenticated caller of web service. There are many schemes available for authentication purpose. Basically they are4: Platform level authentication Message level authentication Application level authentication In IIS we can configure the virtual directory of a web service to perform basic level authentication. This approach will enforce the consumer to configure the proxy and provide the user s credentials. We can also configure IIS to integrated windows authentication. a) Guidelines for web services security There are mainly six important security considerations which are outlined by World Wide Web Consortium (W3C). They are5: Authentication: It guarantees that anyone can access the web service by producing their identities. Authorization: It guarantees that only the authentic person has is able to access the web service. Confidentiality: In confidentiality, it provides the security and protection from secret listeners. Integrity: It means that the message was not altered or modified in its path. Non-repudiation: It assures that the sender of the message can t deny that they sent it at a later point in time. Accessibility: It means that the service is always accessible and that it is not afflicted by attacks, like denial-of-service. b) Web service security using HTTP We can secure web service transactions by using basic authorization of HTTP, by using HTTPS which is combination of HTTP with SSL http:// 80

3 B. Data Alteration Data alteration means the data modification by unauthorized access. It means, the data is intercepted in a web service message, somewhere in between the origin and its destination, and then it is modified before sending to its desired endpoint. The data alteration happens to the messages that are not digitally signed and also to those messages that are not properly encrypted with strong encryption mechanisms to provide privacy and tamper proofing. C. Spying Network Privacy With network spying, any hacker can be able to view Web service messages as they are flowing into entire network. There are many third party tools available to monitor the network system and they also provide the facility to store the important data which is into the SOAP headers. We have to think twice while passing sensitive information s like user credentials into the SOAP, if it is required then we should use some strong encryption mechanisms at each level. We should have implemented basic security measures to get protected against spying of network. We should have firewalls configured. Firewalls are very important part of the computer which is responsible for the security of networked computers. These days there are worms and Trojans running all the time and they are targeting the objects randomly. To get protected from all these attacks we should have configured the firewalls. The first purpose of a firewall is filtering of data packets. It is to filter the network traffic. Either it is a software firewall or hardware firewall. Firewalls are of basically two types: Network firewalls Host-based firewalls. Example of network firewall is Microsoft s ISA (Internet Security and Acceleration) server and host-based firewall can be Internet Connection Firewalls. ICF comes along with windows XP and Windows Server Figure 3. ICF connection firewall (source: technet.microsoft.com) By enabling the ICF we are increasing the security of the entire network. ICF is also called as state full firewall. ICF protects from incoming scans, many Trojans and anonymous connections and file sharing over the internet. For the companies security is very important factor. They should implement the multilayered firewall by placing in between front-end web servers and back-end database servers6. D. Disclosure of Configuration Data It means the exposure of sensitive information to public or individuals. Public or individuals means the persons who are not authorized to view the sensitive information. Web service configuration data is very important. Disclosure of web service data can be done by providing WSDL information in downloadable file which is normally present at the web server. So, to secure the web service and the configuration, we have to also secure the web server first. In WSDL, there is information about the characteristics of web service e.g. its method signature etc. We have to provide the proper exception handling to handle every type of exception. E. Message Replay If a web service is attacked by a hacker, normally it is captured and copied by them and after that the same message is replayed again and again after modifications or non modifications. It is very realistic attack to web services. Message reply can cause to Denial of Service or it may lead to duplicate transactions. This scenario comes when messages are not encrypted and not digitally signed. If there is no unique ID then it is very difficult to detect duplicated messages. The detection technique requires that each and every message should be identified uniquely. We can also use unique identifier7. Message detection is a technique in which it allows user s code to detect the instances where hackers are trying for message replay. Normally they steal the user s session. Message replay attack is sometimes also known as man in middle attack. F. SQL Injections SQL Injection is a type of attack where some nasty codes are passed into an instance of SQL server. It is a very common vulnerability. It uses the technique by which an attacker is able to execute unauthorized SQL commands and queries in a web application. Every procedure should be checked deeply and carefully for the maliciousness. Normally SQL injection is used to insert the code directly into the user s input. These inputs are then concatenated with SQL commands for execution purpose. The SQL injection process works by inserting new commands into existing one with few modifications. A very small example of the SQL vulnerability can be shown with the following string with the username/password fields: ' or ''='. The SQL statement would then be executed as: SELECT * FROM tableusers WHERE Username='' or ''='' and Password = '' or ''='' Ross Overstreet, 81

4 The result of this query will be all records from the tableusers, and the hacker can proceed to log the user in as the record will be matched from the database. So, to protect our database with SQL injections, we should validate all the inputs before execution of SQL statement(s). We have to implement precautionary steps before the execution of the queries. We should test the size and data type of our inputted data. Instead of direct queries always use stored procedures and validate the input before execution. We should also use type-safe SQL parameters. From the developers point of view they should avoid the test queries to catch the exceptions and display them on screen. It is very much used by the hackers for injecting the malicious data into SQL queries. Another thing is related to the permission. If any user requires only read only access then never permit them any other type of permissions like insert or update queries9. G. Scanning and Access of WSDL WSDL provides an interface to the web services. WSDL contains information related to the technology, methods and the pastern of invoking the web services. Technically we can say that WSDL explains logical and concrete information of web services. This information s are very important and should be well protected. We should avoid leaving opening the unwanted methods and function, because they may lead to disaster of any web service10. If any attacker is able to scan the WSDL and access them, then it may lead to injection of malicious contents, tampering of data etc. H. Identity Spoofing Spoofing means the act of making fool. Spoofing is the most common attack type for the system which is using user credentials. Identity spoofing defines the illegal or unauthorized access of user s credentials through web services. The concept of spoofing identity means allowing unauthorized access to the attacker by someone else s identity. If attackers get identity of an administrator or any other higher privileged user then they can damage all the data. We can secure our web services by using strong secure authentication mechanism and strong user s credentials. Use strict XML schemas for verification purpose. III..NET WEB SERVICE SECURITY.Net technology provides very good security features to its Integrated Development Environment (IDE). In protecting the web applications and web services IIS plays a very crucial role. Security mechanism provided by IIS can be grouped into following basic category: Logging, Fault isolations, Access control and Message protection. A. Logging IIS is not directly responsible for security auditing but its logging facility helps up to some extent. If IIS is configured for logging, it can log the information in a textual format about all the HTTP requests. It keeps it into %winnt%\system32\logfiles\w3svc<n>, where <n> indicates the total number of web site instance11. B. Fault Isolation Fault isolation means identifying the root cause of any problem. It is sometime also called as Fault diagnosis. Fault isolation is a part of security mechanism group which involves fault detection, fault isolation and recovery. This security mechanism is known as service stability and sometimes service continuity. IIS does not provide fully service continuity but it can manage it via configuring the application in virtual directories with these available options: a) IIS process InetInfo.exe handles all HTTP requests to the files in virtual directory. But it doesn t provide fault isolation system. If by any means the handler is crashed then IIS itself crashes. b) Pooled This is the option in which all the requests run in the same process. An account IWAM_<machinename> controls each of the processes which are run by IIS. It provides the best performance. If a web application goes down with any reason, it doesn t get down InetInfo.exe. c) Isolated It Executes each web application under its own process which runs under the IWAM_<machinename> account. Highest level of fault isolation is under this option. There is no chance to get down any web application due to any other faulty code application. But the performance is little bit slow as compared to Pooled. IV. SECURITY THROUGH WS-SECURITY 12 While there are various types of possible communications with a Web Services, SOAP is considered as the standard for communication. It can be simply SOAP over HTTP or we can say that a SMTP transfers the SOAP message packed in an e- mail. Web services have to be much suitable to provide secure communication if they are trying to get success in e-business. In case of normal SOAP techniques there is nothing like providing solutions to security, but they can work together with SSL, IPSec to overcome with the lack of security. They can provide standard transport security. We can define WS-Security as extension of SOAP to implement the authentication, integrity of message and confidentiality of message for the clients. So, we can say that WS-Security is not inventing any new techniques but they are providing a way how to use the existing technologies with SOAP to secure the communication of web services. It has provided some protocols to follow for signatures, encryption and authentication mechanisms. It has

5 one important benefit that it can work in combination of other extensions. Following is an example of SOAP message using security header: <SOAP:Envelope xmlns:soap="..."> <SOAP:Header> <wsse:security SOAP:role="..." SOAP: mustunderstand="..."> <wsse:usernametoken>.. </wsse:usertoken>... </wsse:security> </SOAP:Header> <SOAP:BodyId="MessgBody">  </SOAP:Body> </SOAP:Envelope> Here in the above code the header element of SOAP message is modified to provide WS-Security. Each elements can be placed inside the <Security> tags. V. TIPS TO MAKE WEB SERVICES SECURE There are many things to keep in mind while deploying a web service. Some basic things are: To secure our web services we have to limit the users who can access the service and who can t access the service. We can authenticate the users by HTTP authentication. We can also limit the IP addresses that are authorized to access your web server. Set Grant permission from the IP Address and Domain Name Restrictions window. We should try to disable HTTP POST/GET protocols. We can remove these from the web.config file in Visual Studio.NET: <webservices> <protocols> <remove name="httppost" /> <remove name="httpget" /> </protocols> </webservices> We should always use tcptrace to View SOAP Request and Response Messages. Always avoid inline queries in the code. We should store Application-Specific settings in the Web.Config file instead of Global.asax file. Use global error handlers. There are XML-aware firewalls which should be used to provide a solution against XML based attacks. Use XML digital signature and encryption mechanism to prevent damage. Use Code Access Security. In CAS there are elements like Code, Evidence, Permissions, Policy and Code groups. We should analyze each and every point to make secure code access. Use cryptographic algorithms and protocols to protect data from unauthorized alteration. Ensure the accountability. Implementation of security administration. It defines the security policies. To establish trust between client and target components implement security association. VI. CONCLUSION As the numbers of computer systems are increasing day by day, it is increasing the complexity and challenges of authentication and authorization. Now days lots of money is flowing over the internet, risk to the web services are also increasing, we have to think about the security of web service and also to the web server. Unlimited numbers of Trojans, spywares are moving around to find out some loop wholes to breach the security and to disaster of data. Web services and web servers share very complex functionality sets, and hence we should first think about the security. There are many options like IIS based, SSL based, ASP.net based authentication and authorizations and other security measures available. Digital signature, encryption techniques and PKI etc. are available to use. We have to think about strong XML encryption, SQL injections, unauthorized access of service, importance of configuration data etc. If we are able to implement strong cryptography mechanisms, analyze the major threats and we can follow the tips then we can make a web service which is secure to perform secure transactions. REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] 83

6 [12] [13] [14] [15] Microsoft Developer Network [16] An Oracle White Paper June 2009, Securing Web Services and Service- Oriented Architectures with Oracle Web Services Manager 11g [17] Dorrans Barry, Beginning ASP.NET Security, Wrox publications. [18] Evjen Bill, Hanselman Scott, Muhammad Farhan, Sivakumar S. Srinivasa, Rader Devin, Professional ASP.NET 2.0, Wrox publications. [19] Parsons Andrew, Randolph Nick, Professional Visual Studio 2005, Wrox publications [20] Short Scott, Building XML Web Services for the Microsoft.NET Platform, Wrox publications [21] Ferrara Alex, MacDonald Matthew, Programming.NET Web Services, Oreilly 84