Enterprise Integration Zone is brought to you in partnership with:

As the Technical Director, Europe for Layer 7 Technologies, Francois Lascelles advises global corporations and governments in designing and implementing secure SOA and cloud based solutions. Francois joined Layer 7 in its first days back in 2002 and has been contributing ever since to the evolution of the SecureSpan SOA infrastructure product line. Francois is co-author of Prentice Hall’s upcoming SOA Security book. Layer 7 Technologies is an Enterprise SOA and Cloud infrastructure provider. Follow me on twitter http://twitter.com/flascelles Francois is a DZone MVB and is not an employee of DZone and has posted 28 posts at DZone. You can read more from them at their website. View Full User Profile

The Importance of Threat Protection for RESTful Web Services

01.13.2013
| 4041 views |
  • submit to reddit

Although certain RESTful web services are of a ‘public’ nature and do not have specific security requirements such as authentication and authorization, any service that has an entry point from an untrusted network is subject to attack and proper threat protection measures are always an essential consideration.

RESTful web services are closely aligned to the web itself and as such inherit all traditional threats from the web. Although network level threats are well understood and addressed by traditional firewall infrastructure, RESTful web services type APIs are also subject to content (or message) level threats.

For example, consider APIs where XML payloads are POSTed and/or PUT from external requesters. A particularly dangerous threat was uncovered last summer involving a vulnerability in most XML parsing libraries used at the time. Any REST web service using those XML parsing libraries could have easily been crippled. In fact, I would expect many deployments out there still using vulnerable versions of those XML parsers today.

Despite fixes applied to parsing libraries to address such vulnerabilities, many potential content-level attacks continue to pose a threat. Consider for example external entity attacks, where a parser is tricked into resolving a resource from a malicious source. Also, SQL injections which were recently at the center of the largest data breach in US history . Many other threats specifically targeting XML enabled services exist such as recursive payloads, schema poisoning and coercive parsing to name a few.

Of course, REST is not bound to XML only. Threat protection for RESTful web services has to potentially consider a number of other content-type specific threats such as for JSON.

 

Published at DZone with permission of Francois Lascelles, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)