Attacking Web Services presented at SyScan 2005

by Alex Stamos

Tags: Security Web

Summary: Web Services represent a new and unexplored set of security-sensitive technologies that have been
widely deployed by large companies, governments, financial institutions, and in consumer applications.
Unfortunately, the attributes that make web services attractive, such as their ease of use, platform
independence, use of HTTP and powerful functionality, also make them a great target for attack. In this
talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are
built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that
exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS,
etc.) can be retooled to work with the next generation of enterprise applications. Strategies for properly
designing and protecting web service enabled applications will also be discussed. The speaker will also
demonstrate some of the first-time publicly available tools for finding and
penetrating web service enabled systems.