Hackers targeting web services

In their rush to implement Web services, some companies may be exposing themselves to new security risks that they may not fully understand, warned security researcher Alex Stamos at the recent CanSecWest/core06 conference in Vancouver.

During a presentation, Stamos outlined how a number of Web services technologies, including AJAX and the XQuery query language, could be exploited by hackers to dig up secret information and attack systems.

While Web services’ cross-platform capability can simplify programming, it can also create security risks by creating situations that may not have been anticipated by software developers, said Stamos, a founding partner of Information Security Partners LLC, San Francisco. He described an attack where a user could enter malicious code in a Web form and then get that code to run by calling up the company’s customer service number and tricking a representative into inadvertently executing it.

Stamos also showed how Web services requests could be used to conduct denial of service attacks, either by crafting malicious XML documents that consume massive amounts of memory when parsed, or by bombarding database applications with more requests than they can handle.
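One defensive counterpart to the memory-exhaustion attack described above is to bound what an XML endpoint will parse before the parser ever allocates for it. The block below is an added example (not code from the article or from Stamos's talk) using only Python's standard library: it refuses documents that carry a DTD or entity declarations, caps the document size, and walks the tree incrementally so that it can abort on excessive depth or element count. The sample documents, the limits and the function names are constructed for illustration.

```python
"""Bounded XML parsing: reject entity expansion and oversized trees up front."""
import xml.etree.ElementTree as ET
from io import BytesIO


class UnsafeXml(ValueError):
    """Raised when a document violates a resource limit or carries a DTD."""


def parse_bounded(data: bytes, max_bytes: int = 64 * 1024,
                  max_elements: int = 10_000, max_depth: int = 32) -> ET.Element:
    """Parse untrusted XML while refusing inputs that can exhaust memory.

    Limits are illustrative defaults (assumption); tune them per endpoint.
    """
    # 1. Cheap size check before any parsing happens.
    if len(data) > max_bytes:
        raise UnsafeXml(f"document exceeds {max_bytes} bytes")

    # 2. Entity-based amplification needs a DTD, so refuse DTDs outright.
    #    The scan is deliberately coarse: a legitimate document that merely
    #    mentions these strings in text is also rejected, which is acceptable
    #    for an API endpoint that never needs DTDs.
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise UnsafeXml("DTD and entity declarations are not accepted")

    # 3. Walk the tree incrementally and stop as soon as a bound is crossed,
    #    instead of letting the parser build an arbitrarily large tree first.
    depth = count = 0
    root = None
    for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            count += 1
            if root is None:
                root = elem  # first start event is the document root
            if depth > max_depth:
                raise UnsafeXml(f"nesting deeper than {max_depth}")
            if count > max_elements:
                raise UnsafeXml(f"more than {max_elements} elements")
        else:
            depth -= 1
    if root is None:
        raise UnsafeXml("empty document")
    return root


def classify(data: bytes, **limits) -> str:
    """Return 'ok', 'rejected: <reason>' or 'malformed: <reason>' for a document."""
    try:
        parse_bounded(data, **limits)
    except UnsafeXml as exc:
        return f"rejected: {exc}"
    except ET.ParseError as exc:
        return f"malformed: {exc}"
    return "ok"


# --- constructed sample inputs (not taken from the article) -------------------
BENIGN_DOC = b'<order id="42"><item sku="A1" qty="2"/></order>'
# A document that declares an internal entity; real amplification payloads
# nest such declarations, but the guard trips on the declaration itself.
ENTITY_DOC = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'
DEEP_DOC = b"<a>" * 40 + b"</a>" * 40          # 40 levels > default max_depth
FLOOD_DOC = b"<r>" + b"<i/>" * 500 + b"</r>"   # many siblings, shallow tree

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_DOC), ("entity", ENTITY_DOC),
                      ("deep", DEEP_DOC), ("flood", FLOOD_DOC)]:
        print(f"{name:7s} -> {classify(doc, max_elements=100)}")
```

The order of the checks matters: the size and DTD checks cost O(n) over the raw bytes and run before any tree is built, while the depth and element counters cut the incremental parse short the moment a limit is exceeded, so a hostile document never gets to allocate the tree the attacker intended.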

Web application vendors have created tools that work like “magic,” hiding complexity and making it very easy to create Web services. Unfortunately, these tools also make it easy for their users to ignore the security implications of the software they’re building, Stamos said. “Because of all that magic pixie dust, the people who write Web services don’t necessarily understand how they work,” he said. “We have a lot of customers who are hanging unbelievably crazy functionality… just out on the Internet.”

And hackers are catching on. Symantec Corp.’s biannual Internet Security Threat report noted that of all vulnerabilities disclosed in the last six months of 2005, nearly 70 percent were associated with Web applications.
