Understanding SOAP Security
by Terence Bennett • July 3, 2023Cybersecurity is one of the top concerns for businesses today. Vulnerabilities make the news when they turn into expensive breaches. With the cloud so prevalent in today's digital landscape, much attention has turned to API security. Network attacks aimed at APIs increased by an incredible 681% in 2021. Considering the continued popularity of SOAP (simple object access protocol) APIs, it is now a top priority for global IT leaders to learn SOAP's security best practices.
SOAP APIs have unique security concerns compared to REST APIs. How are businesses closing the gap and improving API security for SOAP? How can you protect your business and your clients and secure your APIs from threats? This article will explain SOAP security, examine common risks, and help you follow the best practices that can protect you from data breaches and security problems.
Here's the key things to know about SOAP security:
- SOAP (Simple Object Access Protocol) is a messaging protocol used for exchanging structured information between web services.
- Security is crucial in SOAP-based applications to protect sensitive data, ensure message integrity, authenticate and authorize users, and prevent unauthorized access.
- Common security threats in SOAP-based applications include code injections, breached or leaked access/authorization, denial-of-service (DoS) attacks, cross-site scripting (XSS), and session hijacking.
- SOAP security involves implementing measures such as access control, limiting privileges, length and volume restrictions for messages, and adherence to WS-Security protocols.
- Building secure SOAP web services involves adding a security layer through the SOAP header, employing username and password credentials, encryption via X.509 certificates, and implementing SOAP security best practices such as regular testing, identity and access management, request monitoring, input validation, and redundant security standards.
What Is SOAP Security?
SOAP is a messaging protocol popular in web service APIs. SOAP uses messages in the cross-platform XML (extensible markup language) format, bridging the gaps between otherwise-incompatible systems and servers. Originally developed by Microsoft, SOAP is now an open web services standard. Unlike REST (representational state transfer), which can use programming languages like JSON and various protocols, SOAP is limited to sending XML over HTTP or SMTP. As one of the oldest methods for exchanging data on the internet, SOAP has developed a robust set of security standards over the years. SOAP security is primarily concerned with preventing unauthorized access to messages and the information contained within. The standard protocol used to accomplish this is WS-Security (Web Standards Security) specification. WS-Security (Web Services Security or WSS) is a set of principles to enforce the confidentiality and authentication procedures for SOAP messaging. WS-Security-compliant practices include using passwords, X.509 certificates, digital signatures, and XML encryption, among other things. XML encryption causes the data to be unreadable to unauthorized users. While WS-Security, and the SOAP protocol itself, are mature products with solid security, you need to keep in mind their role in your systems infrastructure. SOAP APIs carry a message from one system to its destination endpoint. Even though the message may be securely transmitted and received, the actions that follow after that payload has been received may cause a security breach. Understanding the risks in SOAP security is key to ensuring your organization does all it can to stay safe.
Why Is SOAP Security Important?
Cybersecurity is on the list of top concerns of modern businesses. Per one source, the average monetary loss of malware attacks on companies is $2.4 million. According to the same report, up to 21% of files have no security measures or protections in place at all. This leaves these companies' data prone to attacks. It also puts the devices that employees use at risk for malware attacks. SOAP messages often contain sensitive data. Messages could contain financial data, employee records, and other info you need to keep safe. Keeping it from falling into the wrong hands takes on a high priority. WS-Security and SOAP security best practices add a layer of security to the API's infrastructure and protect your customers, employees, and intellectual property.
Common SOAP Security Risks
There are many different kinds of cybersecurity vulnerabilities and attacks, and some are uniquely aimed at APIs. A few of these are code injections, DoS (Denial of Service) attacks, breached or leaked access/authorization, XSS (cross-site scripting), and session hijacking. Some are message-level attacks, while others try to exploit the transport layer. Here's a look at how these exploits apply to a SOAP request.
Code Injections
Code injections introduce malicious code into the database or application itself. SQL injection is a method of including malicious commands in a database query. Similarly, malicious code can be inserted into XML content for delivery in a SOAP message. The only way to prevent code injections is with careful access control. Do not grant elevated privileges to processes that receive and interpret SOAP XML data. Typically, these processes will only be able to insert data into a database and not run any administrative commands.
Breached or Leaked Access/Authorization
Most attacks, including code injections, start with breached or leaked access. Ensuring SOAP messages are revealed only to the correct user is a critical part of SOAP security. As with preventing code injection attacks, limiting what can be done with a received SOAP message is important.
Denial of Service (DoS or DDoS) Attack
A Denial of Service or Distributed Denial of Service (DDoS) attack overwhelms and disrupts a web service with too many messages or messages that are too long. SOAP security includes measures that can make DoS attacks impossible by limiting the length and volume of messages.
Cross-Site Scripting (XSS)
Cross-site scripting is another form of code injection, but more specifically, it occurs when someone injects malicious browser-side script into the website through the web application. While the SOAP message may pass security checks, you should ensure that any actions triggered by receipt of the message are secure.
Session Hijacking
Session hijacking is another failure of access control. It occurs when an unauthorized user obtains a session ID from another user. The unauthorized user then can access the application and get underlying data they should not have. Strict adherence to WS-Security protocols is your best defense against session hijacking.
How To Build Secure Web Services
There are some basic procedures and practices that you can add to SOAP to help prevent unauthorized access. To create a secure SOAP web service, you need to add a security layer through the SOAP header. You can read more about how to do this here. By adding the username and password as variables, each time you generate a SOAP message, the header will now include these credentials. Now whenever a user calls the web service, the username and password are required. This is just one way to secure a SOAP web service. Other methods involve encrypting the SOAP message via X.509 certificates or authentication via services like Kerberos.
SOAP Security Best Practices
Since web services are essential to today's digital landscape, you should implement SOAP security best practices now. This includes regular testing, IAM (identity and access management), request monitoring, input validation, and redundant security standards.
Regular Testing
You can perform various tests to ensure that your API will stand up to any possible threats and find any vulnerabilities that attackers might exploit. Two of the most popular types of tests are fuzz testing and injection testing. How To Use Fuzz Testing: Fuzz testing is the process of sending invalid or random data to a software system to see how it reacts. In the process, you discover coding errors and security issues. In the case of SOAP, you can use fuzz testing to determine how the API reacts to unexpected input. One tool you can use for this is Protocol Fuzzer, formerly known as the Peach Fuzzer. Companies and government agencies widely use Protocol Fuzzer to help avoid zero-day attacks through fuzz testing. It has a wide range of functionality that will help you automate the process of sending unexpected input to the API to see if and when it breaks. You can use injection testing to detect vulnerabilities where a hacker might introduce malicious code. How To Use Injection Testing: Injection testing is done by injecting a test set of malicious code and seeing the results. An example is to see if SQL included in a SOAP API's XML message is processed by the receiving system. You would want to test this on a sample database or table—for instance, by seeing if the included SQL statement can delete the table or even the entire database.
Identity and Access Management
Identity and access management is one of cybersecurity's most basic and essential concepts. It includes everything from passwords and usernames to advanced authentication techniques. All organizations should practice good IAM across all their systems and perform regular user management policies and procedures audits. Strong IAM policies prevent unauthorized users from accessing the application at the wrong time or stealing another user’s session token and hijacking the session. How To Use IAM: Some platforms can track what information and tools your web service sends to which members of your organization (RBAC, or role-based access control). Another part of IAM is single sign-on (SSO), which is pretty easy to add to your web service. One example of this in action is AWS (Amazon Web Services). AWS implements IAM for SOAP in Amazon S3.
Request Monitoring
Monitoring requests and SOAP messaging for any abnormalities is another essential security activity. Request monitoring makes it much more likely that you will see and be able to solve vulnerabilities or data leaks quickly. How To Use Request Monitoring: In order to monitor requests, you will require some kind of logging system that you can regularly check for any irregularities. A popular request monitoring option is the Apache Software Foundation's SOAP monitor. This tool can check the validity of requests and responses, among other things.
Input Validation
There are two aspects of input validation for SOAP: schema compliance validation and SOAP response validation. Schema compliance validation ensures that the message follows XML schema and the WSDL (web service description language) guidelines. SOAP response validation ensures that the response to your message is in the correct format. How To Use Input Validation: You can use both methods above to discover irregular messaging or simply avoid errors. They are essentially built into the SOAP protocol itself. SoapUI, which provides a wide range of API testing tools, offers services for validating messages according to SOAP and WSDL protocols. Its website provides tutorials on its usage.
Redundant Security Standards
WSDL, XML document standards, and SOAP standards overlap in many places. These redundant security standards give a level of insurance obtained by a few other systems. Redundant security standards mean that you have less chance of exposing data and more chance of discovering vulnerabilities before hackers exploit them. How To Use Redundant Security Standards: Explore options for API management that implement multiple security standards and apply all of the best practices mentioned above. The DreamFactory API management services can implement various security measures and standards for all your SOAP security needs.
SOAP Security with DreamFactory
Ideal SOAP security requires professional help and regular monitoring. This is just one of the many reasons why companies turn to DreamFactory. Our team of developers and engineers understand the risks of transmitting and receiving APIs. We know that regular API testing is an integral part of cybersecurity in this era of microservices, web services, and cloud computing. We provide extensive SOAP services to help you secure and manage your APIs and SOAP messaging. Contact us today for more information on how you can improve your SOAP security with DreamFactory. Start your free 14-day trial and see why we provide the most comprehensive API management platform.
Frequently Asked Questions: SOAP Security
What is SOAP?
SOAP (Simple Object Access Protocol) is a messaging protocol used for exchanging structured information between web services. It provides a standardized format for communication, including the use of XML for message encapsulation.
Why is security important in SOAP-based applications?
Security is crucial in SOAP-based applications to protect sensitive data, ensure the integrity of messages, authenticate and authorize users, prevent unauthorized access, and establish a secure communication channel between web services.
What are some common security threats in SOAP-based applications?
Common security threats in SOAP-based applications include unauthorized access, information disclosure, message tampering, replay attacks, XML injection, and denial-of-service (DoS) attacks. These threats can compromise the confidentiality, integrity, and availability of the application and its data.
What are the key security features provided by SOAP?
SOAP provides several security features, including encryption and digital signatures for data confidentiality and integrity, authentication mechanisms such as username/password or X.509 certificates, message-level security with WS-Security, and transport-level security with protocols like SSL/TLS.
How does transport-level security work in SOAP?
Transport-level security in SOAP involves securing the underlying communication channel, such as using SSL/TLS protocols. It ensures that data transmitted between the client and server remains confidential and protected against interception or eavesdropping.
What is SOAP security?
SOAP security refers to the implementation of security measures and mechanisms within SOAP-based applications. It encompasses various techniques and protocols aimed at safeguarding data, authenticating users, securing message integrity, and protecting against security threats.
Why is SOAP security important?
SOAP security is important because it helps maintain the confidentiality, integrity, and availability of data transmitted between SOAP-based applications. It safeguards sensitive information, prevents unauthorized access, ensures message authenticity, and protects against potential security vulnerabilities and attacks.
Related Reading
How Do You Test a SOAP and REST Service?
REST and SOAP are two critical web services technologies that revolutionize how businesses use APIs. Since APIs are so common, it's important to test them regularly to find vulnerabilities or potential operating problems within the web service. To test a SOAP or REST service, you can use tools like ... Continue reading
Terence Bennett, CEO of DreamFactory, has a wealth of experience in government IT systems and Google Cloud. His impressive background includes being a former U.S. Navy Intelligence Officer and a former member of Google's Red Team. Prior to becoming CEO, he served as COO at DreamFactory Software.