by Luke Marshall • November 2, 2022
Cybersecurity is one of the top concerns for businesses today. Vulnerabilities make the news when they turn into expensive breaches. With the cloud so prevalent in today’s digital landscape, much attention has turned to API security. Network attacks aimed at APIs increased by an incredible 681% in 2021. The years leading up to that had also seen steady increases, so the concern is well-founded. However, businesses are rapidly responding to the crisis, and they’re doing that by hardening API security and implementing thorough testing practices. Considering the continued popularity of SOAP (simple object access protocol) APIs, it is now a top priority for global IT leaders to learn SOAP’s best security practices. SOAP APIs have unique security concerns compared to REST APIs. How are businesses closing the gap and improving API security for SOAP? How can you protect your business and your clients and secure your APIs from threats? This article will explain SOAP security, examine common risks, and help you follow the best practices that can protect you from data breaches and security problems.
SOAP is a messaging protocol popular in web service APIs. SOAP uses messages in the cross-platform XML (extensible markup language) format, bridging the gaps between otherwise-incompatible systems and servers. Originally developed by Microsoft, SOAP is now an open web services standard. Unlike REST (representational state transfer), which can use data formats like JSON and various protocols, SOAP is limited to sending XML over HTTP or SMTP. As one of the oldest methods for exchanging data on the internet, SOAP has developed a robust set of security standards over the years. SOAP security is primarily concerned with preventing unauthorized access to messages and the information contained within. The standard used to accomplish this is the WS-Security specification. WS-Security (Web Services Security or WSS) is a set of principles to enforce the confidentiality and authentication procedures for SOAP messaging. WS-Security-compliant practices include using passwords, X.509 certificates, digital signatures, and XML encryption, among other things. XML encryption renders the message contents unreadable to anyone who does not hold the key. While WS-Security, and the SOAP protocol itself, are mature standards with solid security, you need to keep in mind their role in your systems infrastructure. SOAP APIs carry a message from one system to its destination endpoint. Even though the message may be securely transmitted and received, the actions that follow after that payload has been received may cause a security breach. Understanding the risks in SOAP security is key to ensuring your organization does all it can to stay safe.
Cybersecurity is on the list of top concerns of modern businesses. Per one source, the average monetary loss of malware attacks on companies is $2.4 million. According to the same report, up to 21% of files have no security measures or protections in place at all. This leaves these companies’ data prone to attacks. It also puts the devices that employees use at risk for malware attacks. SOAP messages often contain sensitive data. Messages could contain financial data, employee records, and other info you need to keep safe. Keeping it from falling into the wrong hands takes on a high priority. WS-Security and SOAP security best practices add a layer of security to the API’s infrastructure and protect your customers, employees, and intellectual property.
There are many different kinds of cybersecurity vulnerabilities and attacks, and some are uniquely aimed at APIs. A few of these are code injections, DoS (Denial of Service) attacks, breached or leaked access/authorization, XSS (cross-site scripting), and session hijacking. Some are message-level attacks, while others try to exploit the transport layer. Here’s a look at how these exploits apply to a SOAP request.
Code injections introduce malicious code into the database or application itself. SQL injection is a method of including malicious commands in a database query. Similarly, malicious code can be inserted into XML content for delivery in a SOAP message. The only way to prevent code injections is with careful access control. Do not grant elevated privileges to processes that receive and interpret SOAP XML data. Typically, these processes should only be able to insert data into a database and never run administrative commands.
Most attacks, including code injections, start with breached or leaked access. Ensuring SOAP messages are revealed only to the correct user is a critical part of SOAP security. As with preventing code injection attacks, limiting what can be done with a received SOAP message is important.
A Denial of Service or Distributed Denial of Service (DDoS) attack overwhelms and disrupts a web service with too many messages or messages that are too long. SOAP security includes measures that can make DoS attacks impossible by limiting the length and volume of messages.
Cross-site scripting is another form of code injection, but more specifically, it occurs when someone injects malicious browser-side script into the website through the web application. While the SOAP message may pass security checks, you should ensure that any actions triggered by receipt of the message are secure.
Session hijacking is another failure of access control. It occurs when an unauthorized user obtains a session ID from another user. The unauthorized user then can access the application and get underlying data they should not have. Strict adherence to WS-Security protocols is your best defense against session hijacking.
There are some basic procedures and practices that you can add to SOAP to help prevent unauthorized access. To create a secure SOAP web service, you need to add a security layer through the SOAP header. If you supply the username and password as variables when generating each SOAP message, the header will carry these credentials on every call, so whenever a user calls the web service, the username and password are required. This is just one way to secure a SOAP web service. Other methods involve encrypting the SOAP message via X.509 certificates or authentication via services like Kerberos.
Since web services are essential to today’s digital landscape, you should implement SOAP security best practices now. This includes regular testing, IAM (identity and access management), request monitoring, input validation, and redundant security standards.
You can perform various tests to ensure that your API will stand up to any possible threats and find any vulnerabilities that attackers might exploit. Two of the most popular types of tests are fuzz testing and injection testing.
How To Use Fuzz Testing: Fuzz testing is the process of sending invalid or random data to a software system to see how it reacts. In the process, you discover coding errors and security issues. In the case of SOAP, you can use fuzz testing to determine how the API reacts to unexpected input. One tool you can use for this is Protocol Fuzzer, formerly known as the Peach Fuzzer. Companies and government agencies widely use Protocol Fuzzer to help avoid zero-day attacks through fuzz testing. It has a wide range of functionality that will help you automate the process of sending unexpected input to the API to see if and when it breaks.
You can use injection testing to detect vulnerabilities where a hacker might introduce malicious code.
How To Use Injection Testing: Injection testing is done by injecting a test set of malicious code and seeing the results. An example is to see if SQL included in a SOAP API’s XML message is processed by the receiving system. You would want to test this on a sample database or table—for instance, by seeing if the included SQL statement can delete the table or even the entire database.
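The injection test described here, and the code-injection risk described earlier, as an added example (not code from the article or from DreamFactory): a handler that splices the XML `Id` value into SQL sits beside its hardened form, and `injection_test` runs a read-only tautology payload against a throwaway in-memory table and reports whether extra rows leak. The `hr` namespace, the `GetEmployee` operation and the table are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed namespaces for a hypothetical HR service; the operation name and schema are assumptions
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/", "hr": "urn:example:hr"}

def sample_db() -> sqlite3.Connection:
    """Throwaway in-memory table so the injection test never touches real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                   [(1, "alice", 90000), (2, "bob", 85000), (3, "carol", 120000)])
    return db

def envelope_for(id_text: str) -> str:
    """Build the request message the test will send; id_text is the value under test."""
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}"><soapenv:Body>'
            f'<hr:GetEmployee xmlns:hr="{NS["hr"]}"><hr:Id>{id_text}</hr:Id></hr:GetEmployee>'
            f"</soapenv:Body></soapenv:Envelope>")

def employee_id_from_soap(envelope: str):
    return ET.fromstring(envelope).findtext("soapenv:Body/hr:GetEmployee/hr:Id", namespaces=NS)

def lookup_vulnerable(db, envelope):
    # Anti-pattern: the XML text is spliced straight into SQL, so the message body becomes part of the query
    emp_id = employee_id_from_soap(envelope)
    return db.execute(f"SELECT id, name, salary FROM employees WHERE id = '{emp_id}'").fetchall()

def lookup_hardened(db, envelope):
    # Validate the value against the schema (Id is an integer) and bind it as a parameter, never as SQL text
    raw = employee_id_from_soap(envelope)
    if raw is None or not raw.strip().isdigit():
        raise ValueError("Id must be a non-negative integer")
    return db.execute("SELECT id, name, salary FROM employees WHERE id = ?", (int(raw),)).fetchall()

def injection_test(handler) -> bool:
    """Send a tautology in the message to a sample database and report whether rows beyond the baseline leak."""
    db = sample_db()
    baseline = handler(db, envelope_for("2"))
    try:
        injected = handler(db, envelope_for("2' OR '1'='1"))
    except ValueError:
        return False  # rejected before reaching the database: no leak
    return len(injected) > len(baseline)
```

Run the same test against every operation that turns message content into a query; a handler that passes should also be executed under a database account limited to the statements it legitimately needs.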
Identity and access management is one of cybersecurity’s most basic and essential concepts. It includes everything from passwords and usernames to advanced authentication techniques. All organizations should practice good IAM across all their systems and perform regular audits of their user management policies and procedures. Strong IAM policies prevent unauthorized users from accessing the application at the wrong time or stealing another user’s session token and hijacking the session.
How To Use IAM: Some platforms can track what information and tools your web service sends to which members of your organization (RBAC, or role-based access control). Another part of IAM is single sign-on (SSO), which is pretty easy to add to your web service. One example of this in action is AWS (Amazon Web Services). AWS implements IAM for SOAP in Amazon S3.
Monitoring requests and SOAP messaging for any abnormalities is another essential security activity. Request monitoring makes it much more likely that you will see and be able to solve vulnerabilities or data leaks quickly.
How To Use Request Monitoring: In order to monitor requests, you will require some kind of logging system that you can regularly check for any irregularities. A popular request monitoring option is the Apache Software Foundation’s SOAP monitor. This tool can check the validity of requests and responses, among other things.
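What "checking for irregularities" looks like in practice, as an added example (not the article's code and not the Apache SOAP monitor's format): a small monitor that parses a constructed one-request-per-line log and flags bursts of SOAP faults from one client, oversized messages, and operations that are not in the service's WSDL. The log format, the `WSDL_OPERATIONS` set and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log line format: timestamp client operation http_status request_bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<op>\S+) (?P<status>\d{3}) (?P<size>\d+)$")
WSDL_OPERATIONS = {"GetEmployee", "ListEmployees"}  # assumed operation names from the service's WSDL

# Constructed sample log: one client hammering the service with faulting calls, one huge message, one unknown operation
SAMPLE_LOG = """\
2022-11-02T10:00:01Z 203.0.113.7 GetEmployee 200 812
2022-11-02T10:00:04Z 203.0.113.7 GetEmployee 500 790
2022-11-02T10:00:05Z 203.0.113.7 GetEmployee 500 803
2022-11-02T10:00:06Z 203.0.113.7 GetEmployee 500 811
2022-11-02T10:00:07Z 203.0.113.7 GetEmployee 500 799
2022-11-02T10:00:09Z 198.51.100.9 ListEmployees 200 91234567
2022-11-02T10:00:12Z 192.0.2.44 AdminReset 404 650
2022-11-02T10:00:30Z 192.0.2.44 ListEmployees 200 1200
"""

def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that do not fit the format rather than crashing the monitor
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            d["status"], d["size"] = int(d["status"]), int(d["size"])
            records.append(d)
    return records

def find_anomalies(records: list, window_s: int = 60, max_faults: int = 3, max_bytes: int = 64 * 1024) -> list:
    """Return (rule, client, detail) tuples; HTTP 500 is how a SOAP 1.1 Fault is carried over HTTP."""
    alerts, faults = [], defaultdict(list)  # client -> timestamps of fault responses
    for r in records:
        if r["op"] not in WSDL_OPERATIONS:
            alerts.append(("unknown-operation", r["client"], r["op"]))
        if r["size"] > max_bytes:
            alerts.append(("oversized-message", r["client"], f'{r["size"]} bytes'))
        if r["status"] == 500:
            faults[r["client"]].append(r["ts"])
            recent = [t for t in faults[r["client"]] if (r["ts"] - t).total_seconds() <= window_s]
            if len(recent) > max_faults:
                alerts.append(("fault-burst", r["client"], f"{len(recent)} faults in {window_s}s"))
    return alerts
```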
There are two aspects of input validation for SOAP: schema compliance validation and SOAP response validation. Schema compliance validation ensures that the message follows the XML schema and the WSDL (Web Services Description Language) guidelines. SOAP response validation ensures that the response to your message is in the correct format.
How To Use Input Validation: You can use both methods above to discover irregular messaging or simply avoid errors. They are essentially built into the SOAP protocol itself. SoapUI, which provides a wide range of API testing tools, offers services for validating messages according to SOAP and WSDL protocols. Its website provides tutorials on its usage.
WSDL, XML document standards, and SOAP standards overlap in many places. These redundant security standards give a level of assurance that few other systems obtain. Redundant security standards mean that you have less chance of exposing data and more chance of discovering vulnerabilities before hackers exploit them.
How To Use Redundant Security Standards: Explore options for API management that implement multiple security standards and apply all of the best practices mentioned above. The DreamFactory API management services can implement various security measures and standards for all your SOAP security needs.
Ideal SOAP security requires professional help and regular monitoring. This is just one of the many reasons why companies turn to DreamFactory. Our team of developers and engineers understand the risks of transmitting and receiving API messages. We know that regular API testing is an integral part of cybersecurity in this era of microservices, web services, and cloud computing. We provide extensive SOAP services to help you secure and manage your APIs and SOAP messaging. Contact us today for more information on how you can improve your SOAP security with DreamFactory. Start your free 14-day trial and see why we provide the most comprehensive API management platform.