Web Services Interface Definition for Intrusion Defense

An Eclipse plug-in that validates the WSDL interface specification of a Web service, flagging any interface feature that could open a door to hacker attacks against that service.


Date Posted: January 18, 2005

What is Web Services Interface Definition for Intrusion Defense?

Web Services Interface Definition for Intrusion Defense (WSID4ID) is an Eclipse plug-in that validates the Web Service Description Language (WSDL) interface specification of a Web service, flagging any interface feature that could open a door to hacker attacks against that service. The technology is designed as an extension to the open-source WSDL validation plug-in, which is provided as part of Web Services Validation Tools (WSVT).

Using the WSVT WSDL validator, an Eclipse user may right-click on a WSDL file to validate its syntactic correctness. If this syntactic validation succeeds, the WSVT WSDL validator in turn invokes the WSID4ID plug-in. This new validator walks through the file and any nested WSDL or XML Schema Definition (XSD) files it imports, checking for interface features that could open attack paths that hackers could use against the Web service defined by the WSDL file(s) being validated.

How does it work?

The features it looks for and flags in the WSDL file and any file it imports correspond to interface design aspects that have been known to be dangerous since the dawn of programming, even more so since the advent of distributed programming, and especially of Web programming paradigms such as CGI scripts, servlets, and Web services. These dangerous features all correspond to certain XSD constructs that should be avoided for the sake of intrusion defense. These constructs include the following:

  • Use of any, anyType, or anySimpleType
  • Use of maxOccurs="unbounded" on any element declaration
  • Use of XSD list types
  • Use of XSD complexTypes with mixed content
  • Use of any built-in XSD simpleType without restrictions in SOAP messages

The XSD language even allows definition of restricted string types in which certain characters are illegal. This capability should be used by Web service designers to rule out such characters as line feeds, carriage returns, semicolons, escapes, and other special characters typical of executable languages in input strings (such as file names) that will be composed internally with other strings in order to form commands to back-end systems. In this way the designers can defend against so-called in-line command injection attacks. Where such restrictions are not specified in a WSDL file, the tool suggests them to remind designers of the risk of in-line command injection attacks and to encourage them to specify interfaces that will resist such attacks.
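The following is an added example, not code from WSID4ID or from the WSVT project, that shows what the checks in the list above and the pattern suggestion in the preceding paragraph amount to when run over a schema. It is written in Python rather than as an Eclipse/Java plug-in, the sample schema (namespace urn:example:files, elements ListFilesRequest and Note, types SafeFileName, LooseName and TagList) is constructed for the demonstration, and the "unrestricted built-in" rule is a simplification that flags any element typed directly with an XSD built-in type rather than the plug-in's exact rule set.

```python
# Added example: an XSD walker that flags the risky constructs listed on this
# page and suggests a pattern restriction where a string restriction has none.
import io
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample schema: each risky construct appears once, beside a
# hardened element (fileName, typed SafeFileName) that passes every check.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:tns="urn:example:files" targetNamespace="urn:example:files">
  <xs:simpleType name="SafeFileName">
    <xs:restriction base="xs:string">
      <xs:maxLength value="64"/><xs:pattern value="[A-Za-z0-9_.-]+"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="LooseName">
    <xs:restriction base="xs:string"><xs:maxLength value="64"/></xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="TagList"><xs:list itemType="xs:string"/></xs:simpleType>
  <xs:element name="ListFilesRequest">
    <xs:complexType><xs:sequence>
      <xs:element name="directory" type="xs:string"/>
      <xs:element name="fileName" type="tns:SafeFileName"/>
      <xs:element name="filter" type="xs:string" maxOccurs="unbounded"/>
      <xs:element name="extra" type="xs:anyType"/>
      <xs:any processContents="lax"/>
    </xs:sequence></xs:complexType>
  </xs:element>
  <xs:element name="Note">
    <xs:complexType mixed="true">
      <xs:sequence><xs:element name="b" type="tns:LooseName"/></xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""


def parse_with_prefixes(text):
    """Parse the schema and keep the prefix->namespace map, which ElementTree
    otherwise discards but which is needed to resolve QNames in attributes."""
    prefixes, root = {}, None
    source = io.BytesIO(text.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[data[0]] = data[1]
        elif root is None:
            root = data
    return root, prefixes


def xsd_name(qname, prefixes):
    """Local name of a QName attribute value if it lies in the XSD namespace."""
    if qname is None:
        return None
    prefix, _, local = qname.rpartition(":")
    return local if prefixes.get(prefix) == XSD_NS else None


def xsd_tag(el):
    """Local name of an element tag if it lies in the XSD namespace."""
    ns, _, local = el.tag[1:].partition("}") if el.tag.startswith("{") else ("", "", el.tag)
    return local if ns == XSD_NS else None


def find_schema_issues(xsd_text):
    """Return (check, owning-declaration, message) tuples in document order."""
    root, prefixes = parse_with_prefixes(xsd_text)
    parent = {child: p for p in root.iter() for child in p}

    def owner(el):
        # Nearest ancestor-or-self with a name attribute, e.g. the simpleType
        # that wraps an xs:list or the element that wraps a mixed complexType.
        while el is not None and el.get("name") is None:
            el = parent.get(el)
        return el.get("name") if el is not None else "(anonymous)"

    issues = []
    for el in root.iter():
        kind, who = xsd_tag(el), owner(el)
        t = xsd_name(el.get("type"), prefixes)
        if kind in ("any", "anyAttribute"):
            issues.append(("wildcard", who, "xs:%s admits arbitrary content" % kind))
        if t in ("anyType", "anySimpleType"):
            issues.append(("any-type", who, "xs:%s admits arbitrary content" % t))
        if el.get("maxOccurs") == "unbounded":
            issues.append(("unbounded", who, 'maxOccurs="unbounded" allows unlimited repetition'))
        if kind == "list":
            issues.append(("list-type", who, "xs:list has no item count limit"))
        if kind == "complexType" and el.get("mixed") == "true":
            issues.append(("mixed", who, "mixed content admits free text between children"))
        if kind == "element" and t not in (None, "anyType", "anySimpleType"):
            issues.append(("unrestricted-builtin", who,
                           "built-in xs:%s used directly; wrap it in a restriction" % t))
        if kind == "restriction" and xsd_name(el.get("base"), prefixes) == "string":
            if el.find("{%s}pattern" % XSD_NS) is None:
                issues.append(("no-pattern", who, "string restriction lacks xs:pattern; add one "
                               "that excludes line breaks, semicolons and other command separators"))
    return issues


if __name__ == "__main__":
    for check, who, msg in find_schema_issues(SAMPLE_XSD):
        print("%-22s %-18s %s" % (check, who, msg))
```

Running the script lists eight findings for the sample, one for every risky construct plus the missing pattern on LooseName, and nothing for fileName, whose SafeFileName type carries both a length bound and a pattern. The owner lookup matters in practice: an xs:list or a mixed complexType usually has no name of its own, so the report names the enclosing simpleType or element, which is the declaration a designer would actually edit.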

Once a WSDL file (and any nested files it imports) passes all the checks, it defines a "safe" interface that is guaranteed to resist any of the trivial hacker attacks mentioned above. Of course, it is then the responsibility of the programmer to implement the corresponding input validation instructions in the Web service code as a matter of basic programming practice.


About the technology author(s):
Phil Janson earned a B.S. in Electrical Engineering from the University of Brussels, as well as M.S., E.E., and Ph.D. in Computer Science from M.I.T. From 1976 to 1996, he held a tenured lecturer position in Operating Systems at the University of Brussels. In 1977, he joined the IBM Zurich Research Lab, where he worked initially on high-speed packet switches and the IBM Token Ring. In 1986, Dr. Janson worked on OS/2 LAN gateways at the IBM Development Lab in Austin. Back in Zurich in 1987, he managed several projects on heterogeneous networking and security. In 1995 he became head of a new Computer Science Department at the IBM Zurich Lab, which he built up until 1999, with a focus on IT security technologies, smart cards, pervasive computing, and e-business.

In 1995 Dr. Janson was elected to the IBM Academy of Technology, of which he was Vice President in 2000 and 2001, serving at the same time as Program Manager for University Relations at the Zurich Lab. In 2001 he also became a member of the Advisory Board of the Communication Systems Dept. of EPF Lausanne and was elected to the Research Council of the Swiss National Foundation. From 2002 to 2004, he returned to an active research career as Senior Technical Staff Member, working on Web services security. He is presently Program Manager for Services Research Assets.

Dr. Janson holds several patents and wrote over 50 papers in the areas of IT security and distributed systems as well as a book on Operating Systems. He received a Harkness Fellowship from the Commonwealth Fund of New York in 1972 and a number of IBM Invention and Outstanding Technical Contribution Awards since then. He is a member of the ACM and of the IEEE Computer Society.


Related technologies

For platform(s):
Multi-Platform

For topics:
WSDL, hacker attacks

