Web Services Interface Definition for Intrusion Defense (WSID4ID) is a recent release from alphaWorks emerging technologies. The IBM WSID4ID tool is "an Eclipse plug-in that validates the Web Service Description Language (WSDL) interface specification of a Web service, flagging any interface feature that could open a door to hacker attacks against that service."
Freely available for download, the WSID4ID software package requires Eclipse 3.0 and the WSDL validator from the Eclipse Web Service Validation Tools (WSVT), either the whole WSVT package or just the WSDL validator. It was developed and tested on Windows XP, but should run on Windows, Linux, UNIX, or any other platform on which Eclipse runs.
Eclipse, hosted at Eclipse.org by the Eclipse Foundation, is "an open platform for tool integration built by an open community of tool providers. Operating under a open source paradigm, with a common public license that provides royalty free source code and world wide redistribution rights, the eclipse platform provides tool developers with ultimate flexibility and control over their software technology. Eclipse has formed an independent open eco-system around royalty-free technology and a universal platform for tools integration."
WSID4ID has been developed by IBM Web services security expert Phil Janson. The tool was designed as an extension to the open-source WSDL validation plug-in, which is provided as part WSVT. "Using the WSVT WSDL validator, an Eclipse user may right-click on a WSDL file to validate its syntactic correctness. If this syntactic validation succeeds, the WSVT WSDL validator in turn invokes the WSID4ID plug-in. This new validator walks through the file and any nested WSDL or XML Schemas Definition (XSD) files it imports, checking for interface features that could open attack paths that hackers could use against the Web service defined by the WSDL file(s) being validated."
WSID4ID detects and flags security risk features in the WSDL file and any file it imports. Such features represent interface design aspects "that have been known as dangerous ever since the dawn of programming, even more so since the advent of distributed programming, especially Web programming paradigms such as CGI scripts, servlets, Web services, etc. These dangerous features all correspond to certain XSD constructs that should be avoided for the sake of intrusion defense."
In the WSID4ID implementation the identified XSD features include: (1) the use of any, anyType, or anySimpleType elements; (2) the XSD maxOccurs attribute should not be unbounded on any element declaration; (3) the use of XSD list types; (4) the use of XSD complexTypes with mixed content; (5) none of the built-in XSD simpleTypes should be used without restrictions in SOAP messages.
According to the developer's documentation, the XSD language "even allows definition of restricted string types in which certain characters are illegal. This capability should be used by Web service designers to rule out such characters as line feeds, carriage returns, semicolons, escapes, and other special characters typical of executable languages in input strings (such as file names) that will be composed internally with others strings in order to form commands to back-end systems. In this way the designers can defend against so-called in-line command injection attacks. Where such restrictions are not specified in a WSDL file, the WSID4ID tool suggests them to remind designers of the risk of in-line command injection attacks and encourage them to specify interfaces that will resist such attacks."
Using the WSID4ID validation process, once a WSDL file and any nested files it imports passes all the checks, "it defines a 'safe' interface that is guaranteed to resist trivial hacker attacks; it is then the reponsibility of the programmer to implement the corresponding input validation instructions in the Web service code as a matter of basic programming practice."
About WSVT
"The Web Service Validation Tools Project provides a set of Eclipse plugins to validate and analyze Web services with respect to the core Web services specifications and their usage together. This includes plugins to assist in determining if a Web service conforms to the guidelines and requirements defined in the WS-I Basic Profile 1.0..."
"A general purpose WSDL 1.1 validator is provided with an extensible mechanism. Validation occurs on the XML syntax, XML Schema types in the <types> section, and referential integrity of the various constructs in WSDL (e.g., reference of messages from operations). The validator includes an extensions point to allow other validators to be plugged into the WSDL validation to provide additional verification of the WSDL file. Currently the WSVT project includes three extension validators (for the HTTP, SOAP and MIME namespaces) in the WSDL validator component and provides a plugin that implements the extension point to validate against the WS-I Basic Profile 1.0..."
"The WSDL Validator Plugin (org.eclipse.wsdl.validate) provides three levels of validation of a WSDL document. First, the WSDL validator ensures that the document is XML conformant, second it validates the document against the WSDL 1.1 specification and third, if a WS-I validator is available, it validates the document for compliance to a WS-I profile. There is an extension point to hook extension validators for other namespaces into the WSDL validator. The WSDL validator comes with three extension validators for the HTTP, MIME and SOAP namespaces respectively..."
Principal references:
- WSID4ID Overview
- Platform Requirements for WSID4ID
- Author bio for [developer] Phil Janson
- IBM alphaWorks Labs
- eclipse.org web site
- Eclipse Web Service Validation Tools (WSVT)
- WSVT Developer FAQ
- W3C Web Services Description Working Group
- WS-I Basic Profile
- "Web Services Interoperability Organization (WS-I)" - Main reference page.