Java Entrepreneur

Java Application Development & Entrepreneurship

Can Web Services Be Secure?

At JavaOne 2005 I attended a session called "Web Services Security Attacks in Action." Since then I've had some concerns in the back of my mind, and lately I've been thinking about them even more, since both I and others are using Web Services more and more. My main concern is stopping DoS attacks. Let me explain, starting with my experience of using XML in general. Over the past few years I've had the unfortunate job of parsing large XML files to pull out the data I required. During this time I've worked with both SAX and DOM parsers.

When I say large, I mean 5 to 10 MB in size. I learned right away why a developer uses SAX instead of DOM. This became very obvious to me when the development server I was using started hanging because of "OUT OF MEMORY" errors. Those errors led me to stop using DOM. However, there were times, even with SAX, when I would get the same type of error because a very large data element or attribute was being passed to the application. I solved this because I controlled the client in question and could force it to validate against a schema before calling my batch program on the server side.

With Web Services, how does a developer protect an application from a DoS attack? A malicious user who can call a Web Service over the Internet could easily submit a bogus SOAP request to it. Inside that request could be an element or attribute that is megabytes in size. If a number of these requests were to arrive, I would assume that a server could easily be hung. I've heard that "XML-aware" hardware exists that could stop such an attack, but how many organizations, especially small businesses, use these types of devices? I would assume that this concern has been addressed in some way, since Web Services have become so prolific, but I don't hear much about it. Is this a real threat that just hasn't been exploited, or am I overly concerned about nothing? I'm not sure what the answer is, but when I work on projects that require Web Services on the Internet I do it with caution.
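An added example in Java, not code from the original post, of how the parsing side itself can enforce the limits the post asks about: the class name, the three caps and the constructed sample SOAP bodies are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical SAX handler: a body whose element text or attribute values exceed
// fixed budgets is rejected early instead of being accumulated on the heap.
public class BoundedSoapHandler extends DefaultHandler {
    static final int MAX_BODY_BYTES = 1 << 20;   // assumed cap on the whole request
    static final int MAX_TEXT_CHARS = 64 * 1024; // assumed cap on one element's text
    static final int MAX_ATTR_CHARS = 4 * 1024;  // assumed cap on one attribute value
    private int textChars;                       // text seen since the last start tag
    @Override public void startElement(String uri, String local, String qName,
                                       Attributes atts) throws SAXException {
        textChars = 0;
        // Attribute values are already buffered by the parser before this runs; bounded() caps that.
        for (int i = 0; i < atts.getLength(); i++)
            if (atts.getValue(i).length() > MAX_ATTR_CHARS)
                throw new SAXException("attribute " + atts.getQName(i) + " too large");
    }
    @Override public void characters(char[] ch, int start, int len) throws SAXException {
        textChars += len;                        // one text node may arrive in chunks
        if (textChars > MAX_TEXT_CHARS)
            throw new SAXException("element text exceeds " + MAX_TEXT_CHARS + " chars");
    }
    // Wraps the request stream so the parser can never read past MAX_BODY_BYTES (byte-at-a-time for brevity).
    static InputStream bounded(InputStream in) {
        return new InputStream() {
            int seen;
            @Override public int read() throws IOException {
                if (++seen > MAX_BODY_BYTES) throw new IOException("request body too large");
                return in.read();
            }
        };
    }
    // True if the document parsed within every limit, false if it was rejected.
    public static boolean parseWithinLimits(InputStream body) throws Exception {
        try {
            SAXParserFactory.newInstance().newSAXParser().parse(bounded(body), new BoundedSoapHandler());
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: one small, one with a single oversized element.
        String huge = "<Envelope><Body><Order>" + "A".repeat(MAX_TEXT_CHARS + 1) + "</Order></Body></Envelope>";
        for (String s : new String[] {"<Envelope><Body><Order id=\"1\">ok</Order></Body></Envelope>", huge})
            System.out.println(parseWithinLimits(new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8))));
    }
}
```

In a servlet the same body cap belongs on the HTTP layer too (checking Content-Length before a single byte is parsed), so that a client cannot make the server buffer a huge request even before the parser is involved.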

Published in Thursday, November 17th, 2005, at 4:18 pm, and filed under Security.


Java Entrepreneur © 2005. Theme Squared created by Rodrigo Ghedin.