[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: RE: SOAP-RPC and REST and security

• To: Mike Champion <mc@x...>
• Subject: Re: RE: SOAP-RPC and REST and security
• From: Al Snell <alaric@a...>
• Date: Thu, 21 Feb 2002 01:00:48 +0000 (GMT)
• Cc: <xml-dev@l...>
• In-reply-to: <US3W07737107C9623ZA9KG73WS4ID85.3c743f13@MChamp>

On Wed, 20 Feb 2002, Mike Champion wrote:

> the data gets there by SOAP-RPC, SOAP messaging, REST, CGI, or whatever.
> Probably *any* text-based message format (XML or URI) would seriously
> constrain a hacker's ability to put nasty code in that overflow.

Not so, I'm afraid - it's just as bad. IIS has had a lot of problems with
specially written URLs causing havoc... in particular, with text
encodings, a whole new class of problem has arisen: Unicode exploits!

> The strongest case I could make against SOAP and web security after reading
> this thread would be that it is relatively easy for a naive user of
> a web service generating wizard to expose some object as a web service
> that could be misused by a hacker out on the internet somewhere.

Indeed.

> Again,
> in retrospect, that would be true however the code code invoked, as
> a SOAP RPC request, a CGI script, or while processing a REST message.

Indeed.

ABS

-- 
                               Alaric B. Snell
 http://www.alaric-snell.com/  http://RFC.net/  http://www.warhead.org.uk/
   Any sufficiently advanced technology can be emulated in software

• References:
  • Re: RE: SOAP-RPC and REST and security
    • From: Mike Champion <mc@x...>

• Prev by Date: Re: SOAP-RPC and REST and security
• Next by Date: Re: SOAP-RPC and REST and security
• Previous by thread: Re: RE: SOAP-RPC and REST and security
• Next by thread: Re: SOAP-RPC and REST and security
• Index(es):
  • Date
  • Thread