I was talking to my colleague, Dr. Ronan Bradley, the other day and I suddenly got worried about a potential SOA security hole.
As we all know, SOA systems tend to operate with XML data streams, for example when invoking web services. XML is a self-defining mechanism for data, with pointers and references to ensure the data format can be understood by anyone else. However, it is possible to cross-refer to different parts of the XML stream in such a way that the process becomes recursive. In other words, the parsing process to decode the XML information will loop.
My concern here is that this might offer an opportunity for a Denial of Service (DoS) attack. That is, a malicious party might deliberately send a message containing recursive XML, in the hope of causing the XML parser to loop, thereby blocking any other activity. I am not technically up-to-date enough on the various parsers available in the industry to know for sure, but if the parser does not have some sort of fail-safe then this form of attack would definitely seem to be possible.
The standard way to protect systems from outside attack in the case of the internet is to have a security ‘sniffer’ at the boundary of the enterprise that watches incoming data and looks for threat signatures – that is, characteristics that occur in known threats and threat types. But the problem with the XML thing is that the only way to see if the XML is recursive is to parse it, thereby running in to the problem.
Perhaps this is old news, and the industry has already sorted the problem – but if it has, neither I nor my colleagues are aware of it. It is at least worth SOA adopters, and web services users for that matter, assuring themselves that they are protected from this potential SOA security exposure.