XML Standards

How To Remove WS-Security Tokens From a SOAP Message

Mon, 14 Sep 2009 07:30:00 EDT

After you've validated a UsernameToken, or checked an XML Signature, it is often good practice to then strip out the WS-Security blocks containing items like tokens and signatures, before sending them downstream to a Web Service. In some cases, you are stripping these out because you don't want the password to remain in the message. In other cases, you may know that the downstream Web Service will choke on the WS-Security block. It also makes the message smaller.

Breaking XML to Optimize Performance

Wed, 29 Jul 2009 06:30:00 EDT

As XML becomes ubiquitous throughout the enterprise, it increasingly taxes the systems that must deal with it. Even though there are a wide range of hardware and software solutions coming to market that aim to alleviate XML's performance bottlenecks (See ZapThink's XML Proxies Report), many developers are nevertheless resorting to a variety of tactics to improve the performance of XML processing and transmission that are… well… creative. Many of these creative approaches simplify certain aspects of XML in order to squeeze document size, improve parser performance, and speed the mapping of XML document components to application objects.

I Can Has UR .htaccess File

Tue, 21 Jul 2009 14:30:00 EDT

Notice that isn’t a question, it’s a statement of fact

Twitter is having a bad month. After it was blamed, albeit incorrectly, for a breach leading to the disclosure of both personal and corporate information via Google’s GMail and Apps, its apparent willingness to allow anyone and everyone access to a .htaccess file ostensibly protecting search.twitter.com made the rounds via, ironically, Twitter.

This vulnerability at first glance appears fairly innocuous, until you realize just how much information can be placed in an .htaccess file that could have been exposed by this technical configuration faux pas.

Included in the .htaccess file is a number of URI rewrites, which give an interesting view of the underlying file system hierarchy Twitter is using, as well as a (rather) lengthy list of IP addresses denied access. All in all, not that exciting, because many of the juicy bits that could be configured via .htaccess for any given website are not done so in this easily accessible .htaccess file.

Some things you can do with .htaccess, in case you aren’t familiar:

Create default error document
Enable SSI via htaccess
Deny users by IP
Change your default directory page
Redirects
Prevent hotlinking of your images
Prevent directory listing

.htaccess is a very versatile little file, capable of handling all sorts of security and application delivery tasks. Now what’s interesting is that the .htaccess file is in the root directory and should not be accessible. Apache configuration files are fairly straight forward, and there are plethora examples of how to prevent .htaccess – and its wealth of information – from being viewed by clients. Obfuscation, of course, is one possibility, as Apache’s httpd.conf allows you to specify the name of the access file with a simple directive:

AccessFileName .htaccess

It is a simple enough thing to change the name of the file, thus making it more difficult for automated scans to discover vulnerable access files and retrieve them. A little addition to the httpd.conf regarding the accessibility of such files, too, will prevent curious folks from poking at .htaccess and retrieving them with ease. After all, there is no reason for an access file to be viewed by a client; it’s a server-side security configuration mechanism, meant only for the web server, and should not be exposed given the potential for leaking a lot of information that could lead to a more serious breach in security.

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Another option, if you have an intermediary enabled with network-side scripting, is to prevent access to any .htaccess file across your entire infrastructure. Changes to httpd.conf must be done on every server, so if you have a lot of servers to manage and protect it’s quite possible you’d miss one due to the sheer volume of servers to slog through. Using a network-side scripting solution eliminates that possibility because it’s one change that can immediately affect all servers.

Here’s an example using an iRule, but you should also be able to use mod_rewrite to accomplish the same thing if you’re using an Apache-based proxy:

when HTTP_REQUEST {
    # Check the requested URI
    switch -glob [string tolower [HTTP::path]] {
       "/.ht*" {
             reject
          }
       default {
          pool bigwebpool
       }

   }

}

However you choose to protect that .htaccess file, just do it. This isn’t rocket science, it’s a straight-up simple configuration error that could potentially lead to more serious breaches in security – especially if your .htaccess file contains more sensitive (and informative) information.

Technorati Tags: MacVittie,Twitter,network-side scripting,security,web server,apache,httpd.conf,.htaccess,vulnerability,access,unauthorized access,exposure,mod_rewrite,server,web,internet,blog

Related blogs & articles:

Categories: Development and General , iRules , Security , Web 2.0 Security

SOA, BPM, CEP: Getting IT Budget in a Tight Economy

Mon, 20 Jul 2009 18:15:00 EDT

IT budgets don't simply disappear, but it can be difficult to get what you want during tough economic times. But if you focus on the business value your chances will improve. You’re in a squeeze. How things ultimately shake out is not relevant right now, because you need to act right now. Work still needs to get done, systems need to stay running, and you must continue to keep pace with your competitors.

XBRL and Document Management: The Perfect Storm

Sat, 28 Feb 2009 05:50:00 EST

How can you turn the U.S. SEC eXtensible Business Reporting Language (XBRL) mandate’s requirements into an opportunity when making process improvements to comply? Implement an XBRL-enhanced document management strategy as part of your internal corporate filing workflow which will both boost compliance and save money.

XML Compression and Its Role in SOA Performance

Wed, 27 Sep 2006 19:00:00 EDT

Looking at the uncertainty and volatility of market conditions today, enterprises are depending on new cutting-edge technology to have an edge over their fierce competitors. At the same time, they try extracting more value from their existing IT investments. Adding to these disparate applications and technologies are the acquisitions and mergers that inherently bring in different sets of applications.

The Case for XQuery

Tue, 22 Nov 2005 05:45:00 EST

XML use is widespread across modern information systems in all industry, government, and academic sectors. The core technologies for processing XML (XML, XSLT, XPath, XML Schema, and others) are maturing steadily - thanks to support from standards bodies like the W3C and OASIS, and from major industry players such as IBM, Microsoft, and Oracle. XML is also the basis for a growing body of industry standards for data exchange, and it is well on its way to becoming a mainstream technology for data integration. XML is transforming not just data - it is transforming information processing in general.

OASIS Forms CGM Open Member Section To Create Version 2.0 of WebCGM

Wed, 04 Aug 2004 00:00:00 EDT

OASIS (Organization for the Advancement of Structured Information Standards) is forming a CGM Open Member Section. The primary focus will be to advance the vector-based graphics standard, WebCGM version 1.0.

Semantic Mapping, Ontologies, and XML Standards

Fri, 30 Apr 2004 00:00:00 EDT

When dealing with application integration, as you know by now, we are dealing with much complexity. The notion of ontologies helps the application integration architect prepare generalizations that make the problem domain more understandable.

Application Integration: Addressing the Issues

Wed, 10 Mar 2004 00:00:00 EST

Application integration brings a combination of problems. Each organization and trading community has its own set of integration issues that must be addressed. Because of this, it is next to impossible to find a single technological solution set and/or standard that can be applied universally.