
Web API Attack Protection

XML firewalls address application-level, message-based XML threats

The Problem: Protecting APIs Against XML Threats

The most common way to expose Web APIs today is through XML-based interfaces like REST and WSDL. Publishing APIs directly to the outside world creates new vulnerabilities that traditional network firewalls can't handle. However, the Layer 7 SecureSpan and CloudSpan products can protect Web and Cloud APIs from attacks carried either in the XML message itself or in related message formats like JSON (JavaScript Object Notation).

XML vulnerabilities represent new kinds of risk, reflecting the unique nature of how XML is structured, processed and composed into a Web services or Web API transaction. For example, a malformed IP packet doesn't break a router, but a malformed XML message can disable the XML parser inside an application exposed through an API. Traditional applications with closed APIs generally aren't vulnerable to direct exploitation. With Web services and Web API technologies like REST and JSON, applications are exposed directly to the outside world through open XML-based APIs, making them directly susceptible to content, attachment or execution attacks carried inside an XML message. Since Web services and Web APIs are by definition an integration technology, they are also at risk from transactional threats like message interception, hijacking or spoofing. Addressing all of these XML API vulnerabilities requires a new kind of application-level XML threat detection, prevention and remediation technology.


Solution: XML Firewalls and XML Gateways

There are three classes of exploits to which XML APIs are particularly susceptible:

Infrastructure Attacks

  • OS exploits that undermine a host’s execution environment
  • Parser attacks that compromise a Web service's performance or operation
  • DoS type attacks that degrade a Web service’s availability

Application Attacks

  • WSDL and REST API scanning and address discovery
  • XML and JSON message content manipulation, injection and malformation
  • SOAP attachments that carry viruses

Transactional Attacks

  • Manipulation or inspection of data during transmission
  • Spoofing an identity during a communication
  • Hijacking a communication session

To effectively protect XML APIs against these three classes of threats, specialized software or hardware is required that can inspect XML communication for potential risks and either block the offending behavior or remedy the vulnerability. The Layer 7 SecureSpan and CloudSpan family of XML Gateway products is unique among XML security products and Web services gateways in fully addressing the broad spectrum of risks associated with communication to and from a Web API.


Layer 7 Value: Simple, Scalable XML API Protection

The Layer 7 XML Gateways provide the most comprehensive set of infrastructure protections of any XML threat protection device on the market. The parser is based on Layer 7's FastPath™ XML Stream Processor. Designed specifically for speed and safety, the parser limits XML processing to policy-defined instructions: XML messages are never parsed beyond what the policy explicitly calls for. This ensures the SecureSpan XML appliances continue to function when processing recursive payloads or SOAP bombs, threats that can disable some XML security products using traditional parsing. Similarly, application-level DoS attacks based on an excess of Web service requests or failed authentications will not affect a SecureSpan XML appliance's availability. DoS restrictions can be set inside the SecureSpan Policy Manager to automatically throttle or drop requests exceeding a frequency or size threshold.
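The parser hardening and request throttling described above can be illustrated with an added example; it is not Layer 7's code (the FastPath parser and Policy Manager are proprietary) but a small gateway-style inspector written for this page. It uses Python's standard-library expat parser with handlers that refuse any DOCTYPE (where entity declarations, and so recursive expansion, would live) and any external entity reference, enforces a nesting-depth limit and a size threshold, and applies a per-client sliding-window rate limit before parsing. All thresholds, client identifiers and sample messages are constructed assumptions.

```python
import time
import xml.parsers.expat
from collections import deque

# Assumed policy thresholds (a real gateway would read these from its policy).
MAX_BYTES = 64 * 1024   # reject messages larger than this
MAX_DEPTH = 32          # reject element nesting deeper than this
RATE_LIMIT = 20         # requests allowed per client per window
RATE_WINDOW = 1.0       # window length in seconds


class XmlPolicyViolation(Exception):
    """Raised when a request breaks the inspection policy."""


class RequestInspector:
    """Gateway-style inspection: throttle, size-check, then parse under limits."""

    def __init__(self, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                 rate_limit=RATE_LIMIT, rate_window=RATE_WINDOW,
                 clock=time.monotonic):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.rate_limit = rate_limit
        self.rate_window = rate_window
        self.clock = clock
        self._history = {}  # client id -> deque of recent request times

    def _check_rate(self, client):
        # Sliding window: drop timestamps older than the window, then count.
        now = self.clock()
        recent = self._history.setdefault(client, deque())
        while recent and now - recent[0] > self.rate_window:
            recent.popleft()
        if len(recent) >= self.rate_limit:
            raise XmlPolicyViolation(f"rate limit exceeded for client {client}")
        recent.append(now)

    def inspect(self, client, body):
        """Return parse statistics for an acceptable message, else raise."""
        self._check_rate(client)              # cheapest check first
        if len(body) > self.max_bytes:        # size before any parsing
            raise XmlPolicyViolation("message exceeds size threshold")

        stats = {"root": None, "elements": 0, "max_depth": 0}
        depth = [0]
        parser = xml.parsers.expat.ParserCreate()

        # Entity declarations only exist inside a DOCTYPE; refusing the
        # DOCTYPE outright removes recursive entity expansion as a risk.
        def start_doctype(name, sysid, pubid, has_internal_subset):
            raise XmlPolicyViolation("DOCTYPE and entity declarations are not allowed")

        # Defence in depth: never resolve an external entity.
        def external_entity(context, base, sysid, pubid):
            raise XmlPolicyViolation("external entity references are not allowed")

        def start_element(name, attrs):
            stats["elements"] += 1
            if stats["root"] is None:
                stats["root"] = name
            depth[0] += 1
            stats["max_depth"] = max(stats["max_depth"], depth[0])
            if depth[0] > self.max_depth:
                raise XmlPolicyViolation("nesting depth exceeds policy limit")

        def end_element(name):
            depth[0] -= 1

        parser.StartDoctypeDeclHandler = start_doctype
        parser.ExternalEntityRefHandler = external_entity
        parser.StartElementHandler = start_element
        parser.EndElementHandler = end_element
        try:
            parser.Parse(body, True)  # exceptions raised in handlers propagate here
        except xml.parsers.expat.ExpatError as exc:
            raise XmlPolicyViolation(f"malformed XML: {exc}") from None
        return stats


def inspect_or_block(inspector, client, body):
    """Turn inspect() into a gateway verdict: ("allow", stats) or ("block", reason)."""
    try:
        return ("allow", inspector.inspect(client, body))
    except XmlPolicyViolation as exc:
        return ("block", str(exc))


# Constructed sample messages (not real traffic).
SOAP_OK = (b'<?xml version="1.0"?>'
           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body><getQuote><symbol>ACME</symbol></getQuote></soap:Body>'
           b'</soap:Envelope>')
SOAP_DOCTYPE = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE soap:Envelope [<!ENTITY greeting "hello">]>'
                b'<soap:Envelope><soap:Body>&greeting;</soap:Body></soap:Envelope>')
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40
TRUNCATED = b"<soap:Envelope><soap:Body>"

if __name__ == "__main__":
    inspector = RequestInspector()
    for label, sample in [("well-formed", SOAP_OK), ("doctype", SOAP_DOCTYPE),
                          ("deep", DEEP_NESTING), ("truncated", TRUNCATED)]:
        print(label, inspect_or_block(inspector, "demo-client", sample))
```

The ordering matters: the rate and size checks run before the parser sees a single byte, so a client hammering the endpoint or sending an oversized body never reaches the expensive path, and the depth limit aborts the parse as soon as it is exceeded rather than after the whole document has been read.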

To address application security concerns, the SecureSpan and CloudSpan products provide several unique features to deliver the most robust application-level threat protection for XML and JSON on the market. WSDL and REST APIs can be automatically virtualized and access-controlled based on a requestor's identity. Content-borne threats like SQL injection and schema poisoning can be automatically blocked using Layer 7's first-of-its-kind ASIC technology for accelerated schema validation and XML content detection. If viruses are passed inside a SOAP attachment, Layer 7 delivers a first-to-market ability to scan and remove offending payloads, leveraging Symantec's leading virus scanning technology. While Web services application threats are often the most discussed kind of vulnerability, they are in many ways not the most troubling. Web services are an integration technology and, unlike Web applications, are susceptible to integration or transactional vulnerabilities. Examples include man-in-the-middle attacks (identity spoofing inside a communication session), replay attacks (where a message is hijacked and replayed), eavesdropping, token interception, message tampering and so forth. To guard against these threats, Layer 7 implements the latest WS-* standards, including WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-SecureExchange and WS-Policy, across device clusters to ensure transaction integrity.
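The transactional threats named above (message tampering and replay) are the ones a receiving gateway can check mechanically. The following added example, not Layer 7's code and not an implementation of WS-Security itself, shows the receiver-side logic in a simplified form: each message carries a nonce, a Created timestamp and an HMAC over all three fields, and the receiver verifies integrity first, then freshness, then whether the nonce has been seen inside the freshness window. WS-Security expresses the same ideas with XML signatures and UsernameToken nonces; the HMAC construction, the 300-second window, the shared key and the sample body are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed freshness window: a message whose Created timestamp is further than
# this from the receiver's clock is rejected, which also bounds the nonce cache.
MAX_SKEW_SECONDS = 300


def _message_digest(key, nonce, created, body):
    """HMAC-SHA256 over nonce, Created timestamp and body. Each field is
    length-prefixed so that bytes cannot be shifted from one field to another
    while keeping the same MAC."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (nonce, str(created).encode(), body):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.hexdigest()


def sign_message(key, body, now, nonce=None):
    """Sender side: attach a fresh random nonce, a Created timestamp and a MAC."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = int(now)
    return {"nonce": nonce, "created": created, "body": body,
            "signature": _message_digest(key, nonce, created, body)}


class ReplayGuard:
    """Receiver side: reject tampered, stale and replayed messages."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS, clock=time.time):
        self.key = key
        self.max_skew = max_skew
        self.clock = clock
        self._seen = {}  # nonce -> Created, kept only for messages inside the window

    def verify(self, msg):
        now = self.clock()
        # 1. Integrity first: an unauthenticated message must not be able to
        #    populate the nonce cache or learn anything about its contents.
        expected = _message_digest(self.key, msg["nonce"], msg["created"], msg["body"])
        if not hmac.compare_digest(expected, msg["signature"]):
            return "reject: signature mismatch (tampered or wrong key)"
        # 2. Freshness: stale messages are dropped without touching the cache.
        if abs(now - msg["created"]) > self.max_skew:
            return "reject: timestamp outside freshness window"
        # 3. Replay: purge nonces that have aged out, then refuse any nonce
        #    already seen. Because step 2 bounds how old an accepted message
        #    can be, the cache only ever needs to cover one window.
        cutoff = now - self.max_skew
        self._seen = {n: c for n, c in self._seen.items() if c >= cutoff}
        if msg["nonce"] in self._seen:
            return "reject: nonce already seen (replay)"
        self._seen[msg["nonce"]] = msg["created"]
        return "accept"


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # assumption: pre-shared between parties
    guard = ReplayGuard(key)
    msg = sign_message(key, b"<getQuote><symbol>ACME</symbol></getQuote>", time.time())
    print(guard.verify(msg))   # accept
    print(guard.verify(msg))   # reject: nonce already seen (replay)
```

A single gateway instance keeps the nonce cache in memory; the page's point about applying these standards "across device clusters" is exactly the case where that cache has to be shared, since a message replayed against a second node with its own empty cache would otherwise be accepted.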