   Re: RE: [xml-dev] SOAP-RPC and REST and security

On Wed, 20 Feb 2002, Mike Champion wrote:

> the data gets there by SOAP-RPC, SOAP messaging, REST, CGI, or whatever.
> Probably *any* text-based message format (XML or URI) would seriously
> constrain a hacker's ability to put nasty code in that overflow.

Not so, I'm afraid - it's just as bad. IIS has had a lot of problems with
specially written URLs causing havoc... in particular, with text
encodings, a whole new class of problem has arisen: Unicode exploits!

> The strongest case I could make against SOAP and web security after reading
> this thread would be that it is relatively easy for a naive user of
> a web service generating wizard to expose some object as a web service
> that could be misused by a hacker out on the internet somewhere.


> Again,
> in retrospect, that would be true however the code is invoked, as
> a SOAP RPC request, a CGI script, or while processing a REST message.



                               Alaric B. Snell
 http://www.alaric-snell.com/  http://RFC.net/  http://www.warhead.org.uk/
   Any sufficiently advanced technology can be emulated in software
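
An added example, not part of the original post: one well-known way text encodings cause trouble in URL handling is a server that checks a path in its encoded form and then decodes it leniently into something the check never saw. The sketch below decodes once with a strict UTF-8 codec, which refuses non-shortest-form sequences, and validates only the decoded result; the function names, the policy choices and the sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

class RejectedPath(ValueError):
    """Raised when a request path fails canonicalisation."""

def canonical_path(raw: str) -> str:
    """Decode a request path exactly once, strictly, then validate the result."""
    if not raw.isascii() or not raw.startswith("/"):
        raise RejectedPath("path must be ASCII on the wire and start with '/'")
    data = unquote_to_bytes(raw)  # single percent-decoding pass
    try:
        # Strict UTF-8: overlong (non-shortest-form) sequences, stray
        # continuation bytes and surrogates raise instead of being mapped
        # to the character a lenient decoder would produce.
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedPath(f"invalid UTF-8: {exc.reason}") from None
    # Policy assumption of this example: a '%' that survives decoding means
    # double encoding or a malformed escape, so it is refused outright.
    if "%" in text:
        raise RejectedPath("percent sign remains after decoding")
    if "\\" in text or any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        raise RejectedPath("backslash or control character")
    # Checks run on the decoded text, the form the file system will see.
    if ".." in text.split("/"):
        raise RejectedPath("parent-directory segment")
    return posixpath.normpath(text)

def accepts(raw: str) -> bool:
    """True if canonical_path() returns a path for raw, False if it refuses."""
    try:
        canonical_path(raw)
        return True
    except RejectedPath:
        return False

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/docs/caf%C3%A9.html",   # valid two-byte UTF-8
    "/a/%2e%2e/b",            # encoded dot segments
    "/a/%c0%af/b",            # overlong two-byte form of '/'
    "/a/%252e%252e/b",        # double-encoded dot segments
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} -> {'accepted' if accepts(s) else 'rejected'}")
```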

