On Wed, 20 Feb 2002, Mike Champion wrote:
> the data gets there by SOAP-RPC, SOAP messaging, REST, CGI, or whatever.
> Probably *any* text-based message format (XML or URI) would seriously
> constrain a hacker's ability to put nasty code in that overflow.
Not so, I'm afraid - it's just as bad. IIS has had a lot of problems with
specially written URLs causing havoc... in particular, with text
encodings, a whole new class of problem has arisen: Unicode exploits!
> The strongest case I could make against SOAP and web security after reading
> this thread would be that it is relatively easy for a naive user of
> a web service generating wizard to expose some object as a web service
> that could be misused by a hacker out on the internet somewhere.
Indeed.
> Again,
> in retrospect, that would be true however the code was invoked, as
> a SOAP RPC request, a CGI script, or while processing a REST message.
Indeed.
ABS
--
Alaric B. Snell
http://www.alaric-snell.com/ http://RFC.net/ http://www.warhead.org.uk/
Any sufficiently advanced technology can be emulated in software
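The point above, that a text-only wire format does not limit what bytes a server ends up processing, is easy to see once the encoded form is decoded. The following is an added example (not code from this thread, and not IIS code); it contrasts a check applied to the percent-encoded text with one applied after decoding, using a constructed decoded-length limit and constructed sample paths:

```python
"""Decode-then-validate check for percent-encoded URL paths (constructed example)."""
import re
from typing import Optional

MAX_DECODED_LEN = 32                      # constructed limit standing in for a fixed buffer
_PRINTABLE = re.compile(r'^[\x21-\x7e]*$')  # printable ASCII only


def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters are passed through."""
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == '%' and re.fullmatch(r'[0-9A-Fa-f]{2}', path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16))   # any byte value 0x00-0xFF can appear here
            i += 3
        else:
            out += path[i].encode('utf-8')
            i += 1
    return bytes(out)


def naive_check(path: str) -> bool:
    """The 'text can't carry nasty bytes' assumption: look only at the wire form."""
    return bool(_PRINTABLE.match(path))


def strict_check(path: str) -> Optional[str]:
    """Return the decoded path if it is acceptable, otherwise None.

    Limits and content rules are applied to the *decoded* bytes, and the
    UTF-8 decode is strict, so overlong forms such as C0 AF are rejected."""
    if not _PRINTABLE.match(path):
        return None
    raw = percent_decode(path)
    if len(raw) > MAX_DECODED_LEN:          # length check on what is actually processed
        return None
    try:
        text = raw.decode('utf-8')          # strict: rejects overlong and non-UTF-8 bytes
    except UnicodeDecodeError:
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in text):
        return None                         # control characters after decoding
    if '..' in text.split('/'):
        return None                         # parent-directory segment only visible after decoding
    return text


# Constructed sample paths: the first is benign, the rest pass the naive check but not the strict one.
SAMPLES = ["/scripts/index.asp", "/%90%90%90%90", "/dir/%c0%af", "/a/%2e%2e/x", "%41" * 40]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p[:24]:<26} naive={naive_check(p)!s:<5} strict={strict_check(p)!r}")
```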