Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Public SOAP WSDL file a security issue?

We have a SOAP WSDL file that is viewable to the public user. Recently, some in our organization have questioned if this raises security concerns or not.

Does anyone see having a WSDL file viewable by the public as a security concern? All of the functions available require a logged in user.

like image 361
Nic Hubbard Avatar asked Apr 08 '13 15:04

Nic Hubbard


1 Answers

The short answer is: if publishing your WSDL represents a security problem, then you have a security problem even if you don't publish your WSDL, and you need to fix that problem, not just try to hide it.

The WSDL just explains your protocol. You cannot assume that your protocol is a secret; attackers can still reverse engineer it without your WSDL. You can never assume that the client on the other side of a network connection is "your" client. You have to assume that it is an attacker and design your system to deal with that fact.

So, hiding your WSDL is a minor form of obfuscation that provides no serious security. But... if hiding your WSDL is very easy and requires no extra work on your part, sure, why not? Hiding it could potentially prevent some kinds of automated scripts from attempting to attack you. And it does create one extra small headache for the attackers.

One major danger of hiding your WSDL is that it can cause sloppiness on the part of developers who think that the WSDL is therefore secret. If you have a team for whom that could be a problem, I'd keep it public just to keep them focused.

The other major danger is if it makes your system harder to maintain (making it hard to upgrade for instance). If that's the case, I would absolutely not hide it. Extra complexity in the clients is almost certain to be a bigger security risk than a public WSDL.

like image 81
Rob Napier Avatar answered Sep 28 '22 18:09

Rob Napier