Tuesday, October 6, 2009

When REST Attacks

"Traditional" Web Services traffic involves XML messages sent using HTTP POSTs. However, REST Web Services make use of the other HTTP verbs besides POST, namely: PUT, DELETE, OPTIONS, and GET.

One of the most common questions at Vordel is "Do you support REST-style Web Services as well as SOAP?". The answer is "Yes", and for this reason you can see REST in the list at the top of the Specifications section for the Vordel XML Gateway. In the "Research" section of the Vordel website there is a free White Paper on Security for REST Web Services. It's important that any XML Gateway can be configured to apply the same policies to "traditional" SOAP/HTTP POST Web Services as it does to REST-style services, which are accessed using GET, POST, PUT, DELETE, and OPTIONS. If a user is not using REST, then the REST requests should be "denied by default".

So it is ironic to read that the Cisco ACE XML Gateway is vulnerable to disclosing internal IP address information in an error message it returns when it is sent an HTTP OPTIONS request. In the purist REST world, an HTTP OPTIONS request is intended to return back a list of available Web Services, not an error message disclosing IP addresses. In this case, the OPTIONS request becomes a way to force the Cisco ACE XML Gateway to disclose a client IP address which it should not disclose, which is too much information.
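The two points above, "deny by default" for verbs a service does not use and an OPTIONS response that lists what is permitted rather than leaking an error, can be shown in a small method-policy handler. This is an added illustration written for this post; it is not Vordel's or Cisco's code, and the service table, the backend address 10.0.0.5 and the `unsafe_error_body` function are constructed to show the leak pattern, not taken from the Full Disclosure report. The `leaked_private_addresses` check is the kind of test a gateway operator can run over their own error pages.

```python
import re
from ipaddress import ip_address

# Constructed service table: path -> set of HTTP verbs the service actually uses.
# Anything not listed here is denied by default.
SERVICES = {
    "/soap/orders": {"POST"},                          # traditional SOAP over HTTP POST
    "/rest/orders": {"GET", "POST", "PUT", "DELETE"},  # REST-style service
}

# Constructed internal address: the kind of value an error page must never contain.
INTERNAL_BACKEND = "10.0.0.5"


def handle_request(method, path):
    """Return (status, headers, body) for a request, denying unlisted verbs.

    OPTIONS is answered with an Allow header only, so a probe learns which
    verbs the service accepts and nothing else.
    """
    allowed = SERVICES.get(path)
    if allowed is None:
        return 404, {}, "Not Found"
    allow_header = {"Allow": ", ".join(sorted(allowed))}
    if method == "OPTIONS":
        # Permitted verbs only; no error text, no internal details.
        return 204, allow_header, ""
    if method not in allowed:
        # Generic body: the reason is the verb, never the backend topology.
        return 405, allow_header, "Method Not Allowed"
    return 200, {}, f"handled {method} {path}"


def unsafe_error_body(method, path):
    """Constructed anti-pattern: an error message that echoes an internal address."""
    return f"Unsupported method {method} for {path} on backend {INTERNAL_BACKEND}"


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def leaked_private_addresses(text):
    """Return private or loopback IPv4 addresses found in a response body.

    Use this over a gateway's own error responses to catch the disclosure
    described above before a probe does.
    """
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if addr.is_private:
            found.append(candidate)
    return found


if __name__ == "__main__":
    for method, path in [("OPTIONS", "/rest/orders"), ("PUT", "/soap/orders"),
                         ("OPTIONS", "/soap/orders"), ("GET", "/nope")]:
        status, headers, body = handle_request(method, path)
        print(method, path, "->", status, headers, repr(body),
              "leaks:", leaked_private_addresses(body))
    print("anti-pattern leaks:",
          leaked_private_addresses(unsafe_error_body("OPTIONS", "/soap/orders")))
```

The handler sends the same Allow header on both the OPTIONS reply and the 405 so a client gets the verb list through the intended channel, while every error body is a fixed string that cannot pick up backend details.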

Full details about the Cisco ACE XML Gateway vulnerability are on the Full Disclosure mailing list.