
Web Security

There are a lot of dangers in putting up a Web page, from invasions of
privacy to actual hackers cracking your security. Learn how to secure
your Web server and site, as well as hacks and patches to keep yourself
safe.

WS-Security (Web Services Security, short WSS) is a flexible and
feature-rich extension to SOAP to apply security to web services. It is a
member of the WS-* family of web service specifications and was published
by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on
messages and allows the communication of various security token formats,
such as SAML, Kerberos, and X.509. Its main focus is the use of XML
Signature and XML Encryption to provide end-to-end security.

Features

WS-Security describes three main mechanisms:

• How to sign SOAP messages to assure integrity. Signed messages
also provide non-repudiation.
• How to encrypt SOAP messages to assure confidentiality.
• How to attach security tokens.

The specification allows a variety of signature formats, encryption
algorithms and multiple trust domains, and is open to various security token
models, such as:

• X.509 certificates
• Kerberos tickets
• UserID/Password credentials
• SAML assertions
• Custom-defined tokens

The token formats and semantics are defined in the associated profile
documents.

WS-Security incorporates security features in the header of a SOAP
message, working in the application layer.

These mechanisms by themselves do not provide a complete security
solution for Web services. Instead, this specification is a building block that
can be used in conjunction with other Web service extensions and higher-
level application-specific protocols to accommodate a wide variety of
security models and security technologies. In general, WSS by itself does
not provide any guarantee of security. When implementing and using the
framework and syntax, it is up to the implementor to ensure that the result is
not vulnerable.

Key management, trust bootstrapping, federation and agreement on the
technical details (ciphers, formats, algorithms) are outside the scope of
WS-Security.

Issues

• If there are frequent message exchanges between service provider and
consumer, the overhead of XML SIG and XML ENC is significant.
If end-to-end security is required, a protocol like
WS-SecureConversation may reduce the overhead. If sufficient, use only
encryption or signing, as the combination of both is significantly
slower than the mere sum of the single operations. See Performance
below.
• The merging of several XML-schemata like SOAP, SAML, XML
ENC, XML SIG might cause dependencies on different versions of
library functions like canonicalization and parsing, that are difficult to
manage in an application server.

Advantages

• Easy to use
• Loose syntax (although, being too flexible will not comply with standards)
• Supported on almost every browser, if not all browsers.
• Widely used; established on almost every website, if not all websites.
• Very similar to XML syntax, which is increasingly used for data storage
• Free - You need not buy any software
• Easy to learn & code even for novice programmers

Disadvantages

• It cannot produce dynamic output alone, since it is a static language
• Sometimes, the structuring of HTML documents is hard to grasp
• You have to keep up with deprecated tags, and make sure not to use them
• Deprecated tags appear because another language that works with HTML
has replaced the original work of the tag; thus the other language needs to be
learned (most of the time, it is CSS)
• Security features offered by HTML are limited

HTML, which stands for HyperText Markup Language, is the
predominant markup language for web pages. HTML is the basic building
block of web pages. A markup language is a set of markup tags, and HTML
uses markup tags to describe web pages.

HTML is written in the form of HTML elements consisting of tags, enclosed
in angle brackets (like <html>), within the web page content. HTML tags
normally come in pairs like <h1> and </h1>. The first tag in a pair is the
start tag, the second tag is the end tag (they are also called opening tags and
closing tags).

The purpose of a web browser is to read HTML documents and compose
them into visual or audible web pages. The browser does not display the
HTML tags, but uses the tags to interpret the content of the page.

HTML elements form the building blocks of all websites. HTML allows
images and objects to be embedded and can be used to create interactive
forms. It provides a means to create structured documents by denoting
structural semantics for text such as headings, paragraphs, lists, links, quotes
and other items. It can embed scripts in languages such as JavaScript which
affect the behavior of HTML webpages.

Web browsers can also refer to Cascading Style Sheets (CSS) to define the
appearance and layout of text and other material. The W3C, maintainer of
both the HTML and the CSS standards, encourages the use of CSS over
explicitly presentational HTML markup.[1]
