SOAP frustrations

Dave Kuhlman dkuhlman at rexx.com
Fri Oct 18 23:07:12 CEST 2002


Nicolas Chauvat wrote:

>> Yes. It *is* a security issue. By misusing port 80 for remote procedure
>> ...                                ^^^^^^^^
>> change the policy. Screwing around with port 80 is going to cause a lot
>> of ill-will. The first time a SOAP request comes through that runs some
>> random bit of code that causes some damage, you can fully expect to be
>> hung out to dry for it.
>> 
>> Organizations have security policies for a reason. Hacking around them
>> will *never* end well.
> 
> [applause]

I been waiting for someone else to ask this question so that I would not 
have to show my ignorance.  No such luck.

What about CGI?  Uses port 80.  Can run "random" bits of code. Powerful 
enough to destroy servers with a single script.  How is CGI any less of a 
security threat?  It doesn't take much of a wizard to write a Perl or 
Python CGI script that trashes a system, or ruins a database, or ...  Isn't 
SOAP just another way of invoking a script.  And, ditto for XML-RPC.  With 
SOAP (and XML-RPC) I put some request information in the body of the 
request that I would have tacked onto the URL in CGI.  How does that make 
CGI any less dangerous.

Basically, hire any computer science student as an intern to come in and 
write either CGI scripts or SOAP Web service scripts and you are asking for 
"excitement".

And, isn't the point that any of these (CGI, SOAP, XML-RPC) are no more 
dangerous than the scripts on the back-end that implement them, which puts 
control on the back-end where we want it.

  - Dave

[snip]

-- 
Dave Kuhlman
dkuhlman at rexx.com
http://www.rexx.com/~dkuhlman




More information about the Python-list mailing list