dongzhao5970 2015-10-14 14:35
Views: 289
Accepted

Is SOAP with an HTTPS WSDL secure?

I'm working on a project using PHP and SOAP to connect to a web service, and I have a question about security.

At a basic level, my code is as follows:

<?php
// Connect to web service (the WSDL is fetched over HTTPS)
$client = new SoapClient( 'https://mywebservice.com:8443/whatever?wsdl' );

// Store the response after passing my values for that service
// ($my_args holds the request parameters for my_service)
$response = $client->my_service( $my_args );

The SoapClient URL is over https, and is an address to a WSDL. It all functions fine - I'm able to return and post data back with no problems.

The website it will be used on is using SSL sitewide. My question is - is the above method secure for passing sensitive data back and forth if we're using https for the WSDL? Or should I be doing something extra with SOAP I'm not aware of?

I'm aware there's WS-Security, but is that needed if everything is over https?

Thanks


1 answer

  • dtmsaqtly798322992 2015-10-16 14:56

    Answering security questions requires asking oneself what we are trying to protect, and what the attack vectors could be.

    In short, HTTPS, from your requirements, is safe. This is because you are asking whether SSL can securely protect information the web server knows and wants to send to the back-end server. SSL is for that. You don't need to use additional WS-Security features. At least, please validate the server certificate.

    This is safe as long as the whole website runs under SSL and you implement all common requirements for secure websites, including the HSTS header and refusing to serve HTTP requests. I am saying this because I assume that the sensitive data you may like to protect comes from the client.

    Example 1

    As an example, suppose a credit card payment system with a vulnerability.

    • Client connects via HTTPS to web server and sends CC number. No one can see that
    • Server pushes the card number to back-end via HTTPS. No one can see that
    • Back end stores the credit card number plaintext in the database system

    The answer will be: "OK, you are protecting communication between the web server and the back end, but beware that someone is interested in looking at the database". Imagine a SQL injection vulnerability on an HTTPS website capable of dumping the credit card database. This is not what HTTPS is for.

    Example 2

    Now let's examine another scenario where HTTPS is not enough. Basically, HTTPS protects end-to-end communications. Here is my requirement:

    • The payment authorization must be permanently signed by the machine requesting the payment and stored for future auditing in a third-party service

    Clearly SSL won't solve this. Suppose your web service is part of a community and the back-end server talks with several web servers. SSL will protect and authenticate traffic between the web and back end; however, the back-end server can store arbitrary valid SOAP messages claiming they come from your web server.

    You must sign the SOAP payload for that, and use WS-Security. The payload can be transferred to a third party auditing service, enveloped in an external SOAP message authenticated by the back-end service.

    Example 3: let's make things complicated

    Now let me alter your question. "How can I allow a client to send the web server sensitive information that the server cannot read but the back end can read?"

    Here is an example: a POS machine (like the photo below, courtesy of Google Images) wants to send your web server a purchase order without revealing the CC number, which will be known only to the bank.

    [Image: Example mobile POS]

    Sorry, I can't find some university work I did in past years about this scenario, because I had a slide about it.

    Then SSL is not enough and you can use WS-Security to do the following:

    • Client forms a SOAP message containing the card number that is encrypted with the back-end server key
    • Client envelopes that SOAP message with a purchase order containing the items and sends it to your server, even via HTTP
    • Web Server takes the purchase order and prepares the order
    • Web Server takes the unreadable SOAP message encrypted for the bank and issues a payment order
    • On successful payment, the order is delivered
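The answer's "at least validate the server certificate" point applied to the asker's SoapClient call, as an added example (not code from the question, the answer, or any project); the host, CA bundle path and $my_args are placeholders, and the weak configuration is shown only to contrast with the hardened one.

```php
<?php
// Added example: make the HTTPS transport under SoapClient actually verify
// the server. Host, CA bundle path and $my_args are placeholders.
$wsdl    = 'https://mywebservice.com:8443/whatever?wsdl';
$my_args = ['order_id' => 'demo-123']; // constructed sample request parameters

// Weak configuration: certificate and hostname checks are switched off, so any
// certificate presented by an interposed host is accepted and the SOAP traffic
// (including the sensitive data) can be read or altered in transit.
$insecureContext = stream_context_create([
    'ssl' => [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ],
]);

// Hardened configuration: verify the chain against a known CA bundle and check
// that the certificate matches the host in the URL. PHP >= 5.6 verifies by
// default, but setting it explicitly protects against a copied-in context that
// turned it off, and lets you pin the CA bundle you trust.
$secureContext = stream_context_create([
    'ssl' => [
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'allow_self_signed'   => false,
        'cafile'              => '/etc/ssl/certs/ca-certificates.crt', // placeholder
        'verify_depth'        => 5,
        'disable_compression' => true, // avoid compression-based TLS attacks
    ],
]);

try {
    $client = new SoapClient($wsdl, [
        'stream_context' => $secureContext,
        'exceptions'     => true, // turn transport and SOAP faults into exceptions
    ]);
    $response = $client->my_service($my_args);
} catch (SoapFault $e) {
    // A certificate that fails verification surfaces here as a SoapFault
    // (typically while loading the WSDL). Log it and fail closed; never
    // retry with $insecureContext.
    error_log('SOAP call failed: ' . $e->getMessage());
}
```

The same stream context also applies to the endpoint calls that follow the WSDL fetch, because SoapClient reuses it for every request.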
