![Page 1: Sécurité des Web Services · 2020-05-18 · (SOAP vs REST) Sylvain Maret Principal Consultant / MARET Consulting / @smaret OpenID Switzerland OWASP Switzerland - Geneva Chapter](https://reader036.vdocuments.us/reader036/viewer/2022062916/5ecc6c5e6e5d5316ca3eaf95/html5/thumbnails/1.jpg)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
Web Services Security (SOAP vs REST)
Sylvain Maret Principal Consultant / MARET Consulting / @smaret OpenID Switzerland OWASP Switzerland - Geneva Chapter meeting Venue: Geneva (Switzerland), 6 December 2012
05/06.11.2012, Version 1.1 @smaret
Agenda
• What is a Web Service?
• SOAP
• REST
• Threat Modeling / ACME SA
• Risk reduction
• Conclusion
• Questions
2
Bio
• 18 years of experience in ICT Security
• Principal Consultant at MARET Consulting
• Expert & Lecturer at University of Applied Sciences (Yverdon)
• Swiss French Area delegate at OpenID Switzerland
• Co-founder Application Security Forum #ASFWS
• OWASP Member
• Author of the blog: la Citadelle Electronique
• http://ch.linkedin.com/in/smaret or @smaret
• http://www.slideshare.net/smaret
• Chosen field – AppSec / Digital Identity Security / Cyber Defense
3
Web Service ?
5
[Figure: a Consumer and a Provider exchanging messages (XML, JSON, etc.)]
A bit of history
• 1990: DCE/RPC – Distributed Computing Environment
• 1992: CORBA – Common Object Request Broker Architecture
• 1990-1993: Microsoft’s DCOM – Distributed Component Object Model
• 1995: RMI – the Java world
• Leading to a standardisation (still ongoing) of protocols, tools, languages and interfaces
– SOAP
– REST
– Etc.
6
Web Service
Typical Web Services environment
7 Source: Mastering Web Services Security / www.wiley.com
SOAP: Demystifying the technologies
• Languages
– XML
– WSDL: service descriptor
– UDDI: service directory
– XPath
• Protocols
– Transport: HTTP, HTTPS, SMTP, FTP, SMS, TFTP, SSH, etc. (TCP or UDP)
– Message: SOAP envelope
• Security
– WS-Security (signature & encryption)
• Other elements
– AuthN: SAML, X509, username & password, Kerberos, HTTP Digest, etc.
9
SOAP envelope
10
- SOAP: Simple Object Access Protocol - allows XML messages to be exchanged
Source: Wikipedia
11
SOAP request
SOAP response
UDDI
• Universal Description Discovery and Integration, also known by the acronym UDDI, is an XML-based service directory intended in particular for web services.
12
WSDL
• WSDL is an XML grammar for describing a Web Service.
• WSDL is used to describe:
– the message format required to communicate with the service
– the methods the client can invoke
– the location of the service
– the communication protocol (SOAP RPC or message-oriented SOAP)
13
http://fr.wikipedia.org/wiki/Web_Services_Description_Language
WSDL
14 http://predic8.com/wsdl-reading.htm
WSDL: example
15
SOAP: Demystifying the protocols
16
Layer diagram (top to bottom):
– Discovery: UDDI
– Description: WSDL
– Message: SOAP / XML
– Protocol: HTTP, HTTPS, FTP, SFTP, SMS, SMTP (TCP or UDP)
– Transport: IP
REST: Demystifying the technologies
• Languages
– XML
– JSON
– XHTML, HTML, PDF... as data formats
• Protocols
– HTTP(S), addressed by URL
– Communication methods (GET, POST, PUT, DELETE)
• Security
– Transport security (SSL/TLS)
– Message security: HMAC / Doseta / JWS, etc. (like XML Signature)
• Other elements
– OAuth, API Keys, etc.
18
REST representation (JSON example)
19
REST methods
20
REST: Demystifying the protocols
21
Layer diagram (top to bottom):
– Discovery: ???
– Description: WADL, Swagger ***
– Message: XML, JSON, etc.
– Protocol: HTTP, HTTPS
– Transport: TCP/IP
*** Ahead of its time!
Example
22
Example Twitter (OAuth)
23
SOAP vs REST
25
27 http://fr.wikipedia.org/wiki/Diagramme_de_flux_de_donn%C3%A9es
STRIDE model
29
https://www.owasp.org/index.php/Application_Threat_Modeling
Threats - DFD Acme SA
• Threat 1 – Message interception (Information disclosure)
– Message modification (Tampering)
– Identity spoofing (Spoofing)
• Threat 2 – Attack on the application
– BoF
– Injection
– DoS & DDoS
– Etc.
30
ACME SA: Risk reduction?
• Transport encryption
• AuthN
• SSL Mutual AuthN / X509
• WAF / XML Gateway
• Message integrity and confidentiality
• Secure Coding
32
Transport encryption
33
• SOAP / XML: HTTPS, SSL/TLS tunnel, SSH, IPSEC, etc.
• REST: HTTPS
AuthN
34
• SOAP / XML: HTTP Basic, Digest, HTTP Header, Mutual SSL, IP trust, WS-Security username & password, WS-Security SAML, authentication token, XML Signature, Kerberos, etc.
• REST: HTTP Basic, Digest, HTTP Header, Mutual SSL, IP trust, OAuth, API Keys, JSON Web Token (JWT)
SSL Mutual AuthN / X509 / PKI
35
• SOAP / XML: SSL/TLS Mutual AuthN**
• REST: SSL/TLS Mutual AuthN**
** Man in the middle not possible… (as far as I know)
WAF / XML Gateway (Perimeter protection)
36
• SOAP / XML: Reverse Proxy, HTTP request control, SSL/TLS termination, Black List, White List, WSDL validation, Signature & Verification, Encryption & Decryption, SAML
• REST: Reverse Proxy, HTTP request control, SSL/TLS termination, Black List, White List
Message integrity and confidentiality
37
• SOAP / XML: XML Signature, XML Encryption
• REST: (e.g. HMAC, Doseta), JSON Web Signature (JWS) – Draft v7, JSON Web Encryption
** No encryption, as far as I know
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-07
Example XML Signature (SOAP)
38
Example JSON “Signature”
39
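The JSON signature on this slide is an image in the original deck. As an added example that is not from the slides, the block below implements the REST message-integrity option listed on the previous slide: a JWS compact serialization with HMAC-SHA256 (HS256), as in the draft-ietf-jose-json-web-signature draft cited there, signed and verified with only the Python standard library. The shared key and the ACME SA order message are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS draft requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Return the compact serialization header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def jws_verify(token: str, key: bytes):
    """Return the payload dict if the HMAC tag checks out, otherwise None.

    The receiver pins the algorithm it accepts: the "alg" field of the
    header is untrusted input, so "none" or any other algorithm is rejected
    before the tag is even computed. The comparison is constant-time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        tag = b64url_decode(s)
    except ValueError:  # malformed base64url or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(b64url_decode(p))
    except ValueError:
        return None


# Constructed sample: a shared secret (placeholder value, not a real key)
# and an ACME SA order message carried in a REST call.
KEY = b"acme-sa-shared-secret-placeholder"
ORDER = {"orderId": 42, "amount": 100, "currency": "CHF"}

if __name__ == "__main__":
    token = jws_sign(ORDER, KEY)
    print(token)
    print(jws_verify(token, KEY))   # the original payload
    h, p, s = token.split(".")
    altered = h + "." + b64url(b'{"orderId":42,"amount":1}') + "." + s
    print(jws_verify(altered, KEY))  # None: payload changed, tag no longer matches
```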
Code security
40
SOAP / XML and REST (the same list applies to both):
- Data input validation
- Data output encoding
- Pseudorandom data generation, high entropy
- Strong / reliable data encryption algorithms
- Data leakage prevention
- Robust error & exception handling
- Anti-automation and expiration measures
OWASP Application Security Verification Standard (ASVS): https://www.owasp.org/index.php/ASVS
WASC web application weaknesses: http://projects.webappsec.org/w/page/13246978/Threat%20Classification
Conclusion
• SOAP:
– Implement the security-related WS-* standards?
– Put application-level filtering in place (WAF, XML GW)
– Complex to implement (PKI, secure coding, cryptography, etc.)
– Architecture with strong security constraints
• REST:
– Put application-level filtering in place (WAF, XML GW)
– Quick and easy implementation is the trend
– Cloud, intranet, social-login style architectures, etc.
– Emerging standards (JSON Web Algorithms)
• Eagerly awaiting the security standards for REST???
– Pragmatic: perimeter protection, encryption and secure coding???
42
![Page 43: Sécurité des Web Services · 2020-05-18 · (SOAP vs REST) Sylvain Maret Principal Consultant / MARET Consulting / @smaret OpenID Switzerland OWASP Switzerland - Geneva Chapter](https://reader036.vdocuments.us/reader036/viewer/2022062916/5ecc6c5e6e5d5316ca3eaf95/html5/thumbnails/43.jpg)
Perimeter approach vs WS-Security?
43
![Page 44: Sécurité des Web Services · 2020-05-18 · (SOAP vs REST) Sylvain Maret Principal Consultant / MARET Consulting / @smaret OpenID Switzerland OWASP Switzerland - Geneva Chapter](https://reader036.vdocuments.us/reader036/viewer/2022062916/5ecc6c5e6e5d5316ca3eaf95/html5/thumbnails/44.jpg)
Questions?
44
![Page 45: Sécurité des Web Services · 2020-05-18 · (SOAP vs REST) Sylvain Maret Principal Consultant / MARET Consulting / @smaret OpenID Switzerland OWASP Switzerland - Geneva Chapter](https://reader036.vdocuments.us/reader036/viewer/2022062916/5ecc6c5e6e5d5316ca3eaf95/html5/thumbnails/45.jpg)
Thank you!
Contact:
@smaret
http://www.maret-consulting.ch
Slides: http://slideshare.net/ASF-WS/
45
![Page 46: Sécurité des Web Services · 2020-05-18 · (SOAP vs REST) Sylvain Maret Principal Consultant / MARET Consulting / @smaret OpenID Switzerland OWASP Switzerland - Geneva Chapter](https://reader036.vdocuments.us/reader036/viewer/2022062916/5ecc6c5e6e5d5316ca3eaf95/html5/thumbnails/46.jpg)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
46
Backup Slides
By Sylvain Maret
SoapBox
48
HTTP capture
49
Signing the message
50
Signing the message
51