Some of the specific threats that WS-Security can protect against are listed below. The syntax is the threat followed by the defense.
Unauthenticated sender – Use tokens and digital signatures
Unauthorized receiver – Use XML encryption
Replay – Digital signatures alone are not enough to defeat replay. Other parts of the specification must be used together with the digital signature, such as a timestamp, a sequence number and a nonce.
Token substitution – Sign both the security header and the body.
Message modification – Sign the message
Message substitution – Sign both the security header and the message body
Man-in-the-middle – Sign both the request and the response
Multiple tokens using the same key – Require that the token be included in the WS-Security header.
While WS-Security provides the means to protect against these attacks, it is up to the users of WS-Security to apply the appropriate protections depending on the level of risk management required. For example, a sender requesting a casual stock quote might not deem it necessary to use the above protection mechanisms. However, if they were buying a stock, they would want to protect against the above threats. The receiver of the request may have different risk requirements and thus require some of the above mechanisms that are not important to the sender. For example, for the request for a quote, the receiver may require authentication, and additionally may require different levels of authentication for transactions of different value.
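As an added example (not from the original article), the following Python code applies two of the receiver-side checks listed above to a constructed SOAP message: it rejects replays and stale messages using the wsu:Timestamp and the UsernameToken nonce, and it refuses a message whose signature does not reference both the Timestamp and the Body, the defense given for token and message substitution. The envelope, ids, nonce and times are made up; the namespace URIs are the standard WSS 1.0 ones, and the code assumes the XML Signature itself has already been cryptographically verified by an XML-DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# Standard WSS 1.0 namespaces (SOAP 1.1, WS-Security secext/utility, XML-DSig).
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]  # attribute key ElementTree uses for wsu:Id
# Constructed sample: a signed BuyStock request whose Signature references both the
# Timestamp (TS-1) and the Body (Body-1). The nonce, ids and times are made up.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2003-12-01T10:00:00Z</wsu:Created>
   <wsu:Expires>2003-12-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:UsernameToken><wsse:Username>trader</wsse:Username>
   <wsse:Nonce>c29tZXJhbmRvbW5vbmNl</wsse:Nonce></wsse:UsernameToken>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>
  </ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><BuyStock>100 shares</BuyStock></soap:Body></soap:Envelope>""".format(**NS)
NOW = datetime(2003, 12, 1, 10, 1, tzinfo=timezone.utc)    # inside the Timestamp window
LATER = datetime(2003, 12, 1, 10, 6, tzinfo=timezone.utc)  # after wsu:Expires

def signed_ids(root):
    """Fragment ids (wsu:Id values) that the ds:Signature claims to cover."""
    refs = root.findall("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "").lstrip("#") for r in refs}

def check_message(xml_text, seen_nonces, now, max_age=timedelta(minutes=5)):
    """Return (accepted, reason); assumes the XML-DSig itself was verified beforehand."""
    root = ET.fromstring(xml_text)
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    body = root.find("soap:Body", NS)
    if ts is None or body is None:
        return False, "missing Timestamp or Body"
    # Token/message substitution: the signature must bind the Timestamp and the Body together.
    covered = signed_ids(root)
    if body.get(WSU_ID) not in covered or ts.get(WSU_ID) not in covered:
        return False, "signature must cover both the Body and the Timestamp"
    # Replay, part 1: the message must be fresh and not past its own Expires.
    try:
        created = datetime.fromisoformat(ts.findtext("wsu:Created", "", NS).replace("Z", "+00:00"))
        expires = datetime.fromisoformat(ts.findtext("wsu:Expires", "", NS).replace("Z", "+00:00"))
    except ValueError:
        return False, "malformed timestamp"
    if not (created <= now <= expires) or now - created > max_age:
        return False, "timestamp outside the acceptance window"
    # Replay, part 2: a nonce is accepted once; a second copy of the same message is a replay.
    nonce = root.findtext("soap:Header/wsse:Security/wsse:UsernameToken/wsse:Nonce", "", NS)
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    seen_nonces.add(nonce)
    return True, "accepted"
```

In practice the nonce cache only needs to hold nonces for as long as the acceptance window, since anything older is already rejected by the timestamp check.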
This was first published in December 2003