XML and Web Services

Who would have said that I was going to study Language Processors again? My teacher Antonio Polo at the Polytechnic School of Cáceres would kill me, but it's true: I'm reading about Web Services and studying concepts like WSDL, SOAP, AJAX or JSON. Why? Because web services are moving from HTTP/1.1 to HTTP/2 and the Web is moving from TCP to UDP, so I need to upgrade my knowledge and refresh all this stuff in order to protect web services properly with Web Application Firewalls (WAFs).

I have written about Web Application Vulnerabilities and the importance of teaching OWASP at University, but there is also a Web Service Security Testing Cheat Sheet by OWASP for protecting our services against WSDL enumeration/scanning, parsing exploits, XML injection, XPath injection attacks or XML manipulation, and we should know about it. However, before we can mitigate these vulnerabilities we first have to know which technologies and protocols web services use.


The HyperText Markup Language (HTML) is not as extensible and versatile as the Extensible Markup Language (XML), because XML tags are unlimited and customizable; this is a great advantage of XML over HTML. However, JavaScript Object Notation (JSON) represents data as objects of name/value pairs, optionally inside arrays, which is faster to parse than XML when we have to send information to a web service.


We need a design or an API to send information to a web server. Simple Object Access Protocol (SOAP) uses XML, which has to be parsed against a schema, to send SOAP messages whose structure is defined in the WSDL specification. However, SOAP is more rigid than the RESTful style, where we request a URI with an HTTP method (e.g. GET, PUT, POST, DELETE) and it returns a representation of the resource. In addition, REST can use any format to represent data, including XML and JSON, and this is one reason why REST is the most widely implemented style on the WWW.

SOAP Message

REST Message
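To make the SOAP-versus-REST comparison above concrete, here is an added example (my own code, not from the original post) that expresses one service call, "get the price of a stock symbol", both as a SOAP 1.1 envelope and as a REST request with a JSON representation, and parses each back to the same (operation, symbol) pair. The service name GetStockPrice, its namespace, the URI layout and the JSON fields are constructed for illustration; only the SOAP envelope namespace is a real, published value. The structural checks in the SOAP parser (exactly one operation, expected namespace, required parameter) and the allow-list on the symbol stand in for the schema validation and input validation a gateway or WAF would apply.

```python
"""Added example, not code from the original post: the same service call
("get the price of a stock symbol") expressed as a SOAP message and as a REST
message, built and parsed with the Python standard library.  The service name,
its XML namespace, the URI layout and the JSON fields are all constructed for
illustration; only the SOAP 1.1 envelope namespace is a real, published value."""
import json
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SERVICE_NS = "http://example.invalid/stockquote"        # constructed service namespace
SYMBOL_RE = re.compile(r"[A-Z]{1,5}")                    # constructed allow-list for symbols


def _check_symbol(symbol: str) -> str:
    """Input validation shared by both styles: reject anything that is not a
    plain ticker, so markup or path characters never reach the back end."""
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValueError(f"invalid symbol: {symbol!r}")
    return symbol


def build_soap_request(symbol: str) -> bytes:
    """Wrap a GetStockPrice operation in a SOAP 1.1 envelope.  The operation
    and its parameter are XML elements in the service namespace, exactly the
    structure a WSDL for this service would describe."""
    _check_symbol(symbol)
    ET.register_namespace("soap", SOAP_ENV)
    ET.register_namespace("m", SERVICE_NS)
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    operation = ET.SubElement(body, f"{{{SERVICE_NS}}}GetStockPrice")
    ET.SubElement(operation, f"{{{SERVICE_NS}}}Symbol").text = symbol
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_soap_request(raw: bytes) -> tuple[str, str]:
    """Recover (operation, symbol) from a SOAP envelope.  The structural checks
    (one operation, expected namespace, required parameter) stand in for the
    schema validation a SOAP gateway or WAF would apply."""
    root = ET.fromstring(raw)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must contain exactly one operation element")
    operation = body[0]
    prefix = "{" + SERVICE_NS + "}"
    if not operation.tag.startswith(prefix):
        raise ValueError("operation is not in the expected service namespace")
    symbol = operation.findtext(prefix + "Symbol")
    if symbol is None:
        raise ValueError("missing Symbol parameter")
    return operation.tag[len(prefix):], _check_symbol(symbol)


# REST: the verb is the HTTP method, the resource is named by the URI, and the
# representation can be any format; JSON is used here.
PRICE_ROUTE = re.compile(r"/stocks/([A-Z]{1,5})/price")


def build_rest_request(symbol: str) -> tuple[str, str]:
    """The same call as a REST request: (method, URI), with no body needed."""
    return "GET", f"/stocks/{_check_symbol(symbol)}/price"


def parse_rest_request(method: str, uri: str) -> tuple[str, str]:
    """Map (method, URI) back to the same (operation, symbol) pair."""
    if method != "GET":
        raise ValueError("price lookups are read-only: only GET is allowed")
    match = PRICE_ROUTE.fullmatch(uri)
    if match is None:
        raise ValueError("URI does not match the price resource pattern")
    return "GetStockPrice", match.group(1)


def rest_response(symbol: str, price: float) -> str:
    """A JSON representation of the resource, as a REST service would return."""
    return json.dumps({"symbol": _check_symbol(symbol), "price": price})


if __name__ == "__main__":
    raw = build_soap_request("ACME")
    print(raw.decode())
    print(parse_soap_request(raw))
    print(build_rest_request("ACME"), parse_rest_request(*build_rest_request("ACME")))
    print(rest_response("ACME", 12.5))
```

Running the block prints the serialized envelope, which makes the rigidity visible: the SOAP side carries the operation name and namespace inside the XML body and needs a parser plus structural checks before the call can even be dispatched, while the REST side puts the verb in the HTTP method and the resource in the URI, so a route pattern is all that is needed to reject malformed requests.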

Whether we use DTD or XSD schemas, there are two ways of parsing an XML document: the Simple API for XML (SAX), which triggers events while the XML is being parsed, or the Document Object Model (DOM), which does not trigger events during parsing. Instead, the DOM standard parses the entire XML document, generates a DOM tree and returns it. As a result, DOM is easier to use but has the overhead of parsing the entire document before we can start using it.
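The SAX-versus-DOM difference matters for protection as well as convenience, so here is an added example (my own code, not from the original post) that parses the same constructed order document both ways with the Python standard library and gets the same totals. The SAX handler also enforces a nesting limit while the bytes are still streaming, which is a check DOM parsing can only make once the whole tree is already in memory; the document, MAX_DEPTH and the element names are constructed values.

```python
"""Added example, not code from the original post: the same constructed XML
document parsed with SAX (callbacks fire while the bytes are still being read)
and with DOM (the whole tree is built first, then walked).  The SAX handler also
enforces a nesting limit as it streams, a check DOM parsing can only make after
the entire document is already in memory.  MAX_DEPTH and the document are
constructed values."""
import io
import xml.sax
from xml.dom import minidom
from xml.sax.handler import ContentHandler, feature_external_ges

SAMPLE_XML = b"""<?xml version="1.0"?>
<orders>
  <order id="1"><item>widget</item><qty>3</qty></order>
  <order id="2"><item>gadget</item><qty>5</qty></order>
</orders>"""

MAX_DEPTH = 8  # constructed limit on element nesting


class DepthLimitExceeded(ValueError):
    """Raised by the SAX handler as soon as nesting goes past MAX_DEPTH."""


class OrderHandler(ContentHandler):
    """SAX handler: counts <order> elements and sums <qty> values as events
    arrive, tracking depth so a deeply nested document is rejected early."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.orders = 0
        self.total_qty = 0
        self._in_qty = False
        self._text = []

    def startElement(self, name, attrs):
        self.depth += 1
        if self.depth > MAX_DEPTH:
            raise DepthLimitExceeded(f"nesting deeper than {MAX_DEPTH}")
        if name == "order":
            self.orders += 1
        elif name == "qty":
            self._in_qty, self._text = True, []

    def characters(self, content):
        # expat may deliver one text node in several chunks; collect them all
        if self._in_qty:
            self._text.append(content)

    def endElement(self, name):
        self.depth -= 1
        if name == "qty":
            self.total_qty += int("".join(self._text).strip())
            self._in_qty = False


def summarize_with_sax(raw: bytes) -> dict:
    """Stream the document through OrderHandler; nothing is kept but counters."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external entities
    handler = OrderHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(raw))
    return {"orders": handler.orders, "total_qty": handler.total_qty}


def summarize_with_dom(raw: bytes) -> dict:
    """Build the full DOM tree, then query it.  Simpler code, but parseString()
    has to finish (and hold the whole tree) before any check can run."""
    doc = minidom.parseString(raw)
    total = 0
    for qty in doc.getElementsByTagName("qty"):
        text = "".join(n.data for n in qty.childNodes if n.nodeType == n.TEXT_NODE)
        total += int(text.strip())
    return {"orders": len(doc.getElementsByTagName("order")), "total_qty": total}


def nested_document(depth: int) -> bytes:
    """A well-formed document of the given nesting depth (constructed input)."""
    return b"<a>" * depth + b"x" + b"</a>" * depth


if __name__ == "__main__":
    print("SAX:", summarize_with_sax(SAMPLE_XML))
    print("DOM:", summarize_with_dom(SAMPLE_XML))
    try:
        summarize_with_sax(nested_document(MAX_DEPTH + 1))
    except DepthLimitExceeded as exc:
        print("SAX rejected early:", exc)
```

The DOM version is clearly the shorter and more readable of the two, which is the ease-of-use point made above; the price is that every byte must be parsed and held before the first query runs, whereas the SAX handler can stop on the first event that breaks a limit and keeps only a few counters in memory.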


These have been my revision and development lessons for today, with the goal of learning about web services in order to protect our organization.

Regards, my friends; drop me a line with the first thing you are thinking!!!