
I've been given the assignment of testing one of our web servers with regard to security. One of the servers runs IIS 7 and its application relies extensively on XMLRPC calls. I found that the API for those calls was publicly available on the web server, which got me thinking.

Does this need to be exposed? (I.e. does the application break if removed?) Does this exposure pose a security threat? (Or would removing the API simply be a 'security by obscurity'?)

efr4k
  • 497
  • 3
  • 13

1 Answer

2

Well, the first thing that comes to mind is that if you remove an external endpoint of an API that an application relies on, then yeah, it would probably break. :)

More specifically, it really depends on the application in question. If it only works over XMLRPC and it needs to connect from a different machine, then yes, it will break if you remove the access. Otherwise it might not. The fact that it is publicly accessible does increase the risk to your server(s) because of an increased attack surface, but if it's a properly secured service then there is less risk. There is still an increased attack surface though.

However, since it is XMLRPC, which is an antiquated protocol (a precursor to SOAP), there is a good chance that it wasn't necessarily designed with security in mind.

Removing the API would not be security by obscurity unless there is another way to access the API whose protection hinges on the fact that XMLRPC was the only known public endpoint.

Steve
  • 15,155
  • 3
  • 37
  • 66
  • I'm thinking the API is there for the developer, as the application in the background already "knows" the protocol. By that reasoning I would think it should be safe to remove? Or have I totally misunderstood the concept? – efr4k Oct 25 '11 at 12:38
  • What do you mean by "knows" the protocol? Do other applications use XMLRPC to connect to it? If there are, and they only connect via XMLRPC, then removing it will cause them to break, which is usually bad. If no one else uses it, by all means turn it off. – Steve Oct 27 '11 at 15:41
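One way to settle the "will anything break" question before touching the endpoint is to check who actually calls it. This added example (not from either poster) parses a constructed IIS 7 W3C log excerpt and splits XML-RPC callers into internal and external; it assumes the endpoint lives at /api/xmlrpc and that 10.0.0.0/8 is the trusted internal range.

```python
import ipaddress
from collections import Counter

# Constructed IIS 7 W3C log excerpt (not from the original post). The
# application's XML-RPC endpoint path is assumed to be /api/xmlrpc.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-10-25 12:00:01 10.0.0.5 POST /api/xmlrpc - 80 - 10.0.0.20 AppClient/1.0 200 0 0 15
2011-10-25 12:00:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 3
2011-10-25 12:00:03 10.0.0.5 POST /api/xmlrpc - 80 - 198.51.100.23 python-xmlrpc/2.7 200 0 0 12
2011-10-25 12:00:04 10.0.0.5 POST /api/xmlrpc - 80 - 10.0.0.21 AppClient/1.0 200 0 0 14
2011-10-25 12:00:05 10.0.0.5 GET /api/xmlrpc - 80 - 198.51.100.23 python-xmlrpc/2.7 405 0 0 2
"""

# Assumed internal address range; adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def xmlrpc_callers(text, endpoint="/api/xmlrpc"):
    """Count requests to the XML-RPC endpoint per client IP, split internal/external."""
    report = {"internal": Counter(), "external": Counter()}
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() == endpoint:
            bucket = "internal" if is_internal(rec["c-ip"]) else "external"
            report[bucket][rec["c-ip"]] += 1
    return report

if __name__ == "__main__":
    r = xmlrpc_callers(SAMPLE_LOG)
    print("internal callers:", dict(r["internal"]))
    print("external callers:", dict(r["external"]))
    if not r["external"]:
        print("No external callers seen: restricting the endpoint is unlikely to break anything.")
```

Run it over a real log window long enough to cover every scheduled job; an external caller that shows up once a month is still a caller.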