Re: Security Concerns section added to Query_by_reference

On 7 Apr 2009, at 12:32, Axel Polleres wrote:

> Steve Harris wrote:
>> On 6 Apr 2009, at 17:45, Axel Polleres wrote:
>>> Let me understand: What is the difference in terms of security  
>>> issues between query-by-reference and queries using REST or SOAP  
>>> queries?
>> Well, there's the additional DOS problem that query-by-reference  
>> brings.
>>> The same concerns you seem to rise hold there... quite on the  
>>> contrary, it seems that only allowing queries-by-reference from a  
>>> particular namespace would be a security feature rather than a leak.
>> OK, here's one example:
>> Imagine a corporate system, inside a firewall, hosting a number of  
>> services, and a SPARQL endpoint. There's a hole/bridge through the  
>> firewall to allow outside people to connect to the SPARQL store and  
>> issue approved queries by reference.
>> The systems inside the firewall are all in secure.example, eg.  
>>, and
>> The SPARQL store is configured to only accept references from  
>>, a machine that uses SPARQL to provide  
>> services.
>> An attacker issues a request like ?query-ref=
>> As far as the SPARQL endpoint is concerned, that's legitimate, so  
>> it might reasonably try and dereference that URI (which is  
>> obviously a bad idea to a human).
> Well, so what I don't get is... Why is that obviously a bad idea? If  
> it is within the legitimate queries stored in that namespace, then  
> is is an allowed one. There might be more sophisiticated blocking  
> mechanisms than "by namesspace" but that is imo outside our scope...  
> the endpoint may reject references by any (internal) reason. And how  
> is that different from the GET version is not supposed to  
be a SPARQL query, but a service endpoint that performs some actions  
when it's dereferenced. I guess I didn't make that clear.

- Steve

Steve Harris
Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
+44(0)20 8973 2465
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10  

Received on Tuesday, 7 April 2009 12:04:37 UTC