An XML Signature includes a "Reference" element pointing to the signed data. The parsing application must "dereference" (i.e. pull down) the reference URI. The XML Signature standard states: "XML signature applications MUST be able to parse URI syntax. We RECOMMEND they be able to dereference URIs in the HTTP scheme." [RFC3075 - XML-Signature Syntax and Processing]. However, this introduces a vulnerability: the referenced data may be bogus, or the reference may simply be a way to waste the recipient system's resources by making it pull down a large file.
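A pre-verification check for the dereferencing risk described above, as an added example that is not from the original article: it lists each Reference URI in a signature and accepts only same-document references, so nothing is fetched over HTTP. The sample document, the same-document-only policy and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

# Constructed sample: one same-document reference, one external HTTP reference.
SAMPLE = """<Envelope>
  <Body Id="body">order</Body>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#body"/>
      <Reference URI="http://files.example.invalid/large.bin"/>
    </SignedInfo>
  </Signature>
</Envelope>"""


def classify_reference(uri, known_ids):
    """Return (allowed, reason) for one Reference URI (assumed same-document-only policy)."""
    if uri is None:
        return False, "missing URI: target is application-defined, reject by default"
    if uri == "":
        return True, "whole-document reference"
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc or parts.path:
        return False, "external reference, not dereferenced"
    if parts.fragment in known_ids:
        return True, "same-document reference"
    return False, "fragment does not match any Id in the document"


def check_references(xml_text):
    """List every ds:Reference with the policy decision, without fetching anything."""
    root = ET.fromstring(xml_text)
    # Assumption: signed elements carry an unqualified Id/ID/id attribute.
    known_ids = {el.attrib[k] for el in root.iter()
                 for k in ("Id", "ID", "id") if k in el.attrib}
    results = []
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI")
        allowed, reason = classify_reference(uri, known_ids)
        results.append((uri, allowed, reason))
    return results


if __name__ == "__main__":
    for uri, allowed, reason in check_references(SAMPLE):
        print("ALLOW" if allowed else "REJECT", repr(uri), "-", reason)
```

A deployment that does need external references would replace the blanket rejection with an allow-list of hosts plus a size and time limit on the fetch.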
REST, Web 2.0 and SOA
In the Web 2.0 world, it is the back-end Web Services which become a key point of attack. This is sometimes termed the "large attack surface" of Web 2.0. An attacker can try to attack an application through its client interface, or they can bypass the interface and go straight after the back-end Web Services instead.
Wait: Is this a solved problem?