Teaching a New Dog Old Tricks Web Services Daniel Grzelak / Colin Wong RUXCON ‘06

About Us SIFT Independent information security services http://ww.sift.com.au/ Daniel Grzelak Technical analyst [email_address] Colin Wong Found him outside [email_address]

SIFT

Independent information security services

http://ww.sift.com.au/

Daniel Grzelak

Technical analyst

[email_address]

Colin Wong

Found him outside

[email_address]

Outline Web services basics The past, the present, the future Client testing Web method enumeration XML port scanning Structured testing framework

Web services basics

The past, the present, the future

Client testing

Web method enumeration

XML port scanning

Structured testing framework

Web Services Essentials XML-based remote procedure call Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL) Multiple transport bindings HTTP, SMTP, FTP etc. Interoperable, heterogeneous, magical ! “ Oh yeah, aight. Aight, I put on my robe and wizard hat.“

XML-based remote procedure call

Simple Object Access Protocol (SOAP)

Web Services Description Language (WSDL)

Multiple transport bindings

HTTP, SMTP, FTP etc.

Interoperable, heterogeneous, magical !

“ Oh yeah, aight. Aight, I put on my robe and wizard hat.“

Why Test Web Services? High enterprise take-up in high value projects Authentication services Supply chain integration (B2B) Exposing legacy systems External APIs Transactions and critical business functions Web services will become increasingly widespread

High enterprise take-up in high value projects

Authentication services

Supply chain integration (B2B)

Exposing legacy systems

External APIs

Transactions and critical business functions

Web services will become increasingly widespread

New Dog, Old Tricks Web services share vulnerabilities with traditional distributed technologies Lots of the same attacks apply but with better structure (XML) Web services platforms make it “too easy” Code web services as a traditional object Platform automagically turns it into a service Minimal (if any) security

Web services share vulnerabilities with traditional distributed technologies

Lots of the same attacks apply but with better structure (XML)

Web services platforms make it “too easy”

Code web services as a traditional object

Platform automagically turns it into a service

Minimal (if any) security

Client Testing Web services security testing tends to focus on the web service itself Clients are most often custom made These can also be vulnerable Clients are where the users are at Users are the weakest link Own the client and you can attack the users

Web services security testing tends to focus on the web service itself

Clients are most often custom made

These can also be vulnerable

Clients are where the users are at

Users are the weakest link

Own the client and you can attack the users

Old Client Tricks Similar to JavaScript attacks in web apps Target the browser not the server Large client/server software houses have learnt to look at the client Internet Explorer Real Player Web services clients get overlooked

Similar to JavaScript attacks in web apps

Target the browser not the server

Large client/server software houses have learnt to look at the client

Internet Explorer

Real Player

Web services clients get overlooked

Client Attacks Evil twin DNS hacking ARP poisoning Hard to execute blind, possession of the client helps Testing Consume WSDL and become the web service Once client talks to cloned web service, fuzz outputs and analyse client app response Thorough logging must exist

Evil twin

DNS hacking

ARP poisoning

Hard to execute blind, possession of the client helps

Testing

Consume WSDL and become the web service

Once client talks to cloned web service, fuzz outputs and analyse client app response

Thorough logging must exist

Web Method Enumeration WSDL may not describe all allowed operations Can be manually modified Programmers love hidden backdoors We would like to be able to find the secrets Hidden administration interfaces or functions Test or debug functions Anything else we’re not supposed to get to

WSDL may not describe all allowed operations

Can be manually modified

Programmers love hidden backdoors

We would like to be able to find the secrets

Hidden administration interfaces or functions

Test or debug functions

Anything else we’re not supposed to get to

Web Method Search Perform a dictionary attack on web method names in a web service Typically in the form of <verb><noun> GetToken AuthenticateUser SetPassword CreateAccount Create or use ready-made verb and noun lists

Perform a dictionary attack on web method names in a web service

Typically in the form of <verb><noun>

GetToken

AuthenticateUser

SetPassword

CreateAccount

Create or use ready-made verb and noun lists

Calling Web Methods POST http://target.com/ HTTP/1.1 SOAPAction: http://target.com/ webMethodName Content-Type: text/xml <?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> < webMethodName xmlns=&quot;tns&quot;>a</ webMethodName > </soap:Body> </soap:Envelope>

POST http://target.com/ HTTP/1.1

SOAPAction: http://target.com/ webMethodName

Content-Type: text/xml <?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?>

<soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;>

<soap:Body>

< webMethodName xmlns=&quot;tns&quot;>a</ webMethodName >

</soap:Body>

</soap:Envelope>

Analyse Responses Test with each verb/noun combination Analyse response of the web service Can determine if the tested method exists Combination exists Successful call Missing or incorrect parameter errors Illegal argument or null reference errors Combination does not exist Operation not defined errors No such operation or method Bad SOAP action

Test with each verb/noun combination

Analyse response of the web service

Can determine if the tested method exists

Combination exists

Successful call

Missing or incorrect parameter errors

Illegal argument or null reference errors

Combination does not exist

Operation not defined errors

No such operation or method

Bad SOAP action

Web Method Searching (For Bugs?) No such operation 'get' at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179) at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323) at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453) at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281) at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699) at ... coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

No such operation 'get' at

org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179) at

org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323) at

coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54) at

org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at

org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at

org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at

org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453) at

org.apache.axis.server.AxisServer.invoke(AxisServer.java:281) at

org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699) at

...

coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78) at

jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91) at

jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at

jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257) at

jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541) at

jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204) at

jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318) at

jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426) at

jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264) at

jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Web Method Searching (For Bugs?) DirectoryException: cannot automatically create subdirectory http: at <result xsi:type=&quot;xsd:string&quot;>null not in database (yet)</result> <b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br /> <br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96) <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring SQL syntax errors

DirectoryException: cannot automatically create subdirectory http: at

<result xsi:type=&quot;xsd:string&quot;>null not in database (yet)</result>

<b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br /> <br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)

<faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring

SQL syntax errors

Web Method Search Tool Automated execution of dictionary attack with supplied wordlists Analysis of responses against configurable response elements Results may match multiple matters Supports multiple weightings

Automated execution of dictionary attack with supplied wordlists

Analysis of responses against configurable response elements

Results may match multiple matters

Supports multiple weightings

Web Method Search Tool Demonstration http://www.sift.com.au/73/0/tools.htm

Demonstration

http://www.sift.com.au/73/0/tools.htm

Workarounds and Mitigating Strategies Security through obscurity does not work Do not keep web methods secret because they will not remain secret Input Validation

Security through obscurity does not work

Do not keep web methods secret because they will not remain secret

Input Validation

XML Port Scanning Everyone loves XML Has become the standard for information exchange Ubiquitous support by all vendors and platforms Firewalls block most traffic at the perimeter Except maybe 80 and 443 Can we get behind the firewall to scan? Maybe if we ask nicely

Everyone loves XML

Has become the standard for information exchange

Ubiquitous support by all vendors and platforms

Firewalls block most traffic at the perimeter

Except maybe 80 and 443

Can we get behind the firewall to scan?

Maybe if we ask nicely

Traditional Port Scan

Document Type Definition Allows you to define the valid elements of an XML document Can dynamically build a DTD using references to external DTD definitions Can define external entities that can be used within the XML document

Allows you to define the valid elements of an XML document

Can dynamically build a DTD using references to external DTD definitions

Can define external entities that can be used within the XML document

XML Parser Abuse Abuse the ability for XML parsers to dereference external sources Use DTD elements to get the parser to initiate connections on our behalf The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1 <!DOCTYPE scan [<!ENTITY test SYSTEM &quot;http://192.168.1.1:22/&quot;>]> <scan>&test;</scan>

Abuse the ability for XML parsers to dereference external sources

Use DTD elements to get the parser to initiate connections on our behalf

The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1

<!DOCTYPE scan [<!ENTITY test SYSTEM &quot;http://192.168.1.1:22/&quot;>]>

<scan>&test;</scan>

Analyse Responses We can infer the result of the attempted connection from the XML parser response Closed ports result in a connection refused error Open ports that respond to a HTTP request result in other errors or no error at all Filtered ports, no such target or open ports that do not respond to a HTTP request result in a timeout Can only scan one port per XML document Cycle through all target ports and systems

We can infer the result of the attempted connection from the XML parser response

Closed ports result in a connection refused error

Open ports that respond to a HTTP request result in other errors or no error at all

Filtered ports, no such target or open ports that do not respond to a HTTP request result in a timeout

Can only scan one port per XML document

Cycle through all target ports and systems

Applicability This attack can be launched against XML endpoints Cannot be used directly against SOAP SOAP explicitly disallows DTD Potential targets AJAX APIs XML document inputs Encoded XML within SOAP parameters

This attack can be launched against XML endpoints

Cannot be used directly against SOAP

SOAP explicitly disallows DTD

Potential targets

AJAX APIs

XML document inputs

Encoded XML within SOAP parameters

Impacts Port scanning of systems in your DMZ Effectively transports the scanning to the parser You can see whatever the XML parser can see Firewalls won’t help you XML is valid traffic SSL protects attack traffic

Port scanning of systems in your DMZ

Effectively transports the scanning to the parser

You can see whatever the XML parser can see

Firewalls won’t help you

XML is valid traffic

SSL protects attack traffic

XML Port Scan

XML Port Scanning Demonstration

Demonstration

Workarounds and Mitigating Strategies Disable external entity elements Or define allowed external elements Prohibit DTDs Exception handling that does not return error messages or details Still allows timeouts to be detected So some open ports can be detected Closed ports return quickly

Disable external entity elements

Or define allowed external elements

Prohibit DTDs

Exception handling that does not return error messages or details

Still allows timeouts to be detected

So some open ports can be detected

Closed ports return quickly

Structured Testing Web services are popular So is testing their security However, no structured framework exists i.e. no OWASP (although some OWASP projects touch on web services) Security testing must be structured to be useful

Web services are popular

So is testing their security

However, no structured framework exists

i.e. no OWASP (although some OWASP projects touch on web services)

Security testing must be structured to be useful

Structured Testing Framework Threat Modelling Scoping Test Planning Test Execution Reporting

Threat Modelling

Scoping

Test Planning

Test Execution

Reporting

Testing Categories Information Gathering Fuzzing Injection Confidentiality & Integrity Logging Logic Flaws Authentication & Authorisation Availability

Information Gathering

Fuzzing

Injection

Confidentiality & Integrity

Logging

Logic Flaws

Authentication & Authorisation

Availability

Questions? ?

?

Teaching a New Dog Old Tricks Web Services Colin Wong [colin.wong@sift.com.au] Daniel Grzelak [daniel.grzelak@sift.com.au] RUXCON ‘06