Web Services Security
Daniel Grzelak / Colin Wong
Web Services Security Presentation Transcript

  • Teaching a New Dog Old Tricks Web Services Daniel Grzelak / Colin Wong RUXCON ‘06
  • About Us
    • SIFT
      • Independent information security services
      • http://ww.sift.com.au/
    • Daniel Grzelak
      • Technical analyst
      • [email_address]
    • Colin Wong
      • Found him outside
      • [email_address]
  • Outline
    • Web services basics
    • The past, the present, the future
    • Client testing
    • Web method enumeration
    • XML port scanning
    • Structured testing framework
  • Web Services Essentials
    • XML-based remote procedure call
    • Simple Object Access Protocol (SOAP)
    • Web Services Description Language (WSDL)
    • Multiple transport bindings
      • HTTP, SMTP, FTP etc.
    • Interoperable, heterogeneous, magical !
    • “Oh yeah, aight. Aight, I put on my robe and wizard hat.”
  • Why Test Web Services?
    • High enterprise take-up in high value projects
      • Authentication services
      • Supply chain integration (B2B)
      • Exposing legacy systems
      • External APIs
    • Transactions and critical business functions
    • Web services will become increasingly widespread
  • New Dog, Old Tricks
    • Web services share vulnerabilities with traditional distributed technologies
      • Lots of the same attacks apply but with better structure (XML)
    • Web services platforms make it “too easy”
      • Code web services as a traditional object
      • Platform automagically turns it into a service
      • Minimal (if any) security
  • Client Testing
    • Web services security testing tends to focus on the web service itself
      • Clients are most often custom made
      • These can also be vulnerable
    • Clients are where the users are at
      • Users are the weakest link
    • Own the client and you can attack the users
  • Old Client Tricks
    • Similar to JavaScript attacks in web apps
      • Target the browser not the server
    • Large client/server software houses have learnt to look at the client
      • Internet Explorer
      • Real Player
    • Web services clients get overlooked
  • Client Attacks
    • Evil twin
      • DNS hacking
      • ARP poisoning
      • Hard to execute blind, possession of the client helps
    • Testing
      • Consume WSDL and become the web service
      • Once client talks to cloned web service, fuzz outputs and analyse client app response
      • Thorough logging must exist
  • Web Method Enumeration
    • WSDL may not describe all allowed operations
      • Can be manually modified
      • Programmers love hidden backdoors
    • We would like to be able to find the secrets
      • Hidden administration interfaces or functions
      • Test or debug functions
      • Anything else we’re not supposed to get to
  • Web Method Search
    • Perform a dictionary attack on web method names in a web service
    • Typically in the form of <verb><noun>
      • GetToken
      • AuthenticateUser
      • SetPassword
      • CreateAccount
    • Create or use ready-made verb and noun lists
  • Calling Web Methods

      POST http://target.com/ HTTP/1.1
      SOAPAction: http://target.com/webMethodName
      Content-Type: text/xml

      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
          <webMethodName xmlns="tns">a</webMethodName>
        </soap:Body>
      </soap:Envelope>
  • Analyse Responses
    • Test with each verb/noun combination
    • Analyse response of the web service
    • Can determine if the tested method exists
      • Combination exists
        • Successful call
        • Missing or incorrect parameter errors
        • Illegal argument or null reference errors
      • Combination does not exist
        • Operation not defined errors
        • No such operation or method
        • Bad SOAP action
  • Web Method Searching (For Bugs?)
    • Full stack trace returned by an Apache Axis / ColdFusion endpoint for a method that does not exist:

      No such operation 'get'
        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
        at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
        ...
        at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
        at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
        at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
        at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
        at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
        at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
        at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
        at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
        at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
        at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
  • Web Method Searching (For Bugs?)
    • DirectoryException: cannot automatically create subdirectory http: at
    • <result xsi:type="xsd:string">null not in database (yet)</result>
    • <b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br /> <br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)
    • <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring>
    • SQL syntax errors
  • Web Method Search Tool
    • Automated execution of dictionary attack with supplied wordlists
    • Analysis of responses against configurable response elements
      • A single response may match more than one configured element
      • Supports multiple weightings
  • Web Method Search Tool
    • Demonstration
      • http://www.sift.com.au/73/0/tools.htm
  • Workarounds and Mitigating Strategies
    • Security through obscurity does not work
      • Do not keep web methods secret because they will not remain secret
    • Input Validation
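The fault categories from the “Analyse Responses” slide also work in the defender’s favour: a client that triggers “no such operation” style faults for many distinct method names is running the dictionary search described above. The following is an added example, not code from the talk or from the SIFT tool; the log line format and the sample lines are constructed, and the fault strings are taken from the slides.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the talk), in the shape an application or
# gateway log might record: client IP, SOAPAction header, HTTP status, fault text.
SAMPLE_LOG = """\
10.0.0.5 SOAPAction="http://target.com/GetToken" status=200 fault=""
10.0.0.9 SOAPAction="http://target.com/GetToken" status=200 fault=""
10.0.0.9 SOAPAction="http://target.com/GetUser" status=500 fault="No such operation 'GetUser'"
10.0.0.9 SOAPAction="http://target.com/GetAccount" status=500 fault="Operation not defined"
10.0.0.9 SOAPAction="http://target.com/SetPassword" status=500 fault="Bad SOAP action"
10.0.0.9 SOAPAction="http://target.com/CreateAccount" status=500 fault="No such operation 'CreateAccount'"
10.0.0.5 SOAPAction="http://target.com/AuthenticateUser" status=500 fault="Missing parameter 'password'"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) SOAPAction="(?P<action>[^"]*)" status=(?P<status>\d+) fault="(?P<fault>[^"]*)"$'
)
# Fault texts the slides list for a method that does not exist. A missing-parameter
# or null-reference fault means the method is real, so those are not counted.
UNKNOWN_METHOD_RE = re.compile(
    r"no such operation|operation not defined|bad soap ?action|no such method", re.I
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts (malformed lines skipped)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_method_scanners(rows, min_unknown=3):
    """Return {ip: sorted method names} for clients that hit at least
    min_unknown distinct non-existent web methods (a method-name dictionary search)."""
    unknown = defaultdict(set)
    for r in rows:
        if UNKNOWN_METHOD_RE.search(r["fault"]):
            # Method name is the last path component of the SOAPAction URI.
            unknown[r["ip"]].add(r["action"].rsplit("/", 1)[-1])
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= min_unknown}
```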
  • XML Port Scanning
    • Everyone loves XML
      • Has become the standard for information exchange
    • Ubiquitous support by all vendors and platforms
    • Firewalls block most traffic at the perimeter
      • Except maybe 80 and 443
    • Can we get behind the firewall to scan?
      • Maybe if we ask nicely
  • Traditional Port Scan
  • Document Type Definition
    • Allows you to define the valid elements of an XML document
    • Can dynamically build a DTD using references to external DTD definitions
    • Can define external entities that can be used within the XML document
  • XML Parser Abuse
    • Abuse the ability for XML parsers to dereference external sources
    • Use DTD elements to get the parser to initiate connections on our behalf
    • The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1
      • <!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>
      • <scan>&test;</scan>
  • Analyse Responses
    • We can infer the result of the attempted connection from the XML parser response
      • Closed ports result in a connection refused error
      • Open ports that respond to an HTTP request result in other errors or no error at all
      • Filtered ports, non-existent targets, and open ports that do not respond to an HTTP request result in a timeout
    • Can only scan one port per XML document
    • Cycle through all target ports and systems
  • Applicability
    • This attack can be launched against XML endpoints
    • Cannot be used directly against SOAP
      • SOAP explicitly disallows DTD
    • Potential targets
      • AJAX APIs
      • XML document inputs
      • Encoded XML within SOAP parameters
  • Impacts
    • Port scanning of systems in your DMZ
    • Effectively transports the scanning to the parser
      • You can see whatever the XML parser can see
    • Firewalls won’t help you
      • XML is valid traffic
      • SSL protects attack traffic
  • XML Port Scan
  • XML Port Scanning
    • Demonstration
  • Workarounds and Mitigating Strategies
    • Disable external entity elements
      • Or define allowed external elements
    • Prohibit DTDs
    • Exception handling that does not return error messages or details
      • Still allows timeouts to be detected
        • So some open ports can be detected
        • Closed ports return quickly
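The first two mitigations (prohibit DTDs, or keep DTDs but refuse external entities) can be enforced at parse time, before any entity is dereferenced, which also removes the timeout side channel the last bullet describes. This is an added example, not code from the talk: it uses Python’s stdlib expat bindings, which do not fetch external entities unless a handler is installed, and adds explicit rejection on top; the sample documents are constructed, with the port-scan DTD pattern taken from the slides.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the original talk): a plain document and
# one carrying the external-entity DTD pattern from the XML port scanning slides.
BENIGN_DOC = '<?xml version="1.0"?><scan>hello</scan>'
SCAN_DOC = ('<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>'
            '<scan>&test;</scan>')


class DtdRejected(ValueError):
    """Document declared a DTD or external entity that policy does not allow."""


def parse_strict(doc, allow_dtd=False):
    """Parse doc with expat and return [(tag, text), ...] per element.

    allow_dtd=False rejects any DOCTYPE; allow_dtd=True accepts internal DTDs
    but still refuses external entities when declared. Nothing is fetched, so
    a refused document fails instantly with no connection and no timeout.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, stack = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise DtdRejected("DOCTYPE %r not permitted" % name)
        if sysid is not None or pubid is not None:
            raise DtdRejected("external DTD %r refused" % sysid)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            raise DtdRejected("external entity %r -> %r refused" % (name, sysid))

    def chars(data):
        if stack:
            stack[-1][1] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    # Belt and braces: even if a declaration slipped through, never dereference.
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0
    parser.StartElementHandler = lambda tag, attrs: stack.append([tag, ""])
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = lambda tag: elements.append(tuple(stack.pop()))
    parser.Parse(doc, True)
    return elements


def classify(doc, allow_dtd=False):
    """'ok' if the document parses under the policy, otherwise 'rejected'."""
    try:
        parse_strict(doc, allow_dtd)
        return "ok"
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return "rejected"
```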
  • Structured Testing
    • Web services are popular
      • So is testing their security
    • However, no structured framework exists
      • i.e. no OWASP (although some OWASP projects touch on web services)
    • Security testing must be structured to be useful
  • Structured Testing Framework
    • Threat Modelling
    • Scoping
    • Test Planning
    • Test Execution
    • Reporting
  • Testing Categories
    • Information Gathering
    • Fuzzing
    • Injection
    • Confidentiality & Integrity
    • Logging
    • Logic Flaws
    • Authentication & Authorisation
    • Availability
  • Questions?
    • ?
  • Teaching a New Dog Old Tricks Web Services Colin Wong [colin.wong@sift.com.au] Daniel Grzelak [daniel.grzelak@sift.com.au] RUXCON ‘06