Web Services Security

Daniel Grzelak / Colin Wong

Usage Rights: © All Rights Reserved

Presentation Transcript

  • Teaching a New Dog Old Tricks: Web Services. Daniel Grzelak / Colin Wong, RUXCON ’06
  • About Us
    • SIFT
      • Independent information security services
      • http://ww.sift.com.au/
    • Daniel Grzelak
      • Technical analyst
      • [email_address]
    • Colin Wong
      • Found him outside
      • [email_address]
  • Outline
    • Web services basics
    • The past, the present, the future
    • Client testing
    • Web method enumeration
    • XML port scanning
    • Structured testing framework
  • Web Services Essentials
    • XML-based remote procedure call
    • Simple Object Access Protocol (SOAP)
    • Web Services Description Language (WSDL)
    • Multiple transport bindings
      • HTTP, SMTP, FTP etc.
    • Interoperable, heterogeneous, magical!
    • “Oh yeah, aight. Aight, I put on my robe and wizard hat.”
  • Why Test Web Services?
    • High enterprise take-up in high value projects
      • Authentication services
      • Supply chain integration (B2B)
      • Exposing legacy systems
      • External APIs
    • Transactions and critical business functions
    • Web services will become increasingly widespread
  • New Dog, Old Tricks
    • Web services share vulnerabilities with traditional distributed technologies
      • Lots of the same attacks apply but with better structure (XML)
    • Web services platforms make it “too easy”
      • Code web services as a traditional object
      • Platform automagically turns it into a service
      • Minimal (if any) security
  • Client Testing
    • Web services security testing tends to focus on the web service itself
      • Clients are most often custom made
      • These can also be vulnerable
    • Clients are where the users are at
      • Users are the weakest link
    • Own the client and you can attack the users
  • Old Client Tricks
    • Similar to JavaScript attacks in web apps
      • Target the browser not the server
    • Large client/server software houses have learnt to look at the client
      • Internet Explorer
      • Real Player
    • Web services clients get overlooked
  • Client Attacks
    • Evil twin
      • DNS hacking
      • ARP poisoning
      • Hard to execute blind, possession of the client helps
    • Testing
      • Consume WSDL and become the web service
      • Once the client talks to the cloned web service, fuzz the outputs and analyse the client application's response
      • Thorough logging must exist
  • Web Method Enumeration
    • WSDL may not describe all allowed operations
      • Can be manually modified
      • Programmers love hidden backdoors
    • We would like to be able to find the secrets
      • Hidden administration interfaces or functions
      • Test or debug functions
      • Anything else we’re not supposed to get to
  • Web Method Search
    • Perform a dictionary attack on web method names in a web service
    • Typically in the form of <verb><noun>
      • GetToken
      • AuthenticateUser
      • SetPassword
      • CreateAccount
    • Create or use ready-made verb and noun lists
  • Calling Web Methods
        POST http://target.com/ HTTP/1.1
        SOAPAction: http://target.com/webMethodName
        Content-Type: text/xml

        <?xml version="1.0" encoding="utf-8"?>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <soap:Body>
            <webMethodName xmlns="tns">a</webMethodName>
          </soap:Body>
        </soap:Envelope>
  • Analyse Responses
    • Test with each verb/noun combination
    • Analyse response of the web service
    • Can determine if the tested method exists
      • Combination exists
        • Successful call
        • Missing or incorrect parameter errors
        • Illegal argument or null reference errors
      • Combination does not exist
        • Operation not defined errors
        • No such operation or method
        • Bad SOAP action
  • Web Method Searching (For Bugs?)
        No such operation 'get'
            at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
            at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
            at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
            at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
            at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
            at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
            at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
            at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
            at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
            ...
            at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
            at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
            at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
            at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
            at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
            at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
            at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
            at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
            at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
            at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
  • Web Method Searching (For Bugs?)
        DirectoryException: cannot automatically create subdirectory http: at
        <result xsi:type="xsd:string">null not in database (yet)</result>
        /home/sites/site66/web/_webservices/includes/nusoap/nusoap.php on line 3778
        Warning: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)
        <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring>
    • SQL syntax errors
  • Web Method Search Tool
    • Automated execution of dictionary attack with supplied wordlists
    • Analysis of responses against configurable response elements
      • Results may match multiple matters
      • Supports multiple weightings
  • Web Method Search Tool
    • Demonstration
      • http://www.sift.com.au/73/0/tools.htm
  • Workarounds and Mitigating Strategies
    • Security through obscurity does not work
      • Do not keep web methods secret because they will not remain secret
    • Input Validation
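The response taxonomy in "Analyse Responses" is also what a defender needs: the same fault wording that lets a tester tell an existing method from a missing one is what a server-side log review should look for, and a burst of "no such operation" faults for distinct method names from one client is the signature of a web method dictionary attack. The following is an added example, not code from the deck or from SIFT's tool. It implements that classification as a log-side detector with Python's standard library only; the log format (one line per call with a client address, the SOAPAction method name and the fault string returned) and every log line in it are constructed for the example.

```python
"""Added example (not from the RUXCON '06 deck): detect web method enumeration
from server-side call logs and list the fault messages that make it possible.

Classification rules follow the slides: parameter, argument and null-reference
errors mean the method exists; 'operation not defined', 'no such operation /
method' and 'bad SOAP action' mean it does not. The log format and the sample
lines are constructed for this example (addresses from RFC 5737 test ranges)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) action=(?P<action>\S+) fault=(?P<fault>-|"[^"]*")$')

# Lower-cased substrings from the "Analyse Responses" slide.
EXISTS_MARKERS = ("missing", "incorrect parameter", "illegal argument", "null reference")
NOT_EXISTS_MARKERS = ("operation not defined", "no such operation", "no such method",
                      "bad soap action")

# Constructed sample log: one client probes guessed <verb><noun> names, another uses the API.
SAMPLE_LOG = [
    '2006-10-01T10:00:01 client=203.0.113.7 action=GetUser fault=-',
    '2006-10-01T10:00:02 client=203.0.113.7 action=GetToken fault="No such operation \'GetToken\'"',
    '2006-10-01T10:00:02 client=203.0.113.7 action=SetPassword fault="Operation not defined"',
    '2006-10-01T10:00:03 client=203.0.113.7 action=CreateAccount fault="Bad SOAP action"',
    '2006-10-01T10:00:03 client=203.0.113.7 action=AuthenticateUser fault="Missing parameter: password"',
    '2006-10-01T10:00:04 client=203.0.113.7 action=DeleteUser fault="No such operation \'DeleteUser\'"',
    '2006-10-01T10:01:10 client=198.51.100.4 action=GetUser fault=-',
    '2006-10-01T10:01:11 client=198.51.100.4 action=GetUser fault="Illegal argument: id"',
]


def classify_fault(fault):
    """What a verbose fault tells the caller about the method name it tried."""
    if fault is None:
        return "exists"            # a successful call is the strongest confirmation
    text = fault.lower()
    if any(m in text for m in NOT_EXISTS_MARKERS):
        return "not_exists"
    if any(m in text for m in EXISTS_MARKERS):
        return "exists"
    return "unknown"


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fault = None if m["fault"] == "-" else m["fault"].strip('"')
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "action": m["action"], "fault": fault}


def detect_enumeration(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag clients that hit at least `threshold` distinct non-existent method names
    within `window`. Returns {client: sorted method names seen at the last alert}."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)    # client -> (ts, action) probes of missing methods
    alerts = {}
    for e in events:
        if classify_fault(e["fault"]) != "not_exists":
            continue
        probes = recent[e["client"]]
        probes.append((e["ts"], e["action"]))
        while probes and e["ts"] - probes[0][0] > window:
            probes.popleft()       # drop probes that fell out of the window
        names = sorted({action for _, action in probes})
        if len(names) >= threshold:
            alerts[e["client"]] = names
    return alerts


def disclosing_faults(lines):
    """Distinct fault strings that reveal whether a method exists: the candidates
    to replace with one generic fault, as the slide's mitigations suggest."""
    found = set()
    for e in filter(None, map(parse_line, lines)):
        if e["fault"] and classify_fault(e["fault"]) != "unknown":
            found.add(e["fault"])
    return sorted(found)


if __name__ == "__main__":
    for client, names in detect_enumeration(SAMPLE_LOG).items():
        print("enumeration suspected from %s: %s" % (client, ", ".join(names)))
    print("faults that disclose method existence:")
    for fault in disclosing_faults(SAMPLE_LOG):
        print("  " + fault)
```

Run stand-alone it reports the probing client with the four guessed names and lists the six fault strings that give method existence away. The threshold and window are deliberately parameters: a legitimate client that mistypes one method name produces a single "not_exists" event, while a dictionary attack produces many distinct names in seconds, which is the distinction the detector relies on.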
  • XML Port Scanning
    • Everyone loves XML
      • Has become the standard for information exchange
    • Ubiquitous support by all vendors and platforms
    • Firewalls block most traffic at the perimeter
      • Except maybe 80 and 443
    • Can we get behind the firewall to scan?
      • Maybe if we ask nicely
  • Traditional Port Scan
  • Document Type Definition
    • Allows you to define the valid elements of an XML document
    • Can dynamically build a DTD using references to external DTD definitions
    • Can define external entities that can be used within the XML document
  • XML Parser Abuse
    • Abuse the ability for XML parsers to dereference external sources
    • Use DTD elements to get the parser to initiate connections on our behalf
    • The following will cause the parser to attempt a connection to TCP port 22 on
        <!DOCTYPE scan [<!ENTITY test SYSTEM ";>]>
        <scan>&test;</scan>
  • Analyse Responses
    • We can infer the result of the attempted connection from the XML parser response
      • Closed ports result in a connection refused error
      • Open ports that respond to an HTTP request result in other errors or no error at all
      • Filtered ports, no such target, or open ports that do not respond to an HTTP request result in a timeout
    • Can only scan one port per XML document
    • Cycle through all target ports and systems
  • Applicability
    • This attack can be launched against XML endpoints
    • Cannot be used directly against SOAP
      • SOAP explicitly disallows DTD
    • Potential targets
      • AJAX APIs
      • XML document inputs
      • Encoded XML within SOAP parameters
  • Impacts
    • Port scanning of systems in your DMZ
    • Effectively transports the scanning to the parser
      • You can see whatever the XML parser can see
    • Firewalls won’t help you
      • XML is valid traffic
      • SSL protects attack traffic
  • XML Port Scan
  • XML Port Scanning
    • Demonstration
  • Workarounds and Mitigating Strategies
    • Disable external entity elements
      • Or define allowed external elements
    • Prohibit DTDs
    • Exception handling that does not return error messages or details
      • Still allows timeouts to be detected
        • So some open ports can be detected
        • Closed ports return quickly
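The mitigations above can be applied at the parser rather than by hoping the firewall sees the traffic. The following is an added example, not code from the deck: an XML ingestion gate built on Python's standard-library xml.sax expat reader (a stand-in for whatever parser an endpoint actually uses). It refuses any document with a DOCTYPE before the DTD is processed, never dereferences external general or parameter entities even when a DTD is allowed, and returns only a generic verdict to the caller while the detailed reason stays server-side. The sample documents and the 192.0.2.10:22 entity target (a TEST-NET-1 address) are constructed for the example; no connection is ever attempted.

```python
"""Added example (not from the RUXCON '06 deck): an XML ingestion gate that applies
the slide's mitigations with the Python standard library only. Sample documents,
including the SYSTEM entity pointing at 192.0.2.10:22, are constructed here."""
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Constructed inputs: the scanning document from the slide pattern, a clean
# document, and a malformed one. The target address is TEST-NET-1 (RFC 5737).
SCAN_DOC = (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.0.2.10:22/">]>\n'
            b'<scan>&test;</scan>')
CLEAN_DOC = b'<?xml version="1.0"?><order><id>42</id></order>'
BROKEN_DOC = b'<order><id>42</order>'


class DtdProhibited(Exception):
    """Raised from the lexical handler the moment a DOCTYPE declaration is seen."""


class LexicalGate:
    """Lexical handler: the first DTD event aborts the parse, so no entity
    declaration inside the DTD is ever registered, let alone dereferenced."""
    def startDTD(self, name, public_id, system_id):
        raise DtdProhibited("DOCTYPE '%s' refused (system id %r)" % (name, system_id))
    def endDTD(self):
        pass
    def startCDATA(self):
        pass
    def endCDATA(self):
        pass
    def comment(self, content):
        pass


class Collector(ContentHandler):
    """Records element names and character data so the caller sees what was parsed."""
    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []
    def startElement(self, name, attrs):
        self.elements.append(name)
    def characters(self, content):
        self.text.append(content)


def inspect_xml(data, allow_dtd=False):
    """Parse `data` under the hardened policy and return a verdict dict.

    'reason' is all the client should be told; 'detail' belongs in the server log.
    With allow_dtd=True the DTD is tolerated but external entities are still
    skipped, so the reference expands to nothing instead of a connection."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # never fetch SYSTEM entities
    parser.setFeature(feature_external_pes, False)   # never load external parameter entities
    if not allow_dtd:
        parser.setProperty(property_lexical_handler, LexicalGate())
    collector = Collector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(data))
    except DtdProhibited as exc:
        return {"accepted": False, "reason": "request rejected", "detail": str(exc),
                "elements": [], "text": ""}
    except xml.sax.SAXParseException as exc:
        return {"accepted": False, "reason": "request rejected", "detail": str(exc),
                "elements": [], "text": ""}
    return {"accepted": True, "reason": "ok", "detail": "",
            "elements": collector.elements, "text": "".join(collector.text)}


if __name__ == "__main__":
    for label, doc in (("scan (DTD prohibited)", SCAN_DOC), ("clean", CLEAN_DOC),
                       ("broken", BROKEN_DOC)):
        verdict = inspect_xml(doc)
        print("%-22s client sees: %-16s log detail: %s" % (label, verdict["reason"], verdict["detail"]))
    verdict = inspect_xml(SCAN_DOC, allow_dtd=True)
    print("scan (DTD allowed)     entity skipped, elements=%s text=%r" % (verdict["elements"], verdict["text"]))
```

The two controls are layered on purpose. Prohibiting DTDs removes the whole attack surface the slides describe, but some document formats legitimately carry a DOCTYPE; for those the second control still applies, and an endpoint that must accept DTDs should also keep its error handling generic, since the slides note that even silent failures leak open ports through timeouts.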
  • Structured Testing
    • Web services are popular
      • So is testing their security
    • However, no structured framework exists
      • i.e. no OWASP (although some OWASP projects touch on web services)
    • Security testing must be structured to be useful
  • Structured Testing Framework
    • Threat Modelling
    • Scoping
    • Test Planning
    • Test Execution
    • Reporting
  • Testing Categories
    • Information Gathering
    • Fuzzing
    • Injection
    • Confidentiality & Integrity
    • Logging
    • Logic Flaws
    • Authentication & Authorisation
    • Availability
  • Questions?
    • ?
  • Teaching a New Dog Old Tricks: Web Services. Colin Wong [colin.wong@sift.com.au], Daniel Grzelak [daniel.grzelak@sift.com.au], RUXCON ’06