Web Services Security

Daniel Grzelak / Colin Wong

1. Teaching a New Dog Old Tricks: Web Services
   Daniel Grzelak / Colin Wong, RUXCON '06

2. About Us
   - SIFT
     - Independent information security services
     - http://www.sift.com.au/
   - Daniel Grzelak
     - Technical analyst
     - [email_address]
   - Colin Wong
     - Found him outside
     - [email_address]

3. Outline
   - Web services basics
   - The past, the present, the future
   - Client testing
   - Web method enumeration
   - XML port scanning
   - Structured testing framework

4. Web Services Essentials
   - XML-based remote procedure call
   - Simple Object Access Protocol (SOAP)
   - Web Services Description Language (WSDL)
   - Multiple transport bindings
     - HTTP, SMTP, FTP etc.
   - Interoperable, heterogeneous, magical!
   - "Oh yeah, aight. Aight, I put on my robe and wizard hat."

5. Why Test Web Services?
   - High enterprise take-up in high-value projects
     - Authentication services
     - Supply chain integration (B2B)
     - Exposing legacy systems
     - External APIs
   - Transactions and critical business functions
   - Web services will become increasingly widespread

6. New Dog, Old Tricks
   - Web services share vulnerabilities with traditional distributed technologies
     - Lots of the same attacks apply, but with better structure (XML)
   - Web services platforms make it "too easy"
     - Code the web service as a traditional object
     - The platform automagically turns it into a service
     - Minimal (if any) security

7. Client Testing
   - Web services security testing tends to focus on the web service itself
     - Clients are most often custom made
     - These can also be vulnerable
   - Clients are where the users are
     - Users are the weakest link
   - Own the client and you can attack the users

8. Old Client Tricks
   - Similar to JavaScript attacks in web apps
     - Target the browser, not the server
   - Large client/server software houses have learnt to look at the client
     - Internet Explorer
     - RealPlayer
   - Web services clients get overlooked

9. Client Attacks
   - Evil twin
     - DNS hacking
     - ARP poisoning
     - Hard to execute blind; possession of the client helps
   - Testing
     - Consume the WSDL and become the web service
     - Once the client talks to the cloned web service, fuzz the outputs and analyse the client application's response
     - Thorough logging must exist

10. Web Method Enumeration
   - The WSDL may not describe all allowed operations
     - It can be manually modified
     - Programmers love hidden backdoors
   - We would like to be able to find the secrets
     - Hidden administration interfaces or functions
     - Test or debug functions
     - Anything else we're not supposed to get to

11. Web Method Search
   - Perform a dictionary attack on the web method names in a web service
   - Typically in the form <verb><noun>
     - GetToken
     - AuthenticateUser
     - SetPassword
     - CreateAccount
   - Create or use ready-made verb and noun lists

12. Calling Web Methods

   POST http://target.com/ HTTP/1.1
   SOAPAction: http://target.com/webMethodName
   Content-Type: text/xml

   <?xml version="1.0" encoding="utf-8"?>
   <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     <soap:Body>
       <webMethodName xmlns="tns">a</webMethodName>
     </soap:Body>
   </soap:Envelope>

13. Analyse Responses
   - Test with each verb/noun combination
   - Analyse the response of the web service
   - Can determine whether the tested method exists
     - Combination exists
       - Successful call
       - Missing or incorrect parameter errors
       - Illegal argument or null reference errors
     - Combination does not exist
       - Operation not defined errors
       - No such operation or method
       - Bad SOAP action
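Added example, not from the slides or from SIFT's tool: the two dispatch styles the slides contrast, fed the request from the "Calling Web Methods" slide. `AccountService`, the two method names not on the slides (`DebugDumpUsers` is hypothetical, `SetPassword` is given a second parameter) and the fault strings are assumptions. The "automagic" dispatcher reflects whatever name the Body carries onto the object and returns the platform's own error text, so an unknown operation and a known one with wrong parameters answer differently; the allow-listed dispatcher only reaches WSDL-listed operations and answers every failure identically.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
EXPOSED = frozenset(["GetToken", "AuthenticateUser"])  # what the WSDL describes

class AccountService:
    """Hypothetical service object; only the two EXPOSED methods are meant to be public."""
    def GetToken(self, arg):
        return "token-for-%s" % arg
    def AuthenticateUser(self, arg):
        return "auth:%s" % arg
    def SetPassword(self, user, password):  # admin function, two parameters
        return "password changed for %s" % user
    def DebugDumpUsers(self, arg):          # hypothetical debug function
        return "ALL USER RECORDS"

def envelope(method_name, arg="a"):
    """The request body from the 'Calling Web Methods' slide, as UTF-8 bytes."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="%s"><soap:Body>'
            '<%s xmlns="tns">%s</%s></soap:Body></soap:Envelope>'
            % (SOAP_NS, method_name, arg, method_name)).encode("utf-8")

def operation_from_envelope(xml_bytes):
    """Return (local name, text) of the first soap:Body child."""
    op = ET.fromstring(xml_bytes).find("{%s}Body" % SOAP_NS)[0]
    return op.tag.split("}")[-1], (op.text or "")

def dispatch_automagic(service, xml_bytes):
    """Weak: any attribute name is looked up and called; platform errors are returned."""
    name, arg = operation_from_envelope(xml_bytes)
    method = getattr(service, name, None)
    if method is None:
        return "fault: No such operation '%s'" % name  # tells the caller: does not exist
    try:
        return method(arg)
    except TypeError as exc:
        return "fault: %s" % exc                       # tells the caller: exists

def dispatch_allowlisted(service, xml_bytes):
    """Hardened: WSDL-listed operations only; every failure yields the same fault."""
    name, arg = operation_from_envelope(xml_bytes)
    if name not in EXPOSED:
        return "fault: request could not be processed"
    try:
        return getattr(service, name)(arg)
    except Exception:  # log the detail server-side, never return it
        return "fault: request could not be processed"
```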
14. Web Method Searching (For Bugs?)

   No such operation 'get' at
   org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179) at
   org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323) at
   coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54) at
   org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at
   org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at
   org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at
   org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453) at
   org.apache.axis.server.AxisServer.invoke(AxisServer.java:281) at
   org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699) at
   ...
   coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78) at
   jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91) at
   jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at
   jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257) at
   jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541) at
   jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204) at
   jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318) at
   jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426) at
   jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264) at
   jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

15. Web Method Searching (For Bugs?)
   - DirectoryException: cannot automatically create subdirectory http: at
   - <result xsi:type="xsd:string">null not in database (yet)</result>
   - /home/sites/site66/web/_webservices/includes/nusoap/nusoap.php on line 3778
     Warning: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)
   - <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring
   - SQL syntax errors

16. Web Method Search Tool
   - Automated execution of the dictionary attack with supplied wordlists
   - Analysis of responses against configurable response elements
     - A response may match more than one element
     - Supports multiple weightings

17. Web Method Search Tool
   - Demonstration
     - http://www.sift.com.au/73/0/tools.htm

18. Workarounds and Mitigating Strategies
   - Security through obscurity does not work
     - Do not keep web methods secret, because they will not remain secret
   - Input validation

19. XML Port Scanning
   - Everyone loves XML
     - It has become the standard for information exchange
   - Ubiquitous support by all vendors and platforms
   - Firewalls block most traffic at the perimeter
     - Except maybe 80 and 443
   - Can we get behind the firewall to scan?
     - Maybe if we ask nicely

20. Traditional Port Scan (diagram)

21. Document Type Definition
   - Allows you to define the valid elements of an XML document
   - Can dynamically build a DTD using references to external DTD definitions
   - Can define external entities that can be used within the XML document

22. XML Parser Abuse
   - Abuse the ability of XML parsers to dereference external sources
   - Use DTD elements to get the parser to initiate connections on our behalf
   - The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1:

     <!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>
     <scan>&test;</scan>

23. Analyse Responses
   - We can infer the result of the attempted connection from the XML parser's response
     - Closed ports result in a connection refused error
     - Open ports that respond to an HTTP request result in other errors or no error at all
     - Filtered ports, no such target, or open ports that do not respond to an HTTP request result in a timeout
   - Can only scan one port per XML document
   - Cycle through all target ports and systems

24. Applicability
   - This attack can be launched against XML endpoints
   - Cannot be used directly against SOAP
     - SOAP explicitly disallows DTDs
   - Potential targets
     - AJAX APIs
     - XML document inputs
     - Encoded XML within SOAP parameters

25. Impacts
   - Port scanning of systems in your DMZ
   - Effectively transports the scanning to the parser
     - You can see whatever the XML parser can see
   - Firewalls won't help you
     - XML is valid traffic
     - SSL protects the attack traffic

26. XML Port Scan (diagram)

27. XML Port Scanning
   - Demonstration

28. Workarounds and Mitigating Strategies
   - Disable external entity elements
     - Or define the allowed external elements
   - Prohibit DTDs
   - Exception handling that does not return error messages or details
     - Still allows timeouts to be detected
       - So some open ports can be detected
       - Closed ports return quickly
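Added example, not from the slides: the probe document from "XML Parser Abuse" parsed with Python's standard-library `xml.sax` (expat) under the weak setting and under the two mitigations from slide 28, showing which configuration makes the parser ask for `http://192.168.1.1:22/` at all. `RecordingResolver` is a constructed stand-in for the network so nothing is connected to; its `reachable` flag models the open/closed port distinction from "Analyse Responses", and `NoDtd` is one way, not the only one, to prohibit DTDs with this parser.

```python
import io
import xml.sax
from xml.sax import handler, SAXParseException

# The probe document from the slides: the entity's SYSTEM identifier names the
# host and port the parser connects to when it dereferences the entity.
PROBE_XML = (b'<?xml version="1.0"?>\n'
             b'<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>\n'
             b'<scan>&test;</scan>')

class RecordingResolver(handler.EntityResolver):
    """Constructed stand-in for the network: records every URL the parser asks
    for; 'reachable' hands back content, otherwise it fails like a refused connect."""
    def __init__(self, reachable=True):
        self.reachable, self.requested = reachable, []
    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        if not self.reachable:
            raise ConnectionRefusedError(systemId)  # closed port
        return io.BytesIO(b"<probe-result/>")       # open port answering HTTP

class DtdRejected(Exception):
    """Raised by the hardened configuration on any DOCTYPE declaration."""

class NoDtd(object):
    """Lexical handler: expat reports the DOCTYPE before resolving any entity,
    so failing here prohibits DTDs outright (and external entities with them)."""
    def startDTD(self, name, public_id, system_id):
        raise DtdRejected("DOCTYPE %r not allowed" % name)
    def endDTD(self): pass
    def comment(self, text): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

def parse_probe(xml_bytes, external_entities, allow_dtd=True, reachable=True):
    """Parse under one configuration; return (URLs requested, error class name or None)."""
    parser = xml.sax.make_parser()
    resolver = RecordingResolver(reachable)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(handler.ContentHandler())
    # Weak setting: True lets the parser dereference external general entities.
    parser.setFeature(handler.feature_external_ges, external_entities)
    if not allow_dtd:
        parser.setProperty(handler.property_lexical_handler, NoDtd())
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except (SAXParseException, DtdRejected, OSError) as exc:
        return resolver.requested, type(exc).__name__
    return resolver.requested, None
```

With external entities enabled the parser requests the URL and the error differs between the reachable and refused cases, which is the side channel the slides describe; with the feature disabled or DTDs rejected no request is made.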
29. Structured Testing
   - Web services are popular
     - So is testing their security
   - However, no structured framework exists
     - i.e. no OWASP (although some OWASP projects touch on web services)
   - Security testing must be structured to be useful

30. Structured Testing Framework
   - Threat Modelling
   - Scoping
   - Test Planning
   - Test Execution
   - Reporting

31. Testing Categories
   - Information Gathering
   - Fuzzing
   - Injection
   - Confidentiality & Integrity
   - Logging
   - Logic Flaws
   - Authentication & Authorisation
   - Availability

32. Questions?

33. Teaching a New Dog Old Tricks: Web Services
   Colin Wong [colin.wong@sift.com.au]
   Daniel Grzelak [daniel.grzelak@sift.com.au]
   RUXCON '06