Pentesting With Web Services in 2012


Published on

This will be a brief discussion on Pen Testing Web Services in 2012, though OWASP have testing guides which describes various methods and tools for performing black box and white box security testing on web services but they’re all outdated. The key points of the presentation will revolve around how to pen test web services, what are the pre-requisites, methodology, tools used, etc.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Pentesting With Web Services in 2012

  1. 1. PEN-TESTING WEB SERVICES IN 2012 Ishan Girdhar
  2. 2. Why Attack Web Services?  Secondary Attack Vector  Ability to pass controls in the application  Many developers don’t implement proper controls  Installed outside the protection within the web application  Assumed that only client for a web service is another application.
  3. 3. Web Services and OSI layers     Implemented by adding XML into layer 7 Applications (HTTP) SOAP – Simple Object Access Protocol Think of SOAP like you would think of SMTP. It’s a message envelope and you need to get a response.
  4. 4. Differences in Web Service Standards    Some Developer departure from XML based SOAP to RESTful Services like JSON REST (Representational State Transfer) use HTTP Methods (GET,POST,PUT, DELETE) However:    Soap based services are complex for a reason! Many custom applications use them in enterprise applications Large Services still use SOAP:  Amazon EC2, PayPal, Microsoft Azure are few example.
  5. 5. The Web Service Threat Model         Web Service in Transit Is data being protected in transit? SSL What type of authentication is used? Basic Authentication != Secure Web Service Engine Web Service Deployment Web Service User Code
  6. 6. Web Services State of the Union  There are issues with         Scoping Tools Testing Process Methodology Testing Techniques Education Testing Environment Basically, It’s all broken
  7. 7. Penetration testers don’t know what to do with web services     How do you scope? Do you even ask the right scoping questions? Where do you begin? How Do I test thing?  Automated v/s Manual Testing ?  Black v/s Grey v/s white box testing?
  8. 8. Why is the testing methodology broken?  OWASP Web Service Testing Guide v3     It’s good for Web Application Testing “in general” It’s the “Gold Standard” It’s outdated in regards to web service testing Missing full coverage based on a complete threat model   Testing focused on old technology   Examples: MiTM, Client Side Storage, Host Based Authentication Example: No Mention of WCF Services, how to test multiple protocol. Most Testing Standard uses Grey Box Techniques, Fails to address unique web service requirements.
  9. 9. Current Tools   They Suck  Mostly Commercial Tools Available. (For Developers, very little security focus)   Very Little Automation    soupUI, WCF Storm, SOA Cleaner Tester’s time spend in configuring tool and getting them running, less hacking. Minimal Amount of re-usability. Multiple tools built from ground up    Missing features Missing functionality (payloads) Community Support?
  10. 10. Current Tools     What happened to Webscarab ? WS-Digger? No SSL? There are other tools but many are hard to configure or just don’t work properly. SOAP Messages written by Hand (THIS REALLY SUCKS!) ~ 14 Modules in Metasploit for web services
  11. 11. Webscarab – Web Service Module
  12. 12. WSDigger
  13. 13. WSScanner
  14. 14. What are we using?  SoupUI combined with Burp Suite are Bomb.  Still   Could be better There are very good Burp Suite Plugins by Ken Johnson as well:
  15. 15. Screenshots of soupUI & Burp
  16. 16. Screenshots of soupUI & Burp
  17. 17. Screenshots of soupUI & Burp
  18. 18. Lack of testing Environment    Ok. Fine. I have understood how to test Web Services, but where can I test it? On Production Systems … wait, what? I’ll build my own testing environment .. Wait, what?
  19. 19. The SOAP Envelope Format
  20. 20. Web Services Fingerprinting  Google Hacking for exposed WSDLs  Filetype: asmx  Filetype:Jws  Filetype:WSDL   Searches for Microsoft Silverlight XAP Files Shodan search for exposed web service management Interfaces
  21. 21. The Importance of Web Service Management Interfaces  If these interfaces are an attacker could:    How about weak and default password?    Control the system that has the web services deployed. Why bother even testing the web services at this point?? Most organizations this is their biggest risk Pass-the-Has Administration Interfaces    Axis2 SAP Business Objects 2010 Metasploit module created for this
  22. 22. Web Services Threat       Microsoft Silverlight Client Side Applications that can use web services SOAP or REST Can we WCF (Windows Communication Foundation) Services Attacker can directly interface with the web services.. Really no need for the client Security Depends on the configuration of the services!
  23. 23. New Web Service Attacks     by Andreas Flakenberg Catalogs most (if not all) attacks for modern SOAP and BPEL web services SOAP request to web services that provide content to the web app AJAx, Flash and Microsoft Silverlight add to the complexity.
  24. 24. New Advancements     Client Side applications like Microsoft Silverlight. Increased complexity with AJAX and flash implementations Multiple Web services being used within applications Organization exposing web services for mobile applications.
  25. 25. BPEL     WS-BPEL Web Service Business Execution Language (BPEL)r Separates the business process from the implementation logic Usually a white box approach is required to understand the business login fully.
  26. 26. Scoping a Web Service Pentest    Pre-Engagement Scoping is CRITICAL! Not only for pricing but for proper testing Question such as:       What type of framework bieng used? (WCF, Apache Axis, Zend) Types of services (SOAP , REST) What type of data do the web service use? SOAP Attachment support? Can you provide multiple SOAP request that show full functionality? There Are MANY more questions. Our White has full list. 
  27. 27. Tools     soupUI Burp Ws-Attacker For dotnet web services:  WsKnight  Ws-digger
  28. 28. Further Resources  Real world web services testing for web hackers  By  Web Service Security Testing Framework  By  Joshua, Tom and Kevin (Blackhat USA 2011) Colin Wong and Daniel Grzelk Web Services Hacking And Hardening  Adam Vincent, Sr. Federal Solutions Architect
  29. 29. Questions … Presented by: Ishan Girdhar Infosec Consultant Twitter: ishan_girdhar