Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
 

The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating the technology into their products, giving increased power and interoperability to their customers. However, the power web services enable also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of the vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will then describe the existing security standards and technologies that target web services (i.e., WS-Security), including their history, pros and cons, and current status. Finally, we will attempt to extrapolate the future of this space to determine what changes must be made going forward.

Praetorian's goal is to help our clients understand and minimize their overall security exposure and liability. Through our services, your organization can obtain an accurate, independent security assessment.


  • Threat Modeling © 2009 Praetorian. All rights reserved. According to BSIMM, all 9 organizations surveyed include security activities in the design phase; however, these are companies such as Microsoft, Google, Adobe, etc., where a real and concerted effort is being made in the way of software security. Most of the focus by organizations, vendors, and service providers is on backend security controls in the development and testing phases, such as code reviews (static analysis) or application penetration tests (dynamic analysis). This is odd considering the cost-benefit analysis graph presented earlier.
  • Web Service Security © 2009 Praetorian. All rights reserved. The first generation of Web applications was largely about delivering non-interactive content, i.e. publishing non-interactive HTML pages. For example, many applications simply operated in client/server mode and rendered HTML pages to send across the internet to browsers. The second generation of Web applications was about creating applications usable over the Web. E-commerce is an example: you can go to http://www.barnesandnoble.com/, select books, order them and pay for them. This second generation also includes a more scalable back-end (e.g. WinDNA architecture) and a richer UI (e.g. DHTML and ActiveX). However, useful though they may be, the second generation largely resulted in application islands on the Web. Yes, there are hyperlinks between sites, but for the most part, the actual applications at different sites do not interact. The third generation of Web applications uses Web protocols and XML throughout to allow better integration between services on the Web. Protocols such as XML and SOAP allow you to create Web Services, enabling people and companies to easily create integrated applications.
  • SOAP = Simple Object Access Protocol. UDDI = Universal Description, Discovery and Integration, a directory of web services. WSDL = Web Services Description Language, which describes how to use the web service when communicating via SOAP.
  • The idea here is that the server on the bottom is using web services to communicate with disparate systems using a common language.
  • Here the parameters in the SOAP envelope have been injected with SQL to bypass authentication by always returning true, i.e. SELECT * FROM UserTable WHERE username='administrator' AND password='' OR '1'='1';
  • Error & Exception Handling Logging & Auditing
  • WS-Security enhances SOAP by providing these mechanisms and more; we'll look at each mechanism in the following slides.
  • A high-level overview of WS-Security. The important point here is that it sits on top of the standard web services architecture to provide security, reliability and transactions.

Presentation Transcript

  • Web Services Security. Nathan Sportsman, Founder and Chief Executive Officer. Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • Agenda
    – Web Service Introduction
    – Web Service Vulnerabilities
    – Web Service Countermeasures
  • Introduction
  • How Did We Get Here?
    – 1st Generation: Static HTML (HTML)
    – 2nd Generation: Web Applications (HTML)
    – 3rd Generation: Web Services (SOAP / XML)
  • Web Services Are
    – "…a software system designed to support interoperable machine-to-machine interaction over a network." (W3C)
    – Capable of connecting to external computing resources
      – Supply chain infrastructure
      – Outsourced computing infrastructure
  • Web Services Primer
    – Built on existing and emerging standards
      – HTTP, XML, SOAP, UDDI, WSDL, WS-*…
    – Capabilities
      – Loosely coupled
      – Language neutral
      – Platform and transport independent
      – Interoperability
    – (Diagram: a Service Broker hosting UDDI, a Client, and a Service Provider; WSDL is exchanged with the broker, and the Client invokes the Service Provider over SOAP.)
  • Web Service Interoperability Example
    – (Diagram: three systems, each exposing a Web Service: an Embedded device (C++ on Linux/ARM), a Financial Transaction Gateway (C on AIX/PowerPC), and Billing Services (Java on NT/X86).)
  • Web Service Vulnerabilities
  • Attack Taxonomies
    – Spoofing
    – Tampering
    – Repudiation
    – Information Disclosure
    – Denial of Service
    – Escalation of Privileges
  • Web Services Vulnerabilities
    – Existing and emerging vulnerabilities apply
      – Brute Force
      – Information Disclosure
      – SQL Injection
      – LDAP Injection
      – Session Hijacking
      – Denial of Service (DoS)
      – Buffer Overflows
      – Cross Site Scripting
      – XML Injection
      – XPATH Injection
      – WSDL Manipulation
      – DoS (intensive XML load)
      – …
  • SQL Injection
    – Possible when user input provided through a web service is used in queries to a backend database
    – Example request (the password field carries the injected SQL):

      <?xml version="1.0" encoding="utf-8" standalone="no" ?>
      <SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
          xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
          xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Body>
          <SOAPSDK4:MethodName xmlns:SOAPSDK4="http://urltoapp/…">
            <SOAPSDK4:username>administrator</SOAPSDK4:username>
            <SOAPSDK4:password>' OR '1'='1</SOAPSDK4:password>
          </SOAPSDK4:MethodName>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
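The slide's login request carried end to end, as an added example that is not part of the original presentation: the SOAP body is parsed, and the same credentials are checked once by string concatenation (the slide's vulnerable query) and once with bound parameters. The method name, namespace URI and the in-memory sqlite table are assumptions made for this example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed SOAP login request modelled on the slide; the Login method,
# its namespace and the field names are assumptions for this example.
SOAP_REQUEST = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:Login xmlns:m="http://urltoapp/example">
      <m:username>administrator</m:username>
      <m:password>' OR '1'='1</m:password>
    </m:Login>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "m": "http://urltoapp/example"}


def parse_login(envelope: str) -> tuple:
    """Pull the username and password text out of the SOAP body."""
    root = ET.fromstring(envelope)
    method = root.find("soap:Body/m:Login", NS)
    return (method.findtext("m:username", "", NS),
            method.findtext("m:password", "", NS))


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the slide's UserTable (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('administrator', 'correct-horse')")
    return db


def login_vulnerable(db, username: str, password: str) -> bool:
    # Concatenation: the quote in the password closes the literal and the
    # trailing OR '1'='1' makes the WHERE clause true for every row.
    sql = ("SELECT * FROM UserTable WHERE username='" + username
           + "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username: str, password: str) -> bool:
    # Bound parameters: values travel separately from the statement, so the
    # payload is compared literally as a (wrong) password.
    sql = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None
```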
  • Buffer Overflow
    – Not as prevalent except on older legacy systems and embedded devices written in unmanaged code
    – Large string parameters extending beyond allocated memory
    – No bounds checking

      <SOAP-ENV:Envelope>
        <SOAP-ENV:Body>
          <parameter1>lkasdllkdlfa;jkia;refjeoinveroinanlekrngaerinrlgerinreglnag linealinrglanirnaocnilrncoraeincelrgfnerginegnoeingerongoer ingeg…</parameter1>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
  • XML Injection
    – External input is not validated and is passed in an XML stream parsed by second-tier software
    – Alters the XML structure by injecting malicious data
    – John Smith escalates privileges by changing his User ID from 100 to 0:

      <MyRec>
        <UserId>100</UserId>
        <Username>jsmith</Username><Uid>0</Uid><Username>jsmith</Username>
      </MyRec>
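The slide's MyRec record built three ways, as an added example that is not part of the original presentation: by concatenation (the injected tags become structure), with XML escaping, and through an XML library. A minimal stand-in for strict schema checking rejects the smuggled element. The record layout and the username value are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed input: the username John Smith submits, carrying the tag
# sequence from the slide that closes Username and smuggles in a Uid of 0.
INJECTED_NAME = "jsmith</Username><Uid>0</Uid><Username>jsmith"
EXPECTED_CHILDREN = ["UserId", "Username"]


def build_record_vulnerable(user_id: int, username: str) -> str:
    # String concatenation: attacker-supplied text becomes XML markup.
    return f"<MyRec><UserId>{user_id}</UserId><Username>{username}</Username></MyRec>"


def build_record_escaped(user_id: int, username: str) -> str:
    # Escaping <, > and & turns the payload into inert character data.
    return f"<MyRec><UserId>{user_id}</UserId><Username>{escape(username)}</Username></MyRec>"


def build_record_tree(user_id: int, username: str) -> str:
    # Or let the XML library build the tree; it serialises text safely.
    rec = ET.Element("MyRec")
    ET.SubElement(rec, "UserId").text = str(user_id)
    ET.SubElement(rec, "Username").text = username
    return ET.tostring(rec, encoding="unicode")


def child_tags(xml_doc: str) -> list:
    """Element names directly under MyRec, as the second tier would see them."""
    return [child.tag for child in ET.fromstring(xml_doc)]


def username_text(xml_doc: str) -> str:
    """Text of the first Username element after parsing."""
    return ET.fromstring(xml_doc).findtext("Username")


def matches_schema(xml_doc: str) -> bool:
    # Minimal stand-in for strict schema validation: exactly the expected
    # children, each once and in order, so a smuggled <Uid> is rejected.
    return child_tags(xml_doc) == EXPECTED_CHILDREN
```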
  • XPATH Injection
    – Similar to a SQL injection attack
    – Information is stored in and retrieved from an XML document instead of a relational database

      //users/user[LoginID/text()= or 1=1 and password/text()= or 1=1]
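How the slide's login XPath can be built without letting input change its structure, as an added example that is not part of the original presentation: XPath 1.0 has no escape character, so untrusted text is wrapped as a literal (using concat() when it contains both quote kinds) and the login field is additionally allowlisted. The payload string and the login-ID pattern are constructed for this example.

```python
import re

# Constructed payload in the spirit of the slide's "or 1=1" predicate.
PAYLOAD = "' or 1=1 or ''="


def build_query_vulnerable(login: str, password: str) -> str:
    # Untrusted text is pasted straight into the XPath predicate.
    return f"//users/user[LoginID/text()='{login}' and password/text()='{password}']"


def xpath_literal(value: str) -> str:
    """Wrap untrusted text as an XPath 1.0 string literal.

    A value with no single quote is single-quoted, one with no double quote
    is double-quoted, and one containing both is split on single quotes and
    rejoined with concat(), since XPath 1.0 cannot escape a quote."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def build_query_safe(login: str, password: str) -> str:
    # Both values are compared as literals; the predicate structure is fixed.
    return (f"//users/user[LoginID/text()={xpath_literal(login)}"
            f" and password/text()={xpath_literal(password)}]")


# Default-deny allowlist for the login field (assumed character set).
LOGIN_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_login_id(login: str) -> bool:
    return LOGIN_ID_RE.fullmatch(login) is not None
```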
  • Denial of Service
    – XML parsing can be expensive
      – Extremely large / complex XML documents
      – Deeply nested tags
      – These can create extremely large memory footprints or utilize many CPU cycles

      …
      <SOAP-ENV:Body>
        <BuildNestedXMLResponse xmlns="http://someap">
          <BuildNestedXMLResult>
            <XML1>
              <XML2>
                <XML3>
                  <XML4/>
                </XML3>
              </XML2>
            </XML1>
          </BuildNestedXMLResult>
        </BuildNestedXMLResponse>
      </SOAP-ENV:Body>
      …
  • Web Services Countermeasures
  • Defense Taxonomies
    – Configuration Management
    – Authentication
    – Authorization
    – User & Session Management
    – Data Validation
    – Error & Exception Handling
    – Logging & Auditing
    – Data Protection (Storage & Transit)
  • Configuration Management
    – Internet-facing WSDLs can be found with Google hacking (filetype:wsdl inurl:wsdl)
    – Review WSDLs for dangerous or antiquated functions
    – Ensure hidden, debugging, or any non-production functions are removed before deployment
    – Make sure they are not recreated automatically
  • Authentication & Authorization
    – Can be accomplished in various ways with various protocols
    – Username/password, certificates, etc.
    – Educate yourself on the characteristics of the protocols available before deciding
  • Session Management
    – Use proven methods to generate session IDs
    – Do not reinvent the wheel and attempt to create your own
    – Utilize transport encryption to prevent eavesdropping on / modification of session data
    – Use transport and element encryption to prevent replay / injection attacks
  • Data Validation
    – Validate and sanitize all input from external sources
    – Sanitize all output of potentially malicious characters with respect to the next tier (i.e. database, XML stream, LDAP directory, etc.)
    – If possible, consider a default-deny policy with a whitelist of allowed input
  • Logging & Auditing
    – Consider using an existing logging framework
    – Centralize the location of log files
    – Ensure logs provide enough information for non-repudiation of actions
    – Do not log passwords, credit cards or other sensitive information
  • Error & Exception Handling
    – Test for DoS conditions in QA/QC procedures
    – Define and enforce data file types and sizes
    – Check document complexity before handing to the parser (XML "firewall", etc.)
    – Use strict XML schema verification
    – Create custom error messages with minimal information to be returned by web services
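The complexity check the Error & Exception Handling slide calls for, applied to the nested-tag DoS case from the Denial of Service slide, as an added example that is not part of the original presentation: the document is streamed once with size, nesting-depth and element-count limits, and rejected before any full tree is built. The limit values and the nested SOAP body generator are assumptions for this example.

```python
import io
import xml.etree.ElementTree as ET

# Limits are assumptions for this example; tune them per service.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


class XmlTooComplex(ValueError):
    """Raised when a document exceeds a configured limit."""


def check_xml_complexity(data: bytes, max_bytes: int = MAX_BYTES,
                         max_depth: int = MAX_DEPTH,
                         max_elements: int = MAX_ELEMENTS) -> dict:
    """Stream through the document, tracking depth and element count, and
    abort as soon as a limit is exceeded (no full DOM is ever built)."""
    if len(data) > max_bytes:
        raise XmlTooComplex(f"document is {len(data)} bytes, limit {max_bytes}")
    depth = max_seen = elements = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            max_seen = max(max_seen, depth)
            if depth > max_depth:
                raise XmlTooComplex(f"nesting depth {depth} exceeds {max_depth}")
            if elements > max_elements:
                raise XmlTooComplex(f"more than {max_elements} elements")
        else:
            depth -= 1
            elem.clear()  # drop finished subtrees so memory stays flat
    return {"depth": max_seen, "elements": elements, "bytes": len(data)}


def nested_body(levels: int) -> bytes:
    """Constructed SOAP body nested `levels` deep, like the slide's XML1..XML4."""
    opening = "".join(f"<XML{i}>" for i in range(1, levels + 1))
    closing = "".join(f"</XML{i}>" for i in range(levels, 0, -1))
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<SOAP-ENV:Body><BuildNestedXMLResponse><BuildNestedXMLResult>"
            f"{opening}{closing}</BuildNestedXMLResult></BuildNestedXMLResponse>"
            f"</SOAP-ENV:Body></SOAP-ENV:Envelope>").encode()


def is_safe_to_parse(data: bytes) -> bool:
    """Gate to run before the real parser; malformed XML is rejected too."""
    try:
        check_xml_complexity(data)
        return True
    except (XmlTooComplex, ET.ParseError):
        return False
```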
  • Data Protection (In Storage & Transit)
    – Two mechanisms for encryption: SSL and WS-Security
    – Disadvantages of WS-Security
      – Harder, more complex to implement (easier to do wrong)
      – Larger attack surface (attacker has a lot more to play with) vs. SSL with client certificates
      – Only explicitly encrypted / signed data are protected
    – Advantages of WS-Security
      – Offers end-to-end security (instead of point-to-point)
      – Transport agnostic
      – No longer an all-or-nothing approach
      – Less overhead, especially in stateless web services (debatable)
  • SSL
    – Well understood and vetted technology
    – Provides the functionality needed for most web service deployments
    – Who is implementing SSL?
      – ISVs adding a web service interface to their product (SSL)
      – Internet companies exposing part of their service through a web interface for consumption (SSL)
      – Internally distributed applications previously using older technologies for inter-application communication (SSL)
    – * By far the majority of engagements, products, and web services we've seen implement an SSL solution
  • WS-Security
    – Enhances SOAP
      – Provides a framework for message integrity and confidentiality
      – Token type-, encryption scheme-, and signature scheme-agnostic
    – Associates security tokens with messages
    – Message integrity provided by XML Digital Signatures in conjunction with security tokens
    – Message confidentiality provided by XML Encryption in conjunction with security tokens
    – Describes a mechanism to encode binary security tokens
      – X.509 certificates, Kerberos, opaque encrypted keys
    – Who is implementing?
      – B2B applications for company-to-company exchange
  • How WS-Security Fits in the Web Service Stack
    – (Diagram, top to bottom: Extended: Management, Portals; Capabilities: Composition/Orchestration; Secure, Reliable, Transactions: WS-Security, Reliable Messaging, Transaction; Endpoint identification, Publish/Subscribe; Foundation: Description (XML Schema, WSDL, UDDI, Attachments), Invocation (XML, SOAP), Transport (HTTP, HTTPS).)
  • Misconceptions
    – Web services do not share some of the same vulnerabilities of web applications
    – WS-Security is all you need to solve security concerns within web services
    – XML firewalls and other technologies will protect against all WS attacks
  • Integrate a Secure Development Lifecycle
    – Security Requirements
      – Set requirements to meet security objectives
    – Threat Modeling
      – Identify issues at the time of design
      – Assist in other phases of the development life cycle
    – Code Review
      – Identify issues at the time of implementation
      – Static vs. dynamic analysis
      – Manual and automated tools
    – Penetration Testing
      – Black box vs. white vs. grey box testing
      – Manual and automated tools
  • Web Services Security. Nathan Sportsman, Founder and Chief Executive Officer