AppSec 2007 - .NET Web Services Hacking

    Presentation Transcript

    • .NET Web Services Hacking – Scan, Attacks and Defense. Shreeraj Shah, Founder & Director, Blueinfy. [email_address], 91+987-902-7018
    • Who am I?
      • Founder & Director
        • Blueinfy Solutions Pvt. Ltd. (Brief)
      • Past experience
        • Net Square, Chase, IBM & Foundstone
      • Interest
        • Web security research
      • Published research
        • Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
        • Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, wsChess etc.
        • Advisories - .Net, Java servers etc.
      • Books (Author)
        • Hacking Web Services (Thomson 2006)
        • Web Hacking (AWL 2003)
        • Web 2.0 Security (Work in progress)
      http://shreeraj.blogspot.com [email_address] Tools – http://www.blueinfy.com/tools.html
    • Agenda
      • Web Services in an era of Web 2.0
      • .NET Web Services Assessment Methodology
        • Footprinting and Discovery
        • Enumeration, Profiling and Fingerprinting
        • Attack Vectors
        • Scanning and Fuzzing
      • .NET Web Services Defense Methodology
        • Code Scanning & Secure Coding
        • Web Services Firewall (Content Filtering)
      • Conclusion
    • Web Services on the rise with Web 2.0
      • 80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey 2007 Global Survey)
      • By the end of 2007, 30 percent of large companies will have some kind of Web 2.0-based business initiative up and running. (Gartner)
      • In 2008 Web Services and Service-Oriented Architecture (SOA) would surge ahead. (Gartner)
    • Web Services and Web 2.0 [diagram: browser-side HTML / JS / DOM, RIA (Flash) and Ajax, talking over the Internet to Web Services that front a blog, local application, database, authentication, weather, news, documents, emails, bank/trade and RSS feeds]
    • Consuming Web Services [diagram: browser side (widget, DOM, HTML/CSS, JavaScript, Ajax, Flash / RIA) over HTTP(S) to server-side Open APIs, SaaS and services; protocols SOAP, XML-RPC, JSON-RPC and REST; structures XML and JSON]
    • Methodology [diagram: blackbox path Footprinting & Discovery → Enumeration & Profiling → Vulnerability Detection; whitebox path Code / Config Scanning; Defense & Countermeasure through Web Services Firewall and Secure Coding, taking Insecure Web Services to Secure Web Services]
    • Footprinting and Discovery
      • Objective: Discovering Web Services running on the application's domain.
      • Methods
        • Primary discovery
          • Crawling and spidering
          • Script analysis and page scrubbing
          • Traffic analysis
        • Secondary discovery
          • Search engine queries
          • UDDI scanning
    • Primary Discovery
      • Crawling the application and mapping file extensions and directory structures, e.g. “.asmx”
      • Page scrubbing – scanning pages for paths and resources, such as Atlas back-end calls to Web Services.
      • Recording traffic while browsing and spidering, looking for XML-based traffic – it leads to XML-RPC, REST, SOAP and JSON calls.
    • Primary Discovery - Demos
      • Page scanning with grep – Look in JavaScripts for URLs, Paths etc.
      • Crawling – Simple!
      • Scanning for Atlas references – Framework creates stubs and proxy. – scanweb2.0/scanatlas
      • Urlgrep can be used as well.
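      The page-scrubbing and traffic-analysis steps from the two Primary Discovery slides above, as an added Python example that is not from the deck and not the scanweb2.0/scanatlas or urlgrep tools it mentions. The HTML/JS fragment and the host names app.example.test and api.example.test are constructed; the endpoint hints (.asmx, .ashx, .svc, ?WSDL, /rpc/, /rest/) and the Atlas `.asmx/js` proxy path are the patterns a grep over the page material should look for, and `classify_traffic` labels a recorded body by the protocol it carries.

```python
import json
import re
from urllib.parse import urljoin

# Constructed page fragment (assumption): an ASP.NET page that references an Atlas
# ServiceReference, its generated JS proxy, a hand-written SOAP call and a JSON handler.
SAMPLE_PAGE = """
<asp:ScriptManager runat="server">
  <Services><asp:ServiceReference Path="~/services/Account.asmx" /></Services>
</asp:ScriptManager>
<script src="/services/Account.asmx/js"></script>
<script>
  var wsdl = "http://app.example.test/ws/Trade.asmx?WSDL";
  xhr.open("POST", "/ws/Trade.asmx/GetQuote", true);
  xhr.setRequestHeader("SOAPAction", "http://tempuri.org/GetQuote");
  $.ajax({url: "/rpc/json.ashx", type: "POST", contentType: "application/json"});
  fetch("http://api.example.test/rest/orders/1234");
</script>
"""

# Quoted strings that look like absolute URLs, absolute paths or ASP.NET "~/" app paths.
_QUOTED = re.compile(r'["\']((?:https?://|~?/)[^"\'\s<>]+)["\']')
# Hints that a path is a service endpoint rather than an ordinary page.
_WS_HINT = re.compile(r'\.asmx|\.ashx|\.svc|[?&]wsdl\b|/rpc/|/rest/', re.I)


def scrub_endpoints(page, base_url):
    """Page scrubbing: return the distinct absolute service URLs referenced by HTML/JS."""
    found = set()
    for raw in _QUOTED.findall(page):
        if _WS_HINT.search(raw):
            path = raw[1:] if raw.startswith("~") else raw  # "~/x" is app-root relative
            found.add(urljoin(base_url, path))
    return sorted(found)


def classify_endpoint(url):
    """Rough label for what a discovered URL exposes."""
    u = url.lower()
    if re.search(r'[?&]wsdl\b', u):
        return "WSDL"
    if u.endswith(".asmx/js") or u.endswith(".asmx/jsdebug"):
        return "Atlas JS proxy"       # ASP.NET AJAX serves the client stub here
    if ".asmx" in u:
        return "ASMX SOAP service"
    if ".svc" in u:
        return "WCF service"
    if ".ashx" in u or "/rpc/" in u:
        return "handler / RPC"
    if "/rest/" in u:
        return "REST"
    return "unknown"


def classify_traffic(content_type, body):
    """Traffic analysis: label a recorded request/response body by the protocol it carries."""
    ct = content_type.split(";")[0].strip().lower()
    head = body.lstrip()[:200]
    if ct == "application/soap+xml" or ("Envelope" in head and "soap" in head.lower()):
        return "SOAP"
    if "<methodCall" in head or "<methodResponse" in head:
        return "XML-RPC"
    if ct == "application/json" or head.startswith(("{", "[")):
        try:
            json.loads(body)
            return "JSON"
        except ValueError:
            return "JSON-like (not valid JSON)"
    if ct in ("text/xml", "application/xml") or head.startswith("<"):
        return "XML (REST/POX)"
    return "other"


if __name__ == "__main__":
    for ep in scrub_endpoints(SAMPLE_PAGE, "http://app.example.test/"):
        print(f"{classify_endpoint(ep):18} {ep}")
```

      Run it over a crawler's saved pages and the recorded proxy log; each hit is a candidate for the WSDL and profiling step that follows.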
    • Secondary Discovery
      • Searching a UDDI server for Web Services running on a particular domain.
        • Three tactics for it – by business, by service or by tModel.
      • Running queries against search engines like Google or MSN with extra directives like “inurl” or “filetype”
        • Look for “asmx”
      • wsScanner – Discovery!
    • Enumerating and Profiling
      • Fingerprinting .Net framework and Client side technologies – Dojo or Atlas …
      • Scanning WSDL
        • Looking for Methods
        • Collecting In/Out parameters
        • Security implementations
        • Binding points
        • Method signature mapping
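      The WSDL-scanning step above (methods, in/out parameters, binding points, method signature mapping) plus the .NET fingerprinting bullet, as an added Python example that is not from the deck or from wsScanner. The WSDL is constructed in the shape the ASMX generator emits; the service name Account, its two operations and the host app.example.test are assumptions. tempuri.org is the namespace the .NET template uses when a developer never sets one, so the fingerprint treats it as a hint, not proof.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
      "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
      "s": "http://www.w3.org/2001/XMLSchema"}

# Constructed WSDL (assumption) in the layout the .NET ASMX generator produces.
SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions targetNamespace="http://tempuri.org/"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:s="http://www.w3.org/2001/XMLSchema"
  xmlns:tns="http://tempuri.org/">
  <wsdl:types><s:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/">
    <s:element name="GetBalance"><s:complexType><s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="accountId" type="s:string"/></s:sequence></s:complexType></s:element>
    <s:element name="GetBalanceResponse"><s:complexType><s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="GetBalanceResult" type="s:decimal"/></s:sequence></s:complexType></s:element>
    <s:element name="AdminResetPassword"><s:complexType><s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="userName" type="s:string"/>
      <s:element minOccurs="0" maxOccurs="1" name="newPassword" type="s:string"/></s:sequence></s:complexType></s:element>
    <s:element name="AdminResetPasswordResponse"><s:complexType><s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="AdminResetPasswordResult" type="s:boolean"/></s:sequence></s:complexType></s:element>
  </s:schema></wsdl:types>
  <wsdl:message name="GetBalanceSoapIn"><wsdl:part name="parameters" element="tns:GetBalance"/></wsdl:message>
  <wsdl:message name="GetBalanceSoapOut"><wsdl:part name="parameters" element="tns:GetBalanceResponse"/></wsdl:message>
  <wsdl:message name="AdminResetPasswordSoapIn"><wsdl:part name="parameters" element="tns:AdminResetPassword"/></wsdl:message>
  <wsdl:message name="AdminResetPasswordSoapOut"><wsdl:part name="parameters" element="tns:AdminResetPasswordResponse"/></wsdl:message>
  <wsdl:portType name="AccountSoap">
    <wsdl:operation name="GetBalance"><wsdl:input message="tns:GetBalanceSoapIn"/><wsdl:output message="tns:GetBalanceSoapOut"/></wsdl:operation>
    <wsdl:operation name="AdminResetPassword"><wsdl:input message="tns:AdminResetPasswordSoapIn"/><wsdl:output message="tns:AdminResetPasswordSoapOut"/></wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="AccountSoap" type="tns:AccountSoap"><soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetBalance"><soap:operation soapAction="http://tempuri.org/GetBalance" style="document"/></wsdl:operation>
    <wsdl:operation name="AdminResetPassword"><soap:operation soapAction="http://tempuri.org/AdminResetPassword" style="document"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="AccountSoap12" type="tns:AccountSoap"><soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/></wsdl:binding>
  <wsdl:service name="Account">
    <wsdl:port name="AccountSoap" binding="tns:AccountSoap"><soap:address location="http://app.example.test/services/Account.asmx"/></wsdl:port>
    <wsdl:port name="AccountSoap12" binding="tns:AccountSoap12"><soap12:address location="http://app.example.test/services/Account.asmx"/></wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

SENSITIVE = ("admin", "debug", "test", "internal", "delete", "reset", "exec")


def _local(qname):
    return qname.split(":")[-1]          # "tns:GetBalance" -> "GetBalance"


def _params(root, element_name):
    """In/out parameters: the (name, type) pairs nested under a named schema element."""
    for el in root.iterfind(".//s:schema/s:element", NS):
        if el.get("name") == element_name:
            return [(p.get("name"), _local(p.get("type", "complex")))
                    for p in el.iterfind(".//s:element", NS)]
    return []


def fingerprint(root, endpoints):
    """Heuristic hints that the WSDL came from the .NET ASMX generator (hints, not proof)."""
    hints = []
    if root.get("targetNamespace") == "http://tempuri.org/":
        hints.append("tempuri.org default namespace (unchanged .NET template)")
    if root.find("wsdl:binding/soap12:binding", NS) is not None:
        hints.append("paired SOAP 1.1/1.2 bindings as ASMX emits")
    if any(loc and loc.lower().endswith(".asmx") for _, loc in endpoints):
        hints.append(".asmx endpoint")
    return hints


def profile_wsdl(wsdl_text):
    """Scan a WSDL: operations with in/out parameters and soapAction, binding points, fingerprint."""
    root = ET.fromstring(wsdl_text.encode("utf-8"))
    messages = {m.get("name"): _local(m.find("wsdl:part", NS).get("element"))
                for m in root.iterfind("wsdl:message", NS)}
    actions = {op.get("name"): op.find("soap:operation", NS).get("soapAction")
               for b in root.iterfind("wsdl:binding", NS)
               for op in b.iterfind("wsdl:operation", NS)
               if op.find("soap:operation", NS) is not None}
    operations = {}
    for op in root.iterfind("wsdl:portType/wsdl:operation", NS):
        name = op.get("name")
        operations[name] = {
            "soapAction": actions.get(name),
            "in": _params(root, messages[_local(op.find("wsdl:input", NS).get("message"))]),
            "out": _params(root, messages[_local(op.find("wsdl:output", NS).get("message"))]),
        }
    endpoints = []
    for port in root.iterfind("wsdl:service/wsdl:port", NS):
        addr = port.find("soap:address", NS)
        if addr is None:
            addr = port.find("soap12:address", NS)
        endpoints.append((port.get("name"), None if addr is None else addr.get("location")))
    return {"operations": operations, "endpoints": endpoints,
            "fingerprint": fingerprint(root, endpoints)}


def flag_sensitive_operations(operations):
    """Method names suggesting internal or admin functionality that the WSDL exposes."""
    return sorted(n for n in operations if any(k in n.lower() for k in SENSITIVE))


def soap_request(op_name, params, ns="http://tempuri.org/"):
    """Document/literal SOAP 1.1 request for an operation, ready for manual invocation."""
    body = "".join(f"<{n}>{v}</{n}>" for n, v in params)
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f'<{op_name} xmlns="{ns}">{body}</{op_name}></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    profile = profile_wsdl(SAMPLE_WSDL)
    for name, sig in profile["operations"].items():
        print(name, sig["in"], "->", sig["out"], sig["soapAction"])
    print(profile["endpoints"], profile["fingerprint"], flag_sensitive_operations(profile["operations"]))
```

      The signature map is what a dynamic proxy (the scanning slide later on) is built from: one `soap_request` per operation, with the in-parameters as the mutation points.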
    • Risk - In transit
      • In transit Sniffing or Spoofing
      • WS-Routing security concern
      • Replay attacks
    • Risk - Web services Engine
      • Buffer overflow
      • XML parsing attacks
      • Spoiling Schema
      • Complex or Recursive structure as payload
      • Denial of service
      • Large payload
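      The engine-level risks above (XML parsing attacks, complex or recursive structure, large payload), as an added Python example that is not from the deck: a constructed deeply nested SOAP body, and a parser wrapper that enforces a size cap, a DTD ban and a nesting-depth cap while the document streams in, before a full tree is built. The limits (64 KB, depth 32) are illustrative assumptions; on the .NET side the equivalent knobs are XmlReaderSettings (ProhibitDtd in 2.0, DtdProcessing later) and httpRuntime maxRequestLength in web.config.

```python
import xml.etree.ElementTree as ET

# Illustrative limits (assumptions); the right values depend on the service's real messages.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


class PayloadRejected(Exception):
    """Raised when a request is refused before the parser builds the full tree."""


def nested_payload(depth):
    """Constructed attack input: a GetBalance request whose accountId nests `depth` elements,
    the kind of recursive structure that exhausts a parser building a full DOM."""
    inner = "x"
    for _ in range(depth):
        inner = f"<a>{inner}</a>"
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f'<GetBalance xmlns="http://tempuri.org/"><accountId>{inner}</accountId></GetBalance>'
            '</soap:Body></soap:Envelope>')


def parse_with_limits(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse XML (bytes) incrementally, enforcing a size cap, a DTD ban and a depth cap.
    Returns the root element of an accepted document."""
    if len(data) > max_bytes:
        raise PayloadRejected(f"payload of {len(data)} bytes exceeds {max_bytes}")
    # No DTD means no internal entity expansion (the "billion laughs" class); this is
    # what .NET's XmlReaderSettings DTD prohibition does.
    if b"<!DOCTYPE" in data:
        raise PayloadRejected("DOCTYPE not allowed")
    parser = ET.XMLPullParser(events=("start", "end"))
    depth, root = 0, None
    try:
        for off in range(0, len(data), 4096):       # feed in chunks: the check is streaming
            parser.feed(data[off:off + 4096])
            for event, elem in parser.read_events():
                if event == "start":
                    depth += 1
                    root = root if root is not None else elem
                    if depth > max_depth:
                        raise PayloadRejected(f"nesting depth exceeds {max_depth}")
                else:
                    depth -= 1
        parser.close()
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc
    return root


def check_payload(data, **limits):
    """Return 'ok' or the rejection reason, for callers that only need a verdict."""
    try:
        parse_with_limits(data, **limits)
        return "ok"
    except PayloadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    for d in (5, 100):
        print(d, check_payload(nested_payload(d).encode("utf-8")))
```

      The depth counter fires on the start event, so a hostile document is refused after at most `max_depth` open tags however long its tail is; the size cap is checked on the raw bytes before any parsing.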
    • Web services Deployment - Risk
      • Fault code leaks
      • Permissions & Access issues
      • Poor policies
      • Customized error leakage
      • Authentication and Certification
    • Web services User code - Risk
      • Parameter tampering
      • WSDL probing
      • SQL/LDAP/XPATH/OS command injection
      • Virus/Spyware/Malware injection
      • Bruteforce
      • Data type mismatch
      • Content spoofing
      • Session tampering
      • Format string
      • Information leakage
      • Authorization
    • Scanning strategies
      • Manual invocation and response analysis.
      • Dynamic proxy creation and scanning.
      • Auto auditing for various vectors.
      • Fuzzing Web Services streams – XML or JSON
      • Response analysis is the key
        • Look for fault code nodes
        • Enumerating fault strings
        • Dissecting XML message and finding bits
        • Hidden error messages in JSON
    • A1 - Cross Site Scripting (XSS)
      • XSS is possible through Web Services.
      • It would be DOM-based XSS via eval().
      • A JSON-RPC stream arriving in the browser gets injected into the DOM.
      • The source of the stream can be a third party and untrusted.
      • XML streams arriving in the browser can cause XSS via a document.write call.
    • A2 - Injection Flaws
      • Web Services methods consume parameters coming from end users.
      • It is possible to inject malicious characters into the stream.
      • They can break the Web Services code and send a faultstring back to the attacker.
      • Various injections are possible – SQL and XPATH
    • A3 - Malicious File Execution
      • A malicious command can be injected through a parameter.
      • WS supports attachments as well, and that can lead to uploading a file.
      • This can give remote command execution capability to the attacker.
    • A4 - Insecure Direct Object Reference
      • Injecting characters to break file system sequences.
      • The faultcode spits out internal information if not protected.
      • Customized errors show the file references.
      • Access to internal files and full traversal of directories.
      • Inspecting methods and parameters in the profiling stage can help.
    • A5 - Cross Site Request Forgery (CSRF)
      • CSRF with XML streams
      • XML-RPC or SOAP based requests can be generated from browsers.
      • Splitting a form and XML injection is possible – an interesting trick.
      • If the Content-Type is not validated on the server, it can cause a potential CSRF.
      • XForms usage in the browser can produce XML requests for a CSRF attack.
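      The form-splitting trick from the CSRF slide above, as an added Python example that is not from the deck: it reproduces how a browser serialises a form with enctype="text/plain", shows that the resulting body is a well-formed XML-RPC call which an endpoint that ignores Content-Type will happily execute, and the check that stops it. The transfer call, the account value and the header names are constructed; the three form media types are the only ones an HTML form can produce, which is why requiring text/xml (and, for SOAP 1.1, a SOAPAction header) closes the hole.

```python
import xml.etree.ElementTree as ET

# Constructed attacker form: ONE field. Its name carries the first half of an XML-RPC call and
# its value the second half; the "=" the browser inserts between them lands inside a comment.
ATTACKER_FIELDS = [(
    '<?xml version="1.0"?><methodCall><methodName>transfer</methodName><params>'
    '<param><value><string>ATTACKER-ACCT</string></value></param>'
    '<param><value><int>5000</int></value></param></params><!--',
    '--></methodCall>',
)]

# The only media types an HTML form can submit.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def text_plain_form_body(fields):
    """What a browser sends for <form method="POST" enctype="text/plain">: one
    'name=value' line per field, CRLF-terminated, with no percent-encoding at all."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def naive_method(body):
    """An endpoint that trusts any POST body: parse it as XML-RPC and return the method called."""
    root = ET.fromstring(body.encode("utf-8"))
    return root.findtext("methodName") if root.tag == "methodCall" else None


def validate_request(headers, expected_type="text/xml", required_header=None):
    """Reject what an HTML form can produce before any XML is parsed. A real XML-RPC/SOAP
    client sends text/xml; SOAP 1.1 clients also send SOAPAction, which a form cannot add."""
    h = {k.lower(): v for k, v in headers.items()}
    ct = h.get("content-type", "").split(";")[0].strip().lower()
    if ct in FORM_TYPES or ct != expected_type:
        return False, f"unexpected Content-Type {ct or '(none)'}"
    if required_header and required_header.lower() not in h:
        return False, f"missing {required_header} header"
    return True, None


if __name__ == "__main__":
    forged = text_plain_form_body(ATTACKER_FIELDS)
    print(forged)
    print("naive endpoint would call:", naive_method(forged))
    print("validated:", validate_request({"Content-Type": "text/plain"}))
```

      The browser never percent-encodes a text/plain form, so every angle bracket survives, and since the victim's cookies ride along the forged call executes in their session on a server that dispatches on the body alone.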
    • A6 - Information Leakage and Improper Error Handling
      • SOAP based Web Services throw faultcode and faultstring back to the client.
      • Information can be embedded in them.
      • If try/catch is not well implemented, the default error from the .NET framework is returned.
      • Published vulnerabilities with information leakage provide references to files, LDAP, etc.
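      The response-analysis step from the Scanning strategies slide, the faultstrings that injection (A2) sends back and the leakage in A6 above, in one added Python example that is not from the deck or from wsScanner: a set of injection probes substituted into a SOAP request, and an analyzer that pulls faultcode/faultstring/detail out of a SOAP 1.1 fault or the Message/StackTrace/ExceptionType object that ASP.NET AJAX returns as a JSON error, then flags .NET stack traces, the default "Server was unable to process request" text, SQL/XPath/LDAP error fragments and file paths. The three responses are constructed to look like what the default .NET handlers emit; nothing was captured from a real service, and the probe list is a starting point, not a complete fuzz corpus.

```python
import json
import re
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"

# Probes substituted into each parameter (constructed; extend per target).
INJECTION_PROBES = [
    ("sql_quote", "'"),
    ("sql_tautology", "' OR '1'='1"),
    ("xpath_tautology", "' or 1=1 or ''='"),
    ("xml_break", "</accountId><accountId>"),     # breaks the parameter's own XML
    ("traversal", "..\\..\\..\\windows\\win.ini"),
    ("os_command", "; dir c:\\"),
    ("type_mismatch", "not-a-number"),
]

# Constructed responses modelled on what the default .NET handlers emit; none were captured.
DOTNET_FAULT = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at AccountService.GetBalance(String accountId) in c:\\inetpub\\wwwroot\\services\\Account.asmx.cs:line 42</faultstring>
<detail /></soap:Fault></soap:Body></soap:Envelope>"""
ATLAS_JSON_ERROR = ('{"Message":"Invalid object name \'Users\'.","StackTrace":"   at AccountService.Search(String q)",'
                    '"ExceptionType":"System.Data.SqlClient.SqlException"}')
CLEAN = ('<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
         '<soap:Body><GetBalanceResponse xmlns="http://tempuri.org/"><GetBalanceResult>2500.00'
         '</GetBalanceResult></GetBalanceResponse></soap:Body></soap:Envelope>')

LEAK_PATTERNS = {
    "dotnet_stack_trace": re.compile(r"^\s*at [\w.`<>]+\(", re.M),
    "dotnet_default_message": re.compile(r"Server was unable to process request"),
    "sql_error": re.compile(r"SqlException|OleDbException|Unclosed quotation mark|Incorrect syntax near|Invalid object name", re.I),
    "xpath_error": re.compile(r"XPathException|has an invalid token", re.I),
    "ldap_error": re.compile(r"LdapException|DirectoryServices", re.I),
    "file_path": re.compile(r"[A-Za-z]:\\[^\s:'\"<>]+"),
}


def parse_soap_fault(body):
    """faultcode / faultstring / detail from a SOAP 1.1 fault, or None if the body is not one."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    fault = root.find(f".//{{{SOAP11}}}Fault")
    if fault is None:
        return None
    detail = fault.find("detail")            # fault children are unqualified in SOAP 1.1
    return {"faultcode": (fault.findtext("faultcode") or "").strip(),
            "faultstring": (fault.findtext("faultstring") or "").strip(),
            "detail": "".join(detail.itertext()).strip() if detail is not None else ""}


def parse_json_error(body):
    """The Message/StackTrace/ExceptionType object ASP.NET AJAX returns for a failed call."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) and ("Message" in obj or "ExceptionType" in obj) else None


def analyze_response(status, content_type, body):
    """Classify a response and list what it leaks; works on faults, JSON errors and 200s alike."""
    ct = content_type.split(";")[0].strip().lower()
    kind, text, result = "normal", body, {}
    if ct in ("text/xml", "application/soap+xml", "application/xml"):
        fault = parse_soap_fault(body)
        if fault:
            kind, text = "soap-fault", fault["faultstring"] + "\n" + fault["detail"]
            result.update(fault)
    elif ct == "application/json":
        err = parse_json_error(body)
        if err:
            kind, text = "json-error", "\n".join(str(v) for v in err.values())
            result["error"] = err
    result.update(status=status, kind=kind,
                  findings=sorted(n for n, p in LEAK_PATTERNS.items() if p.search(text)),
                  paths=LEAK_PATTERNS["file_path"].findall(text))
    return result


def soap_request(op, params, ns="http://tempuri.org/"):
    body = "".join(f"<{n}>{v}</{n}>" for n, v in params)   # probes go in raw, unescaped
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f'<{op} xmlns="{ns}">{body}</{op}></soap:Body></soap:Envelope>')


def fuzz_requests(op, params, ns="http://tempuri.org/"):
    """Yield (probe, parameter, envelope): every probe substituted into every parameter in turn."""
    for i, (pname, _) in enumerate(params):
        for label, payload in INJECTION_PROBES:
            mutated = list(params)
            mutated[i] = (pname, payload)
            yield label, pname, soap_request(op, mutated, ns)


if __name__ == "__main__":
    for status, ct, body in ((500, "text/xml", DOTNET_FAULT), (500, "application/json", ATLAS_JSON_ERROR), (200, "text/xml", CLEAN)):
        r = analyze_response(status, ct, body)
        print(r["kind"], r["findings"], r["paths"])
```

      In a real run each `fuzz_requests` envelope is POSTed with the operation's soapAction and the reply goes through `analyze_response`; a probe whose findings differ from the baseline reply is the lead to chase.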
    • A7 - Broken Authentication and Session Management
      • Web Services have session management bindings.
      • It is possible to have methods supporting sessions in .NET.
      • Session identifier disclosure can lead to hijacking of Web Services.
      • SOAP messages can be brute-forced as well – poor passwords and multiple trials.
      • WS-Security can be used around it.
    • A8/A9 - Insecure Cryptographic Storage and Insecure Communications
      • Implementation of WSE security
      • Web Services traffic not going over SSL
      • XML-Security or node-level encryption – if cracked or decrypted
      • Sessions are established on tokens that go over the wire in clear text
      • Analysis needs to be done in the case of mashups and API calls.
      • Several applications and widgets make backend API calls in clear text (user/pass)
    • A10 - Failure to Restrict URL Access
      • In Web Services it is methods instead of URLs.
      • WSDL scanning and disclosures can weaken the Services.
      • Some internal methods are out in public.
      • Admin APIs can be accessed.
      • These internal methods can be used to attack Web Services.
    • Code Analysis for Web Services
      • Scanning the code base.
      • Identifying linkages.
      • Method signatures and inputs.
      • Looking for various patterns for SQL, LDAP, XPATH, File access etc.
      • Checking validation on them.
      • Code walking and tracing the base - Key
    • Web Services Firewall
      • A regular firewall will not work.
      • Content filtering on HTTP will not work either, since it is SOAP over HTTP/HTTPS.
      • SOAP-level filtering and monitoring is required.
      • ISAPI-level filtering is essential.
      • SOAP content filtering through an IHttpModule.
    • Code filtering with IHTTPModule [diagram: Web Services Client sends a SOAP Envelope to the IIS Web Server; web2wall sits in the IIS HTTP stack in front of the .Net Web Services and applies Rules for SOAP, rejecting envelopes that match]
    • Code filtering with IHTTPModule [diagram: Web Services Client → IIS web server → web2wall → .Net Web Services (.asmx file) → DB]
      SOAP Input Envelope:
        <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
          <q1:getInput xmlns:q1="http://DefaultNamespace">
            <id xsi:type="xsd:string">12123</id>
          </q1:getInput>
        </soap:Body>
      web2wall inspects <id xsi:type="xsd:string">12123</id> before the service runs id=12123 against the DB and gets Bal=$2500.
      SOAP Output Envelope:
        <ns1:getInputReturn xsi:type="xsd:string">$2500</ns1:getInputReturn>
    • HTTP Stack for IIS [diagram: Client request → IIS → aspnet_isapi.dll → HttpApplication → HttpModule chain → HttpHandler → Web Application resource; the response flows back the same way]
    • HTTP Stack [diagram: HttpRuntime → HttpApplicationFactory → HttpApplication → HttpHandlerFactory → IHttpHandler; HttpContext carries HttpRequest and HttpResponse; IHttpModule handlers hook the pipeline before the handler]
    • HTTP Stack for .Net [diagram: the same pipeline, with the Web Application Firewall & IDS implemented as an IHttpModule between HttpApplication and the handler]
    • IHTTPModule for Web Services Firewall
      • Code walkthrough – Events and Hooks
      • Loading the DLL
      • Setting up the rules
      • Up and running!
      • Demo.
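      The SOAP-level "Reject Rules" that the firewall slides describe, as an added Python example of the rule logic only; it is not the deck's web2wall module and is not C#. Inside IIS the same checks would live in an IHttpModule that subscribes to HttpApplication.BeginRequest in Init(), reads Request.InputStream (rewinding its Position afterwards so the ASMX handler can still read it) and, on a match, writes a SOAP Fault and calls CompleteRequest(). The rule set (two allowed operations, a whitelist regex for accountId, deny patterns for free-text parameters, a body size cap and a DTD ban) is an assumption chosen to mirror the slide's getInput/id example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed rule set: the operations the WSDL is meant to expose, a whitelist regex per
# parameter (None = free text, deny patterns only), and global limits.
RULES = {
    "operations": {
        "GetBalance": {"accountId": r"^\d{1,10}$"},
        "Search": {"query": None},
    },
    "max_body_bytes": 16 * 1024,
    "deny": [
        ("sql_meta", re.compile(r"'|--|;|\bunion\b|\bselect\b", re.I)),
        ("xpath_meta", re.compile(r"[\[\]|]")),
        ("traversal", re.compile(r"\.\./|\.\.\\")),
        ("os_cmd", re.compile(r"[|&`]|\bcmd\.exe\b", re.I)),
    ],
}


def inspect_envelope(body, rules=RULES):
    """Allow/reject one SOAP 1.1 request body (bytes). Returns (True, None) or (False, reason)."""
    if len(body) > rules["max_body_bytes"]:
        return False, "body too large"
    if b"<!DOCTYPE" in body:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return False, "expected exactly one operation element in Body"
    op = soap_body[0]
    op_name = op.tag.split("}")[-1]
    allowed = rules["operations"].get(op_name)
    if allowed is None:
        return False, f"operation {op_name} not allowed"   # blocks WSDL-disclosed internals
    for param in op:
        pname = param.tag.split("}")[-1]
        if pname not in allowed:
            return False, f"unexpected parameter {pname}"
        if len(param):
            return False, f"parameter {pname} must be a simple value"
        value = param.text or ""
        if allowed[pname] and not re.match(allowed[pname], value):
            return False, f"parameter {pname} fails whitelist"
        for label, pat in rules["deny"]:
            if pat.search(value):
                return False, f"parameter {pname} matches {label}"
    return True, None


def envelope(op, params, ns="http://tempuri.org/"):
    """Build a request body (bytes) for exercising the rules; values go in unescaped on purpose."""
    inner = "".join(f"<{n}>{v}</{n}>" for n, v in params)
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<{op} xmlns="{ns}">{inner}</{op}></soap:Body></so:Body>'.replace("</so:Body>", "")
            + f'</soap:Envelope>').encode("utf-8") if False else (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{op} xmlns="{ns}">{inner}</{op}></soap:Body></soap:Envelope>').encode("utf-8")


if __name__ == "__main__":
    for op, params in (("GetBalance", [("accountId", "12123")]),
                       ("GetBalance", [("accountId", "1' OR '1'='1")]),
                       ("AdminResetPassword", [("userName", "bob")]),
                       ("Search", [("query", "x' OR 1=1 --")])):
        print(op, params, "->", inspect_envelope(envelope(op, params)))
```

      Whitelisting by operation name is what closes the A10 gap (methods the WSDL discloses but the application never meant to expose); the per-parameter regex does most of the injection work, and the deny patterns only back-stop parameters that must accept free text.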
    • Conclusion
      • Web Services can be vulnerable to various attack vectors.
      • Footprinting and Discovery are the starting points.
      • Scanning and Auditing can help in finding holes.
      • Fuzzing is also an important aspect.
      • OWASP Top 10, mapped to Web Services
      • Scanning the code is equally important.
      • Web Services Firewall – armoring the app.
    • .NET Web Services Hacking – Scan, Attacks and Defense Thanks!