Overview
• Intro [Service-Oriented Architecture, MS WCF]
• Defining Web Service Threats
• Overview of WCF Security Basics
• Configuration - Starting Point and Ending Point
• Bindings In Depth
• Securing Transport Channel - Integrity and Auth.
• Messages - What I Send is What You Get?
• A Few Code-Based WCF Security Best Practices
• Outro [conclusion]
Intro
• SOA in general (discovery, description, messaging)
  – UDDI XML hierarchy
  – UDDI discovery (automated scanning tools)
  – WSDL and XSD descriptions
  – SOAP vs. REST XML protocols
• SOA security issues (ASMX, WCF, Java ...)
• WCF (Indigo / 2006) - .NET web service technology
• Endpoints (transport & bindings)
  – ABC (Address / Binding / Contract)
  – HTTP, TCP, named pipes, MSMQ ...
  – MEX - Metadata Exchange
Defining Web Service Threats
• Attractive target
  – Open to the world (access is rarely filtered)
  – Direct connection to the core application
  – Direct connection to core data
• Discovering and attacking web services
  – WS-Discovery (service behaviorConfiguration="serviceDiscoverable"), probe on port 3702
  – WSScanner: footprinting, discovery, enumeration, scanning and fuzzing tool
  – WCF Test Harness: flexible tool for quick service tests
• Common web application vulns: SQL injection, session theft, XML DoS ...
• XML/SOAP manipulation (abusing the protocol)
  – Eavesdropping on the message exchange
  – Message protection methods
• Configuration data injection (tampering with .config)
• Local/UDDI XML processing attacks
Configuration - Starting Point and Ending Point
• Web.config start-up
  – Web.config encryption
  – section.SectionInformation.ProtectSection
• <system.serviceModel>
  – Services » defining service endpoints
  – Bindings » Basic, WS, WSDual, NetTcp ...
  – Behaviors » <throttling> and other custom behaviors
• <credentials /> stored in config:
    <credentials passwordFormat="Clear">
      <user name="user1" password="pass1"/>
    </credentials>
• Max message size ???? (avoid 2147483647)
• Encrypting configuration files (command-line tools, code-based ...)
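The two configuration points on this slide, the clear-text <credentials> element and the int.MaxValue message size, as an added C# example (not code from the talk). It assumes an ASP.NET-hosted service whose web.config is the application root "/" of the local IIS site, and a process that may write that file; the section path, provider names and quota values are my choices.

```csharp
using System;
using System.Configuration;
using System.ServiceModel;
using System.Web.Configuration;
using System.Xml;

// Added example (not from the talk). Assumes an ASP.NET-hosted WCF service whose
// web.config lives at the application root "/" of the local default IIS site.
public static class ConfigHardening
{
    // Encrypt the section that carries the <credentials passwordFormat="Clear"> element,
    // so clear-text passwords never sit on disk readable to anyone with file access.
    // "DataProtectionConfigurationProvider" uses the machine's DPAPI key (single server);
    // "RsaProtectedConfigurationProvider" is the choice when the key must be shared in a farm.
    public static void ProtectCredentials(string appPath = "/",
                                          string provider = "DataProtectionConfigurationProvider")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("system.web/authentication");
        if (section == null)
            throw new InvalidOperationException("No <authentication> section found.");

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Counterpart to the "avoid 2147483647" note: a binding with explicit, small quotas
    // instead of the int.MaxValue that copied configs often carry. Every quota below is
    // an assumed value; size them to the largest legitimate message you expect.
    public static BasicHttpBinding BoundedBinding()
    {
        var binding = new BasicHttpBinding();
        binding.MaxReceivedMessageSize = 256 * 1024;   // largest single request accepted
        binding.MaxBufferSize = 256 * 1024;            // must match in buffered mode
        binding.ReaderQuotas.MaxDepth = 32;            // caps deeply nested XML
        binding.ReaderQuotas.MaxStringContentLength = 64 * 1024;
        binding.ReaderQuotas.MaxArrayLength = 16 * 1024;
        binding.ReaderQuotas.MaxNameTableCharCount = 16 * 1024;
        binding.ReaderQuotas.MaxBytesPerRead = 4096;
        binding.ReceiveTimeout = TimeSpan.FromMinutes(1);
        binding.SendTimeout = TimeSpan.FromSeconds(30);
        return binding;
    }
}
```

ProtectSection rewrites the section in place with an <EncryptedData> body; the application keeps reading it through the normal configuration API, which decrypts transparently. The quotas are the code-based twin of the <readerQuotas> element and are the first line of defence against the XML DoS mentioned on the threats slide.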
Bindings in Depth
• System.ServiceModel.Channels.Binding class
• Binding types and security modes
  – WSHttpBinding b = new WSHttpBinding(); b.Security.Mode = SecurityMode.?????;
    » Transport security
    » Mixed-mode security
    » Message security
• Considering scenarios for the right bindings
  – Clients accessing through the Internet (wsHttp)
  – Legacy clients (http)
  – Intranet (netTcp)
  – Local-machine clients (netNamedPipeBinding)
  – Disconnected / queued call support (netMsmqBinding)
  – Bidirectional communication support (wsDualHttp)
• System-provided bindings
  – BasicHttpBinding: an HTTP binding suitable for connecting to web services that conform to the WS-I Basic Profile specification (for example, ASP.NET web services)
  – WSHttpBinding: an interoperable binding suitable for connecting to endpoints that conform to the WS-* protocols
  – NetNamedPipeBinding: uses the .NET Framework to connect to other WCF endpoints on the same machine
  – NetMsmqBinding: uses the .NET Framework to create queued message connections with other WCF endpoints
• Custom bindings - meet the requirements of your service
Securing Transport Channel
• SSL tunneling on the WS transport channel
• Choosing a secure binding or SSL transport??
  – More and more on security (end-to-end, partial encryption)
  – Performance at message vs. transport level
  – Combining message and transport security
• Custom binding and custom validator
  – public override void Validate(string uname, string pass)
  – <binding name="CustomBinding">
      <security authenticationMode="UserNameOverTransport" />
    </binding>
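The mixed-mode choice from the bindings slide (SecurityMode.TransportWithMessageCredential) wired to the custom Validate() override from this slide, as an added C# example that is not code from the talk. IOrderService, OrderService, HashedPasswordValidator and the user store are constructed names; the example assumes a self-hosted service and an HTTPS certificate already bound to port 8443.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not from the talk). Assumes a self-hosted service and an HTTPS
// certificate already bound to port 8443 (netsh http add sslcert ...).
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping(string text);
}

public class OrderService : IOrderService
{
    public string Ping(string text) { return "pong:" + text; }
}

// Custom validator for the UserName credential: WCF calls Validate() for every request
// that carries a UsernameToken; throwing rejects the call before the operation runs.
public class HashedPasswordValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000;
    private const int HashBytes = 32;

    // Constructed in-memory store: user -> (salt, PBKDF2 hash). A real service reads these
    // from a protected store, never from a clear-text <credentials> element.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users = BuildStore();

    private static Dictionary<string, Tuple<byte[], byte[]>> BuildStore()
    {
        var store = new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        store["user1"] = Tuple.Create(salt, Derive("demo-password", salt)); // demo value only
        return store;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte regardless of where the first mismatch is, so timing leaks nothing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override void Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> entry = null;
        bool known = userName != null && Users.TryGetValue(userName, out entry);
        // Do the same work for unknown users so a missing account is not visible by timing.
        byte[] salt = known ? entry.Item1 : new byte[16];
        byte[] expected = known ? entry.Item2 : new byte[HashBytes];
        bool ok = FixedTimeEquals(Derive(password ?? string.Empty, salt), expected) && known;
        if (!ok)
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class SecureHost
{
    public static ServiceHost Start()
    {
        // Mixed mode: TLS on the wire (server auth, confidentiality, integrity) and the
        // user name/password carried in the SOAP security header.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(OrderService), new Uri("https://localhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new HashedPasswordValidator();
        host.Open();
        return host;
    }
}
```

The transport leg protects the password in transit; the validator decides whether it is accepted. One generic error message for both "no such user" and "wrong password" and an equal amount of hashing work on both paths keep the validator from becoming a user-enumeration oracle.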
Messages - What I Send is What You Get?
• Message integrity check
  – Ability to detect and manage invalid data
  – Imposition of complete transactions
  – Rollbacks
• [ServiceBehavior] attribute: transaction isolation level Serializable - protection for consistent data
• Hash calculation on the message: XML/JSON messages (HMAC, SHA1 ...)
• ETag (base64 encoding of the md5sum)
• Distributed Transaction Coordinator
  – Single transaction building
  – 'Global' rollback (whole call chain rollback) - transactionFlow="true"
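The keyed-hash check and the ETag from this slide, as an added C# example (not code from the talk). The message body and key are constructed; MessageIntegrity and its method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the talk). A keyed hash over the serialized message body:
// the receiver recomputes the tag with the shared key and accepts only on a match.
public static class MessageIntegrity
{
    public static string Sign(byte[] key, string body)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }

    public static bool Verify(byte[] key, string body, string tagBase64)
    {
        byte[] presented;
        try { presented = Convert.FromBase64String(tagBase64 ?? string.Empty); }
        catch (FormatException) { return false; }

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));

        // Length check first, then compare every byte so timing does not reveal the mismatch position.
        if (expected.Length != presented.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }

    // ETag as on the slide: base64 of the MD5 digest. This is a change detector for caching,
    // not an authenticity check: anyone can recompute MD5, only key holders can recompute the HMAC.
    public static string ETag(string body)
    {
        using (var md5 = MD5.Create())
            return "\"" + Convert.ToBase64String(md5.ComputeHash(Encoding.UTF8.GetBytes(body))) + "\"";
    }

    public static void Demo()
    {
        byte[] key = new byte[32];                       // shared secret, constructed for the demo
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);

        string body = "<Order><Id>42</Id><Amount>10.00</Amount></Order>";   // constructed sample
        string tag = Sign(key, body);

        bool accepted = Verify(key, body, tag);                              // unchanged body
        bool tampered = Verify(key, body.Replace("10.00", "1000.00"), tag);  // edited in transit
        Console.WriteLine("accepted={0} tampered={1} etag={2}", accepted, tampered, ETag(body));
    }
}
```

The tag must be computed over exactly the bytes the receiver will see; XML re-serialization (whitespace, namespace prefixes, attribute order) changes the bytes and therefore the hash, which is why WS-Security signs a canonicalized form rather than the raw text.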
A Few Code-Based WCF Security Best Practices
• using() and try/finally keywords in WCF?
• Why avoid them???
  – The IL is almost identical
  – So, where is the problem!?!?
• During disposal the channel is NEVER closed!
• Control the catching of exceptions
• Use a global exception handler to catch unhandled exceptions
• FaultContract
  – [FaultContract(typeof(CustomException))]
  – throw new FaultException<MathFault>(mf);
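The FaultContract pattern and the proxy-disposal problem from this slide, as an added C# example that is not code from the talk. MathFault, ICalculator, Calculator, ProxyHelper and the endpoint address are constructed names. The disposal point is this: a proxy's Dispose() calls Close(), and Close() on a faulted channel throws, so the channel is not torn down and the exception that faulted it is replaced by the one from Close().

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

// Added example (not from the talk). MathFault/ICalculator are constructed names echoing the slide.
[DataContract]
public class MathFault
{
    [DataMember] public string Operation { get; set; }
    [DataMember] public string ProblemType { get; set; }
}

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    [FaultContract(typeof(MathFault))]
    int Divide(int numerator, int denominator);
}

// IncludeExceptionDetailInFaults = false (the default) keeps stack traces and internal
// exception text out of the SOAP fault; only the declared MathFault crosses the wire.
[ServiceBehavior(IncludeExceptionDetailInFaults = false)]
public class Calculator : ICalculator
{
    public int Divide(int numerator, int denominator)
    {
        if (denominator == 0)
        {
            var mf = new MathFault { Operation = "Divide", ProblemType = "Division by zero" };
            throw new FaultException<MathFault>(mf, new FaultReason("Invalid operation."));
        }
        return numerator / denominator;
    }
}

// Client side: the replacement for `using (var client = ...)`.
// Close on success, Abort on any failure; never Close() a channel that may be faulted.
public static class ProxyHelper
{
    public static TResult Invoke<TChannel, TResult>(ChannelFactory<TChannel> factory,
                                                    Func<TChannel, TResult> operation)
        where TChannel : class
    {
        TChannel channel = factory.CreateChannel();
        var client = (IClientChannel)channel;
        try
        {
            TResult result = operation(channel);
            CloseOrAbort(client);
            return result;
        }
        catch
        {
            client.Abort();   // Close() here could throw and hide the real exception
            throw;
        }
    }

    private static void CloseOrAbort(IClientChannel client)
    {
        try
        {
            if (client.State == CommunicationState.Faulted) client.Abort();
            else client.Close();
        }
        catch (CommunicationException) { client.Abort(); }
        catch (TimeoutException) { client.Abort(); }
    }

    // Usage: the caller sees either the result or the original exception (including the
    // typed FaultException<MathFault>), and the channel is always released.
    public static int DivideRemote(int numerator, int denominator)
    {
        var factory = new ChannelFactory<ICalculator>(new BasicHttpBinding(),
                                                      new EndpointAddress("http://localhost:8080/calc"));
        return Invoke(factory, c => c.Divide(numerator, denominator));
    }
}
```

Abort() is safe in every channel state and never throws, which is why it is the right call on the failure path; Close() is reserved for the path where the call completed and the channel is known to be healthy.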
• CAS in WCF services
  – [assembly: AllowPartiallyTrustedCallers]
  – [PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
  – Calling out from the restricted client environment
    » Security breach - bypass of the direct connection
    » PartialTrustClientBase<T> ??
    » GAC on the client side?
  – Proxy assembly installation
  – Raw WCF demands
• ChannelFactory class
  – Used in advanced scenarios
  – Creation of multiple channels for communication
    » ChannelFactory<xx> myChannelFactory = new ChannelFactory<xx>(myBinding, myEndpoint);
      xx wcfClient1 = myChannelFactory.CreateChannel();
  – channelFactory.Credentials (username/password)
  – Avoid creating a ChannelFactory on each page call (overhead)
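The two points on this slide, credentials set on the factory and one factory reused across calls instead of one per page request, as an added C# example (not code from the talk). IOrderService, OrderClient, the endpoint URL and the environment variable names are constructed.

```csharp
using System;
using System.ServiceModel;

// Added example (not from the talk). IOrderService and the endpoint URL are assumed names.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping(string text);
}

public static class OrderClient
{
    // Building a ChannelFactory is expensive (binding stack, contract reflection): build one
    // per process and create cheap channels from it, not one factory per page request.
    private static readonly Lazy<ChannelFactory<IOrderService>> Factory =
        new Lazy<ChannelFactory<IOrderService>>(CreateFactory);

    private static ChannelFactory<IOrderService> CreateFactory()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var factory = new ChannelFactory<IOrderService>(
            binding, new EndpointAddress("https://orders.example.test/orders")); // assumed URL

        // Credentials are set once on the factory and travel in the UsernameToken of every call.
        // They are read from the environment here; in practice use a protected config section
        // or a credential store, never a hard-coded literal.
        factory.Credentials.UserName.UserName = Environment.GetEnvironmentVariable("ORDER_SVC_USER");
        factory.Credentials.UserName.Password = Environment.GetEnvironmentVariable("ORDER_SVC_PASS");
        return factory;
    }

    public static string Ping(string text)
    {
        IOrderService channel = Factory.Value.CreateChannel();
        var client = (IClientChannel)channel;
        try
        {
            string reply = channel.Ping(text);
            client.Close();
            return reply;
        }
        catch
        {
            client.Abort();   // channel may be faulted; Close() would throw and hide the real error
            throw;
        }
    }
}
```

Credentials on a ChannelFactory become read-only once the first channel is created, so they must be set before CreateChannel(). A cached factory that itself enters the Faulted state has to be discarded and rebuilt; Lazy<T> as used here does not do that on its own.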
• Make a port scanner out of WCF
  – WSDualHttpBinding
  – "CreateSequence" SOAP request
  – "ReplyTo" address
• https://github.com/GDSSecurity/WCF-WSDualHttpBinding-Port-Scanner
Outro [conclusion]
• What have we remembered to make our web services more secure?
  – Best practice: combine technologies and techniques to get security to a higher level!!!
    » Combine smart coding with good configuration
• Test your WCF services against various attack techniques
• ServiceThrottlingBehavior class
  – MaxConcurrentCalls (default = 16) [per-message]
  – MaxConcurrentInstances (default = Int32.Max)
    » InstanceContextMode on ServiceBehaviorAttribute: PerCall / PerSession
  – MaxConcurrentSessions (default = 10) [per-channel]
• Stay in touch with recent security discoveries related to the technologies you are using!
  – Platforms, OS services, dev technologies, transport/protocol technologies, encryption algorithms etc.
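Setting the three ServiceThrottlingBehavior limits in code, as an added C# example that is not code from the talk. The service type and base address are passed in by the caller; the limit values are assumptions to be sized from load testing, not recommendations.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (not from the talk). Service type and address are supplied by the caller.
public static class ThrottledHost
{
    public static ServiceHost Open(Type serviceType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);

        // Reuse the behavior if config already added one, so code and config do not fight.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }

        // Per-message: operations executing at once across the whole service.
        throttle.MaxConcurrentCalls = 32;
        // Per-channel: sessions active at once (wsHttp/netTcp with sessions).
        throttle.MaxConcurrentSessions = 50;
        // Service objects alive at once: for PerCall this tracks calls, for PerSession sessions.
        throttle.MaxConcurrentInstances = 82;

        host.Open();
        return host;
    }
}
```

The same three values can be placed in config as <serviceThrottling maxConcurrentCalls="32" maxConcurrentSessions="50" maxConcurrentInstances="82" /> inside a <serviceBehaviors> behavior. The defaults quoted on the slide are those of .NET 3.x; from .NET 4.0 the runtime scales them by processor count (16 and 100 per core for calls and sessions, and their sum for instances), so an unthrottled service on a large box accepts far more concurrent work than the slide's numbers suggest.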
Thank you for your attention. Questions and comments?