The objective of this section is to use a Web services assessment methodology that is used in the field.
Search engines maintain a cache of all links collected from web sites. Search engines use their own crawling software to fetch links on Web services. Try this: To find web services running on the “amazon” domain, type: inurl:wsdl site:amazon.com
Objective: gather all possible information about Web services
One of the major sources of information: WSDL file
The objective of this step is to scan Web services and gather initial attack points. Web services are running with different resources. Each of these resources is linked together and a scanning exercise helps in collecting these resources. A WSDL file is a very important resource for Web services, and its scanning is therefore a very important exercise. WSDL is an XML document that serves two purposes: Defines how to access Web services Furnishes information about where to access these Web services In a nutshell, Web services specifies the location and operations of Web services. Any Web service client can fetch information from the WSDL and build specific requests.
WSDL has 4 main components (XML): Type element: used when defined data types are complex types. binding element: contains information about accessing Web services. Has two attributes within the tag name: any name and port binding. &lt;binding&gt; links to &lt;portType&gt; soap:binding element provides style and transport attribute information. e.g. http://schemas.xmlsoap.org/soap/http (reflects SOAP protocol over HTTP) style can be either rpc or document. soap:operation element is a mandatory attribute for certain operations. HTTP requests must be sent over a network using soapAction in the HTTP header. (Otherwise Web services would not respond.)
Service name: dvds4less Binding address: http://192.168.11.2/ws/dvds4less.asmx This information provides the location and its access position. All calls and Web-based API invoked will be handled at this location.
portType element: comparable to a class or module in C++ or Java. a class or module contains a set of methods that can be accessed. These methods are specified in the &lt;operation&gt; element. Operations and methods are actual entry points to Web services. portType presents the type of invoke supported. (SOAP) Sometimes, GET and POST are also supported. Operation represents the method name
message element: contains information about the name and type of parameter.
Web Services Hacking and Security
Web Services Hacking and
Recent analysis of Cloud App
• Enterprise Content Management – Cloud App
• Technologies & Components – APIs, OAuth, SAML,
SOAP, Ajax etc.
• Traditional Scanning – What to scan
• Hacking and Hands-On
– SQL injection over APIs
– XSS on Mobile interface
– Authorization bypass (Look at other’s content)
– Information leaks through JSON fuzzing
– Virtual Sand Box bypasses
– Mobile interface compromised
• Vulnerabilities in cloud infrastructures could allow
attackers to locate and eavesdrop on targeted virtual
machines (VMs) anywhere in the cloud.
• DDoS attack rains down on Amazon cloud
• Cross-VM side-channel attacks to extract information
from a target VM on the same machine.
• The use of virtualization by cloud service providers to
host virtual machines belonging to multiple
customers on a shared physical infrastructure is
opening up fresh data leak risks, a research report
What is common in all?
• All over Web and HTTP
• Web Security and Hacking is very relevant for
• Cloud = Web 2.0 + SOA + Something-Else
• Lot of hacks are already happening on Cloud
apps over HTTP
• Game is changing and becoming interesting …
• Web service - evolving as new attack point in
• Toolkits and Exploits are coming up
• Too many protocols and confusion
• Race for deployment – poor implementation
• Cases and attacks are growing with growth in business
User ControlledVendor ControlledIn TransitEnd Client
Web Services Engine
Web Services Deployment
Web Services Code
Web Services Risk
Web Services Defense
Internet DMZ Trusted
Web services evaluation
Discovery Public domain search
Manual Audit Auto Audit
• In transit Sniffing or Spoofing
• WS-Routing security concern
• Replay attacks
Risk - In transit
Risk - Web services Engine
• Buffer overflow
• XML parsing attacks
• Spoiling Schema
• Complex or Recursive structure as payload
• Denial of services
• Large payload
Web Service Search
• Search in the public domain
• Tool – Search Engines
• Google – An excellent tool
• Look for wsdl,asmx,jws etc.
• Filetype and allinurl are best friends
• Platform on which Web services are running
• Configuration and Structures
• File extensions
• Path discovery
Very useful information!
• Location can be obtained from UDDI
as well, if already published.
• WSDL location [ Access Point ]
.asmx – indicates
.Net server from MS
• Similarly, .jws – for Java web services
• /ws/ - in the path indicates web services
• MS-SOAPToolkit can be identified as well
C:> nc 192.168.11.2 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2004 18:48:20 GMT
Set-Cookie: ASPSESSIONIDSSSRQDRC=LMMPKHNAAOFDHMIHAODOJHCO; path=/
• Resource header throws up some information
C:> nc 192.168.11.2 80
HEAD /ws/dvds4less.asmx HTTP/1.0
HTTP/1.1 500 Internal Server Error
Date: Tue, 28 Sep 2004 18:50:09 GMT
Content-Type: text/html; charset=utf-8
• What is WSDL?
• What information can one enumerate from
• WSDL exposure: Threat or not?
• Web Services Definition Language
• Similar to IDL for remote calls used in CORBA or
other remote invoke methods.
• Contains detail of methods
• Types of I/O
• Parameters of methods
• It is an XML document with standards.
<port name="dvds4lessSoap" binding="s0:dvds4lessSoap">
Where is the call going to go?
This is where the service is listening.
How to access?
• Knowing WSDL profile – What next?
• Access web services
– see what goodies you can get
How to access SOAP?
• Simple Object Access Protocol
• Invoking objects on remote machine
• I/O with remote objects
• It is XML-based messaging
• Works over HTTP/HTTPS and on few other
• That is why firewall cannot block them.
• Attacks are easy and possible.
Parameter tampering & Fault code leakage
• Fault code of web services spit lot of information
about internal workings.
• This attack can fetch internal paths, database
• Fault code is part of SOAP envelope and this
helps an attacker to make logical deduction
<?xml version="1.0" encoding="utf-16"?>
<faultstring>Server was unable to process request. --> Could not find file
AV 3 - SQL injection
• SQL injection can be done using SOAP traffic.
• It is innovative way of identifying database
• One can leverage xp_cmdshell via SOAP.
• Back end database can be compromised using
<?xml version="1.0" encoding="utf-16"?>
<faultstring>Server was unable to process request. --> Cannot use
empty object or column names. Use a single space if necessary.</faultstring>
Indicates SQL Server
Place for SQL Injection
But … Code got executed
Got Admin via
AV 4 – XPATH injection
• XPATH is new way of querying XML documents.
• This attack works nicely on web services since
they use XML extensively.
• Developer’s loophole can be leveraged with an
• XPATH query crafting is next generation attack
XPATH Injection - Basics
• XPATH is a language defined to find information from
• As XPATH name suggests it indeed uses path to traverse
through nodes of XML document and look for specific
information from the document.
• XPATH provides expressions like slash (/), double slash
(//), dot(.), double dot (..), @, =, <, > etc. It helps in
traversing through XML document.
XPATH – Vulnerable Code
string fulltext = "";
string coString = "Provider=SQLOLEDB;Server=(local);database=order;User
SqlXmlCommand co = new SqlXmlCommand(coString);
co.CommandType = SqlXmlCommandType.Sql;
co.CommandText = "SELECT * FROM users for xml Auto";
XmlReader xr = co.ExecuteXmlReader();
fulltext = xr.ReadOuterXml();
XmlDocument doc = new XmlDocument();
string credential = "//users[@username='"+user+"' and @password='"+pass+"']";
XmlNodeList xmln = doc.SelectNodes(credential);
if(xmln.Count > 0)
Attacking XPATH point
• //users[@username='"+user+"' and @password='"+pass+"']";
• XPATH parsing can be leveraged by passing
following string ' or 1=1 or ''=‘
• This will always true on the first node and user can
get access as who ever is first user.
• //users[@username='' or 1=1 or ''='' and @password='any']
AV 6 – LDAP injection
• LDAP authentication in place
• Possible to manipulate LDAP queries
• May leads to enumeration OR manipulation
• Interesting attack vector
• Fault code leaks LDAP interface
AV 7 – File System access
• Identifying file system points
• Directory traversing & Access
• Leads to file access and source code exposure
• Lethal if found!
AV 7 – SOAP brute forcing
• SOAP envelope takes user & pass accounts.
• It is possible to bruteforce SOAP envelope and
look for specific responses.
• This is a possible attack which can get into the
• Analyzing SOAP response is key for this set of
AV 8 – Parameter overflow
• Adding large buffers to XML nodes
• Depending on code controls – It may fail in
• Breaking the application
• May compromise as well
• Traditional buffer overflow type attacks
AV 9 – Operating System access
• Point to OS
• Remote command execution is possible
• Either by “|” or “;”
• Attack is very much possible
• Leads to admin/root on the box…
AV 10 – Session hijacking
• Web services can maintain sessions
• Possible to reverse engineer session
• Cookie tempering is reality…
• Can be compared to traditional web
• External referencing – XML schema
• XSS attack
• In transit attacks – replay and spoofing
Defense 1: SOAP filtering
• Regular firewall will not work
• Content filtering on HTTP will not work either
since it is SOAP over HTTP/HTTPS
• SOAP level filtering and monitoring would
• ISAPI level filtering is essential
• SOAP content filtering – products or in-house
IIS Web Server
Rules for SOAP
Defense 1: SOAP filtering
Defense 2: WSDL hardening
• WSDL is major source of information
• Should not have any leakage
• Only provide necessary methods
• Invokes over SSL only
• WSDL hardening thoroughly
Defense 3: Authentication & Authorization
• WSDL access control
• Use of SAML
• Credentials – WS-Security
• Certificate analysis
• SOAP and XML filtering before access
Defense 4: Secure Coding
• Fault code management and Exception control
• Input validation
• SQL integration
• Levels of coding using different components
Defense 5: XML parsing
• Good XML parsing should be used
• .Net/J2EE – may have issues with XML parsing
• Buffer overflows using schema poisoning