Owasp Forum Web Services Security
1. OWASP Top Ten Web Services Vulnerabilities
   Marco Morana, OWASP Chapter Lead, [email_address]
   Based upon Gunnar Peterson's presentation "OWASP T10 Web Services Proposal", OWASP USA 08 NYC AppSec Conference
   Cincinnati Chapter, August 2009 Meeting
2. Meeting Agenda
   - Video presentation: Web Services OWASP Top Ten Proposal by Gunnar Peterson
   - Discussion forum
     - Summary of the OWASP Top Ten for Web Services
       - Web services security highlights
       - OWASP T10 vulnerabilities: issues and countermeasures
     - Discussion points: Q&A
     - OWASP references
3. Web Services Security Highlights
   - The security of web services and distributed architectures presents several challenges:
     - Perimeter security is not enough
     - Data segregation does not separate good from evil
     - Security goals cannot be limited to the CIA attributes (confidentiality, integrity, availability)
     - Location independence: authenticate in one place and authorize in another
     - Interoperability across systems and technologies
     - Consistent policy enforcement
     - Secure-email style (message-level) security vs. tiered-architecture (transport-level) security
     - Security of the delivery channel and of the intermediaries
   - Design-time activity aimed at pointing out common security pitfalls and the proper ways to implement security within design patterns
   - Originally a white paper, donated to OWASP by Security Compass
4. Web Services OWASP T1 Vulnerability: Injection Attacks
   - Issue highlights:
     - Larger attack surface and new targets for injection flaws: SQL injection, LDAP, XPath/XQuery, XSLT, HTML, XML and OS command injection
     - The web service acts as a gateway for injecting data into backend services: mainframes, message queues (MQ), ESBs, SAP
     - More attack-vector opportunities, because the web service requester and provider are decoupled
   - Countermeasures:
     - Determine the application's attack surface and its entry points
     - Validate at each trust boundary (front end, middleware, backend)
     - Input validation strategy: canonicalization, sanitization, and encoding for the interpreter the data is handed to
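The "gateway to backend services" point deserves a concrete illustration. The following is an added example, not code from the slides: a front-end web service that relays a transfer request to a backend as XML. The `transfer`/`customer`/`role` message format, the customer-id allowlist, and both inputs are constructed for the example. The vulnerable builder concatenates the caller's customer id into the backend document, so a crafted id closes the `<customer>` element and injects its own `<role>`; the hardened builder constructs the tree with ElementTree, which escapes markup characters, and a front-end allowlist rejects the input before it ever reaches the backend.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: a benign customer id and one that tries to close the
# <customer> element early and inject a <role> element of its own.
BENIGN_INPUT = "alice"
ATTACK_INPUT = "alice</customer><role>admin</role><customer>"

# Allowlist for the customer id at the front-end trust boundary (assumed format).
CUSTOMER_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_customer_id(value: str) -> bool:
    """Positive validation: accept only characters the backend id format allows."""
    return CUSTOMER_ID_RE.fullmatch(value) is not None


def build_backend_request_unsafe(customer: str, amount: int) -> str:
    """Vulnerable: untrusted text is concatenated straight into the XML."""
    return (
        "<transfer>"
        f"<customer>{customer}</customer>"
        "<role>user</role>"
        f"<amount>{amount}</amount>"
        "</transfer>"
    )


def build_backend_request_safe(customer: str, amount: int) -> str:
    """Hardened: the message is built as a tree, so '<', '>' and '&' in the
    input are escaped as entities and can never become markup."""
    root = ET.Element("transfer")
    ET.SubElement(root, "customer").text = customer
    ET.SubElement(root, "role").text = "user"
    ET.SubElement(root, "amount").text = str(amount)
    return ET.tostring(root, encoding="unicode")


def roles_seen_by_backend(xml_text: str) -> list:
    """Simulates the backend: parse the relayed message and read every <role>."""
    root = ET.fromstring(xml_text)
    return [r.text for r in root.findall("role")]


def customer_seen_by_backend(xml_text: str) -> str:
    """Simulates the backend reading the <customer> element's text."""
    return ET.fromstring(xml_text).findtext("customer")


if __name__ == "__main__":
    print(roles_seen_by_backend(build_backend_request_unsafe(ATTACK_INPUT, 10)))  # ['admin', 'user']
    print(roles_seen_by_backend(build_backend_request_safe(ATTACK_INPUT, 10)))    # ['user']
    print(is_valid_customer_id(ATTACK_INPUT))                                      # False
```

A backend that reads "the first `<role>`" of the concatenated message grants `admin`; the same backend reading the tree-built message sees only `user`, and the injected text survives verbatim inside `<customer>`, where it is harmless. Validation and escaping are complementary: the allowlist belongs at the front-end boundary, the escaping builder at the backend boundary, as the slide's "validate at each trust boundary" recommends.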
5. Web Services OWASP T2 Vulnerability: Malicious File Execution
   - Issue highlights:
     - Web service processing can take untrusted input that injects system and backend commands, leading to remote command execution, malware upload, or denial/degradation of service
     - File uploads and the SOAP interface can be abused to cause denial or degradation of service (e.g. by overloading the XML parser)
   - Countermeasures:
     - Do not trust client-supplied parameters for command execution; when accepting file uploads, validate server side the file size, name, path and extension/parameters
     - Validate XML size and XSD schema conformance before processing
6. Web Services OWASP T3 Vulnerability: Insecure Object Reference
   - Issue highlights:
     - Abuse of object references can lead to remote code execution
     - Failure to check data references and URL parameters can lead to remote rootkit installation and compromise. In some cases banking applications use the account number as the primary key; if it is not validated it can be misused for SQL injection
   - Countermeasures:
     - Use encryption and signatures to prevent tampering with SOAP messages; validate references on the server side (the caller must be authorized for the referenced object)
     - Beware of REST: some IDEs add a REST endpoint in the form of a GET that can be called without authorization; this needs to be turned off
7. Web Services OWASP T4 Vulnerability: Information Leakage
   - Issue highlights:
     - Too much WS configuration information is public: the WSDL reveals the application type and its methods; access to the XSD and XML lets the attacker know the data structures and values to attack; the UDDI registry can leak addressing, routing structure or behavior
   - Countermeasures:
     - Remove WSDL files from the web server
     - Disable the documentation protocols to prevent dynamic generation of WSDL
     - Catch exceptions and return minimal information to users (log the details server side)
8. Web Services OWASP T5 Vulnerability: Broken Authentication and Weak Tokens
   - Issue highlights:
     - Unprotected tokens and assertions: flaws allow hijacking of user and admin accounts, bypassing authorization, and replay attacks
     - Claims-based (SAML) access control, as opposed to RBAC, exposes the application to new vulnerabilities
   - Countermeasures:
     - Authentication via WS-Security token profiles: UsernameToken with password digest (not plaintext), SAML assertions, Kerberos tickets, X.509 certificates
     - SSL/TLS and message payload encryption for protection in transit
     - Unique message ID, timestamp and nonce with each request to prevent message replay
     - Digital signatures to prevent tampering
9. Web Services OWASP T6 Vulnerability: Insecure Crypto Usage
   - Issue highlights:
     - Not encrypting secrets and not protecting keys
     - Use of weak or broken algorithms such as MD5 and RC4, and of non-standard algorithms
     - Hard-coded keys
     - Misuse of XML Encryption/XML Signature: a signature element with no signature value, homegrown encryption algorithms
   - Countermeasures:
     - Protect secrets with encryption; use secure key storage
     - Use standard, secure cryptographic algorithms
     - Do not hard-code secrets
     - Do not use homegrown encryption implementations or schemes
     - Test your crypto implementation
10. Web Services OWASP T7 Vulnerability: Insecure Communications
   - Issue highlights:
     - Not using SSL/TLS exposes authentication data, session data and other sensitive information
     - Sniffing attacks: WS-Security and SAML tokens can be sniffed in transit when no SSL/TLS protects them
     - Timing and replay attacks are possible against unprotected session data
   - Countermeasures:
     - Protect data in transit: SSL/TLS or IPsec
     - Protect XML documents, or sections of them, with XML Encryption
     - Validate signatures properly: check that the signature is present, that it verifies, and who (which trusted party) signed
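Slides 8, 9 and 10 together describe what a receiver must check on every message: that it was signed by a party we trust, that the signature element actually carries a value and verifies, that the timestamp is fresh, and that the nonce has not been seen before. The following is an added example, not code from the slides or from any WS-Security library. It uses an HMAC over a fixed field order as a stand-in for XML Signature (the standard library has no XML-DSig), a constructed trust store keyed by `key_id`, and assumed policy constants for clock skew and nonce lifetime; the message is a plain dict rather than a SOAP envelope so the checks stay visible.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed trust store: key identifiers of signers this service accepts.
TRUSTED_KEYS = {"partner-a": b"constructed-demo-key-not-for-production"}
CLOCK_SKEW = 300    # seconds between Created and our clock we tolerate (assumed policy)
NONCE_TTL = 600     # seconds a nonce is remembered; must exceed CLOCK_SKEW (assumed policy)


class VerifyError(ValueError):
    """Raised for any message that must not be processed."""


def canonical(message: dict) -> bytes:
    """Deterministic serialisation of the signed fields. Stands in for
    canonical XML plus the <ds:SignedInfo> reference list."""
    fields = ("id", "key_id", "nonce", "created", "body")
    return "|".join(str(message[f]) for f in fields).encode()


def sign(message: dict, key: bytes) -> dict:
    mac = hmac.new(key, canonical(message), hashlib.sha256).digest()
    return {**message, "signature": base64.b64encode(mac).decode()}


def new_message(body: str, key_id: str = "partner-a", now=None) -> dict:
    """Sender side: fresh message id and nonce, a timestamp, then sign."""
    return sign({
        "id": os.urandom(8).hex(),
        "key_id": key_id,
        "nonce": base64.b64encode(os.urandom(16)).decode(),
        "created": int(time.time() if now is None else now),
        "body": body,
    }, TRUSTED_KEYS[key_id])


class ReplayCache:
    """Remembers accepted nonces for NONCE_TTL seconds."""
    def __init__(self):
        self._seen = {}

    def first_use(self, nonce: str, now: float) -> bool:
        for n, t in list(self._seen.items()):
            if now - t > NONCE_TTL:
                del self._seen[n]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify(message: dict, cache: ReplayCache, now=None) -> str:
    """Receiver side. Authenticate the message first, then apply the
    freshness and replay checks; returns the body only if all pass."""
    now = time.time() if now is None else now
    # 1. Who signed it? Unknown signers are rejected outright.
    key = TRUSTED_KEYS.get(message.get("key_id"))
    if key is None:
        raise VerifyError("untrusted or missing key id")
    # 2. Signature present AND carrying a value (slide 9: empty signature value).
    sig = message.get("signature")
    if not sig:
        raise VerifyError("missing or empty signature")
    try:
        provided = base64.b64decode(sig, validate=True)
    except ValueError as e:
        raise VerifyError("malformed signature") from e
    expected = hmac.new(key, canonical(message), hashlib.sha256).digest()
    if not hmac.compare_digest(provided, expected):
        raise VerifyError("signature does not verify")
    # 3. Freshness: Created must lie inside the clock-skew window.
    if abs(now - int(message["created"])) > CLOCK_SKEW:
        raise VerifyError("timestamp outside acceptance window")
    # 4. Replay: each nonce is accepted once within NONCE_TTL.
    if not cache.first_use(message["nonce"], now):
        raise VerifyError("replayed nonce")
    return message["body"]


def is_rejected(message: dict, cache: ReplayCache, now=None) -> bool:
    try:
        verify(message, cache, now)
        return False
    except (VerifyError, KeyError):
        return True
```

The order of the checks is deliberate: signature verification before the replay-cache lookup means an attacker cannot fill the cache with unsigned junk, and the nonce window only has to be as long as the clock-skew window because anything older fails the timestamp check anyway. Replacing the HMAC with XML Signature changes the canonicalization step, not the decision logic.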
11. Web Services OWASP T8 Vulnerability: Failure to Restrict Access
   - Issue highlights:
     - Failure to enforce authentication on WS methods
     - Some web service methods use MQ listeners that can be called without authentication; attackers can exploit them as a gateway to mainframes and messaging systems (e.g. an ESB)
   - Countermeasures:
     - Server-to-server trusted authentication (SAML) across systems
     - Message-level authentication (username/password, Kerberos, X.509, SAML)
     - Application-level authorization (role-based authorization for methods)
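Slides 6 and 11 are two halves of one server-side check: the caller must be authenticated, must hold a role allowed to invoke the method, and must be entitled to the specific object the message references (the account number in the banking case). The following is an added example, not code from the slides; the account-owner table, the role-to-method policy and the six-digit account format are all constructed for it. Validating the reference's format before it is used also closes the SQL-injection path slide 6 mentions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by message-level authentication."""
    subject: str
    roles: frozenset


# Constructed data: account number -> owning subject.
ACCOUNT_OWNERS = {"100200": "alice", "100201": "alice", "300400": "bob"}

# Assumed method-level policy: which roles may invoke each WS operation.
METHOD_ROLES = {
    "getBalance": frozenset({"customer", "teller"}),
    "transfer": frozenset({"customer"}),
    "closeAccount": frozenset({"teller"}),
}

# Assumed format of an account number; anything else never reaches SQL.
ACCOUNT_RE = re.compile(r"\d{6}")


class AccessDenied(PermissionError):
    pass


def authorize(principal, method: str, account: str) -> str:
    """Returns the owner of `account` if `principal` may call `method` on it;
    raises AccessDenied otherwise."""
    # (a) An unauthenticated caller (e.g. a message arriving via an MQ listener
    #     with no authentication) is denied before anything else is looked at.
    if principal is None:
        raise AccessDenied("unauthenticated caller")
    # (b) Method-level RBAC; methods absent from the policy are denied by default.
    allowed = METHOD_ROLES.get(method)
    if allowed is None or not (principal.roles & allowed):
        raise AccessDenied(f"role not permitted to call {method}")
    # (c) Syntactic validation of the object reference before any lookup.
    if ACCOUNT_RE.fullmatch(account) is None:
        raise AccessDenied("malformed account reference")
    # (d) Object-level check: the reference must resolve, and the caller must
    #     own it unless the role is allowed to act on any account (tellers here).
    owner = ACCOUNT_OWNERS.get(account)
    if owner is None:
        raise AccessDenied("account not accessible")  # same message as not-owned
    if "teller" not in principal.roles and owner != principal.subject:
        raise AccessDenied("account not accessible")
    return owner


def is_authorized(principal, method: str, account: str) -> bool:
    try:
        authorize(principal, method, account)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    bob = Principal("bob", frozenset({"customer"}))
    print(is_authorized(alice, "getBalance", "100200"))  # True
    print(is_authorized(bob, "getBalance", "100200"))    # False: not bob's account
```

Two details matter in practice. The "not found" and "not owned" cases return the same error so a caller cannot enumerate valid account numbers, and the format check sits before the lookup so the reference is never interpolated into a query unvalidated.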
12. Web Services OWASP T9 Vulnerability (New Proposal): Broken XML
   - Issue highlights:
     - Web services rely on XML document binding: data parameters are encoded and parsed, and can be injected
     - Failure to validate parameters, well-formedness and XSD conformance can lead to DoS
     - Recursive entity expansion (DTD based, the "billion laughs" pattern) can lead to DoS
     - Injected CDATA sections (whose content is not interpreted as markup) can fail the parser
   - Countermeasures:
     - Constrain the XML size and structure with an XSD schema. Do not rely on DTDs: the SOAP specification does not allow DTDs in messages, so a message that carries one should be rejected
     - Do not use old versions of the Xerces parser (prone to DoS)
     - Validate all input and encode output
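Slides 5 and 12 both come down to a parsing policy applied before the message body is processed: cap the size, refuse any DOCTYPE (and with it every entity declaration), cap nesting depth, and only then check the document is the SOAP envelope the service expects. The following is an added example, not code from the slides; the 64 KiB and 32-level limits are assumed policy values, the SOAP 1.1 envelope namespace is the standard one, and the sample messages, including a deliberately small billion-laughs document, are constructed for the test. It uses the standard library's expat binding directly for the policy pass so that the DOCTYPE is rejected before any entity is expanded.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_MESSAGE_BYTES = 64 * 1024    # assumed limit for this service
MAX_ELEMENT_DEPTH = 32           # assumed limit
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


class UnsafeXML(ValueError):
    """Raised when a message violates the parsing policy."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires as soon as <!DOCTYPE is seen, before any entity is declared or expanded.
    raise UnsafeXML("DOCTYPE/DTD declarations are not allowed in SOAP messages")


def _reject_entity(*args):
    raise UnsafeXML("entity declarations are not allowed")


def check_message(raw: bytes) -> None:
    """Policy pass: size, DTD presence and nesting depth. Raises UnsafeXML."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise UnsafeXML(f"message of {len(raw)} bytes exceeds {MAX_MESSAGE_BYTES}")
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_ELEMENT_DEPTH:
            raise UnsafeXML("element nesting too deep")

    def end(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from e


def parse_soap_body(raw: bytes) -> ET.Element:
    """Returns the SOAP 1.1 Body element of a message that passed the policy."""
    check_message(raw)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise UnsafeXML("root element is not a SOAP 1.1 Envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise UnsafeXML("missing SOAP Body")
    return body


def is_accepted(raw: bytes) -> bool:
    try:
        parse_soap_body(raw)
        return True
    except UnsafeXML:
        return False


# Constructed samples.
GOOD_MESSAGE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getBalance><account>123</account></getBalance></soap:Body>
</soap:Envelope>"""

# Three levels of recursive entity expansion; real attacks use about ten.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

DEEP_NESTING = b"<a>" * 40 + b"x" + b"</a>" * 40
OVERSIZED = b"<x>" + b"y" * MAX_MESSAGE_BYTES + b"</x>"
```

The size check runs on the raw bytes before any parser touches them, which is the only point at which a size limit is cheap. Schema (XSD) validation is not in the standard library; in a real service it follows `parse_soap_body`, after the message has already been shown to be small, DTD-free and shallow.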
13. Web Services OWASP T10 Vulnerability (New Proposal): Identity Misuse
   - Issue highlights:
     - The WS identity is the basis for the claims and assertions used for routing decisions (passing to different backend services), business logic, authentication and access control
     - A misconfigured identity claim can be misused: a token issued for one Google service was valid for any Google service, so a malicious service provider could use it to access other services; similar issues affect other identity providers
   - Countermeasures:
     - Protect the identity from misuse
     - Map identity to the resources used for access control decisions
     - Enforce the scope of SAML assertions (AudienceRestriction: accept only assertions issued for this service)
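The Google example on this slide is an assertion that was valid for any relying party. SAML 2.0 carries the scope in `Conditions/AudienceRestriction/Audience`, and the service consuming the assertion must check that its own entity ID is listed, along with the validity window and the issuer. The following is an added example, not code from the slides or from any SAML toolkit: the issuer, the service's entity ID and the assertion itself are constructed, and it assumes the XML Signature over the assertion has already been verified (slide 10), since the standard library has no XML-DSig.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OUR_ENTITY_ID = "https://payments.example.com/sp"     # assumed entity ID of this service
TRUSTED_ISSUERS = {"https://idp.example.com"}          # assumed identity provider
VALID_TIME = datetime(2009, 8, 20, 10, 2, tzinfo=timezone.utc)    # inside the window
EXPIRED_TIME = datetime(2009, 8, 20, 10, 5, tzinfo=timezone.utc)  # equals NotOnOrAfter


class SamlRejected(ValueError):
    pass


def make_assertion(audience):
    """Constructed SAML 2.0 assertion; audience=None omits the restriction."""
    aud = (f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
           "</saml:AudienceRestriction>") if audience else ""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
            'IssueInstant="2009-08-20T10:00:00Z">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="2009-08-20T10:00:00Z" '
            'NotOnOrAfter="2009-08-20T10:05:00Z">'
            f'{aud}</saml:Conditions></saml:Assertion>')


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_for(assertion_xml: str, our_entity_id: str = OUR_ENTITY_ID,
                now: datetime = VALID_TIME, trusted_issuers=TRUSTED_ISSUERS) -> str:
    """Returns the asserted subject if the assertion is scoped to us, from a
    trusted issuer and currently valid. Assumes the signature was verified."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise SamlRejected("not a SAML 2.0 Assertion")
    if root.findtext(f"{{{SAML}}}Issuer") not in trusted_issuers:
        raise SamlRejected("untrusted issuer")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlRejected("no Conditions element")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None or not (_parse_time(nb) <= now < _parse_time(na)):
        raise SamlRejected("assertion not valid at this time")
    # Scope check: an assertion with no audience, or one naming another
    # service, must not be accepted here (the slide's Google case).
    audiences = [a.text for a in cond.iterfind(
        f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if our_entity_id not in audiences:
        raise SamlRejected("assertion not scoped to this service")
    subject = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not subject:
        raise SamlRejected("no subject")
    return subject


def is_rejected(assertion_xml: str, **kwargs) -> bool:
    try:
        subject_for(assertion_xml, **kwargs)
        return False
    except SamlRejected:
        return True
```

Note that an assertion with no `AudienceRestriction` at all is rejected, not accepted: "valid anywhere" is exactly the misconfiguration the slide describes. `NotOnOrAfter` is exclusive, per the SAML specification, which is why the comparison is `now < NotOnOrAfter`.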
14. Discussion Forum: Q&A
   - Are web services based architectures (SOA, SaaS) used in your organization?
     - Which assessment processes, guidelines and testing tools are being deployed for securing web services?
   - Which challenges have you faced in deploying web services in your organization?
     - Integration with backend services: MQ/ESB?
     - Trusted authentication: Kerberos SSO, SAML?
   - Can cloud computing and web services be made secure?
     - Do WS-Security and SAML buy security?
15. Further OWASP Web Services References
   - Guide to Building Secure Web Applications and Web Services (Development Guide)
   - Web Services Portal
   - Web Services Security Project
   - Testing Guide: Web Service Security Test Cases