Web Service Security
Web Service Security by Nabarun Sengupta @ null Pune Meet, March, 2011

Speaker notes:
  • The Windows Communication Foundation (or WCF) is an application programming interface (API) in the .NET Framework for building connected, service-oriented applications.
  • Reference: http://msdn.microsoft.com/en-us/library/aa480155.aspx Trace Viewer is a utility to easily navigate through WCF service call log files. Trace Viewer provides details about the different parameters of a WCF service call, for example: request, response, exception etc. Config Editor allows configuring the different options in a config file for WCF services through a UI.
  • Difference between asmx and wcf http://www.aspdotnetarchitect.com/post/WCF-versus-ASMX-services.aspx
  • Service Contract: describes which operations the client can perform on the service. There are two types of service contract attribute. Service Contract – the attribute used to define the interface. Operation Contract – the attribute used to define the methods inside the interface. Data Contract: which data types are passed to and from the service. WCF defines implicit contracts for built-in types such as int and string, but we can easily define explicit opt-in data contracts for custom types. There are two types of data contract attribute. Data Contract – the attribute used to define the class. Data Member – the attribute used to define the properties. If the DataMember attribute is not specified for a property in the class, that property can’t be passed to or from the web service. Fault Contracts – define which errors are raised by the service, and how the service handles and propagates errors to its client. Message Contracts – allow the service to interact directly with the messages. Message contracts can be typed or untyped.
  • * If a developer is using VSTS as his/her development platform, the web.config template that is generated has metadata enabled by default. The template itself even tells you to avoid exposing the metadata.
  • WCF publishes MEX with a /MEX request; this can be done by a POST request to a /MEX endpoint. WS-Discovery, which was released with version 4, also helps in discovering endpoints. It works like this: every service that comes up or goes down broadcasts a Hello or Bye message over UDP. WS-Discovery intercepts these messages to identify whether the services are up or not. There are two communication modes for this: Ad hoc and Managed mode. The difference is that in managed mode there is a central repository which keeps a log of all these Hello and Bye UDP requests.
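As an added example (not code from the talk), the service, operation, data and fault contract attributes described in the notes above, applied to a hypothetical account-lookup service; every type and member name here is an assumption. The points worth seeing in code are that DataMember is opt-in (an unmarked property never crosses the wire in either direction), that a method without OperationContract is invisible in the metadata, and that a FaultContract bounds what a caller learns about errors:

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

// Added example, not code from the talk: the service, operation, data and
// fault contract attributes from the note above on a hypothetical
// account-lookup service. All type and member names are made up.

// Data contract: opt-in. Only members marked [DataMember] are serialized.
[DataContract]
public class Account
{
    [DataMember] public string AccountId { get; set; }
    [DataMember] public decimal Balance { get; set; }

    // No [DataMember]: never serialized in either direction, so a client can
    // neither read it nor set it. Internal state belongs here, not in the contract.
    public string InternalRiskFlag { get; set; }
}

// Fault contract payload: the only error detail a client is meant to see.
[DataContract]
public class AccountFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

// Service contract: the interface. Operation contract: each exposed method.
[ServiceContract(Namespace = "http://example.invalid/accounts")]
public interface IAccountService
{
    [OperationContract]
    [FaultContract(typeof(AccountFault))]
    Account GetAccount(string accountId);

    // No [OperationContract]: WCF ignores this method, so it does not appear
    // in the WSDL/MEX metadata and cannot be called remotely.
    void ResetAll();
}

public class AccountService : IAccountService
{
    public Account GetAccount(string accountId)
    {
        if (string.IsNullOrWhiteSpace(accountId))
        {
            // Typed fault: deliberate and minimal. Without a FaultContract a thrown
            // exception becomes a generic fault, or a full exception dump if
            // includeExceptionDetailInFaults is switched on in the host config.
            throw new FaultException<AccountFault>(
                new AccountFault { Code = "BadRequest", Message = "accountId is required" });
        }

        // Lookup is stubbed for the example; InternalRiskFlag is populated but
        // never leaves the process because it carries no [DataMember].
        return new Account { AccountId = accountId, Balance = 0m, InternalRiskFlag = "low" };
    }

    public void ResetAll() { }
}
```

When reviewing a WCF service, the quickest check is to compare the WSDL/MEX output against the source: anything reachable that is not on an OperationContract, or any property leaving the process that is not a DataMember, means the metadata is not telling the truth about the contract.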
Slide transcript: Web Service Security

Slide 1: Source Boston 2010

Slide 2:
  • Member of security community – Null
  • I am working at Mindtree Limited
  • Champion of Security Square
  • Like Hacking
  • Executed 6 security projects
  • Tested web services for ASMX, Java web services and WCF.
  • Currently working on: Web services Security Testing

Slide 3:
  • Web Services Stack
  • WCF Story
  • WCF Overview
  • ASP.NET v/s WCF
  • What is New in WCF?
  • ABC of WCF endpoints
  • WCF Attack – Reconnaissance
  • Obtaining Meta Data from WCF service
  • Manual Testing Utilities

Slide 5:
  • Born in 2006, initially code named Indigo

Slide 6:
  • Replacement for traditional ASP.NET web services
  • WCF is the framework Microsoft encourages developers to use for any kind of network communication.
  • It was introduced in .NET 3.0
  • Bunch of different protocols and message formatting options.
  • In accordance with SOA principles to support distributed computing

Slide 7: ASP.NET web service vs WCF web service
  • Purpose – ASP.NET: solely made for building web services. WCF: provides tools for software entities to communicate in any circumstances.
  • Transport – ASP.NET: supports sending messages via HTTP. WCF: supports HTTP, TCP, named pipes and Microsoft Message Queuing.
  • Facilities for deploying and managing applications – ASP.NET: configuration system. WCF: in addition to the config system, a config editor, activity tracing, trace viewer, message logging, a vast number of performance counters and support for Windows Management Instrumentation.

Slide 10:
  • WCF services have an extension of .svc, in comparison to the historical .asmx extension
  • WCF services are exposed through endpoints
  • Before attacking WCF, some pre-requisites that should be known are the ABCs of WCF web services:
      • Address
      • Binding
      • Contract

Slide 11:
  • Every WCF service has a unique address
      • Transport protocol
      • Location
      • Often uses the .svc file extension when hosted in IIS
  • [transport]://[machine or domain][:optional port]/[optional uri]

Slide 12:
  • “What protocol can I use to talk to this service?”
  • Bindings specify how a service communicates
      • Transport protocol
      • Encoding (message format)
  • Customized or several out-of-the-box bindings

Slide 13:
  • “What can I do with this service?”
  • WCF contracts specify what is communicated to the outside world
  • 4 types of contracts
      • Service: operations that the client can perform
      • Data: defines the data types passed by the service
      • Fault: error handling and propagation
      • Message: allows direct interaction with messages.

Slide 14:
  • Traditional use of WSDL (can be easily exposed through ?wsdl or /wsdl)
  • Preferred mechanism for Metadata Exchange (MEX)
  • Bad news – a secure approach is implemented in the new WCF technologies
  • Good news – most of the applications are built in VSTS *

Slide 15:
  • Both WSDL and MEX are enabled by default when generating WCF configuration in Visual Studio

Slide 17:
  • Note: metadata is not always published over SSL
      • Default Visual Studio template includes
      • But not

Slide 19:
  • Leveraging metadata for manual testing.
      • WcfTestClient
          • Ships with Visual Studio 2008+
          • Automatically parses WSDL or MEX
          • http://weblogs.asp.net/blogs/guillermo/Code/WcfTestClient.zip
      • WCF Storm
          • Supports most WCF bindings, including MC-NBFS over HTTP
          • Free Lite version available
          • http://www.wcfstorm.com/wcf/download-wcfstorm-lite.aspx

Slide 20:
  • Pros
      • Has support for ASMX, WCF and Java web services
      • Easy GUI
      • Inbuilt SOAP generator
  • Cons
      • Commercial tool
      • Trial edition does not provide automation of the injection list.

Slide 21:
  • WSFuzzer is a tool developed by Andres Andreu.
  • Built in Python.
  • Needs JDK 1.6 and Python 2.6 as pre-requisites
  • Helps in automating payload injections against a WSDL URL
  • Useful for automating tests for XSS, SQL injection, insecure IDs and malicious command injection.

Slide 22:
  • Secure bindings support message security based on WS-Security standards
      • NetTcpBinding
          • Binary XML message format
      • wsHttpBinding
          • SOAP/XML over HTTP/S
      • many more…
  • Multiple credential options
      • Windows, Certificate, Username, Anonymous, IssuedToken

Slide 23:
  • http://www.owasp.org/images/d/d0/Web_Services_Hacking_and_Hardening.pdf

Slide 24:
  • Nabarun Sengupta
      • Senior Test Engineer,
      • Mindtree Limited
      • Email Id: [email_address]
  • Mobile: 9689881811
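Pulling together the metadata exposure from slides 14 to 17 (and the speaker note on the Visual Studio template) with the secure bindings on slide 22, here is an added example, not code from the talk, of a self-hosted WCF service configured from the defender's side: WSDL off over plain HTTP, a MEX endpoint only over HTTPS and only when explicitly requested, exception detail kept out of faults, and wsHttpBinding with WS-Security message security using one of the credential types listed on the slide. The service, addresses and port are assumptions, and the https base address needs a certificate bound to that port on the host:

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not code from the talk. A self-hosted WCF service whose host
// configuration closes the exposures the deck describes: metadata (WSDL/MEX)
// published over plain HTTP by the default template, and a binding without
// message security. Service name, addresses and port are hypothetical.

[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping(string caller);
}

public class PingService : IPingService
{
    public string Ping(string caller) => "pong for " + caller;
}

public static class SecureHostFactory
{
    // publishMetadata: keep false in production. The deck's point is that the
    // Visual Studio template leaves metadata on and reachable over HTTP.
    public static ServiceHost Create(bool publishMetadata)
    {
        var host = new ServiceHost(typeof(PingService),
            new Uri("http://localhost:8000/ping"),
            new Uri("https://localhost:8443/ping"));   // assumes an SSL cert bound to 8443

        // Metadata. The template's web.config equivalent is
        //   <serviceMetadata httpGetEnabled="true"/>
        //   <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        // Here ?wsdl over HTTP is off; MEX, if enabled at all, is served only over HTTPS.
        var metadata = new ServiceMetadataBehavior { HttpGetEnabled = false, HttpsGetEnabled = false };
        host.Description.Behaviors.Add(metadata);
        if (publishMetadata)
        {
            metadata.HttpsGetEnabled = true;
            host.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName,
                MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");
        }

        // Faults. Exception text and stack traces must never reach the caller;
        // only FaultContract data should leave the service.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug == null)
        {
            debug = new ServiceDebugBehavior();
            host.Description.Behaviors.Add(debug);
        }
        debug.IncludeExceptionDetailInFaults = false;

        // Binding. wsHttpBinding with WS-Security message security: the SOAP
        // body is signed and encrypted end to end, and the caller authenticates
        // with Windows credentials (one of the credential options on the slide).
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IPingService), binding, "");

        return host;
    }

    public static void Main()
    {
        using (var host = Create(publishMetadata: false))
        {
            host.Open();
            // Lists every endpoint actually exposed; with publishMetadata false
            // there is no IMetadataExchange entry and no ?wsdl page.
            foreach (var ep in host.Description.Endpoints)
                Console.WriteLine($"{ep.Contract.Name} at {ep.Address} via {ep.Binding.Name}");
            Console.WriteLine("Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

For an IIS-hosted service the same hardening lives in web.config: httpGetEnabled="false" (and httpsGetEnabled only where metadata is genuinely needed) on serviceMetadata, a mex endpoint on mexHttpsBinding or no mex endpoint at all, includeExceptionDetailInFaults="false" on serviceDebug, and a wsHttpBinding or netTcpBinding with message security rather than basicHttpBinding. Checking those four settings is the review counterpart of the reconnaissance steps the deck walks through.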