
Web Service Security


Web Service Security by Nabarun Sengupta @ null Pune Meet, March, 2011

Published in: Technology


  1. 1. Source Boston 2010
  2. 2.
      • Member of security community – Null
      • I am working at Mindtree Limited
      • Champion of Security Square
      • Like Hacking
      • Executed 6 security projects
      • Tested web services for ASMX, Java web service and WCF.
      • Currently working on:
          • Web services Security Testing
  3. 3.
      • Web Services Stack
      • WCF Story
      • WCF Overview
      • ASP.NET vs. WCF
      • What is New in WCF?
      • ABC of WCF endpoints
      • WCF Attack: Reconnaissance
      • Obtaining Meta Data from WCF service
      • Manual Testing Utilities
  4. 5.
      • Born in 2006, initially code-named Indigo
  5. 6.
      • Replacement for traditional ASP.NET web services
      • WCF is a framework that Microsoft encourages developers to use for any kind of network communication.
      • It was introduced in .NET 3.0
      • Supports a range of protocols and message-formatting options.
      • Built in accordance with SOA principles to support distributed computing
  6. 7. ASP.NET web service vs. WCF web service
      • ASP.NET web service
          • Made solely for building web services
          • Supports sending messages via HTTP
          • Configuration system
      • WCF web service
          • Provides tools for any circumstance in which software entities need to communicate
          • Supports transports such as HTTP, TCP, named pipes and Microsoft Message Queuing
          • Richer facilities for deploying and managing applications: in addition to the configuration system, a configuration editor, activity tracing, a trace viewer, message logging, a vast number of performance counters and support for Windows Management Instrumentation
  7. 10.
      • WCF services use the .svc extension, in contrast to the older .asmx extension
      • WCF services are exposed through endpoints
      • Before attacking WCF, the prerequisites to know are the ABCs of WCF web services:
          • Address
          • Binding
          • Contract
  8. 11.
      • Every WCF service has a unique address
          • Transport protocol
          • Location
          • Often uses the .svc file extension when hosted in IIS
      • [transport]://[machine or domain][:optional port]/[optional uri]
  9. 12.
      • “What protocol can I use to talk to this service?”
      • Bindings specify how a service communicates
          • Transport protocol
          • Encoding (message format)
      • Custom bindings or several out-of-the-box bindings
  10. 13.
      • “What can I do with this service?”
      • WCF contracts specify what is communicated to the outside world
      • 4 types of contracts
          • Service: operations that the client can perform
          • Data: defines the data types passed by the service
          • Fault: error handling and propagation
          • Message: allows direct interaction with messages.
  11. 14.
      • Traditional use of WSDL (can be easily exposed through ?wsdl or /wsdl)
      • Preferred mechanism for Metadata exchange (MEX)
      • Bad news: Secure approach is implemented in new WCF technologies
      • Good news: Most of the applications are built in VSTS *
  12. 15.
      • Both WSDL and MEX are enabled by default when generating WCF configuration in Visual Studio
  13. 17.
      • Note: MetaData not always published over SSL
          • Default Visual Studio Template includes
          • But Not
  14. 19.
      • Leveraging MetaData for Manual Testing.
          • WcfTestClient
              • Ships with Visual Studio 2008+
              • Automatically parses WSDL or MEX
              • http://weblogs.asp.net/blogs/guillermo/Code/WcfTestClient.zip
          • WCF Storm
              • Supports most WCF bindings, including MC-NBFS over HTTP
              • Free Lite version available
              • http://www.wcfstorm.com/wcf/download-wcfstorm-lite.aspx
  15. 20.
      • Pros
          • Has support for ASMX, WCF and Java web services
          • Easy GUI
          • Inbuilt SOAP generator
      • Cons
          • Commercial tool
          • Trial edition does not provide automation of injection list.
  16. 21.
      • WSFuzzer is a tool developed by Andres Andreu.
      • Built in Python.
      • Requires JDK 1.6 and Python 2.6
      • Helps in automating payload injections against a WSDL URL
      • Useful for automating tests for XSS, SQL injection, insecure IDs and malicious command injection.
  17. 22.
      • Secure bindings support Message Security based on WS-Security standards
          • NetTcpBinding
              • Binary XML message format
          • wsHttpBinding
              • SOAP/XML over HTTP/S
          • many more…
      • Multiple credential options
          • Windows, Certificate, Username, Anonymous, IssuedToken
  18. 23.
      • http://www.owasp.org/images/d/d0/Web_Services_Hacking_and_Hardening.pdf
  19. 24.
      • Nabarun Sengupta
          • Senior Test Engineer,
          • Mindtree Limited
          • Email Id: [email_address]
      • Mobile: 9689881811
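
Slides 15, 17 and 22 describe WSDL/MEX metadata being enabled by default, metadata published without SSL, and bindings with selectable security. The following is an added example, not part of the original deck, of a defender-side check that audits a WCF configuration for those three settings. The function name, rule names and the sample config (service, behavior and binding names) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (hypothetical service, binding and behavior names).
SAMPLE_CONFIG = """
<configuration><system.serviceModel>
  <services>
    <service name="Demo.OrderService" behaviorConfiguration="DemoBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="open"
                contract="Demo.IOrderService"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="open"><security mode="None"/></binding>
    </wsHttpBinding>
  </bindings>
  <behaviors><serviceBehaviors>
    <behavior name="DemoBehavior"><serviceMetadata httpGetEnabled="true"/></behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>
"""

def audit_wcf_config(xml_text):
    """Return sorted (rule, name) findings; rule names are this example's own."""
    root = ET.fromstring(xml_text)
    findings = []
    # WSDL served over plain HTTP (?wsdl) when httpGetEnabled is true.
    for behavior in root.iter("behavior"):
        meta = behavior.find("serviceMetadata")
        if meta is not None and meta.get("httpGetEnabled", "false").lower() == "true":
            findings.append(("wsdl-over-http", behavior.get("name", "")))
    # MEX endpoint published with the non-SSL mexHttpBinding.
    for service in root.iter("service"):
        for endpoint in service.iter("endpoint"):
            if (endpoint.get("contract") == "IMetadataExchange"
                    and endpoint.get("binding") == "mexHttpBinding"):
                findings.append(("mex-plain-http", service.get("name", "")))
    # Binding whose security is explicitly switched off (defaults not evaluated).
    for binding in root.iter("binding"):
        sec = binding.find("security")
        if sec is not None and sec.get("mode", "").lower() == "none":
            findings.append(("binding-security-none", binding.get("name", "")))
    return sorted(findings)

if __name__ == "__main__":
    for rule, name in audit_wcf_config(SAMPLE_CONFIG):
        print(f"{rule}: {name}")
```

The check only reports settings written explicitly in the file; a binding that relies on its built-in default security mode is not evaluated.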
