This document summarizes a presentation on hacking Web 2.0 technologies and web services. The presentation discusses security concerns with Ajax, including attacks like cross-site scripting and request forgery. It also covers fingerprinting Ajax frameworks, vulnerabilities in Ajax data structures and serialization, and defenses like validating data and avoiding client-side logic. Regarding web services, the document outlines methods for discovery, profiling, and attacks like injection flaws and insecure direct object references. It emphasizes the need for code analysis and filtering input through an IHTTPModule firewall module.
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 2 out of 3
Script injection attacks: including cross-site scripting, malvertising, MITM
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan... by Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from real-world research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate the step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored to make testing easier for researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) by Shreeraj Shah
Browsers are escalating their feature set to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3. These form the backbone of next generation applications running on mobile, PDA devices or desktops. The blend of DOM (remote execution stack), XHR L2 (sockets for injections) and HTML5 (exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook and Yahoo. It is essential to understand the attack surface and vectors to protect next generation applications. The attack surface has expanded enormously with the inclusion of features like audio/video tags, drag/drop APIs, CSS opacity, localStorage, web workers, DOM selectors, mouse gesturing, native JSON, cross-site access controls, offline browsing, etc. This extension of the attack surface and exposure of server-side APIs allows an attacker to perform the following lethal attacks and abuses.
XHR abuse with attacking Cross Site access controls using level 2 calls
JSON manipulations and poisoning
DOM API injections and script executions
Abusing HTML5 tag structure and attributes
Localstorage manipulation and foreign site access
Attacking client side sandbox architectures
DOM scrubbing and logical abuse
Browser hijacking and exploitation through advanced DOM features
One-way CSRF and abusing vulnerable sites
DOM event injections and controlling (Clickjacking)
Hacking widgets, mashups and social networking sites
Abusing client side Web 2.0 and RIA libraries
We will be covering the above attacks and their variants in detail along with some real life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.
Modern Architectures with Spring and JavaScript by martinlippert
JavaScript becomes more and more important for implementing full-featured rich client applications in the browser. Therefore our classical ideas and blueprints for Spring-based architectures have to change. This talk provides a high-level overview of these changes and talks about how to combine Spring on the server side to implement RESTful and HATEOAS APIs with JavaScript on the client side to realize full client-side apps in your browser. The talk discusses the basic ideas and motivations behind this shift in architectures without going too deep into all the technical details.
Building Cross Platform Mobile Web Apps by James Pearce
Frameworks like Sencha Touch are heralding a new way of building mobile services using Javascript, HTML5 and CSS3. If you want to discover how to use standard web technologies to reach your mobile users in beautiful app-like ways, this session is for you.
We explore the possibilities that each of these rich, standards-based libraries can bring, we show how the mobile device is fast becoming a first-class Javascript run-time environment, and we discuss how we might be on the dawn of a new web age, where mobile and client-side applications can immerse billions of users with exciting, contextually-aware experiences.
Building Cloud-Based Cross-Platform Mobile Web Apps by James Pearce
As presented at http://www.meetup.com/MobileCloud/events/17159747/
The web is always evolving, but we're witnessing a significant architectural shift as services migrate to the cloud, business logic moves to ever-thicker clients, and the web escapes the desktop to become a beautifully mobile medium.
In this environment, web application frameworks like Sencha Touch offer a new way of building mobile services using HTML5, CSS3, and JavaScript. We'll explore the possibilities that this rich, standards-based approach can bring, how to develop mobile web apps that look and feel native on iPhone, Android, and BlackBerry touch devices, and how to leverage the power of cloud-based services to provide scalable and compelling applications in this new world.
Working with Data and Web Services in Microsoft Silverlight 2 by goodfriday
Learn how easy it is to utilize POX, REST, RSS, ATOM, JSON, and SOAP in your Microsoft Silverlight mashup applications. Also learn how to easily access and display data with Silverlight using LINQ and databinding.
HTML5 and the dawn of rich mobile web applications by James Pearce
HTML5 and its related technologies are enabling new ways to build beautiful sites and applications for contemporary mobile devices. Native mobile developers can now use web technologies to surmount cross-platform headaches, and desktop web developers can reach mobile users in familiar, app-like ways. This session explores the state of the art in HTML5-based mobile web frameworks, and demonstrates the practical possibilities that this powerful and standards-based approach can bring.
Performance testing of Ajax applications with JMeter, Vladimir Primakov
This talk will cover automating performance testing of Ajax applications with the free tool JMeter. I will describe the main features and difficulties of automating performance testing of Ajax applications, the specific problems I ran into and how they were solved. I will also give a number of useful tips that may make your life easier if you ever decide to performance-test Ajax applications.
Generating a custom Ruby SDK for your web service or Rails API using Smithy by g2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 3 by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... by Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 by Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already have working for real.
Securing your Kubernetes cluster: a step-by-step guide to success! by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
The Art of the Pitch: WordPress Relationships and Sales by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Shreeraj-Hacking_Web_2
1. Hacking Web 2.0
Art and Science of Vulnerability Detection
Shreeraj Shah
Pune,India
2. Who am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
• Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
• Past experience
– Net Square, Chase, IBM & Foundstone
• Interest
– Web security research
• Published research
– Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan,
wsChess etc.
– Advisories - .Net, Java servers etc.
• Books (Author)
– Hacking Web Services (Thomson 2006)
– Web Hacking (AWL 2003)
– Web 2.0 Security (Work in progress)
3. Agenda
• Web 2.0 overview and security concerns
• Ajax Security – Attacks and Defense
– Methods
– Vectors
– Defense
• Web Services – Attacks and Defense
– Methodology
– Assessment and Tools
– Defense
4. Web 2.0 Trends
• 80% of companies are investing in Web
Services as part of their Web 2.0 initiative
(McKinsey2007 Global Survey)
• By the end of 2007, 30 percent of large
companies will have some kind of Web 2.0-
based business initiative up and running.
(Gartner)
• 2008. Web Services or Service-Oriented
Architecture (SOA) would surge ahead.
(Gartner)
5. Web 2.0 – Ajax & Web Services
[Diagram: a browser running HTML / JS / DOM, Ajax and RIA (Flash) talks over the Internet to Web Services, RSS feeds and blogs, which in turn front resources such as documents, news, emails, weather, bank/trade, a local application, a database and authentication.]
6. Web 2.0 Layers
• Browser – Ajax, Flash / RIA, HTML/CSS, JavaScript, Widget, DOM
• Structures – XML, JSON
• Protocols – JSON-RPC, REST, XML-RPC, SOAP, HTTP(S)
• Server-Side – Services, SaaS, Open APIs
7. Technologies
[Diagram: three zones, Internet – DMZ – Trusted. Internet: the Ajax / RIA client and scripted client frameworks. DMZ: the web server and engine serving static pages (HTML, HTM etc.) and dynamic pages (ASP, DHTML, PHP, CGI etc.), an integrated application server (ASP.NET with .Net, J2EE app server) and Web Services. Trusted: the DB on the internal/corporate network. SOAP, REST, XML-RPC, JSON etc. flow across the zones.]
8. Web 2.0 Security
• Complex architecture and confusion with
technologies
• Web 2.0 worms and viruses – Samy,
Yamanner & SpaceFlash
• Ajax and JavaScripts – Client side attacks
are on the rise
• Web Services attacks and exploitation
• Flash clients are running with risks
9. Ajax Security – Attacks & Defense
• Basics
• Structures and streams
• Fingerprinting
• Scanning and Enumeration
• XSS and CSRF issues
• Securing code base
10. Ajax basics
• Asynchronous JavaScript and XML
[Diagram: on the browser side HTML / CSS, JS / DOM and XMLHttpRequest (XHR); on the server side the Web Server, XML / Middleware / Text and Database / Resource; XHR calls run asynchronously over HTTP(S).]
11. Ajax - Sample
function loadhtml()
{
    var http;
    // Standards-compliant browsers
    if (window.XMLHttpRequest) {
        http = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        // Older Internet Explorer: try the newer MSXML object first
        http = new ActiveXObject("Msxml2.XMLHTTP");
        if (!http) {
            http = new ActiveXObject("Microsoft.XMLHTTP");
        }
    }
    // Asynchronous GET of main.html
    http.open("GET", "main.html", true);
    http.onreadystatechange = function()
    {
        if (http.readyState == 4) {
            var response = http.responseText;
            // The response is written straight into the DOM as HTML;
            // any script it carries runs in this page's context (see XSS later)
            document.getElementById('main').innerHTML = response;
        }
    };
    http.send(null);
}
12. Ajax & Data structures
• Ajax uses various data streams
• Developers are innovating in this field
• JavaScript can talk with back end sources
• Mashup applications can be leveraged
• It is important to understand these streams
• They have significant security impact
• JSON, Array, JS-Object etc.
13. Cross-domain calls
• Browser security doesn’t support cross
domain calls
• But a cross domain callback with JavaScript
is possible
• This can be a lethal attack since cross
domain content gets executed in the
current DOM context.
• Developers put a proxy in place to bypass the SOP.
14. Ajax fingerprinting
• Determining Ajax calls
• Framework fingerprinting
• Running with what?
– Atlas
– GWT
– Etc.
• Ajaxfinger – a tool to achieve this
• Can help in the assessment process
• RIA fingerprinting is possible
15. Ajax attack points
• Ajax components & Widgets
• Cross domain vulnerable browsers and
callback implementations
• DOM manipulation calls and points
• Insecure eval()
• HTML tags
• Intranet nodes and internal resources
16. Ajax attack vectors
• Entry point scanning and enumeration
• Cross site scripting (XSS) attacks
• Cross site Request Forgery (CSRF) issues
• Client side code reverse engineering
• Security control and validation bypassing
• Local privacy information enumeration
• Ajax framework exploitation – known bugs
17. Ajax Scanning
• Scanning Ajax components
• Retrieving all JS include files
– Part of <SCRIPT SRC=….>
• Identifying XHR calls
• Grabbing function
• Mapping function to DOM event
• Scanning code for XSS – look for eval()
and document.write()
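The checks slide 17 lists, as an added example that is not part of the deck: a small Node.js static scanner run over a constructed sample page modelled on the loadhtml() sample from slide 11. The regexes and the SAMPLE source are assumptions; a real audit would use a JavaScript parser, but this is enough to enumerate script includes, XHR endpoints, function-to-event mappings and the eval()/document.write()/innerHTML sinks the slide says to look for.

```javascript
// Added example (not from the deck): a small static scanner for the checks on
// slide 17. Run with Node.js. Regex-based, so it is an aid to review, not an
// AST-accurate analysis; the patterns and the SAMPLE page are assumptions.

// Risky sinks slides 17 and 20 tell the reviewer to look for
const SINK_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/g },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/g },
  { name: "innerHTML", re: /\.innerHTML\s*=/g },
  { name: "string-timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["']/g },
];

// Ways an XHR object is created, and where it is pointed
const XHR_PATTERNS = [
  /new\s+XMLHttpRequest\s*\(/g,
  /new\s+ActiveXObject\s*\(\s*["'](?:Msxml2|Microsoft)\.XMLHTTP["']\s*\)/g,
  /\.open\s*\(\s*["'](GET|POST|PUT|DELETE)["']\s*,\s*["']([^"']+)["']/g,
];

// 1-based line number of a character offset in src
function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

// Run a global regex over src and collect every match with its line
function findAll(src, re) {
  const hits = [];
  re.lastIndex = 0;
  let m;
  while ((m = re.exec(src)) !== null) {
    hits.push({ line: lineOf(src, m.index), match: m });
  }
  return hits;
}

function scanSource(src) {
  const report = { includes: [], xhr: [], functions: [], events: [], sinks: [] };
  // <script src=...> include files
  for (const h of findAll(src, /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi)) {
    report.includes.push({ line: h.line, src: h.match[1] });
  }
  // XHR construction and the URLs passed to open()
  for (const re of XHR_PATTERNS) {
    for (const h of findAll(src, re)) {
      report.xhr.push({ line: h.line, text: h.match[0], url: h.match[2] || null });
    }
  }
  // Named function declarations
  for (const h of findAll(src, /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g)) {
    report.functions.push({ line: h.line, name: h.match[1] });
  }
  // Inline DOM event attributes mapped to the function they call
  for (const h of findAll(src, /\s(on[a-z]+)\s*=\s*["']\s*([A-Za-z_$][\w$]*)\s*\(/gi)) {
    report.events.push({ line: h.line, event: h.match[1].toLowerCase(), calls: h.match[2] });
  }
  // Sinks
  for (const s of SINK_PATTERNS) {
    for (const h of findAll(src, s.re)) {
      report.sinks.push({ line: h.line, sink: s.name });
    }
  }
  return report;
}

// Constructed sample page, modelled on the deck's loadhtml() sample
const SAMPLE = `<html><head>
<script src="/js/atlas.js"></script>
<script>
function loadhtml() {
  var http = new XMLHttpRequest();
  http.open("GET", "main.html", true);
  http.onreadystatechange = function() {
    if (http.readyState == 4) {
      document.getElementById('main').innerHTML = http.responseText;
    }
  };
  http.send(null);
}
function showProfile(data) {
  var obj = eval("(" + data + ")");
  document.write(obj.name);
}
</script></head>
<body onload="loadhtml()"><a href="#" onclick="showProfile(resp)">go</a></body></html>`;

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```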
18. Ajax serialization issues
• Ajax processes information coming from
the server and third-party sources –
XSS opportunities
message = {
    from : "john@example.com",
    to : "jerry@victim.com",
    subject : "I am fine",
    body : "Long message here",
    showsubject :
        function(){document.write(this.subject)}   // XSS: subject is written to the DOM unescaped
};
19. Ajax serialization issues
• JSON issues
{"bookmarks":[{"Link":"www.example.com","Desc":"Interesting link"}]}
• JS – Array manipulation
new Array("Laptop", "Thinkpad", "T60", "Used", "900$", "It is great and I have used it for 2 years")
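The serialization sinks of slides 18 to 20 side by side, as an added Node.js example that is not part of the deck: eval() versus JSON.parse for turning a stream into an object, and document.write-style concatenation versus escaped output for the showsubject renderer. The two sample streams are constructed, and the renderers return HTML strings instead of writing to a DOM so the result can be checked outside a browser.

```javascript
// Added example (not from the deck): the serialization sinks of slides 18-20,
// insecure and hardened. Runs under Node.js; the sample streams are
// constructed. In a browser the sink would be document.write/innerHTML; here
// the rendered string is returned so it can be inspected.

// Records whether parsing a stream ran any code
const sideEffects = { count: 0 };

// INSECURE: eval() turns a JSON-RPC / JS-object stream into an object, but it
// also executes any JavaScript the stream carries (functions, expressions).
function parseStreamUnsafe(text) {
  return eval("(" + text + ")");
}

// HARDENED: JSON.parse accepts data only; functions, calls and unquoted keys
// raise a SyntaxError instead of running.
function parseStreamSafe(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Escape the five characters that matter when text lands inside HTML
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Slide 18's showsubject as two renderers. The unsafe one does what
// document.write(this.subject) does; the safe one escapes first.
function renderSubjectUnsafe(msg) {
  return "<b>" + msg.subject + "</b>";
}
function renderSubjectSafe(msg) {
  return "<b>" + escapeHtml(msg.subject) + "</b>";
}

// Constructed streams: plain JSON (slide 19), and a stream that is valid
// JavaScript but not JSON because it carries an expression with a side effect.
const BOOKMARKS = '{"bookmarks":[{"Link":"www.example.com","Desc":"Interesting link"}]}';
const CODE_STREAM = '{"subject": (sideEffects.count++, "I am fine")}';

function demo() {
  const before = sideEffects.count;
  const viaEval = parseStreamUnsafe(CODE_STREAM);   // runs the expression
  const viaJson = parseStreamSafe(CODE_STREAM);     // rejected as data
  return {
    evalRanCode: sideEffects.count === before + 1,
    evalSubject: viaEval.subject,
    jsonRejected: !viaJson.ok,
    bookmarksLink: parseStreamSafe(BOOKMARKS).value.bookmarks[0].Link,
    unsafeHtml: renderSubjectUnsafe({ subject: "<i>hi</i>" }),
    safeHtml: renderSubjectSafe({ subject: "<i>hi</i>" }),
  };
}

console.log(demo());
```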
20. Ajax and JS manipulation
• JavaScript exploitation – XSS
• Identifying DOM points like
document.write()
• Eval() – another interesting point
• Attack APIs and tools for exploitation
• Lot can be done by an attacker from
session hijacking to key loggers
21. Ajax and RSS injection
• RSS feeds are another entry point to the
browser
• Script injected into an RSS feed may be
executed by the Ajax call that consumes it.
• One click – a malformed link injected into
the feed can lead to a “javascript:” exploit
• Leveraging events – onClick, onMouse
etc.
22. Ajax Crawling
• Crawling Ajax driven app – a challenge
• Resources are hidden in JavaScript
• Simple scanner will fail
• Crawling with actual DOM context
• Automated crawling with browser is
required
• How?
23. Defending Ajax
• No business logic information on client
side.
• Do not trust third party source – filter it out
• No direct cross domain call back
• Filtering at browser level before
processing information
• Avoiding client side validation
24. Defending Ajax
• No secret in Ajax calls
• Proper data structure selection and
frameworks
• Avoid client side validation
• Securing client side calls like eval() and
document.write()
• HTML tags filtering before serving to end
client
25. Web Services – Attacks & Defense
• Methodology
• Footprinting & Discovery
• Profiling and Enumeration
• Scanning and Fuzzing
• Attack vectors
• Scanning code for vulnerabilities
• Defense by filtering
26. Methodology
Insecure Web Services
Blackbox Whitebox
Footprinting & Discovery
Enumeration & Profiling Code / Config Scanning
Vulnerability Detection
Defense Secure Coding
&
Countermeasure Web Services Firewall
Secure Web Services
27. Footprinting and Discovery
• Objective: Discovering Web Services
running on application domain.
• Methods
– Primary discovery
• Crawling and spidering
• Script analysis and page scrubbing
• Traffic analysis
– Secondary discovery
• Search engine queries
• UDDI scanning
28. Primary Discovery
• Crawling the application and mapping file
extensions and directory structures, like
“.asmx”
• Page scrubbing – scanning for paths and
resources in the pages, like atlas back end
call to Web Services.
• Recording traffic while browsing and
spidering, look for XML based traffic –
leads to XML-RPC, REST, SOAP, JSON
calls.
29. Primary Discovery - Demos
• Page scanning with grep – Look in
JavaScripts for URLs, Paths etc.
• Crawling – Simple!
• Scanning for Atlas references –
Framework creates stubs and proxy. –
scanweb2.0/scanatlas
• Urlgrep can be used as well.
30. Secondary Discovery
• Searching UDDI server for Web Services
running on particular domain.
– Three tactics for it – business, services or
tModel.
• Running queries against search engines
like Google or MSN with extra directives
like “inurl” or “filetype”
– Look for “asmx”
• wsScanner – Discovery!
32. Scanning strategies
• Manual invocation and response analysis.
• Dynamic proxy creation and scanning.
• Auto auditing for various vectors.
• Fuzzing Web Services streams – XML or
JSON
• Response analysis is the key
– Look for fault code nodes
– Enumerating fault strings
– Dissecting XML message and finding bits
– Hidden error messages in JSON
33. Cross Site Scripting (XSS)
• XSS is possible through Web Services.
• It would be DOM based XSS via eval().
• A JSON-RPC based stream comes into the
browser and gets injected into the DOM.
• The source of the stream can be a third
party and untrusted.
• XML streams coming into the browser can
cause XSS via a document.write call.
34. Injection Flaws
• Web Services methods consume
parameters coming from end users.
• It is possible to inject malicious characters
into the stream.
• It can break Web Services code and send
the faultstring back to an attacker
• Various injections possible – SQL and
XPATH
35. Malicious File Execution
• Malicious command can be injected
through the parameter.
• WS supports attachments as well and that
can lead to uploading a file.
• This can give remote command execution
capability to the attacker.
36. Insecure Direct Object Reference
• Injecting characters to break file system
sequences.
• Faultcode spits out internal information if
not protected.
• Customized error shows the file references.
• Access to internal file and full traversal to
directories
• Inspecting methods and parameters in the
profile stage can help.
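Response analysis as slide 32 describes it, together with the faultstring leaks slides 34 to 36 warn about, as an added Node.js example that is not part of the deck: it pulls faultcode, faultstring and detail out of a SOAP response and flags what the fault gives away (database errors, server-side file paths, stack traces). The leak patterns and the two sample responses are constructed.

```javascript
// Added example (not from the deck): classify a SOAP response as slide 32
// suggests and flag the internal details slides 34-36 say a fault can leak.
// Node.js, no XML library; the patterns and samples are assumptions.

const LEAK_RULES = [
  { name: "sql-error", re: /(syntax error|unclosed quotation|ORA-\d{5}|SqlException|mysql_)/i },
  { name: "xpath-error", re: /(XPath|invalid token)/i },
  { name: "file-path", re: /([a-z]:\\[\w\\. -]+|\/(?:etc|var|usr|home)\/[\w\/.-]+)/i },
  { name: "stack-trace", re: /(\bat\s+[\w.]+\.\w+\(|Exception:)/i },
];

// Text between <tag> and </tag>, with or without a namespace prefix
function textOf(xml, tag) {
  const re = new RegExp("<(?:[\\w-]+:)?" + tag + "\\b[^>]*>([\\s\\S]*?)</(?:[\\w-]+:)?" + tag + ">", "i");
  const m = re.exec(xml);
  return m ? decodeEntities(m[1].trim()) : null;
}

function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, "&");
}

function analyzeSoapResponse(xml) {
  const faultcode = textOf(xml, "faultcode");
  const faultstring = textOf(xml, "faultstring");
  const detail = textOf(xml, "detail");
  const result = { isFault: faultcode !== null || faultstring !== null, faultcode, faultstring, leaks: [] };
  // Only the fault text is inspected; a normal result yields no leaks
  const haystack = [faultstring, detail].filter(Boolean).join("\n");
  for (const rule of LEAK_RULES) {
    if (rule.re.test(haystack)) result.leaks.push(rule.name);
  }
  return result;
}

// Constructed responses: a normal result, and a fault that echoes the
// database error and a server-side file path (backslashes doubled for JS)
const OK_RESPONSE =
  '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>' +
  '<GetBookResponse><GetBookResult>Web Hacking</GetBookResult></GetBookResponse>' +
  '</soap:Body></soap:Envelope>';
const FAULT_RESPONSE =
  '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault>' +
  '<faultcode>soap:Server</faultcode>' +
  '<faultstring>System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string &apos;42&apos;.</faultstring>' +
  '<detail><path>C:\\inetpub\\wwwroot\\books\\data\\books.xml</path></detail>' +
  '</soap:Fault></soap:Body></soap:Envelope>';

console.log(analyzeSoapResponse(OK_RESPONSE), analyzeSoapResponse(FAULT_RESPONSE));
```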
37. Cross Site Request Forgery
• CSRF with XML streams
• XML-RPC or SOAP based request can be
generated from browsers.
• Splitting form and XML injection is
possible – interesting trick.
• If Content-Type is not validated on the
server then it can cause a potential CSRF.
• XForms usage in browser can produce
XML requests to attack CSRF.
38. Code Analysis for Web Services
• Scanning the code base.
• Identifying linkages.
• Method signatures and inputs.
• Looking for various patterns for SQL,
LDAP, XPATH, File access etc.
• Checking validation on them.
• Code walking and tracing the base - Key
39. Code filtering with IHTTPModule
• Regular firewall will not work
• Content filtering on HTTP will not work
either since it is SOAP over HTTP/HTTPS
• SOAP level filtering and monitoring would
be required
• ISAPI level filtering is essential
• SOAP content filtering through
IHTTPModule
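Slides 37 and 39 together describe what the firewall module has to check: the Content-Type of anything reaching a SOAP endpoint, and the parameters inside the SOAP body. The deck's implementation is an ASP.NET IHTTPModule; as an added example that is not the deck's code, here is the same rule set as a Node.js filter function so it can be run on its own. The allowed content types, the injection patterns and the three sample requests are assumptions.

```javascript
// Added example (not the deck's IHTTPModule): the checks from slides 37 and 39
// as a standalone Node.js filter. Rule values are assumptions to be tuned.

// A SOAP endpoint should only see these media types. HTML forms cannot send
// them, nor can a form add a SOAPAction header, which is what stops the
// form-based CSRF slide 37 describes.
const ALLOWED_CONTENT_TYPES = ["text/xml", "application/soap+xml"];
const MAX_BODY_BYTES = 64 * 1024;

// Detections for the injection classes of slides 34-36, run on every
// parameter value inside the SOAP body. Detection, not sanitization.
const INJECTION_RULES = [
  { name: "sql-meta", re: /('|--|;|\/\*|\bunion\b|\bselect\b)/i },
  { name: "xpath-meta", re: /(\bor\b\s+['"]?\d|\(\)|\[\s*\d+\s*\])/i },
  { name: "path-traversal", re: /(\.\.[\\/]|\/etc\/|[a-z]:\\)/i },
  { name: "script", re: /<\s*script|javascript:/i },
];

// Text nodes directly enclosed by an element: good enough for SOAP method
// parameters. Node core has no XML parser; a real module would use one.
function extractParameters(body) {
  const params = [];
  const re = />([^<>]+)<\//g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const v = m[1].trim();
    if (v) params.push(v);
  }
  return params;
}

// req = { headers: { lowercase-name: value }, body: string }
function filterRequest(req) {
  const reasons = [];
  const ct = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!ALLOWED_CONTENT_TYPES.includes(ct)) reasons.push("content-type:" + (ct || "missing"));
  if (!("soapaction" in req.headers)) reasons.push("soapaction:missing");
  if (Buffer.byteLength(req.body, "utf8") > MAX_BODY_BYTES) reasons.push("body:too-large");
  if (!/^\s*(<\?xml[^>]*\?>\s*)?<(?:[\w-]+:)?Envelope\b/.test(req.body)) reasons.push("body:not-soap-envelope");
  for (const p of extractParameters(req.body)) {
    for (const rule of INJECTION_RULES) {
      if (rule.re.test(p)) reasons.push(rule.name + ":" + p.slice(0, 40));
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed requests against a hypothetical GetBook method
function soapBody(idValue) {
  return '<?xml version="1.0"?>\n' +
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n' +
    '  <soap:Body>\n' +
    '    <GetBook xmlns="http://example.com/books">\n' +
    '      <id>' + idValue + '</id>\n' +
    '    </GetBook>\n' +
    '  </soap:Body>\n' +
    '</soap:Envelope>';
}
const GOOD_REQUEST = {
  headers: { "content-type": "text/xml; charset=utf-8", "soapaction": '"http://example.com/books/GetBook"' },
  body: soapBody("42"),
};
// What a cross-site HTML form can produce: form encoding, no SOAPAction
const FORM_POST = {
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: "xml=" + encodeURIComponent(soapBody("42")),
};
// A well-formed SOAP request whose parameter carries SQL metacharacters
const INJECTED_REQUEST = {
  headers: GOOD_REQUEST.headers,
  body: soapBody("42' OR '1'='1"),
};

console.log(filterRequest(GOOD_REQUEST), filterRequest(FORM_POST), filterRequest(INJECTED_REQUEST));
```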
40. HTTP Stack for .Net
HttpRuntime -> HttpApplicationFactory -> HttpApplication -> IHttpModule (where the Web Application Firewall & IDS hooks in) -> HttpHandlerFactory -> Handler
41. IHTTPModule for Web Services Firewall
• Code walkthrough – Events and Hooks
• Loading the DLL
• Setting up the rules
• Up and running!
• Demo.