Teaching a New Dog Old Tricks: Web Services
Daniel Grzelak / Colin Wong
RUXCON '06
About Us
- SIFT: independent information security services, http://ww.sift.com.au/
- Daniel Grzelak: technical analyst, [email_address]
- Colin Wong: found him outside, [email_address]
Outline
- Web services basics
- The past, the present, the future
- Client testing
- Web method enumeration
- XML port scanning
- Structured testing framework
Web Services Essentials
- XML-based remote procedure call
- Simple Object Access Protocol (SOAP)
- Web Services Description Language (WSDL)
- Multiple transport bindings: HTTP, SMTP, FTP etc.
- Interoperable, heterogeneous, magical!
  "Oh yeah, aight. Aight, I put on my robe and wizard hat."
Why Test Web Services?
- High enterprise take-up in high value projects:
  - Authentication services
  - Supply chain integration (B2B)
  - Exposing legacy systems
  - External APIs
  - Transactions and critical business functions
- Web services will become increasingly widespread
New Dog, Old Tricks
- Web services share vulnerabilities with traditional distributed technologies
- Lots of the same attacks apply, but with better structure (XML)
- Web services platforms make it "too easy":
  - Code the web service as a traditional object
  - The platform automagically turns it into a service
  - Minimal (if any) security
Client Testing
- Web services security testing tends to focus on the web service itself
- Clients are most often custom made, and these can also be vulnerable
- Clients are where the users are at, and users are the weakest link
- Own the client and you can attack the users
Old Client Tricks
- Similar to JavaScript attacks in web apps: target the browser, not the server
- Large client/server software houses have learnt to look at the client:
  - Internet Explorer
  - Real Player
- Web services clients get overlooked
Client Attacks
- Evil twin: DNS hacking, ARP poisoning
- Hard to execute blind; possession of the client helps
- Testing:
  - Consume the WSDL and become the web service
  - Once the client talks to the cloned web service, fuzz the outputs and analyse the client application's response
  - Thorough logging must exist
Web Method Enumeration
- The WSDL may not describe all allowed operations; it can be manually modified
- Programmers love hidden backdoors
- We would like to be able to find the secrets:
  - Hidden administration interfaces or functions
  - Test or debug functions
  - Anything else we're not supposed to get to
Web Method Search
- Perform a dictionary attack on the web method names in a web service
- Names are typically of the form <verb><noun>:
  - GetToken
  - AuthenticateUser
  - SetPassword
  - CreateAccount
- Create or use ready-made verb and noun lists
Calling Web Methods
The request template, with webMethodName replaced by each candidate name:

    POST http://target.com/ HTTP/1.1
    SOAPAction: http://target.com/webMethodName
    Content-Type: text/xml

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <webMethodName xmlns="tns">a</webMethodName>
      </soap:Body>
    </soap:Envelope>
Analyse Responses
- Test with each verb/noun combination and analyse the web service's response
- The response tells you whether the tested method exists
- Combination exists:
  - Successful call
  - Missing or incorrect parameter errors
  - Illegal argument or null reference errors
- Combination does not exist:
  - Operation not defined errors
  - No such operation or method
  - Bad SOAP action
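The same response categories, turned around for the defender. This is an added example, not a tool from the slides or from SIFT: it classifies each SOAP fault the way the slide above does, then flags a client whose faults show it walking a wordlist of method names. The log line format is an assumption (the server would need to log the SOAPAction name and fault string); the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Fault text that says the method does NOT exist (the slide's second group) ...
UNKNOWN_METHOD = re.compile(r"no such operation|operation .*not defined|bad soap ?action", re.I)
# ... and fault text that says it exists but was called wrongly (the first group).
EXISTS_BAD_ARGS = re.compile(r"missing|incorrect parameter|illegal argument|null ?reference", re.I)

def classify_fault(status, fault):
    """Map one SOAP response to the slide's categories."""
    if status == 200 and not fault:
        return "exists"                      # successful call
    if UNKNOWN_METHOD.search(fault):
        return "unknown_method"
    if EXISTS_BAD_ARGS.search(fault):
        return "exists"                      # exists, but bad arguments
    return "other"

# Constructed log format (an assumption): time client method status "faultstring"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

def parse_line(line):
    ts, client, method, status, fault = LOG_RE.match(line).groups()
    return datetime.fromisoformat(ts), client, method, int(status), fault

def detect_enumeration(lines, threshold=5, window_s=60):
    """{client: [methods]} for clients hitting >= threshold distinct unknown
    methods within any window_s-second window: the signature of a wordlist."""
    misses = defaultdict(list)               # client -> [(time, method)]
    for line in lines:
        ts, client, method, status, fault = parse_line(line)
        if classify_fault(status, fault) == "unknown_method":
            misses[client].append((ts, method))
    flagged = {}
    for client, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {m for t, m in events[i:] if t - start <= timedelta(seconds=window_s)}
            if len(names) >= threshold:
                flagged[client] = sorted(names)
                break
    return flagged

SAMPLE_LOG = [   # constructed sample lines, not real traffic
    '2006-10-01T10:00:01 10.0.0.9 AuthenticateUser 500 "Missing parameter: password"',
    '2006-10-01T10:00:02 10.0.0.5 GetToken 500 "No such operation \'GetToken\'"',
    '2006-10-01T10:00:03 10.0.0.5 GetUser 500 "No such operation \'GetUser\'"',
    '2006-10-01T10:00:04 10.0.0.5 SetPassword 500 "Bad SOAPAction"',
    '2006-10-01T10:00:06 10.0.0.5 CreateAccount 500 "Operation CreateAccount not defined"',
    '2006-10-01T10:00:07 10.0.0.5 DebugDump 500 "No such operation \'DebugDump\'"',
]
```

A legitimate client produces "exists" results against a handful of names; a search produces a burst of distinct "unknown_method" faults, which is what the window check keys on.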
Web Method Searching (For Bugs?)
A fault from an Axis/ColdFusion/JRun endpoint, returning the full stack trace to the caller:

    No such operation 'get'
        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
        at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
        ...
        at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
        at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
        at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
        at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
        at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
        at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
        at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
        at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
        at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
        at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Web Method Searching (For Bugs?)
Other responses seen while searching for method names:

    DirectoryException: cannot automatically create subdirectory http: at

    <result xsi:type="xsd:string">null not in database (yet)</result>

    <b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br />
    <br />
    <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)

    <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring>

- SQL syntax errors
Web Method Search Tool
- Automated execution of the dictionary attack with supplied wordlists
- Analysis of responses against configurable response elements
- A result may match multiple matchers
- Supports multiple weightings
Web Method Search Tool: Demonstration
http://www.sift.com.au/73/0/tools.htm
Workarounds and Mitigating Strategies
- Security through obscurity does not work
- Do not keep web methods secret, because they will not remain secret
- Input validation
XML Port Scanning
- Everyone loves XML: it has become the standard for information exchange
- Ubiquitous support by all vendors and platforms
- Firewalls block most traffic at the perimeter, except maybe 80 and 443
- Can we get behind the firewall to scan? Maybe, if we ask nicely
Traditional Port Scan
Document Type Definition
- Allows you to define the valid elements of an XML document
- Can dynamically build a DTD using references to external DTD definitions
- Can define external entities that can be used within the XML document
XML Parser Abuse
- Abuse the ability of XML parsers to dereference external sources
- Use DTD elements to get the parser to initiate connections on our behalf
- The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1:

    <!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>
    <scan>&test;</scan>
Analyse Responses
- We can infer the result of the attempted connection from the XML parser's response:
  - Closed ports result in a connection refused error
  - Open ports that respond to an HTTP request result in other errors, or no error at all
  - Filtered ports, no such target, or open ports that do not respond to an HTTP request result in a timeout
- Only one port can be scanned per XML document
- Cycle through all target ports and systems
Applicability
- This attack can be launched against XML endpoints
- Cannot be used directly against SOAP: SOAP explicitly disallows DTDs
- Potential targets:
  - AJAX APIs
  - XML document inputs
  - Encoded XML within SOAP parameters
Impacts
- Port scanning of systems in your DMZ
- Effectively transports the scanning to the parser: you can see whatever the XML parser can see
- Firewalls won't help you: XML is valid traffic, and SSL protects the attack traffic
XML Port Scan
XML Port Scanning Demonstration
Workarounds and Mitigating Strategies
- Disable external entity elements, or define the allowed external elements
- Prohibit DTDs
- Exception handling that does not return error messages or details
  - Still allows timeouts to be detected, so some open ports can be detected
  - Closed ports return quickly
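As an added example (not from the slides), the mitigations above applied at the parser: Python's expat hooks let you see every DTD and external entity a document declares and every external source the parser would have fetched, without any connection being made, so the DOCTYPE from the XML Parser Abuse slide can be rejected, or checked against an allow-list of external sources, before a real parser touches it. The class name and verdict strings are assumptions; the scan document is constructed from the slide.

```python
import xml.parsers.expat as expat

class XmlEntityAudit:
    """Inspect a document with expat's declaration hooks. No external source is
    ever fetched: the reference handler answers 'handled' without resolving."""

    def __init__(self, allowed_system_ids=()):
        self.allowed = set(allowed_system_ids)   # "define allowed external elements"
        self.has_dtd = False
        self.external_entities = []              # (entity name, system id) declared
        self.dereferenced = []                   # system ids the parser tried to use
        self.error = None

    def _doctype(self, name, sysid, pubid, has_internal_subset):
        self.has_dtd = True
        if sysid:                                # an external DTD subset is itself a fetch
            self.external_entities.append(("[dtd]", sysid))

    def _entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:                    # SYSTEM/PUBLIC entity, not an internal value
            self.external_entities.append((name, sysid))

    def _external_ref(self, context, base, sysid, pubid):
        self.dereferenced.append(sysid)
        return 1   # "handled": expat treats the entity as empty, no connection is opened

    def run(self, data):
        p = expat.ParserCreate()
        p.StartDoctypeDeclHandler = self._doctype
        p.EntityDeclHandler = self._entity_decl
        p.ExternalEntityRefHandler = self._external_ref
        try:
            p.Parse(data, True)
        except expat.ExpatError as exc:
            self.error = str(exc)
        return self

    def verdict(self, allow_dtd=False):
        """Apply the slide's mitigations: no DTD at all, or only allow-listed sources."""
        if self.error:
            return "reject: malformed"
        if self.has_dtd and not allow_dtd:
            return "reject: DTD present"
        for name, sysid in self.external_entities:
            if sysid not in self.allowed:
                return "reject: external entity %s -> %s" % (name, sysid)
        return "accept"

# The document from the XML Parser Abuse slide, constructed here as test input.
SCAN_DOC = b'<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>\n<scan>&test;</scan>'
```

Because the audit records what the parser tried to dereference, the same class doubles as a detector: logging `dereferenced` on rejected documents shows which internal hosts and ports an attacker was probing.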
Structured Testing
- Web services are popular, and so is testing their security
- However, no structured framework exists, i.e. no OWASP (although some OWASP projects touch on web services)
- Security testing must be structured to be useful
Structured Testing Framework
- Threat modelling
- Scoping
- Test planning
- Test execution
- Reporting
Testing Categories
- Information gathering
- Fuzzing
- Injection
- Confidentiality & integrity
- Logging
- Logic flaws
- Authentication & authorisation
- Availability
Questions?
Teaching a New Dog Old Tricks: Web Services
Colin Wong [colin.wong@sift.com.au]
Daniel Grzelak [daniel.grzelak@sift.com.au]
RUXCON '06