Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Download as PPT, PDF•5 likes•4,602 views
The document provides a comprehensive overview of web services security, detailing various vulnerabilities such as spoofing, SQL injection, and denial of service, along with countermeasures to mitigate these risks. It emphasizes the importance of secure configurations, data validation, and proper session management as essential defense strategies. Additionally, it discusses the roles of SSL and WS-Security in protecting web services, and dispels common misconceptions about their security capabilities.
![XPATH Injection
Similar to SQL injection attack
Information stored and retrieved from XML document instead
of relational database
//users/user[LoginID/text()='' or 1=1 and password/text()='' or 1=1]
14 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured](https://image.slidesharecdn.com/praetorianwebservicespresentation-110117095336-phpapp01/85/Web-Services-Presentation-Introduction-Vulnerabilities-Countermeasures-14-320.jpg)
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
- 1. Web Services Security Nathan Sportsman Founder and Chief Executive Officer 1 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 2. Agenda Web Service Introduction Web Service Vulnerabilities Web Service Countermeasures 2 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 3. Introduction 3 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 4. How Did We Get Here? SOAP / XML HTML HTML SOAP / XML 1st Generation 2nd Generation 3rd Generation Static HTML Web Applications Web Services 4 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 5. Web Services Are “…a software system designed to support interoperable machine-to-machine interaction over a network.”, W3C Capable of connecting to external computing resources – Supply chain infrastructure – Outsourced computing infrastructure 5 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 6. Web Services Primer Service Broker Built on existing and emerging standards – HTTP, XML, SOAP, UDDI, WSDL, WS-*… UDDI Capabilities – Loosely coupled – Language neutral WSDL WSDL – Platform and transport independent – Interoperability SOAP Client Service Provider 6 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 7. Web Service Interoperability Example Embedded device Financial Transaction Gateway Billing Services C++ on Linux/ARM C on AIX/PowerPC Java on NT/X86 Web Service Web Service Web Service 7 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 8. Web Service Vulnerabilities 8 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 9. Attack Taxonomies Spoofing Tampering Repudiation Information Disclosure Denial of Service Escalation of Privileges 9 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 10. Web Services Vulnerabilities Existing and emerging vulnerabilities apply – Brute Force – Information Disclosure – SQL Injection – LDAP Injection – Session Hijacking – Denial of Service (DoS) – Buffer Overflows – Cross Site Scripting – XML Injection – XPATH Injection – WSDL Manipulation – DOS (Intensive XML load) – … 10 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 11. SQL Injection Possible when user input provided through web service used in queries to backend database <?xml version=“1.0” encoding=“utf-8” standalone=“no” ?> <SOAP-ENV:Envelope xmlns:SOAPSDK1=“http://www.w3.org/2001/XMLSchema”xmlns:SOAP SDK2=“http://www.w3.org/2001/XMLSchema-instance” xmlns:SOAPSDK3=“http://schemas.xmlsoap.org/soap/encoding/” xmlns:SOAP-ENV=http://schemas.xmlsoap.org/soap/envelope/> <SOAP-ENV:Body> <SOAPSDK4:MethodName xmlns:SOAPSDK4=“http://urltoapp/…”> <SOAPSDK4:username>administrator</SOAPSDK4:username> <SOAPSDK4:password>’ OR ‘1’=‘1</SOAPSDK4:password> </SOAP-ENV:Body> </SOAP-ENV:Envelope> 11 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 12. Buffer Overflow Buffer Overflows – Not as prevalent except on older legacy systems and embedded devices written in unmanaged code – Large string parameters extending beyond allocated memory – No bounds checking <SOAP-ENV:Envelope> <SOAP-ENV:Body> <parameter1> lkasdllkdlfa;jkia;refjeoinveroinanlekrngaerinrlgerinreglnag linealinrglanirnaocnilrncoraeincelrgfnerginegnoeingerongoer ingeg… </SOAP-ENV:Body> </SOAP-ENV:Envelope> 12 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 13. XML Injection External input is not validated and passed in XML stream parsed by second-tier software Alters XML structure by injecting malicious data John Smith escalates privileges by changing his User ID from 100 to 0 <MyRec> <UserId>100</UserId> <Username>jsmith</Username><Uid>0</Uid><Username>jsmith</Username> </MyRec> 13 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 14. XPATH Injection Similar to SQL injection attack Information stored and retrieved from XML document instead of relational database //users/user[LoginID/text()='' or 1=1 and password/text()='' or 1=1] 14 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 15. Denial of Service XML parsing can be expensive • Extremely large / complex XML documents • Deeply nested tags • These can create extremely large memory footprints or utilize many CPU cycles … <SOAP-ENV:Body> <BuildNestedXMLResponse xmlns=http://someap”> <BuildNestedXMLResult> <XML 1> <XML 2> <XML 3> <XML 4/> </XML 3> </XML 2> </XML 1> </BuildNestedXMLResult> </BuildNestedXMLResponse> … 15 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 16. Web Services Countermeasures 16 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 17. Defense Taxonomies Configuration Management Authentication Authorization User & Session Management Data Validation Error & Exception Handling Logging & Auditing Data Protection (Storage & Transit) 17 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 18. Configuration Management Internet facing WSDLs can be found with Google hacking (filetype:wsdl inurl:wsdl) Review WSDLs for dangerous or antiquated functions Ensure hidden, debugging, or any non-production functions are removed before deployment Make sure they are not recreated automatically 18 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 19. Authentication & Authorization Can be accomplished in various ways with various protocols Username/password, Certificates, etc Educate yourself on the characteristics of protocols available before deciding 19 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 20. Session Management Use proven methods to generate session IDs Do not reinvent the wheel and attempt to create your own Utilize transport encryption to prevent eavesdropping / modification of session data Use transport and element encryption to prevent replay / injection attacks 20 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 21. Data Validation Validate and sanitize all input from external sources Sanitize all output of potentially malicious characters in respect to the next tier (i.e. Database, XML stream, LDAP directory, etc.) If possible, consider a default deny policy with a white list of allowed input 21 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 22. Logging & Auditing Consider using an existing logging framework Centralize location of log files Ensure logs provide enough information for non-repudiation of action Do not log password, credit cards or other sensitive information 22 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 23. Error & Exception Handling Test for DoS conditions in QA/QC procedures Define and enforce data file types and sizes Check document complexity before handing to parser – XML “Firewall”, etc. Use strict XML schema verification Create custom error messages with minimal information to be returned by web services 23 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 24. Data Protection (In Storage & Transit) Two mechanisms for encryption, SSL and WS-Security Disadvantages of WS-Security – Harder, more complex to implement (Easier to do wrong) – Larger attack surface (Attacker has a lot more to play with) vs. SSL with client certificates – Only explicitly encrypted / signed data are protected Advantages of WS-Security – WS-Security offers end-to-end Security (Instead of point-to-point) – Transport agnostic – No longer an all or nothing approach – Less over head, especially in stateless web services (debatable) 24 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 25. SSL Well understood and vetted technology Provides the functionality needed for most web service deployments Who is implementing SSL? – ISVs adding web service interface to their product (SSL) – Internet Companies exposing part of their service through web interface for consumption (SSL) – Internally distributed application previously using older technologies for inter-application communication (SSL) * By far majority of engagements, products, and web services we’ve seen implement SSL solution 25 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 26. WS-Security Enhances SOAP – Provides a framework for message integrity and confidentiality – Token type-, Encryption scheme-, and Signature scheme-agnostic Associates security tokens with messages Message integrity provided by XML Digital Signatures in conjunction with security tokens Message confidentiality provided by XML Encryption in conjunction with security tokens Describes mechanism to encode binary security tokens – X.509 certificates, Kerberos, opaque encrypted keys Who is implementing? – B2B application for company to company exchange 26 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 27. How WS-Security fits in the Web Service Stack Management Portals Extended Composition/Orchestration Capabilities Secure Reliable Reliable WS-Security Transactions Messaging Transaction Endpoint identification, Publish/Subscribe XML Schema, WSDL, UDDI, Attachments Foundation Transport XML, SOAP Invocation Description HTTP, HTTPS 27 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 28. Misconceptions Web services do not share some of the same vulnerabilities of web applications WS-Security is all you need to solve security concerns within web services XML firewalls and other technologies will protect against all WS attacks 28 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 29. Integrate Secure Development Lifecycle Security Requirements – Set requirements to meet security objectives Threat Modeling – Identify issues at the time of design – Assist in other phases of the development life cycle Code Review – Identify issues at the time of implementation – Static vs Dynamic Analysis – Manual and Automated Tools Penetration Testing – Blackbox vs White vs Grey Box Testing – Manual and Automated Tools 29 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
- 30. Web Services Security Nathan Sportsman Founder and Chief Executive Officer 30 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Editor's Notes
- #3: Threat Modeling © 2009 Praetorian. All rights reserved. According to BSIMM all 9 organizations surveyed include security activities in the design phase; however, these are companies such as Microsoft, Google, Adobe, etc where a real and concerted efforts is being made in the way of software security. Most of the focus by organizations, vendors, and service providers is on backend security controls in the development and testing phases such as code reviews (static analysis) or application penetration tests (dynamic analysis). Odd considering the cost benefit analysis graph presented earlier
- #5: Web Service Security © 2009 Praetorian. All rights reserved. The first generation of Web applications was largely about delivering non-interactive content, i.e. publishing non-interactive HTML pages. For example, many applications simply operated in client/server mode and rendered HTML pages to send across the internet to browsers. The second generation of Web applications was about creating applications usable over the Web. E-commerce is an example; you can go to http://www.barnesandnoble.com/ select books, order them and pay for them. This second generation also includes a more scalable back-end (e.g. WinDNA architecture) and a richer UI (e.g. DHTML and ActiveX). However, useful though they may be, the second generation largely resulted in application islands on the Web. Yes, there are hyperlinks between sites, but for the most part, the actual applications at different sites do not interact. The third generation of Web application is using Web protocols and XML throughout to allow better integration between services on the Web. Protocols such as XML and SOAP allow you to create Web Services, enabling people and companies to easily create integrated appliabout cations.
- #6: Web Service Security © 2009 Praetorian. All rights reserved. SOAP = simple object access protocol UDDI = Universal Description, Discovery and Integration -- a directory of webservices WSDL – web services description language – how to use the web service when communicating via SOAP
- #7: Web Service Security © 2009 Praetorian. All rights reserved. SOAP = simple object access protocol UDDI = Universal Description, Discovery and Integration -- a directory of webservices WSDL – web services description language – how to use the web service when communicating via SOAP
- #8: Web Service Security © 2009 Praetorian. All rights reserved. The idea here is that the server on the bottom is using web services to communicate with disparate systems using a common language
- #12: Here the parameters in the SOAP envelope have been injected with SQL to bypass authentication by always returning true (I.e SELECT * from UserTable where username= ‘administrator’ and password=‘’ OR ‘1’=‘1’;
- #18: Error & Exception Handling Logging & Auditing
- #26: Web Service Security © 2009 Praetorian. All rights reserved. WS Security enhances SOAP by providing these mechanisms and more, we ’ll look at each mechanism in the following slides
- #27: Web Service Security © 2009 Praetorian. All rights reserved. WS Security enhances SOAP by providing these mechanisms and more, we ’ll look at each mechanism in the following slides
- #28: Web Service Security © 2009 Praetorian. All rights reserved. A high level overview of WS-Security. The important point here is that it sits on top of the standard web services architecture to provide security, reliability and transactions