Teaching a New Dog Old Tricks: Web Services
Daniel Grzelak / Colin Wong
RUXCON '06

About Us
- SIFT: independent information security services, http://ww.sift.com.au/
- Daniel Grzelak: technical analyst, [email_address]
- Colin Wong: found him outside, [email_address]
Outline
- Web services basics
- The past, the present, the future
- Client testing
- Web method enumeration
- XML port scanning
- Structured testing framework

Web Services Essentials
- XML-based remote procedure call
  - Simple Object Access Protocol (SOAP)
  - Web Services Description Language (WSDL)
- Multiple transport bindings: HTTP, SMTP, FTP etc.
- Interoperable, heterogeneous, magical!
  "Oh yeah, aight. Aight, I put on my robe and wizard hat."

Why Test Web Services?
- High enterprise take-up in high-value projects
  - Authentication services
  - Supply chain integration (B2B)
  - Exposing legacy systems
  - External APIs
  - Transactions and critical business functions
- Web services will become increasingly widespread

New Dog, Old Tricks
- Web services share vulnerabilities with traditional distributed technologies
- Lots of the same attacks apply, but with better structure (XML)
- Web services platforms make it "too easy"
  - Code the web service as a traditional object
  - The platform automagically turns it into a service
  - Minimal (if any) security

Client Testing
- Web services security testing tends to focus on the web service itself
- Clients are most often custom made
  - These can also be vulnerable
- Clients are where the users are at
  - Users are the weakest link
  - Own the client and you can attack the users

Old Client Tricks
- Similar to JavaScript attacks in web apps: target the browser, not the server
- Large client/server software houses have learnt to look at the client
  - Internet Explorer
  - Real Player
- Web services clients get overlooked

Client Attacks
- Evil twin
  - DNS hacking
  - ARP poisoning
- Hard to execute blind; possession of the client helps
- Testing
  - Consume the WSDL and become the web service
  - Once the client talks to the cloned web service, fuzz outputs and analyse the client app's response
  - Thorough logging must exist
Web Method Enumeration
- WSDL may not describe all allowed operations
  - Can be manually modified
  - Programmers love hidden backdoors
- We would like to be able to find the secrets
  - Hidden administration interfaces or functions
  - Test or debug functions
  - Anything else we're not supposed to get to

Web Method Search
- Perform a dictionary attack on web method names in a web service
- Typically in the form <verb><noun>
  - GetToken
  - AuthenticateUser
  - SetPassword
  - CreateAccount
- Create or use ready-made verb and noun lists

Calling Web Methods

    POST http://target.com/ HTTP/1.1
    SOAPAction: http://target.com/webMethodName
    Content-Type: text/xml

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <webMethodName xmlns="tns">a</webMethodName>
      </soap:Body>
    </soap:Envelope>

Analyse Responses
- Test with each verb/noun combination
- Analyse the response of the web service; it tells you whether the tested method exists
- Combination exists
  - Successful call
  - Missing or incorrect parameter errors
  - Illegal argument or null reference errors
- Combination does not exist
  - Operation not defined errors
  - No such operation or method
  - Bad SOAP action

Web Method Searching (For Bugs?)

    No such operation 'get'
        at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
        at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
        at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
        ...
        at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
        at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
        at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
        at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
        at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
        at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
        at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
        at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
        at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
        at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Web Method Searching (For Bugs?)

    DirectoryException: cannot automatically create subdirectory http: at

    <result xsi:type="xsd:string">null not in database (yet)</result>

    <b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br />
    <br />
    <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)

    <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring

- SQL syntax errors

Web Method Search Tool
- Automated execution of the dictionary attack with supplied wordlists
- Analysis of responses against configurable response elements
  - Results may match multiple response elements
  - Supports multiple weightings

Web Method Search Tool Demonstration
- http://www.sift.com.au/73/0/tools.htm

Workarounds and Mitigating Strategies
- Security through obscurity does not work: do not keep web methods secret, because they will not remain secret
- Input validation
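The response classes on the "Analyse Responses" slide are also what a defender can watch for: a legitimate client repeats the handful of operations the WSDL advertises, while a verb/noun search burns through many distinct SOAPAction values and draws mostly faults. Added example (not the talk's tool): Python detection logic run over constructed SOAP access-log lines; the log format, client addresses and method names are assumptions.

```python
"""Spot a <verb><noun> web-method search in SOAP access logs.

Added example for this page, not the talk's tool. It assumes a constructed
log format (e.g. Apache with %{SOAPAction}i in the LogFormat):
    <client-ip> [<epoch-seconds>] <status> "<SOAPAction header>"
A SOAP 1.1 fault travels as HTTP 500, so a client with many distinct
SOAPAction values and mostly 500s inside a short window is enumerating.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \[(\d+)\] (\d{3}) "([^"]*)"$')

# Constructed sample: 10.0.0.5 is a normal client repeating the operations
# the WSDL advertises; 198.51.100.7 walks a verb/noun list.
SAMPLE_LOG = """\
10.0.0.5 [1000] 200 "http://target.com/GetToken"
10.0.0.5 [1004] 200 "http://target.com/AuthenticateUser"
10.0.0.5 [1009] 200 "http://target.com/GetToken"
198.51.100.7 [1010] 500 "http://target.com/GetAccount"
198.51.100.7 [1010] 500 "http://target.com/SetAccount"
198.51.100.7 [1011] 500 "http://target.com/CreateAccount"
198.51.100.7 [1011] 500 "http://target.com/DeleteAccount"
198.51.100.7 [1012] 500 "http://target.com/GetDebug"
198.51.100.7 [1012] 200 "http://target.com/SetPassword"
198.51.100.7 [1013] 500 "http://target.com/ListUsers"
198.51.100.7 [1013] 500 "http://target.com/GetAdmin"
198.51.100.7 [1014] 500 "http://target.com/EnableDebug"
198.51.100.7 [1014] 500 "http://target.com/RunTest"
10.0.0.5 [1020] 200 "http://target.com/SetPassword"
"""


def parse_log(text):
    """Yield (client, ts, status, action); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, ts, status, action = m.groups()
            yield client, int(ts), int(status), action


def find_enumerators(text, window=60, min_distinct=8, min_fault_ratio=0.5):
    """Return {client: {"distinct": d, "faults": f, "requests": r}} for every
    client that used at least `min_distinct` different SOAPAction values within
    some `window`-second span, with at least `min_fault_ratio` of the requests
    in that span answered by a fault. Figures are for the last span that matched."""
    by_client = defaultdict(list)
    for client, ts, status, action in parse_log(text):
        by_client[client].append((ts, status, action))

    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it covers events[start:end + 1] only.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {action for _, _, action in span}
            faults = sum(1 for _, status, _ in span if status >= 500)
            if len(distinct) >= min_distinct and faults / len(span) >= min_fault_ratio:
                flagged[client] = {"distinct": len(distinct),
                                   "faults": faults, "requests": len(span)}
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {stats['distinct']} distinct methods, "
              f"{stats['faults']}/{stats['requests']} faults")
```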
XML Port Scanning
- Everyone loves XML
  - Has become the standard for information exchange
  - Ubiquitous support by all vendors and platforms
- Firewalls block most traffic at the perimeter
  - Except maybe 80 and 443
- Can we get behind the firewall to scan? Maybe if we ask nicely

Traditional Port Scan

Document Type Definition
- Allows you to define the valid elements of an XML document
- Can dynamically build a DTD using references to external DTD definitions
- Can define external entities that can be used within the XML document

XML Parser Abuse
- Abuse the ability of XML parsers to dereference external sources
- Use DTD elements to get the parser to initiate connections on our behalf
- The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1:

    <!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>
    <scan>&test;</scan>

Analyse Responses
- We can infer the result of the attempted connection from the XML parser response
  - Closed ports result in a connection refused error
  - Open ports that respond to an HTTP request result in other errors, or no error at all
  - Filtered ports, no such target, or open ports that do not respond to an HTTP request result in a timeout
- Can only scan one port per XML document
  - Cycle through all target ports and systems

Applicability
- This attack can be launched against XML endpoints
- Cannot be used directly against SOAP: SOAP explicitly disallows DTDs
- Potential targets
  - AJAX APIs
  - XML document inputs
  - Encoded XML within SOAP parameters

Impacts
- Port scanning of systems in your DMZ
  - Effectively transports the scanning to the parser
  - You can see whatever the XML parser can see
- Firewalls won't help you
  - XML is valid traffic
  - SSL protects the attack traffic

XML Port Scan

XML Port Scanning Demonstration

Workarounds and Mitigating Strategies
- Disable external entity elements, or define the allowed external elements
- Prohibit DTDs
- Exception handling that does not return error messages or details
  - Still allows timeouts to be detected, so some open ports can be detected
  - Closed ports return quickly
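Of the three mitigations, prohibiting DTDs is the one that leaves no timing channel: the request is refused before any entity can be declared, let alone dereferenced. Added example (not the talk's or any vendor's code): a Python DTD gate that rejects the slide's probe document, applied both to a direct XML input and to XML carried as an escaped string inside a SOAP parameter (the "Encoded XML within SOAP parameters" case, which SOAP's own DTD ban does not reach), with one opaque fault for every failure. The SOAP envelope, the urn:example:metasearch namespace and the <payload> parameter are constructed.

```python
"""Refuse DTD-bearing XML before the parser can dial out.

Added example for this page, not the talk's code. The SOAP envelope,
service namespace and <payload> parameter below are constructed.
"""
import html
import xml.etree.ElementTree as ET
from xml.parsers import expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:metasearch"  # constructed service namespace

# The probe from the slide: resolving &test; would open TCP 22 on 192.168.1.1.
PROBE = ('<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>'
         '<scan>&test;</scan>')


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE, internal or external."""


def assert_no_dtd(data: str) -> None:
    """Abort at the DOCTYPE declaration itself, before any entity is declared
    or referenced. Only expat's declaration callback is used; nothing is
    resolved, so there is no connection and no timeout to observe."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: never let the pre-scan follow an external subset either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def safe_parse(data: str) -> ET.Element:
    """Gate first, then parse normally."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def rejected(data: str) -> bool:
    """True if `data` is refused by the DTD gate."""
    try:
        safe_parse(data)
    except UnsafeXML:
        return True
    return False


def soap_envelope(payload_xml: str) -> str:
    """Client side: carry an XML document as an escaped string parameter."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<Search xmlns="{SVC_NS}"><payload>{html.escape(payload_xml)}</payload>'
            '</Search></soap:Body></soap:Envelope>')


def handle_request(envelope: str) -> tuple:
    """Server side: parse the envelope, then the document inside <payload>.
    Both passes go through the gate, and every failure returns the same
    fault body, so the response reveals nothing about what went wrong."""
    try:
        root = safe_parse(envelope)
        node = root.find(f".//{{{SVC_NS}}}payload")
        if node is None or not node.text:
            raise ValueError("missing payload")
        inner = safe_parse(node.text)  # ET has already unescaped the string
        return 200, f"parsed:{inner.tag}"
    except (ValueError, ET.ParseError, expat.ExpatError):
        return 400, "invalid request"


if __name__ == "__main__":
    print(handle_request(soap_envelope("<query>ruxcon</query>")))
    print(handle_request(soap_envelope(PROBE)))
```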
Structured Testing
- Web services are popular, and so is testing their security
- However, no structured framework exists, i.e. no OWASP (although some OWASP projects touch on web services)
- Security testing must be structured to be useful

Structured Testing Framework
- Threat modelling
- Scoping
- Test planning
- Test execution
- Reporting

Testing Categories
- Information gathering
- Fuzzing
- Injection
- Confidentiality & integrity
- Logging
- Logic flaws
- Authentication & authorisation
- Availability

Questions?

Teaching a New Dog Old Tricks: Web Services
Colin Wong [colin.wong@sift.com.au]
Daniel Grzelak [daniel.grzelak@sift.com.au]
RUXCON '06

Web Services Security
