Media:Attacking_Web_Services - owasp

clappingknave, Software & software engineering

14 Dec 2013 (3 years and 5 months ago)

61 views

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org


Attacking Web Services

Jason Alexander
Jason.alexander@owasp.org

17.03.2010

What are Web Services?

- No single definition
- SOA, SOAP, REST, XML, WSDL, UDDI
- “A web service is a software component developed to support interoperability over a network using an interface described in WSDL. Other systems communicate with the web service using SOAP messages that are typically transported using the HTTP protocol with XML messaging.”

What are Web Services..cont

- For our purposes, web services are communication protocols that:
  - Use XML as the base meta language
  - Provide computer to computer communication
  - Use standard protocols, often in line with W3C, OASIS and WS-I
  - Are designed to be platform and transport independent

What are Web Services..cont

- Why are they popular?
  - Quote: “Let's expose our mainframe APIs through SOAP and use plentiful Java developers on Win/Lin instead of rare CICS developers on expensive mainframes to extend system functionality”
- With an argument like that, what PHB could say no?

What are Web Services..cont

- Usually deployed over port 80/443
- Web Services: we poke holes in your firewall so you don't have to
- OR: FBP - Firewall Bypass Protocol

Threats

- All the “usual suspects”
  - Injection attacks
  - Scripting attacks
  - Broken authentication
  - Security misconfiguration
- OWASP Top 10 anyone? And more...

Attacking Web Services

- Follows the basic concept of web application attacks
  - Discovery
  - Enumeration & information gathering
  - Identifying attack vectors
  - Exploitation
- Whitebox assessment
  - Code analysis

Discovery

- Find web service entry points
  - These are in the WSDL
- How to find the WSDL?
  - UDDI: Universal Description, Discovery and Integration
  - UBR: Universal Business Registry
- Google is your friend!
  - inurl:wsdl site:example.com

Discovery..cont

[Two screenshot slides; images not included in this export]

Discovery..cont

- Google sample: inurl:wsdl site:nhs.uk
  - www.show.scot.nhs.uk/FindNearest/findnearest.asmx?WSDL
  - www.nhshighland.scot.nhs.uk/Search/_vti.../search.asmx?WSDL
  - www.uhsm.nhs.uk/_vti_bin/sites.asmx?wsdl
- Crawling technique:

    wget -l 50 -r http://192.168.1.10
    find . -name "*wsdl*"

Enumeration & information Gathering

- Standard web application enumeration:

    telnet 192.168.1.10 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    X-Powered-By: ASP.net

Enumeration & information Gathering..cont

- WSDL
  - All an attacker needs to know to interface with the service
  - Auto-generated by the WS framework
  - Generally not created or consumed by humans
  - No access controls generally enforced on WSDLs
  - Do you really need to provide a WSDL?

Enumeration & information Gathering..cont

WSDL Example: Ebay Price Watching

    <?xml version="1.0"?>
    <definitions name="eBayWatcherService"
        targetNamespace="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
        xmlns:tns="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns="http://schemas.xmlsoap.org/wsdl/">

      <message name="getCurrentPriceRequest">
        <part name="auction_id" type="xsd:string"/>
      </message>

      <message name="getCurrentPriceResponse">
        <part name="return" type="xsd:float"/>
      </message>

      <portType name="eBayWatcherPortType">
        <operation name="getCurrentPrice">
          <input message="tns:getCurrentPriceRequest" name="getCurrentPrice"/>
          <output message="tns:getCurrentPriceResponse" name="getCurrentPriceResponse"/>
        </operation>
      </portType>

      <binding name="eBayWatcherBinding" type="tns:eBayWatcherPortType">
        <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
        <operation name="getCurrentPrice">
          <soap:operation soapAction=""/>
          <input name="getCurrentPrice">
            <soap:body use="encoded" namespace="urn:xmethods-EbayWatcher"
                encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
          </input>
          <output name="getCurrentPriceResponse">
            <soap:body use="encoded" namespace="urn:xmethods-EbayWatcher"
                encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
          </output>
        </operation>
      </binding>
    </definitions>

Enumeration & information Gathering..cont

- Using tools to profile web services
  - wsKnight
  - WSDigger
  - SoapUI etc.
- DEMO
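The profiling tools listed above all start from the same place: the WSDL tells anyone who can fetch it which operations exist, what each one accepts and how it is bound. The script below is an added example (not code from the slides or from OWASP) that does the same inventory with the Python standard library over the eBayWatcherService WSDL from the previous slide, embedded inline so it runs offline. The function names (`profile_wsdl`, `string_parameters`) are this example's own. Read it from the defender's side: the output is the list of entry points you are publishing, and the string-typed inputs are the fields that need server-side validation.

```python
"""Inventory what a WSDL reveals: operations, message parts and SOAP binding details."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# The eBayWatcherService WSDL shown on the slide, embedded so the example runs offline.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="eBayWatcherService"
    targetNamespace="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
    xmlns:tns="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/">
  <message name="getCurrentPriceRequest">
    <part name="auction_id" type="xsd:string"/>
  </message>
  <message name="getCurrentPriceResponse">
    <part name="return" type="xsd:float"/>
  </message>
  <portType name="eBayWatcherPortType">
    <operation name="getCurrentPrice">
      <input message="tns:getCurrentPriceRequest" name="getCurrentPrice"/>
      <output message="tns:getCurrentPriceResponse" name="getCurrentPriceResponse"/>
    </operation>
  </portType>
  <binding name="eBayWatcherBinding" type="tns:eBayWatcherPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getCurrentPrice">
      <soap:operation soapAction=""/>
      <input name="getCurrentPrice">
        <soap:body use="encoded" namespace="urn:xmethods-EbayWatcher"
            encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </input>
      <output name="getCurrentPriceResponse">
        <soap:body use="encoded" namespace="urn:xmethods-EbayWatcher"
            encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </output>
    </operation>
  </binding>
</definitions>
"""


def _local(qname):
    """Strip a 'prefix:' from a QName such as 'tns:getCurrentPriceRequest'."""
    return qname.split(":", 1)[-1]


def profile_wsdl(wsdl_text):
    """Map each portType operation to its input/output parts and SOAP binding details.

    Returns {operation: {"inputs": [(part, type)], "outputs": [(part, type)],
                         "style": "rpc"|"document"|None, "soapAction": str|None}}.
    """
    root = ET.fromstring(wsdl_text)

    # message name -> [(part name, declared type or element)]
    messages = {}
    for msg in root.findall(f"{{{WSDL_NS}}}message"):
        messages[msg.get("name")] = [
            (p.get("name"), p.get("type") or p.get("element"))
            for p in msg.findall(f"{{{WSDL_NS}}}part")
        ]

    # binding-level facts keyed by operation name (style, SOAPAction header value)
    styles, actions = {}, {}
    for binding in root.findall(f"{{{WSDL_NS}}}binding"):
        sb = binding.find(f"{{{SOAP_NS}}}binding")
        style = sb.get("style") if sb is not None else None
        for op in binding.findall(f"{{{WSDL_NS}}}operation"):
            so = op.find(f"{{{SOAP_NS}}}operation")
            styles[op.get("name")] = style
            actions[op.get("name")] = so.get("soapAction") if so is not None else None

    ops = {}
    for port_type in root.findall(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            name = op.get("name")
            inp = op.find(f"{{{WSDL_NS}}}input")
            out = op.find(f"{{{WSDL_NS}}}output")
            ops[name] = {
                "inputs": messages.get(_local(inp.get("message")), []) if inp is not None else [],
                "outputs": messages.get(_local(out.get("message")), []) if out is not None else [],
                "style": styles.get(name),
                "soapAction": actions.get(name),
            }
    return ops


def string_parameters(ops):
    """Inputs declared as xsd:string: free-form fields that need server-side validation."""
    return [(op, part) for op, info in ops.items()
            for part, typ in info["inputs"] if typ == "xsd:string"]


if __name__ == "__main__":
    profile = profile_wsdl(SAMPLE_WSDL)
    for name, info in profile.items():
        print(f"{name} [{info['style']}] soapAction={info['soapAction']!r}")
        for part, typ in info["inputs"]:
            print(f"  in : {part} : {typ}")
        for part, typ in info["outputs"]:
            print(f"  out: {part} : {typ}")
    print("string inputs to validate:", string_parameters(profile))
```

Run it against your own WSDL instead of the sample and compare the result with what the service is actually meant to expose; every operation in the output is reachable by anyone who can reach the endpoint, whether or not the WSDL itself is published.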

Attack Vectors

- Most of the web application attack vectors can be applied to web services
  - Injection & scripting attacks apply
- Specific SOAP-oriented attacks
  - XML poisoning
  - SOAP message brute forcing
  - SOAP parameter manipulation
  - XML parser attacks
- Could take a whole lot of time to discuss all attacks!

Attack Vectors..cont

Spot the attack!

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://www.w3.org/1999/XMLSchema">
      <SOAP-ENV:Body>
        <ns1:LogOnUser xmlns:ns1="http://www.isecpartners.com/WebServices/TestService/" SOAP-ENC:root="1">
          <userName xsi:type="xsd:string">'</userName>
          <password xsi:type="xsd:string">default</password>
        </ns1:LogOnUser>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
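The single quote in userName is the classic SQL injection probe: if the service glues the parameter into a query, the quote breaks the SQL syntax and the resulting database error often comes straight back in a SOAP Fault. The following is an added example (not code from the slides, from OWASP or from the TestService shown) that feeds the request above into two hypothetical LogOnUser handlers backed by an in-memory SQLite table with one constructed user: `logon_vulnerable` builds the query by string concatenation, `logon_hardened` validates the username against an allow-list pattern and binds the parameters. The handler and helper names and the users table are this example's own.

```python
"""The LogOnUser probe from the slide, run against a concatenated query and a parameterised one."""
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://www.isecpartners.com/WebServices/TestService/"

# Constructed copy of the request on the slide: a lone single quote in userName.
PROBE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema">
  <SOAP-ENV:Body>
    <ns1:LogOnUser xmlns:ns1="http://www.isecpartners.com/WebServices/TestService/" SOAP-ENC:root="1">
      <userName xsi:type="xsd:string">'</userName>
      <password xsi:type="xsd:string">default</password>
    </ns1:LogOnUser>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# Hypothetical allow-list for usernames: letters, digits, dot, underscore, dash; 1-64 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_logon(envelope_bytes):
    """Pull userName and password out of a LogOnUser request body."""
    root = ET.fromstring(envelope_bytes)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    op = body.find(f"{{{SVC_NS}}}LogOnUser")
    # The parameter elements carry no namespace in this rpc/encoded message.
    return op.findtext("userName"), op.findtext("password")


def make_db():
    """Constructed in-memory users table with a single account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'secret1')")
    return db


def logon_vulnerable(db, user, pw):
    """Query built by string concatenation: the quote becomes part of the SQL."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{user}' AND password = '{pw}'"
    return db.execute(sql).fetchone()[0] == 1


def logon_hardened(db, user, pw):
    """Allow-list validation first, then bound parameters: the quote stays data."""
    if not USERNAME_RE.match(user):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchone()[0] == 1


def probe_result(handler):
    """Run the slide's request through a handler and report the observable outcome."""
    user, pw = parse_logon(PROBE_REQUEST.encode("utf-8"))
    db = make_db()
    try:
        return "logged-in" if handler(db, user, pw) else "denied"
    except sqlite3.OperationalError as exc:
        # A SOAP Fault carrying this text is exactly what the probe is fishing for.
        return f"fault: {exc}"


if __name__ == "__main__":
    print("vulnerable handler:", probe_result(logon_vulnerable))
    print("hardened handler:  ", probe_result(logon_hardened))
```

The vulnerable handler answers the probe with a database syntax error, which tells the sender the parameter reaches SQL unescaped; the hardened one answers with a plain denial, indistinguishable from a wrong password. Returning generic faults to the client and logging the detail server-side closes the information leak even where the query is already parameterised.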

Attack Vectors..cont

- DEMO

Counter Measures

- Do you need a WSDL?
  - Has it been sanitised?
- Secure coding: utilise OWASP resources
  - OWASP Coding Guide
  - Input validation
  - OWASP Top 10
  - OWASP Testing Guide
- OWASP WS project (needs volunteers)
  - http://www.owasp.org/index.php/Category:OWASP_Web_Services_Security_Project

Counter Measures..cont

- Protect messages in transit
  - TLS is the BEST option and fits most models
  - XML signing and encryption have their uses but are difficult to implement
  - WS-Security
- Web Application Firewalls (WAF)
  - Do they work in a SOAP/XML environment?
- New breed of technology
  - XML gateways!
- Regular firewalls do not work!

Resources

- DISCO: http://msdn.microsoft.com/en-us/magazine/cc302073.aspx
- UDDI OASIS Standard: http://www.oasis-open.org/specs/index.php#uddiv3.0.2
- Understanding UDDI: http://www-128.ibm.com/developerworks/webservices/library/ws-featuddi/index.html
- Web Services Testing: http://www.aboutsecurity.net
- Tools
  - Net Square wsPawn
  - OWASP WebScarab: Web Services plugin
  - Mac OSX SOAP Client: http://www.ditchnet.org/soapclient
  - Foundstone WSDigger: http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
  - SoapBox: http://www.vordel.com/products/soapbox/
  - SoapUI: http://www.soapui.org/
  - SOAPClient4XG: http://www-128.ibm.com/developerworks/xml/library/x-soapcl/
  - cURL: http://curl.haxx.se
- On-line tools
  - Web Services Directory: http://www.wsindex.org
  - Seekda: http://seekda.com/
  - UDDI Browser: http://www.soapclient.com/
  - Xmethods: http://www.xmethods.net
  - WSIndex: http://www.wsindex.org

References

- www.owasp.org
- Hacking Web Services by Shreeraj Shah
- How to Break Web Software by Mike Andrews and James Whittaker
- Attacking Web Services by Alex Stamos