SOAP & Session Management - Quantum

hungryhorsecabin - Software & software development

14 Dec 2013 (3 years and 9 months ago)

71 views

SOAP & Session Management
CPSC 328
Spring 2009
Broken Authentication & Session Management

Recap of previously studied vulnerabilities/issues

Session Hijacking

Insecure Communication/Storage

Cookie Poisoning

Injection (XSS, SQL, Command)

Parameter Tampering

Site Traversal/URL Jumping

Hidden Fields

Fake Crypto/Forcing Weak Crypto

Question:

What do we need (minimum) for proper authentication?

Answer:

Secure communication

Secure credential storage
Broken Authentication & Session Management

So, what can we do about it/them?

Use only well-vetted session management software (don't roll your own)

Don't accept session IDs supplied by the client - the server generates and issues them (adopting an unknown, client-chosen ID is what makes session fixation possible)

Reduce or eliminate use of custom cookies for
authentication/session management

Use a single (well-vetted) authentication mechanism (don't roll your own)

Force SSL/TLS (don't allow login to start from http, only https!)

Issue a new session token at login, right after the credential check succeeds!

Issue a new token on privilege escalation or any other authentication change
Broken Authentication & Session Management (continued)


Every page has a logout button

Timeouts for auto-logout!

Password reset/recovery - use only strong authentication - secret answers, etc. (note that answers to personal questions are often guessable or discoverable, so on their own they are weak; treat them as one factor, not the whole reset check)

Don't store session IDs in URLs or logs

Check old password before setting a new one

Don't rely on spoofable credentials (IP, DNS, referrer, etc.)

Don't send secrets to (registered) email accounts (password resets)
SOAP

Simple Object Access Protocol

Now just "SOAP" - the acronym was dropped as of v1.2
2003 - W3C Recommendation
2007 - Second Edition

Exchange structured information

Used heavily in Web Services

Uses XML to format content

Uses application protocols for transport

HTTP

SMTP

In a nutshell, SOAP is a communications protocol
SOAP

Enables application-to-application communication

Previously done via RPC/CORBA

Security issues with RPC

Better to use HTTP - web-centric (note the flip side: calls tunnelled over ports 80/443 are no longer filtered as RPC by the firewall, so the service itself has to authenticate and authorize every request)

SOAP is machine/language independent
SOAP Example

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
      <n:priority>1</n:priority>
      <n:expires>2001-06-22T14:00:00-05:00</n:expires>
    </n:alertcontrol>
  </env:Header>
  <env:Body>
    <m:alert xmlns:m="http://example.org/alert">
      <m:msg>Pick up Mary at school at 2pm</m:msg>
    </m:alert>
  </env:Body>
</env:Envelope>
Another Example (Request)

POST /InStock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 320

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
  soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <soap:Body xmlns:m="http://www.example.org/stock">
    <m:GetStockPrice>
      <m:StockName>IBM</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>
Another Example (Response)

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 330

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
  soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <soap:Body xmlns:m="http://www.example.org/stock">
    <m:GetStockPriceResponse>
      <m:Price>34.5</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>
SOAP & WS-Security

WS-Security defines how security tokens & claims are used in SOAP messages

Claim - a statement about an actor or a property (think SAML assertions)

Token - XML representation of security information

The WS-* security stack, top to bottom (WS-Security sits directly on SOAP; the other specifications build on WS-Security):

WS-SecureConversation | WS-Federation | WS-Authorization
WS-Policy | WS-Trust | WS-Privacy
WS-Security
SOAP
WS-Security

WS-Policy

Think WSDL, but for security: it states which tokens, signatures and encryption a service requires or supports, so a client knows what security tokens to send and how to understand them

WS-Trust

Defines trust relationships (how security tokens are requested, issued and validated)

Delegates & proxies possible

WS-Privacy

Guidance (policy) for privacy rules

WS-Security (continued)

WS-SecureConversation

Creates a security context (session) so that every message need not re-authenticate from scratch

Key exchange

XML-Encryption

XML-Signature

WS-Federation

Defines/brokers trust between groups (security domains)

WS-Authorization

Think XACML

Access list or role-based
Elements & Tokens

<S11:Envelope xmlns:S11="..." xmlns:wsse="...">
  <S11:Header>
    ...
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>Zoe</wsse:Username>
        <wsse:Password>IloveDogs</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    ...
  </S11:Header>
  ...
</S11:Envelope>

(The password travels in the clear here, so this token is only as safe as the transport: TLS is mandatory.)
Elements & Tokens

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...">
  <S11:Header>
    ...
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>NNK</wsse:Username>
        <wsse:Password Type="...#PasswordDigest">weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
        <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
        <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
    ...
  </S11:Header>
  ...
</S11:Envelope>

Here PasswordDigest = Base64(SHA-1(nonce + created + password)), with the nonce taken as its raw (decoded) bytes. The nonce and Created timestamp let the server reject replays, but only if it remembers the nonces it has seen and bounds how old a Created value may be.
Elements & Tokens

Can also include binary security data (the wsse:BinarySecurityToken element)

Certificates

Signatures
SOAP Faults

Errors in processing the security header can trigger the following faults:

wsse:InvalidSecurity

wsse:InvalidSecurityToken

wsse:FailedAuthentication

wsse:SecurityTokenUnavailable
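The PasswordDigest UsernameToken and the wsse fault list above, as one added worked example that is not part of the original slides: Python code that builds a digest token on the client side and verifies it on the server side, with a nonce cache and a Created freshness window for replay protection, reporting each failure with the wsse fault name that applies. The namespace URIs are the real WSS 1.0 ones (the slides elide them as "..."); the password, the user names and the make_token/UsernameTokenVerifier names are hypothetical. The digest from the slide cannot be checked because its password is not given, so the test uses a constructed one.

```python
# Added example (not from the slides): compute a WS-Security UsernameToken
# PasswordDigest and verify one server-side, with nonce/Created replay checks,
# reporting failures with the wsse fault names from the slides. Namespace URIs
# are the WSS 1.0 ones; passwords, user names and function names are hypothetical.
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST = PROFILE + "#PasswordDigest"
TEXT = PROFILE + "#PasswordText"
TS = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username, password, now):
    """Client side: a wsse:Security header carrying a digest UsernameToken."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()   # fresh per message
    created = now.strftime(TS)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:UsernameToken>"
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{nonce}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security>"
    )


class UsernameTokenVerifier:
    def __init__(self, passwords, window=timedelta(minutes=5)):
        # To recompute the digest the server must hold the password itself;
        # this profile does not allow verifying against a salted hash.
        self.passwords = passwords
        self.window = window
        self.seen = {}   # nonce -> Created time, for replay detection

    def verify(self, header_xml, now):
        """Returns "ok" or the wsse fault name that applies."""
        try:
            root = ET.fromstring(header_xml)
        except ET.ParseError:
            return "wsse:InvalidSecurity"
        tok = root.find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return "wsse:SecurityTokenUnavailable"
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        # Only the digest form is accepted; a PasswordText token (the Zoe example)
        # would put the password on the wire and is refused outright.
        if not user or pw is None or pw.get("Type") != DIGEST or not nonce or not created:
            return "wsse:InvalidSecurityToken"
        try:
            created_dt = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
            base64.b64decode(nonce, validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            return "wsse:InvalidSecurityToken"
        # The freshness window bounds how long the nonce cache must remember.
        if abs(now - created_dt) > self.window:
            return "wsse:FailedAuthentication"
        if nonce in self.seen:
            return "wsse:FailedAuthentication"   # replayed token
        # Unknown users get the same answer as wrong passwords (no enumeration).
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        presented = (pw.text or "").strip()
        if user not in self.passwords or not hmac.compare_digest(expected.encode(), presented.encode()):
            return "wsse:FailedAuthentication"
        self.seen[nonce] = created_dt
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.window}   # prune
        return "ok"
```

The digest hides the password from a passive observer, but SHA-1 over nonce, timestamp and password is cheap to brute-force offline from one captured token, and the server still has to keep passwords in a recoverable form, so this token is a supplement to TLS and proper credential storage, not a replacement for either.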