.NET Web Services Hacking – Scan, Attacks and Defense
OWASP & WASC AppSec 2007 Conference, San Jose – Nov 2007
http://www.webappsec.org/
Shreeraj Shah, Founder & Director, Blueinfy
[email protected]
91+987-902-7018
Copyright © 2007
Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation http://www.owasp.org/

Who am I?
- Founder & Director, Blueinfy Solutions Pvt. Ltd. (Brief) http://shreeraj.blogspot.com [email protected]
- Past experience: Net Square, Chase, IBM & Foundstone
- Interest: Web security research
- Published research:
  - Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT, etc.
  - Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, wsChess, etc.
  - Advisories – .Net, Java servers, etc.
- Books (Author):
  - Hacking Web Services (Thomson 2006)
  - Web Hacking (AWL 2003)
  - Web 2.0 Security (work in progress)
- Tools – http://www.blueinfy.com/tools.html

Agenda
- Web Services in an era of Web 2.0
- .NET Web Services Assessment Methodology
  - Footprinting and Discovery
  - Enumeration, Profiling and Fingerprinting
  - Attack Vectors
  - Scanning and Fuzzing
- .NET Web Services Defense Methodology
  - Code Scanning & Secure Coding
  - Web Services Firewall (Content Filtering)
- Conclusion

Web Services on the rise with Web 2.0
- 80% of companies are investing in Web Services as part of their Web 2.0 initiative. (McKinsey 2007 Global Survey)
- By the end of 2007, 30 percent of large companies will have some kind of Web 2.0-based business initiative up and running. (Gartner)
- 2008: Web Services or Service-Oriented Architecture (SOA) will surge ahead.
(Gartner)

Web Services and Web 2.0
[Architecture diagram: a browser (HTML / JS / DOM, Ajax, RIA (Flash)) consuming documents, news, weather, emails, bank/trade and RSS feeds over the Internet; Web Services, blog, local application, database and authentication on the server side.]

Consuming Web Services
- Browser: Ajax, Flash / RIA, HTML/CSS, JavaScript, Widget, DOM structures
- Protocols: JSON-RPC, XML, REST, JSON, XML-RPC, SOAP, all over HTTP(S)
- Server-side: Services, SaaS, Open APIs

Methodology
[Flow diagram: Insecure Web Services → Blackbox (Footprinting & Discovery → Enumeration & Profiling → Vulnerability Detection) and Whitebox (Code / Config Scanning) → Defense & Countermeasure (Secure Coding, Web Services Firewall) → Secure Web Services]

Footprinting and Discovery
- Objective: discovering the Web Services running on the application domain.
- Methods:
  - Primary discovery: crawling and spidering; script analysis and page scrubbing; traffic analysis
  - Secondary discovery: search engine queries; UDDI scanning

Primary Discovery
- Crawling the application and mapping file extensions and directory structures, like ".asmx".
- Page scrubbing – scanning for paths and resources in the pages, like Atlas back-end calls to Web Services.
- Recording traffic while browsing and spidering; look for XML-based traffic, which leads to XML-RPC, REST, SOAP and JSON calls.

Primary Discovery - Demos
- Page scanning with grep – look in JavaScripts for URLs, paths etc.
- Crawling – simple!
- Scanning for Atlas references – the framework creates stubs and proxies – scanweb2.0/scanatlas. Urlgrep can be used as well.
- Demo

Secondary Discovery
- Searching a UDDI server for Web Services running on a particular domain. Three tactics for it – business, services or tModel.
- Running queries against search engines like Google or MSN with extra directives like "inurl" or "filetype"; look for "asmx".
- wsScanner – Discovery!
- Demo

Enumerating and Profiling
- Fingerprinting the .Net framework and client-side technologies – Dojo or Atlas ...
- Scanning WSDL: looking for methods; collecting in/out parameters; security implementations; binding points; method signature mapping
- Demo

Risk - In transit
- Sniffing or spoofing
- WS-Routing security concern
- Replay attacks

Risk - Web services engine
- Buffer overflow
- XML parsing attacks: spoiling the schema; complex or recursive structure as payload
- Denial of service: large payload

Web services deployment - Risk
- Fault code leaks
- Permissions & access issues
- Poor policies
- Customized error leakage
- Authentication and certification

Web services user code - Risk
- Parameter tampering
- WSDL probing
- SQL/LDAP/XPATH/OS command injection
- Virus/Spyware/Malware injection
- Bruteforce
- Data type mismatch
- Content spoofing
- Session tampering
- Format string
- Information leakage
- Authorization

Scanning strategies
- Manual invocation and response analysis.
- Dynamic proxy creation and scanning.
- Auto auditing for various vectors.
- Fuzzing Web Services streams – XML or JSON.
- Response analysis is the key: look for fault code nodes; enumerate fault strings; dissect the XML message and find the interesting bits; look for hidden error messages in JSON.
- Demo

A1 - Cross Site Scripting (XSS)
- XSS is possible through Web Services. It would be DOM-based XSS via eval().
- A JSON-RPC based stream comes into the browser and gets injected into the DOM. The source of the stream can be a third party and untrusted.
- XML streams coming into the browser can cause XSS via a document.write call.
- Demo

A2 - Injection Flaws
- Web Services methods consume parameters coming from end users.
- It is possible to inject malicious characters into the stream. It can break the Web Services code and send a faultstring back to the attacker.
- Various injections are possible – SQL and XPATH.
- Demo

A3 - Malicious File Execution
- Malicious commands can be injected through a parameter.
- WS supports attachments as well, and that can lead to uploading a file.
- This can give remote command execution capability to the attacker.
- Demo

A4 - Insecure Direct Object Reference
- Injecting characters to break file system sequences.
- The faultcode spits out internal information if not protected.
- Customized errors show the file references.
- Access to internal files and full traversal of directories.
- Inspecting methods and parameters in the profiling stage can help.
- Demo

A5 - Cross Site Request Forgery (CSRF)
- CSRF with XML streams.
- XML-RPC or SOAP based requests can be generated from browsers.
- Splitting a form and XML injection is possible – interesting trick.
- If Content-Type is not validated on the server, then it can cause a potential CSRF.
- XForms usage in the browser can produce XML requests for a CSRF attack.
- Demo

A6 - Information Leakage and Improper Error Handling
- SOAP based Web Services throw faultcode and faultstrings back to the client. Information can be embedded in them.
- If try/catch is not well implemented, then the default error from the .NET framework goes out.
- Published vulnerabilities with information leakage providing references to files, LDAP, etc.
- Demo
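As an added example (not code from the talk or from wsScanner), the response analysis described under "Scanning strategies" and in A6 above, written in C#: parse a SOAP 1.1 response, pull out the soap:Fault, and flag the kinds of internal detail a default .NET fault carries when try/catch is missing. The indicator patterns and the constructed sample fault are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;

// Extracts the soap:Fault of a SOAP 1.1 response and flags leaked internal detail.
public static class FaultAnalyzer
{
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";
    // Leakage indicators (assumed patterns; extend for the environment under review).
    static readonly Dictionary<string, Regex> Indicators = new Dictionary<string, Regex> {
        { "exception type", new Regex(@"\bSystem\.[\w.]*Exception\b") },
        { "stack frame",    new Regex(@"\bat [\w.`]+\(") },
        { "file path",      new Regex(@"[A-Za-z]:\\[^\s""<>]+") },
        { "SQL error",      new Regex(@"Incorrect syntax near|Unclosed quotation mark", RegexOptions.IgnoreCase) },
        { "XPath error",    new Regex(@"XPath|needs to be a node-set", RegexOptions.IgnoreCase) },
        { "LDAP error",     new Regex(@"\bLDAP\b|DirectoryServices", RegexOptions.IgnoreCase) },
    };

    // Returns null when there is no soap:Fault, otherwise the indicators found in faultcode/faultstring/detail.
    public static List<string> Analyze(string envelope)
    {
        // DTDs are refused and external entities are never resolved, even for captured responses.
        XmlReaderSettings settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XmlDocument doc = new XmlDocument();
        using (XmlReader reader = XmlReader.Create(new StringReader(envelope), settings)) doc.Load(reader);
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("soap", SoapNs);
        XmlNode fault = doc.SelectSingleNode("/soap:Envelope/soap:Body/soap:Fault", ns);
        if (fault == null) return null;
        List<string> found = new List<string>();
        foreach (KeyValuePair<string, Regex> kv in Indicators)
            if (kv.Value.IsMatch(fault.InnerText)) found.Add(kv.Key);   // InnerText covers all three child nodes
        return found;
    }

    public static void Main()
    {
        // Constructed sample: the shape of an unhandled-exception fault from an .asmx method.
        string sample = @"<soap:Envelope xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""><soap:Body><soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
   at Bank.Service.getInput(String id) in C:\inetpub\wwwroot\bank\service.asmx.cs:line 42</faultstring>
<detail /></soap:Fault></soap:Body></soap:Envelope>";
        List<string> findings = Analyze(sample);
        Console.WriteLine(findings == null ? "no fault" : string.Join(", ", findings.ToArray()));
    }
}
```

Run it over the responses captured while fuzzing; any non-empty result for a given method is a fault that should be caught server-side and replaced with a generic SoapException.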
A7 - Broken Authentication and Session Management
- Web Services have session management bindings. It is possible to have methods supporting sessions in .NET.
- Session identifier disclosure can lead to hijacking of Web Services.
- SOAP messages can be brute-forced as well – poor passwords and multiple trials.
- WS-Security can be used around it.

A8/A9 - Insecure Cryptographic and Communication
- Implementation of WSE security.
- Web Services traffic not going over SSL.
- XML-Security or node encryption – if cracked or decrypted.
- Sessions are established on tokens which go over the wire in clear text.
- Analysis needs to be done in the case of mashups and API calls. Several applications and widgets make backend API calls in clear text (user/pass).

A10 - Failure to Restrict URL Access
- In Web Services it is methods instead of URLs.
- WSDL scanning and disclosures can weaken the Services.
- Some internal methods are out in public. Admin APIs can be accessed.
- These internal methods can be used to attack Web Services.

Code Analysis for Web Services
- Scanning the code base.
- Identifying linkages.
- Method signatures and inputs.
- Looking for various patterns for SQL, LDAP, XPATH, file access etc.
- Checking validation on them.
- Code walking and tracing the base – key.
- Demo

Code filtering with IHTTPModule
- A regular firewall will not work.
- Content filtering on HTTP will not work either, since it is SOAP over HTTP/HTTPS.
- SOAP level filtering and monitoring would require ISAPI level filtering; ISAPI level filtering is essential.
- SOAP content filtering through IHTTPModule.

Code filtering with IHTTPModule
[Diagram: Web Services client → IIS .Net web server (HTTP, Web Services stack) → web2wall applies the rules for SOAP to the SOAP envelope and rejects or forwards the request.]

Code filtering with IHTTPModule
SOAP input envelope (Web Services client → web2wall → IIS web server → .asmx file → DB, id=12123):
    <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <q1:getInput xmlns:q1="http://DefaultNamespace">
        <id xsi:type="xsd:string">12123</id>
      </q1:getInput>
    </soap:Body>
SOAP output envelope (Bal=$2500):
    <ns1:getInputReturn xsi:type="xsd:string">$2500</ns1:getInputReturn>

HTTP Stack for IIS Web Application
Client → Request / Response → IIS → aspnet_isapi.dll → HttpApplication (HttpModule, HttpModule, HttpModule) → HttpHandler → Web & Application Resource

HTTP Stack
HttpRuntime → HttpApplicationFactory → HttpApplication (IHttpModule; HttpContext with HttpRequest / HttpResponse) → HttpHandlerFactory → Handler (IHttpHandler)

HTTP Stack for .Net
HttpRuntime → HttpApplicationFactory → HttpApplication → Web Application Firewall & IDS as an IHttpModule → HttpHandlerFactory → Handler

IHTTPModule for Web Services Firewall
Code walkthrough – events and hooks:
- Loading the DLL
- Setting up the rules
- Up and running!
- Demo
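An added example in the spirit of the web2wall module described above (not the talk's code): an IHttpModule that hooks BeginRequest, reads the SOAP envelope before the .asmx handler sees it, and lets through only whitelisted operations, parameters and value patterns. The class name, the rule table for getInput, and the assumption of SOAP 1.1 envelopes are my own.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

// Whitelist filter for SOAP 1.1 calls to .asmx endpoints, applied ahead of the Web Services handler.
public class SoapFilterModule : IHttpModule {
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";
    // operation -> parameter -> pattern the whole value must match (assumed rule: getInput.id is a short number).
    static readonly Dictionary<string, Dictionary<string, Regex>> Rules = new Dictionary<string, Dictionary<string, Regex>> {
        { "getInput", new Dictionary<string, Regex> { { "id", new Regex(@"^\d{1,10}$") } } } };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    void OnBeginRequest(object sender, EventArgs e) {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        if (req.HttpMethod != "POST" || !req.Path.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase)) return;
        byte[] raw = new byte[req.InputStream.Length];
        req.InputStream.Read(raw, 0, raw.Length);
        req.InputStream.Position = 0;                  // the .asmx handler still needs to read the body
        if (Allowed(Encoding.UTF8.GetString(raw))) return;
        app.Context.Response.StatusCode = 403;
        app.Context.Response.Write("Request rejected by SOAP filter");
        app.CompleteRequest();                         // the request never reaches the .asmx code
    }

    public static bool Allowed(string envelope) {
        XmlDocument doc = new XmlDocument();
        XmlReaderSettings s = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        try { using (XmlReader r = XmlReader.Create(new StringReader(envelope), s)) doc.Load(r); }
        catch (XmlException) { return false; }         // malformed XML or a DTD: reject before the engine parses it
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("soap", SoapNs);
        XmlNode op = doc.SelectSingleNode("/soap:Envelope/soap:Body/*[1]", ns);
        Dictionary<string, Regex> paramRules; Regex rule;
        if (op == null || !Rules.TryGetValue(op.LocalName, out paramRules)) return false;       // unknown operation
        foreach (XmlNode p in op.ChildNodes) {
            if (p.NodeType != XmlNodeType.Element) continue;
            if (!paramRules.TryGetValue(p.LocalName, out rule)) return false;                   // unexpected parameter
            if (p.HasChildNodes && p.FirstChild.NodeType != XmlNodeType.Text) return false;      // nested/recursive payload
            if (!rule.IsMatch(p.InnerText)) return false;                                        // value fails the rule
        }
        return true;
    }
}
```

Register the class under system.web/httpModules in web.config so it runs before the Web Services handler; the rule table is what you would load from a configuration file in a real deployment.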
Conclusion
- Web Services can be vulnerable to various attack vectors.
- Footprinting and Discovery are starting points.
- Scanning and Auditing can help in finding holes.
- Fuzzing is also an important aspect.
- Top 10 – OWASP, for Web Services.
- Scanning the code is equally important.
- Web Services Firewall – armoring the app.

Thanks!