Attacking Web Services Jason Alexander Jason.alexander@owasp.org OWASP 17.03.2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of.

Attacking Web Services Jason Alexander [email protected] OWASP 17.03.2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of.

Transcript Attacking Web Services Jason Alexander [email protected] OWASP 17.03.2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of.

Attacking Web Services
Jason Alexander
[email protected]
OWASP
17.03.2010
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
What are Web Services?
No single definition
SOA, SOAP, REST, XML, WSDL, UDDI
“A web service is a software component developed to
support interoperability over a network using an
interface described in WSDL. Other systems
communicate with the web service using SOAP
messages that are typically transported using the HTTP
protocol with XML messaging.”
OWASP
2
What are Web Services..cont
 For our purposes, web services are
communication protocols that:
Use XML as the base meta language
Provide computer to computer communication
Use standard protocols, often in line with W3C,
OASIS and WS-I
Designed to be platform and transport independent
OWASP
3
What are Web Services..cont
Why are they popular?
- Quote
“lets expose our mainframe API’s through SOAP
and use plentiful Java developers on Win/Lin
instead of rare CICS developers on expensive
mainframes to extend system functionality”
With an argument like that, what PHB could say
no?
OWASP
4
What are Web Services..cont
Usually deployed over port 80/443
Web Services
We poke holes in your firewall so you don’t have to
OR
FBP -Firewall bypass protocol
OWASP
5
Threats
All the “usual suspects”
Injection Attacks
Scripting Attacks
Broken Authentication
Security Mis-configuration
OWASP Top 10 any one? And more………
OWASP
6
Attacking Web Services
Follows basic concept of Web Application attacks
Discovery
Enumeration & information Gathering
Identifying Attack Vectors
Exploitation
Whitebox assessment – code analysis
OWASP
7
Discovery
Find Web Services entry points
This is in the WSDL
How to find the WSDL?
UDDI –Universal Description Discovery and
Integration
UBR – Universal Business Registry
Google is your friend !
inurl:wsdl site:example.com
OWASP
8
Discovery..cont
OWASP
9
Discovery..cont
OWASP
10
Discovery..cont
Google Sample inurl:wsdl site:nhs.uk
www.show.scot.nhs.uk/FindNearest/findnearest.asmx
?WSDL
www.nhshighland.scot.nhs.uk/Search/_vti.../search.a
smx?WSDL
www.uhsm.nhs.uk/_vti_bin/sites.asmx?wsdl
Crawling technique
wget –l 50 –r http://192.168.1.10
Find . –name *wsdl*
OWASP
11
Enumeration & information Gathering
Standard Web application enumeration
telnet 192.168.1.10 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server Microsoft-IIS/5.0
X-Powered-By:ASP.net
OWASP
12
Enumeration & information Gathering..cont
WSDL – All an attacker needs to know to
interface with the service
Auto-Generated by WS framework
Generally not created or consumed by humans
No access controls generally enforced on
WSDL’s
Do you really need to provide a WSDL ?????
OWASP
13
Enumeration & information Gathering..cont
WSDL Example: Ebay Price Watching
<?xml version="1.0"?>
<definitions name="eBayWatcherService"
targetNamespace=
"http://www.xmethods.net/sd/eBayWatcherService.wsdl"
xmlns:tns="http://www.xmethods.net/sd/eBayWatcherServic
e.wsdl"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/">
<messagename ="getCurrentPriceRequest">
<part name="auction_id" type = "xsd:string"/>
</message>
<message name="getCurrentPriceResponse">
<part name="return" type = "xsd:float"/>
</message>
<portTypename="eBayWatcherPortType">
<operation name="getCurrentPrice">
<input
message="tns:getCurrentPriceRequest"
name="getCurrentPrice"/>
<output
message="tns:getCurrentPriceResponse"
name="getCurrentPriceResponse"/>
</operation>
</portType>
<binding name="eBayWatcherBinding"
type="tns:eBayWatcherPortType">
<soap:binding
style="rpc"
transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="getCurrentPrice">
<soap:operationsoapAction=""/>
<input name="getCurrentPrice">
<soap:body
use="encoded"
namespace="urn:xmethods-EbayWatcher"
encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
/>
</input>
<output name="getCurrentPriceResponse">
<soap:body
use="encoded"
namespace="urn:xmethods-EbayWatcher"
encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
/>
</output>
</operation>
</binding>
OWASP
14
Enumeration & information Gathering..cont
Using Tools to profile web services
wsKnight
Wsdigger
SoapUI etc
DEMO
OWASP
15
Attack Vectors
Most of the web application attack vectors can
be applied to web services
Injection & Scripting attacks apply
Specific SOAP orientated attacks
XML Poisoning
SOAP message brute forcing
SOAP parameter manipulation
XML parser attacks
Could take a whole lot of time to discuss all
attacks!
OWASP
16
Attack Vectors..cont
Spot the attack!
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/1999/XMLSchema">
<SOAP-ENV:Body>
<ns1:LogOnUser xmlns:ns1="http://www.isecpartners.com/WebServices/TestService/" SOAPENC:root="1">
<userNamexsi:type="xsd:string">'</userName>
<password xsi:type="xsd:string">default</password>
</ns1:LogOnUser>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
OWASP
17
Attack Vectors..cont
DEMO
OWASP
18
Counter Measures
Do you need a WSDL?
Has it been sanitised?
Secure coding. Utilise OWASP resources
OWASP Coding guide – Input validation
OWASP TOP 10
OWASP Testing Guide
OWASP WS project – needs volunteers
 http://www.owasp.org/index.php/Category:OWASP_Web_Servic
es_Security_Project
OWASP
19
Counter Measures..cont
Protect messages in transit
TLS is the BEST option and fits most models
XML signing and encryption have their uses but are
difficult to implement
WS-Security
Web Application Firewalls (WAF)
Do they work in a SOAP/XML environment?
New breed of technology – XML gateways!
Regular firewalls do not work!
OWASP
20
Resources




DISCO: http://msdn.microsoft.com/en-us/magazine/cc302073.aspx
UDDI OASIS Standard: http://www.oasis-open.org/specs/index.php#uddiv3.0.2
Understanding UDDI: http://www-128.ibm.com/developerworks/webservices/library/ws-featuddi/index.html
WebServices Testing: http://www.aboutsecurity.net
Tools








Net Square wsPawn
OWASP WebScarab: Web Services plugin
Mac OSX Soap Client: http://www.ditchnet.org/soapclient
Foundstone WsDigger: http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
SoapBox http://www.vordel.com/products/soapbox/
SoapUI: http://www.soapui.org/
SOAPClient4XG: http://www-128.ibm.com/developerworks/xml/library/x-soapcl/
CURL: http://curl.haxx.se
On-line tools





Web Services Directory: http://www.wsindex.org
Seekda: http://seekda.com/
UDDI Browser: http://www.soapclient.com/
Xmethods: http://www.xmethods.net
WSIndex: http://www.wsindex.org
OWASP
21
References
 www.owasp.org
Hacking web services by Sheeraj Shah
How to Break Web Software by Mike Andrews
and James Whittaker
Attacking Web Services by Alex Stamos
OWASP
22