Testing for Security Risks in a Web 2.0/SOA World Billy Hoffman, Lead Security Researcher, HP


Overview

What is Web 2.0?

• Definitions

Web 2.0 Technologies
• RSS
• Web Services and SOA
• AJAX

How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices

Conclusion

What is Web 2.0?

Tim O’Reilly

• Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform.

Wikipedia

• Web 2.0...refers to a perceived second-generation of Web based communities and hosted services — such as social networking sites, wikis and folksonomies — that facilitate collaboration and sharing between users.

Web 2.0 Timeline

My Definition

Web 1.0
• Incomplete pages were shameful
• “Please come back later when we’re ready”

Web 2.0
• Incomplete pages are a feature!
• “Stick around and help us improve the site”

Same Vulnerabilities
Additional Input Vectors
More Complexity


Web Feed Reader

Web Feed Technologies

RSS 2.0

• Really Simple Syndication

RSS 0.91 and 1.0

• Rich Site Summary

RSS 0.9

• RDF Site Summary

Atom

• Atom Syndication Format (RFC 4287)

“I love standards…there are so many to choose from…”

Web Feed Timeline

Sample RSS Feed – New York Times

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>NYT > Home Page</title>
    <link>http://www.nytimes.com/index.html?partner=rssnyt</link>
    <description>New York Times > Breaking News, World News &amp; Multimedia</description>
    <language>en-us</language>
    <copyright>Copyright 2007 The New York Times Company</copyright>
    <lastBuildDate>Tue, 1 May 2007 01:05:01 EDT</lastBuildDate>
    …
    <item>
      <title>Torre and Cashman Are Safe, for Now</title>
      <link>http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html?ex=1335672000&amp;en=d3e1e3550cf1a49c&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss</link>
      <description>The Yankees' owner said he supports the team's manager and general manager but that he is also impatient.</description>
      <author>TYLER KEPNER</author>
      <guid isPermaLink="false">http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html</guid>
      <pubDate>Tue, 01 May 2007 00:35:27 EDT</pubDate>
    </item>

Attack Scenarios

Malicious Operator
• Owner of web feed intentionally injects malicious content into web feed
• Subscribers would be affected when the content was downloaded/viewed
• Not a likely attack scenario as the perpetrator could easily be identified

Compromised Host
• Attacker compromises trusted host and is able to inject content into heavily subscribed web feed
• Trusted host has already taken care of generating traffic for the attacker

Open Content
• Web site allows (un)trusted users to supply content
• Content is published and made available via a web feed
• An attacker could leverage this setup to inject malicious content into a web feed
• Mailing lists, forums, message boards and other open venues are often delivered as web feeds

Open Content Attack

Input Validation

• Virtually all vulnerabilities result from improper input validation
• Attackers supply input for which error handling routines do not exist
• This can leave a system in an exploitable condition

Remember…
• …trust, but verify

Channel 14 News

Real time ticker
• Initial submission underwent human validation
• Subsequent submissions permitted in real time

Solutions

Server Side
• White listing
  • Build regular expressions to define appropriate input
• Black listing
  • Restrict HTML to appropriate tags only
  • Take extreme care to take all possible encoding schemes into account
• HTML encode user supplied content

Client Side
• Receive content only from trusted sources
• Ensure that the RSS/Atom reader being used is not susceptible to feed injection
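One way to implement the server-side white-listing and HTML-encoding advice above, as an added example that is not from the talk: a Python allow-list sanitizer (the permitted tag and attribute sets are assumptions) that rebuilds user-supplied HTML from parsed tokens instead of pattern-matching for dangerous strings, so encoding tricks do not help, and then escapes the result for a feed <description> element.

```python
from html import escape
from html.parser import HTMLParser
from xml.sax.saxutils import escape as xml_escape

# Allow-list (assumed policy): only these tags, and only these attributes on them.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class AllowListSanitizer(HTMLParser):
    """Re-emit only allow-listed tags; everything else becomes escaped text.
    Because the parser decodes entities first, an encoded '<script>' is still
    seen as text and is re-escaped on output rather than slipping through."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop unknown tags (their text content is still kept)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* event handlers, style, etc.
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_html(untrusted):
    p = AllowListSanitizer()
    p.feed(untrusted)
    p.close()
    return "".join(p.out)


def rss_item(title, body_html):
    # Feed readers render <description> as HTML; escaping the sanitized
    # markup keeps the surrounding XML well-formed.
    return (f"<item><title>{xml_escape(title)}</title>"
            f"<description>{xml_escape(sanitize_html(body_html))}</description></item>")
```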

Web Services and SOA

Web Services Architecture

Discovery Agencies
• UDDI
• DISCO
• Etc.

Service Provider
• SOAP
• WSDL

Service Requestor

Interactions: the service provider publishes its description to the discovery agencies, the service requestor finds it there, and requestor and provider then interact directly.

Inputs - WSDL

http://api.google.com/GoogleSearch.wsdl

<message name="doGoogleSearch">
  <part name="key" type="xsd:string"/>
  <part name="q" type="xsd:string"/>
  <part name="start" type="xsd:int"/>
  <part name="maxResults" type="xsd:int"/>
  <part name="filter" type="xsd:boolean"/>
  <part name="restrict" type="xsd:string"/>
  <part name="safeSearch" type="xsd:boolean"/>
  <part name="lr" type="xsd:string"/>
  <part name="ie" type="xsd:string"/>
  <part name="oe" type="xsd:string"/>
</message>
...
<service name="GoogleSearchService">
  <port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
    <soap:address location="http://api.google.com/search/beta2"/>
  </port>
</service>

Web Services Challenges

What don’t web services change?

• Web services do not create new vulnerabilities

What do web services change?

• Web applications may advertise input vectors
  • WSDL files
• Web applications may advertise their existence
  • UDDI
  • DISCO

How do web services affect security?

• New input vectors
• Testing tools must understand web services protocols
  • SOAP
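To make the point that a WSDL advertises a service's input vectors concrete, here is an added Python example (not from the talk or from HP's tools) that parses a constructed WSDL, trimmed to the shape of the GoogleSearch excerpt above, and lists each operation's SOAP endpoint and input parts with their declared types, which is exactly the inventory a security test plan starts from.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL modelled on the GoogleSearch excerpt (not the real file).
SAMPLE_WSDL = f"""<?xml version="1.0"?>
<definitions xmlns="{WSDL_NS}" xmlns:soap="{SOAP_NS}"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:typens="urn:GoogleSearch" targetNamespace="urn:GoogleSearch">
  <message name="doGoogleSearch">
    <part name="key" type="xsd:string"/>
    <part name="q" type="xsd:string"/>
    <part name="start" type="xsd:int"/>
    <part name="maxResults" type="xsd:int"/>
    <part name="safeSearch" type="xsd:boolean"/>
  </message>
  <message name="doGoogleSearchResponse">
    <part name="return" type="typens:GoogleSearchResult"/>
  </message>
  <portType name="GoogleSearchPort">
    <operation name="doGoogleSearch">
      <input message="typens:doGoogleSearch"/>
      <output message="typens:doGoogleSearchResponse"/>
    </operation>
  </portType>
  <service name="GoogleSearchService">
    <port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
      <soap:address location="http://api.google.com/search/beta2"/>
    </port>
  </service>
</definitions>"""


def wsdl_input_vectors(wsdl_text):
    """Return {operation: {"endpoints": [...], "inputs": [(name, type), ...]}}
    for every portType operation that declares an input message."""
    root = ET.fromstring(wsdl_text)
    q = lambda tag: f"{{{WSDL_NS}}}{tag}"
    # message name -> list of (part name, declared type or element)
    messages = {m.get("name"): [(p.get("name"), p.get("type") or p.get("element"))
                                for p in m.findall(q("part"))]
                for m in root.findall(q("message"))}
    endpoints = [a.get("location") for a in root.iter(f"{{{SOAP_NS}}}address")]
    vectors = {}
    for port_type in root.findall(q("portType")):
        for op in port_type.findall(q("operation")):
            inp = op.find(q("input"))
            if inp is None or not inp.get("message"):
                continue
            msg = inp.get("message").split(":")[-1]  # strip the namespace prefix
            vectors[op.get("name")] = {"endpoints": endpoints,
                                       "inputs": messages.get(msg, [])}
    return vectors
```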

Web Services Attacks

Cross Site Request Forgery

• Abuse the trust established between a browser and server to force unwanted user actions

Cross Site Scripting

• Inject client side script into a web page

SQL Injection

• Ability to influence back end SQL Queries

Session Hijacking

• Ability to predict/intercept session credentials

Etc.

• This list could go on forever

Verdict

• Web Services can be exposed to the same vulnerabilities as web applications!

Myths of Web Service Security

Myth: Web services involve machine to machine communication and would/could therefore never be targeted by an attacker
• SOAP requests can easily be forged manually or using point and click freeware tools (e.g. Foundstone WSDigger)
• In some ways, web services are a goldmine for an attacker as they advertise their existence and reveal expected inputs

Myth: I can simply strip out this cool functionality and expose it using a web service without compromising security
• Web application security may be left behind when specific pieces of business logic are exposed via a web service

Solution

• Web services can and should be just as secure as any other web application but they won’t get there on their own
• Web services should go through the same secure coding practices as other applications
• Do not assume that web services will not be a target for attackers as they exist “behind the scenes”. This can make them an even more attractive target.


Asynchronous JavaScript and XML (AJAX)

AJAX

Google Maps

FireBug

AJAX Defined

Asynchronous

• Requests are initiated in the background

JavaScript

• JavaScript instantiates the XmlHttpRequest object and generates the requests

And XML

• This is a misnomer as AJAX frameworks commonly employ alternate data interchange formats
  • JSON - Atlas
  • Serialized Java - Google Web Toolkit
  • HTML
  • XML

AJAX Implementations

Multiple frameworks

• Prototype (http://www.prototypejs.org/)
• Script.aculo.us
• Dojo (http://dojotoolkit.org/)
• ASP.Net AJAX (http://ajax.asp.net/)
• Etc.

Multiple browser objects

• Internet Explorer
  • IE6 - XMLHTTP ActiveX control
  • IE7 – XMLHTTP native script object
• Firefox
  • XMLHttpRequest object

AJAX Challenges

What doesn’t AJAX change?

• AJAX does not create new vulnerabilities

What does AJAX change?

• Business logic is dispersed among multiple client side files/functions
• Requests are made in the background without user intervention but are just as susceptible to attack

How does AJAX affect security?

• Increased surface area
  • More business logic is exposed
  • New input vectors are exposed
• Security tools must understand the XHR objects and their syntax in order to identify input vectors
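As an added illustration of why a testing tool has to understand XHR syntax (this is example code, not from the talk or any HP product), the Python scanner below pulls the input vectors out of hand-written AJAX client code: it pairs each XMLHttpRequest open() with the send() that follows it, joins the string literals of concatenated URL and body expressions, and reports method, path and parameter names. The JavaScript input is constructed, and the scanner assumes send() follows its open() in source order.

```python
import re

# Constructed client-side code in the style of a hand-rolled AJAX ticker.
SAMPLE_JS = """
function loadTicker(id) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/ticker/latest?channel=" + id + "&limit=20", true);
  xhr.send(null);
}
function postComment(text) {
  var req = window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP")
                                 : new XMLHttpRequest();
  req.open('POST', '/comments/add', true);
  req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req.send('user=' + user + '&body=' + encodeURIComponent(text));
}
"""

LITERAL_RE = re.compile(r"""(['"])(.*?)\1""")          # JS string literals
OPEN_RE = re.compile(r"""\.open\(\s*(['"])(\w+)\1\s*,\s*([^,)]+)""")  # method, url expr
SEND_RE = re.compile(r"\.send\(\s*([^)]*)")            # body expression
PARAM_RE = re.compile(r"(\w+)=")                       # name= in query/body


def literals(expr):
    """Concatenate the string literals of a JS expression, dropping the
    variables in between, e.g. '"a=" + x + "&b=1"' -> 'a=&b=1'."""
    return "".join(m.group(2) for m in LITERAL_RE.finditer(expr))


def xhr_input_vectors(js):
    """Return one {method, path, params} record per XHR open() found."""
    vectors = []
    for m in OPEN_RE.finditer(js):
        method = m.group(2).upper()
        path, _, query = literals(m.group(3)).partition("?")
        params = set(PARAM_RE.findall(query))
        send = SEND_RE.search(js, m.end())   # assumption: next send() belongs to this open()
        if send:
            params |= set(PARAM_RE.findall(literals(send.group(1))))
        vectors.append({"method": method, "path": path, "params": sorted(params)})
    return vectors
```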


Input Vectors

(Figure comparing the input vectors of a Web 1.0 application with those of a Web 2.0 application)

Attack Vectors

Input vectors

• Input vectors = attack vectors
• When identifying input vectors – think broadly

Vulnerabilities

• Vast majority of vulnerabilities result when unexpected user supplied input is not properly sanitized
• ANYTHING sent from the client to the server is a potential attack vector

Input Validation

• Validate everything!


Thoughts

Will Web 2.0 usher in the apocalypse?

• No, the sky isn’t falling either
• Web 2.0 technologies offer to expand the web with intuitive, content rich applications, but as with any new technology, they bring new security challenges

What is the greatest security challenge posed by Web 2.0?

• It isn’t new classes of web application vulnerabilities. For the most part, the type of vulnerabilities have remained unchanged while attackers now have new ways to exploit them.

• The greatest security challenge is the same as it is with any new technology. Adopt Web 2.0 technologies to solve a business need, not because it looks cool. When we rush to adopt a new technology for the wrong reasons, we typically leave security behind.

Solutions – HP ASC

Security Throughout the SDLC: Plan, Requirements, Design, Build, Test, Production
• Source Code Validation: DevInspect
• QA/Integration Testing: QAInspect
• Production Assessment: WebInspect
• Assessment Management Platform (AMP): Enterprise Application Security Assurance, Enterprise Security Assurance & Reporting

Questions

Billy Hoffman, Lead Security Researcher, HP
bhoffman@hp.com