8/9/2019 AppSec2005DC-Alex Stamos-Attacking Web Services
1/47
Copyright 2005 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec DC, October 2005, http://www.owasp.org/
Attacking Web Services
Alex Stamos, Founding Partner, iSEC Partners LLC, alex@isecpartners.com
Slide 2: Talk Agenda
OWASP AppSec DC 2005
- Introduction: Who are we? What are Web Services? Where are they being used?
- Web Services Technologies and Attacks: XML, SOAP, Discovery Methods
- Traditional Attacks, with a Twist!
- Demo: Play along with us! New tools
- Q&A

Slide 3: Introduction
- Who are we? Founding Partners of Information Security Partners, LLC (iSEC Partners). Application security consultants and researchers.
- Why listen to this talk? As you'll see, Web Services are being deployed all around us. Most of this work is based upon our experiences with real enterprise web service applications. There are a lot of interesting research opportunities. Find out what we don't know.
- To get the latest version of these slides, and the tools we will be demonstrating: https://www.isecpartners.com/speaking.html
- The demo Web Service is at http://wsdemo.isecpartners.com/WSDemo/WSDemo.asmx. Please don't nuke it!

Slide 4: What is this talk?
- Introduction to the relevant technologies for security experts. No background in Web Services is necessary.
- Introduce security risks associated with Web Services. Many of the protocols and issues are familiar. Classic application issues (injection attacks, session management) are still relevant in the WS world. Plenty of new protocols and attack surfaces to research.
- Prediction: The next couple of years will see an avalanche of vulnerabilities related to web services issues.
- This talk is not about WS-Security standards. Standards for crypto, authorization, authentication, etc. are necessary and important. Like TLS, standards like this are good building blocks, but do not eliminate vulnerabilities in an application. Ex: SSL doesn't protect against SQL injection.
Slide 5: Introduction: What are Web Services?
- It's an overloaded term (and a great way to raise VC).
- For our purposes, web services are communication protocols that: Use XML as the base meta-language to define communication. Provide computer
Slide 6: Introduction: What are Web Services?
- Why are they so compelling? Web service standards are built upon well understood technologies. Adoption by large software vendors has been extremely quick. Web services are sometimes described as a panacea to solve interoperability issues. Lots of "magic pixie dust" provided by vendors.
- Are very easy to write (C#, ASP.NET web service; the slide's sample with its dropped characters restored):

    using System.ComponentModel;
    using System.Web.Services;

    namespace WSTest
    {
        // Deriving from WebService and marking a public method [WebMethod]
        // is all it takes for the framework to expose it over SOAP.
        public class Test : System.Web.Services.WebService
        {
            [WebMethod]
            public string HelloWorld()
            {
                return "Hello World";
            }
        }
    }
Slide 7: Introduction: What are Web Services?
- Value to corporate management is easy to understand.
- Fake quote: "Let's expose our Mainframe APIs through SOAP and use plentiful Java developers on Windows/Linux instead of rare CICS developers on expensive mainframes to extend our system's functionality. If we change our mind about Java, no problem! C#, Perl, Python, C++, and every other language is already compatible with SOAP."
- With that much jargon, what PHB could say no?

Slide 8: Where are Web Services being used?
- Between Companies (B2B): Web services are being deployed to replace or supplement older data exchange protocols, such as EDI. 3rd party standards limit "Not Invented Here" syndrome. Example: Credit Card Clearer.

Slide 9: Where are Web Services being used?
- In front of legacy systems: Finding people to develop on these systems is hard. Reliance on old software and systems restricts growth and improvement of corporate IT systems. Solution: Web service gateway in front of legacy system. IBM is a big mover in this middleware. Security in these situations is extremely tricky.
- Between tiers of Web Applications: Front end is HTML/XHTML. Backend of SQL is replaced by SOAP, XPath, or XQuery. XML enabled databases consume these streams. Makes "X Injection" very interesting.
Slide 11: Code Breaks Free!
- At one point, nobody worried about providing rich functionality to the public Internet.
- People decided this was a bad idea and put up firewalls. Only HTTP, HTTPS, SMTP allowed from the outside.
- Web Services tunnel that functionality through ports often deemed "safe".
- Rich functionality once again hits the public Internet. Let's propose a new slogan:
- Web Services: We poke holes in your firewall so you don't have to!

Slide 12: New Attacks on Web Services Technologies
- Web Services have been designed to be everything-agnostic. Variety of technologies may be encountered at any layer. This talk focuses on those commonly encountered.
- We will discuss security issues at three layers: XML, SOAP, Discovery.

Slide 13: XML Introduction
- What is XML? A standard for representing diverse sets of data.
- Representing data is hard work! Binary Data. Internationalization. Representing metacharacters in data. Defining and Validating schemas. Parsing mechanisms.
- Result of large problem space: Dozens of standards in the "XML family": XSLT, XSD, XPath, XQuery, DTD, XML
Slide 14: XML Introduction
- Based on a few basic but strict rules: Declarations. Tags must open and close. Tags must be properly nested. Case sensitive. Must have a root node.
- Why do we care about the rules? Attacking web services generally means creating valid XML. If your XML doesn't parse right, it gets dropped early on. Fuzzing XML structure might be fun, but you're only hitting the parser.
- Simple example of an element:

    <car>
      <manufacturer>Toyota</manufacturer>
      <name>Corolla</name>
      <year>2005</year>
      <color>blue</color>
      <description>Excellent condition, 500k miles</description>
    </car>

Slide 15: XML Introduction
- Full Legal XML Document w/ Schema Reference and Namespace (the slide's text is cut off after the second namespace declaration):

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <car xmlns="http://www.isecpartners.com" xmlns:xsi="http://www.w3.org/2001/XM
Slide 16: XML Introduction - Schemas
- XML Documents are defined by: DTD (Old Standard). XSD (Current Standard). Old Attack: Reference external DTD - allows tracking of document, parsing based DoS attacks.
- XSDs can be standard or custom. Standard bodies use them to define file formats. Most WS applications use custom XSD. Not easy if you desire strict validation.
- XML Schemas are used to: Define the relationship, order, and number of elements. Ex: Color is an element of car, there is only one. Define the data type and permissible data. Ex: Color is a string, and can contain [A-Z][a
Slide 17: XML Introduction - Schemas

Slide 18: XML Introduction - Parsing
- There are two standard types of XML parsers used across platforms: SAX. State

Slide 19: XML Injection
- Emerging attack class: XML Injection. Occurs when user input passed to XML stream. XML parsed by second
Slide 20: XPath Injection
- XPath is a "simple" language to locate information in an XML document. Cross between directory browsing and RegEx. XPath 2.0 is the basis for XQuery language, XML successor to SQL.
- Our car example:

    <car>
      <manufacturer>Toyota</manufacturer>
      <name>Corolla</name>
      <year>2005</year>
      <color>blue</color>
      <description>Excellent condition, 500k miles</description>
    </car>

- XPath Examples:
  - car - returns all children of car node
  - /car - returns the root car element
  - //car - returns all car elements in the document
  - car//color - returns all colors under car element
  - //car[color='blue'] - returns all cars that have a color child equal to blue
Slide 21: XPath Injection
- XPath is often used to access an "XML Enabled" Database: SQL Server 2000, Oracle (8i+), Access 2002+, IBM Informix, Berkeley DB XML - "Native XML Database".
- What is the problem? Like SQL, XPath uses delimiters to separate code and data. Our old friend, single quote: '
- Unlike SQL: There is no access control inherent in XML or XPath. "Prepared statements" are rarely used, not guaranteed safe. If an attacker can control data in an XPath statement, they can access arbitrary parts of the XML file, or return arbitrary data.
Slide 22: XPath Injection
- An example use of XPath - Looking up Username/Password in XML:

    //user[name='Joe' and pass='letmein']/userid

- With the username  ' or userid=1 or ''='  injected:

    //user[name='Joe' or userid=1 or ''='' and pass='letmein']/userid

  Return all of the users with userid=1
- With Simple XPath Injection:  ' or 1=1 or ''='

    //user[name='Joe' or 1=1 or ''='' and pass='letmein']

  Return all of the users

Slide 23: XPath Injection
- Like SQL Injection, requires some knowledge of query. Much easier with error messages.
- Amit Klein of Sanctum wrote an excellent paper, "Blind XPath Injection". Claims to have tool to extract XML bit
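The lookup on slides 22 and 23, worked through as an added example (not code from the talk or the iSEC demo service): the slide's string-built query next to two hardened forms. The user store, the second user and the function names are constructed for this example. It uses the standard library ElementTree only; the hardened lookup never turns input into XPath at all, and the literal-quoting helper applies the XPath 1.0 rule that a string literal has no escape sequence, so a value containing both quote kinds must be assembled with concat().

```python
import xml.etree.ElementTree as ET

# Constructed sample user store in the shape the slide queries (not the talk's demo data).
USERS_XML = """<users>
  <user><name>Joe</name><pass>letmein</pass><userid>1</userid></user>
  <user><name>Alice</name><pass>hunter2</pass><userid>2</userid></user>
</users>"""


def build_query_unsafe(username, password):
    """The slide's pattern: user input concatenated straight into XPath code.
    A quote in the input closes the literal and the rest of the input becomes
    part of the predicate, which is exactly the slide's ' or 1=1 or ''=' case."""
    return "//user[name='%s' and pass='%s']/userid" % (username, password)


def xpath_literal(value):
    """Turn an arbitrary Python string into a single XPath 1.0 string literal.
    XPath 1.0 has no escaping inside literals, so: single-quote it if it has no
    single quote, double-quote it if it has no double quote, otherwise split on
    the single quotes and glue the pieces back with concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in parts) + ")"


def build_query_quoted(username, password):
    """Same query as the slide, but every input is a whole literal, so the
    injected text can no longer terminate it and change the predicate."""
    return "//user[name=%s and pass=%s]/userid" % (
        xpath_literal(username), xpath_literal(password))


def lookup_userid_safe(xml_text, username, password):
    """Hardened lookup: input is compared as data in Python and never parsed as
    XPath. Returns the userid text for a matching user, or None."""
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        if user.findtext("name") == username and user.findtext("pass") == password:
            return user.findtext("userid")
    return None


# Constructed inputs: a legitimate login and the injection string from the slide.
LEGIT = ("Joe", "letmein")
INJECTED = ("Joe' or 1=1 or ''='", "letmein")

if __name__ == "__main__":
    print(build_query_unsafe(*LEGIT))
    print(build_query_unsafe(*INJECTED))    # predicate is now always true
    print(build_query_quoted(*INJECTED))    # injected text stays inside one literal
    print(lookup_userid_safe(USERS_XML, *LEGIT))     # 1
    print(lookup_userid_safe(USERS_XML, *INJECTED))  # None
```

If the query really must be built as a string (a "Native XML Database" that only accepts XPath text), `xpath_literal` is the minimum; where the application can iterate the nodes itself, the comparison-in-code form removes the delimiter problem entirely and also keeps the failing case out of the error message that slide 33 shows leaking the query.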
Slide 24: Our Friend: CDATA Field
- XML has a specific technique to include non-legal characters in data, the CDATA field.
- Developers assume that certain data types cannot be embedded in XML, and these assumptions can lead to vulnerabilities.
- When querying a standard commercial XML parser, the CDATA component will be stripped. The resulting string contains the non
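The slide's point, shown as an added example (not from the talk): the same markup arrives in a `<description>` field once inside a CDATA section and once entity-escaped, and in both cases the application receives the raw characters after parsing. The two messages, the raw-text check and the function names are constructed for this example; it uses only the Python standard library.

```python
import html
import xml.etree.ElementTree as ET

# Two constructed messages carrying the same payload in a <description> field.
VIA_CDATA = "<car><description><![CDATA[<script>alert(1)</script>]]></description></car>"
VIA_ENTITIES = "<car><description>&lt;script&gt;alert(1)&lt;/script&gt;</description></car>"


def raw_text_contains_markup(xml_text):
    """A check made on the wire bytes before parsing. It only sees the encoded
    form, so it has no idea what the parser will hand to the application."""
    return "<script" in xml_text


def extract_description(xml_text):
    """What the application actually gets: the parser has already removed the
    CDATA wrapper and decoded the entities, so the string carries the raw
    characters the developer assumed XML could not deliver."""
    return ET.fromstring(xml_text).findtext("description")


def render_html(description):
    """Treat the parsed text as untrusted data at the output boundary, where
    the context (here HTML) is known, rather than trusting the XML layer."""
    return "<p>%s</p>" % html.escape(description, quote=True)


if __name__ == "__main__":
    for label, doc in (("CDATA", VIA_CDATA), ("entities", VIA_ENTITIES)):
        text = extract_description(doc)
        print(label, raw_text_contains_markup(doc), repr(text), render_html(text))
```

The raw-text check gives a different verdict for the two messages while the parsed text is identical, which is why validation of a field belongs after parsing and encoding belongs at the point of use.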
Slide 25: SOAP Introduction
- SOAP is a standard which defines how to use XML to exchange data between programs. Designed to capture RPC
- MSMQ, SMTP, Carrier Pigeon
- The "magic" of Web Services begins: Programming infrastructure turns 9-line code sample into fu

Slide 26: SOAP WSDLs
- SOAP Interfaces are described using Web Services Description Language (WSDL). WSDLs can be quite complicated. Generally not created or consumed by human beings. Auto

Slide 27: SOAP WSDLs
- What do WSDLs define?
  - types: Data types that will be used by a web service. "We will use XML Schema standard strings and integers"
  - message: A one way message, made up of multiple data elements. "Message BuyCar includes string Manufacturer and string Model"
  - portType: A set of messages that define a conversation. "Purchase: Client sends message BuyCar and receives message Receipt"
  - binding: Details on how this web service is implemented with SOAP. "We will be using RPC doc types using these namespaces"
  - service: The location where this service can be found. "You can use purchase at http://pre_p0wn3d_cars.com/webservice.aspx"

Slide 28: Example WSDL: eBay Price Watching (fragments as shown on the slide)

    <message name="getCurrentPriceRequest">
      <part name="auctionId" type="xsd:string"/>
      <part name="return" type="xsd:float"/>

    <portType name="eBayWatcherPortType">

    <binding name="eBayWatcherBinding" type="tns:eBayWatcherPortType">
Slide 29: SOAP WSDL Exposure
- Attack: WSDLs give away all of the sensitive information needed to attack a web application. This includes "hidden" or debug methods that developers might not want exposed. These methods have always existed. Real danger with applications "ported" to web services from normal web interface.
- Companies have always had "cruft" systems that are protected by obscurity. You know about that early-morning FTP batch job your company does unencrypted over the Internet. Do you want everybody in this room to know about it? Extranets, customer portals, one

Slide 30: SOAP Attacks
- SOAP Headers: Provide instructions on how a message should be handled. Often not necessary in basic applications. Still parsed/obeyed by WS frameworks. So many standards, so many attack surfaces. Header allows arbitrarily complex XML to support future standards. Attack: XML Complexity DoS in SOAP Header. Not checked against XSD.
- Attack: Source routing used to bypass security checks. Routing will become more common as companies provide unified WS interfaces to multiple machines. Possibly provided by "XML Firewall" devices.
- SOAPAction Header: Sometimes needed, sometimes filtered to attempt to remove soap requests. Often not required at all. Configurable in .NET with RoutingStyle attributes. Attack: Bypass protections that rely on SOAPAction.

Slide 31: SOAP Attacks
- Session management: SOAP, like HTTP, is stateless! Developers need to program their own state mechanism. Options include: In-line SessionID; defined Cookie in header.
- SOAP is transport independent, so a message should be able to be passed without session information from the transport, such as a HTTP cookie. Often used, but it's a hack. Attack: Cookies might be stripped at the web server, or not properly routed to the part of the app where decisions are being made. Watch out!
- New WS
Slide 32: Example SOAP Message
- Spot the attack!

    <userName xsi:type="xsd:string">'</userName>
    <password xsi:type="xsd:string">default</password>

Slide 33: SOAP Fault
- Example Fault from XPath Injection:

    <faultcode>soap:Server</faultcode>
    <faultstring>Server was unable to process request. --> '/Users/User[attribute::Login=''' and attribute::Password='default']/@' has an invalid token.</faultstring>
Slide 34: Web Services DoS
- We have created several XML complexity DoS attacks. Simple PERL replays of SOAP requests. Able to randomize session information. Most attack Application Server / XML Parser, not application logic itself.
- Like all DoS, looking for multiplier advantage:
  - CPU Time: Extremely deep structures require CPU time to parse and search. References to external documents cause network timeout during parsing, may block process. Creating a correct DOM for complex XML is not trivial.
  - Memory Space: Deep and broad structures. Large amounts of data in frequently used fields will be copied several times before being deleted. Memory exhaustion is almost impossible against production systems, but creating garbage collection / VM overhead might slow the system.
  - Database Connections: Applications often use fixed DB connection pools. Despite low CPU/mem load, filling the DB request queue can wait-state an application to death. Need to find a good SOAP request that does not require auth, but results in a heavy DB query. Perfect example: Initial User Authentication. A production site might have

Slide 35: Web Services DoS
- In any WS DoS case, there are important details to make the attack effective:
  - Legality of SOAP request: Matches DTD/XSD Syntax. This might not preclude embedding complex structures! Matches real SOAP Method. Anything that "burrows" deeper into the application stack causes more load. Especially important when attacking databases. Might need a valid session ID. Authenticate once with a real SOAP stack, then copy the SessionID/cookie into the static attack.
  - Speed: We use multiple processes. Making a request is relatively heavy compared to other DoS. Requires a real TCP connection. Don't use a SOAP framework. Most of the multiplier is lost. Need to listen for response for some attacks. We often run into limitations of the underlying Perl framework. Attack scripts run better on Linux Perl than ActiveState on Windows.
Slide 36: Web Service DoS: The Aftermath
- We are currently researching some more possibilities: Attacks against XPath equivalent to recent RegEx DoS. Using HTTP 1.1 pipelining to speed attack. SOAP equivalents of "teardrop" attacks against state: multiple fragmented requests.
- Defense isn't easy: Application server vendors need to add DoS into negative QA testing. There doesn't seem to be much customer demand yet. DoS yourself before somebody else does it for free.
- Need to check complexity before parsing: Secure SOAP handler, ISAPI filter, "XML Firewall". Use strict XML Schema verification. Watch out for <any> element. Don't forget the "nooks and crannies" attackers can shove code into: SOAP Headers!
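The "check complexity before parsing" defense from this slide and the CPU/memory multipliers of slide 34, as an added example that is not part of the talk or its tools: a streaming pre-check that a SOAP handler or filter could run on the raw message before the full parser sees it. It bounds size, nesting depth and element count, aborts at the first limit crossed, and frees each finished subtree so the check itself never builds the full DOM the slide warns about. The limits, the envelope sample, the `nested()` generator and all names are constructed for this example; it uses only the Python standard library, and depth is counted from the incremental parser's events, so the abort happens within one read chunk of the offending element rather than on the exact byte.

```python
import io
import xml.etree.ElementTree as ET


class ComplexityExceeded(ValueError):
    """Raised as soon as the streaming pass sees a limit crossed."""


# Illustrative limits; real values should come from measuring legitimate traffic.
MAX_BYTES = 256 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 5000


def check_complexity(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS):
    """Stream through the message with an incremental parser, tracking nesting
    depth and element count, and stop at the first limit crossed. Completed
    subtrees are cleared so the pass never holds the whole tree in memory.
    Returns the observed figures for logging when the message is accepted."""
    if len(data) > max_bytes:
        raise ComplexityExceeded("message of %d bytes exceeds %d" % (len(data), max_bytes))
    depth = deepest = elements = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            deepest = max(deepest, depth)
            if depth > max_depth:
                raise ComplexityExceeded("nesting depth exceeds %d" % max_depth)
            if elements > max_elements:
                raise ComplexityExceeded("element count exceeds %d" % max_elements)
        else:
            depth -= 1
            elem.clear()  # drop the finished subtree; only counters are kept
    return {"bytes": len(data), "max_depth": deepest, "elements": elements}


def accept(data, **limits):
    """Gate for a SOAP handler: True if the message may go on to the real parser.
    Malformed XML is rejected here too, so it never reaches the framework."""
    try:
        check_complexity(data, **limits)
        return True
    except (ComplexityExceeded, ET.ParseError):
        return False


def nested(n):
    """Constructed attack-shaped sample: n nested elements inside a header-like
    wrapper, the kind of structure an XSD check on the Body would never see."""
    return ("<e><h>" + "<a>" * n + "</a>" * n + "</h><b/></e>").encode()


# Constructed, well-formed SOAP 1.1 request of the shape a price-watching service might take.
SOAP_REQUEST = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body><GetPrice><auctionId>42</auctionId></GetPrice></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(check_complexity(SOAP_REQUEST))   # {'bytes': ..., 'max_depth': 4, 'elements': 5}
    print(accept(nested(10)), accept(nested(100)), accept(b"<e><h></e>"))  # True False False
```

Because the counters run over the whole document including the Header, this catches the slide's "complexity DoS in the SOAP Header" case that schema validation of the Body alone misses; the XSD check still belongs after it, this pass only decides whether the message is cheap enough to validate at all.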
Slide 37: Web Service Discovery Methods
- UDDI: Registries that list web services across multiple servers. Auto

Slide 38: UBR Example

Slide 39: Web Service Discovery
- Service Oriented Architectures: Another VC magnet buzzword. Means delayed binding of applications. World of systems finding and talking to other systems autonomously. Will always require open registries of web service information. Will eventually need proper PKI infrastructure.
- Other 3rd Party Registries: http://www.xmethods.net/ has an excellent list of fun services.
- DISCO / WS-Inspection: Lightweight versions of UDDI. Provides information about a single server's web services. DISCO files are automagically generated by Visual Studio .Net: http://wsdemo.isecpartners.com/WSDemo/default.vsdisco
40/47
5N
OWASP AppSec DC /..'
Traditional A##lication Attacks
:ver )most- a##lications accom#lish something use ul
1here is a ways so'ething to attac/
A##lication s#eci ic laws don(t magicall go awa Design $ aws
Gusiness Logic +rrors Gad &dea@ Methods
The same issues )1WAS% To# @C- that have #lagued us orears still e"ist
8/9/2019 AppSec2005DC-Alex Stamos-Attacking Web Services
41/47
5OWASP AppSec DC /..'
Traditional A##lication Attacks
SQ5 In9ection
Most web service a-- ications are sti bac/ed by databases SOAP3XML -rovide 'eans to esca-e3ob%uscate 'a icious characters
1ver lows in unmanaged code Severa %ra'ewor/s e0ist to wra- o d code in web services
B3et 6emoting Win#2 )OM Ob6ects e0-osed through SOAP
Gac/end -rocessing syste's are o%ten sti egacy $istakes in authoriGation7authentication
Worsened by state ess nature o% SOAP and ac/ o% industry standard%or state 'anage'ent
Auto
8/9/2019 AppSec2005DC-Alex Stamos-Attacking Web Services
42/47
52
OWASP AppSec DC /..'
Traditional A##lication Attacks
4SS
Kich data re-resentation a ows charset ga'es with browsers 1echno ogies such as ABAX a ow new -ossibi ities in XSS attac/s
)reating a we %or'ed SOAP re>uest can be di%%icu t %ro' scri-t "eeds research XSS code that inter%aces with e0isting XMLF11P ob6ect to
-er%or' actions in the ABAX a-- ication
Attac/s against other inter%aces *such as interna custo'er su--ort,'ore i/e y
;se web service to insert 'a icious scri-t( ca
Slide 43: Our Attack Tools
- WSBang: Takes URL of WSDL as input. Can be found using WSMap. Fuzzes all methods and parameters in the service. Identifies all methods and parameters, including complex parameters. Fuzzes parameters based on type specified in WSDL. Default values can be specified as well. Reports SOAP responses and faults. Future work: Support document

Slide 44: Attack Tree: Tying it all Together
- Navigate to UBR, ask for a site.
- Attach to UDDI server, ask for list of services.
- Ask service for its WSDL.
- Examine WSDL, find dangerous methods.
- Use WSBang to test methods, find XML Injection.
- Use XML Injection to change your user_id. Profit!
Slide 45: OWASP Top 10 - Still Relevant?
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management
- The answer to all of these is YES.

Slide 46: Conclusion
- Web Services are powerful, easy to use, and open. AKA they are extraordinarily dangerous. Many crusty corporate secrets will now be exposed.
- Lots of security work still required: Analysis of rapidly developing Web Services standards. WS

Slide 47: Web Services Security
- Demo!
- Alex Stamos, alex@isecpartners.com