AppSec2005DC-Alex Stamos-Attacking Web Services


  • 8/9/2019 AppSec2005DC-Alex Stamos-Attacking Web Services

    1/47

Copyright 2005 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP AppSec DC, October 2005, http://www.owasp.org/

Attacking Web Services

Alex Stamos, Founding Partner, iSEC Partners LLC, alex@isecpartners.com


OWASP AppSec DC 2005

Talk Agenda

Introduction
  Who are we?
  What are Web Services?
  Where are they being used?
Web Services Technologies and Attacks
  XML
  SOAP
  Discovery Methods
Traditional Attacks, with a Twist!
Demo
  Play along with us!
New tools
Q&A


Introduction

Who are we?
  Founding Partners of Information Security Partners, LLC (iSEC Partners)
  Application security consultants and researchers
Why listen to this talk?
  As you'll see, Web Services are being deployed all around us
  Most of this work is based upon our experiences with real enterprise web service applications
  There are a lot of interesting research opportunities
  Find out what we don't know
To get the latest version of these slides, and the tools we will be demonstrating: https://www.isecpartners.com/speaking.html
The demo Web Service is at http://wsdemo.isecpartners.com/WSDemo/WSDemo.asmx. Please don't nuke it!


What is this talk?

Introduction to the relevant technologies for security experts
  No background in Web Services is necessary
Introduce security risks associated with Web Services
  Many of the protocols and issues are familiar
  Classic application issues (injection attacks, session management) are still relevant in the WS world
  Plenty of new protocols and attack surfaces to research
  Prediction: The next couple of years will see an avalanche of vulnerabilities related to web services issues
This talk is not about WS Security standards
  Standards for crypto, authorization, authentication, etc. are necessary and important
  Like TLS, standards like this are good building blocks, but do not eliminate vulnerabilities in an application
  Ex: SSL doesn't protect against SQL injection


Introduction: What are Web Services?

It's an overloaded term (and a great way to raise VC $)
For our purposes, web services are communication protocols that:
  Use XML as the base meta-language to define communication
  Provide computer


Introduction: What are Web Services?

Why are they so compelling?
  Web service standards are built upon well understood technologies
  Adoption by large software vendors has been extremely quick
  Web services are sometimes described as a panacea to solve interoperability issues
  Lots of "magic pixie dust" provided by vendors
  Are very easy to write:

    using System.ComponentModel;
    using System.Web.Services;

    namespace WSTest
    {
        public class Test : System.Web.Services.WebService
        {
            [WebMethod]
            public string HelloWorld()
            {
                return "Hello World";
            }
        }
    }


Introduction: What are Web Services?

Value to corporate management is easy to understand
Fake quote: "Let's expose our Mainframe APIs through SOAP and use plentiful Java developers on Windows/Linux instead of rare CICS developers on expensive mainframes to extend our system's functionality. If we change our mind about Java, no problem! C#, Perl, Python, C++, and every other language is already compatible with SOAP."
With that much jargon, what PHB could say no?


Where are Web Services being used?

Between Companies (B2B)
  Web services are being deployed to replace or supplement older data exchange protocols, such as EDI
  3rd party standards limit "Not Invented Here" syndrome
  Example: Credit Card Clearer


Where are Web Services being used?

In front of legacy systems
  Finding people to develop on these systems is hard
  Reliance on old software and systems restricts growth and improvement of corporate IT systems
  Solution: Web service gateway in front of legacy system
  IBM is a big mover in this middleware
  Security in these situations is extremely tricky
Between tiers of Web Applications
  Front end is HTML/XHTML
  Backend of SQL is replaced by SOAP, XPath, or XQuery
  XML enabled databases consume these streams
  Makes "X Injection" very interesting


Code Breaks Free!

At one point, nobody worried about providing rich functionality to the public Internet
People decided this was a bad idea and put up firewalls
  Only HTTP, HTTPS, SMTP allowed from the outside.
Web Services tunnel that functionality through ports often deemed "safe"
Rich functionality once again hits the public Internet
Let's propose a new slogan:

Web Services
We poke holes in your firewall so you don't have to!


New Attacks on Web Services Technologies

Web Services have been designed to be everything agnostic
  Variety of technologies may be encountered at any layer
  This talk focuses on those commonly encountered
We will discuss security issues at three layers:
  XML
  SOAP
  Discovery


XML Introduction

What is XML?
  A standard for representing diverse sets of data
Representing data is hard work!
  Binary Data
  Internationalization
  Representing metacharacters in data
  Defining and Validating schemas
  Parsing mechanisms
Result of large problem space
  Dozens of standards in the XML "family": XSLT, XSD, XPath, XQuery, DTD, XML


XML Introduction

Based on a few basic but strict rules:
  Declarations
  Tags must open and close
  Tags must be properly nested
  Case sensitive
  Must have a root node
Why do we care about the rules?
  Attacking web services generally means creating valid XML
  If your XML doesn't parse right, it gets dropped early on
  Fuzzing XML structure might be fun, but you're only hitting the parser
Simple example of an element:

    <car>
      <manufacturer>Toyota</manufacturer>
      <name>Corolla</name>
      <year>2001</year>
      <color>blue</color>
      <description>Excellent condition, 100k miles</description>
    </car>


XML Introduction

Full Legal XML Document w/ Schema Reference and Namespace:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <car xmlns="http://www.isecpartners.com" xmlns:xsi="http://www.w3.org/2001/XM


XML Introduction - Schemas

XML Documents are defined by:
  DTD: Old Standard
  XSD: Current Standard
  Old Attack: Reference external DTD - allows tracking of document, parsing based DoS attacks
XSDs can be standard or custom
  Standard bodies use them to define file formats
  Most WS applications use custom XSD
  Not easy if you desire strict validation
XML Schemas are used to:
  Define the relationship, order, and number of elements
    Ex: Color is an element of car, there is only one
  Define the data type and permissible data
    Ex. Color is a string, and can contain [A-Z][a


XML Introduction - Schemas


XML Introduction - Parsing

There are two standard types of XML parsers used across platforms
  SAX: State


XML Injection

Emerging attack class: XML Injection
  Occurs when user input passed to XML stream
  XML parsed by second


XPath Injection

XPath is a "simple" language to locate information in an XML document
  Cross between directory browsing and RegEx
  XPath 2.0 is the basis for XQuery language, XML successor to SQL
Our car example:

    <car>
      <manufacturer>Toyota</manufacturer>
      <name>Corolla</name>
      <year>2001</year>
      <color>blue</color>
      <description>Excellent condition, 100k miles</description>
    </car>

XPath Examples:
  car - returns all children of car node
  /car - returns the root car element
  //car - returns all car elements in the document
  car//color - returns all colors under car element
  //car[color='blue'] - returns all cars that have a color child equal to blue


XPath Injection

XPath is often used to access a "XML Enabled" Database
  SQL Server 2000
  Oracle (8i+)
  Access 2002+
  IBM Informix
  Berkeley DB XML - "Native XML Database"
What is the problem?
  Like SQL, XPath uses delimiters to separate code and data
    Our old friend, single quote '
  Unlike SQL:
    There is no access control inherent in XML or XPath
    "Prepared statements" are rarely used, not guaranteed safe
  If an attacker can control data in an XPath statement, they can access arbitrary parts of the XML file, or return arbitrary data


XPath Injection: An example use of XPath - Looking up Username/Password in XML

    //user[name='joe' and pass='letmein']

With the name joe' or userid=1 or ''=' the query becomes:

    //user[name='joe' or userid=1 or ''='' and pass='letmein']/userid

Returns all of the users with userid=1.

With Simple XPath Injection (name joe' or 1=1 or ''='):

    //user[name='joe' or 1=1 or ''='' and pass='letmein']

Returns all of the users.
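The injection on this slide works because XPath 1.0 has no escape sequence inside a string literal, so a quote in user input always terminates the literal. The following is an added example, not code from the talk or from iSEC Partners' tools: it wraps each untrusted value as an XPath literal by choosing the delimiter the value does not contain (falling back to concat() when it contains both), and shows the slide's payload staying inside the literal. The query shape, the name joe and the password letmein follow the slide; the helper names are my own.

```python
# XPath 1.0 string-literal quoting as a defence against the injection on the
# slide. Added example; not from the talk or from iSEC Partners' tools.


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that evaluates exactly to value.

    XPath has no backslash escapes, so a literal may contain any character
    except its own delimiter. Pick the delimiter the value lacks; if it holds
    both quote kinds, stitch single-quoted pieces together with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")   # part contains no single quote
        if i < len(parts) - 1:
            pieces.append('"\'"')       # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def login_query_unsafe(name: str, password: str) -> str:
    """The pattern the slide attacks: user input pasted into the expression."""
    return f"//user[name='{name}' and pass='{password}']"


def login_query_safe(name: str, password: str) -> str:
    """Same lookup with every untrusted value wrapped by xpath_literal()."""
    return (f"//user[name={xpath_literal(name)} "
            f"and pass={xpath_literal(password)}]")


# Constructed payload, taken from the slide: it closes the name literal and
# makes the predicate true for every <user>.
PAYLOAD = "joe' or 1=1 or ''='"

if __name__ == "__main__":
    print(login_query_unsafe(PAYLOAD, "letmein"))  # predicate hijacked
    print(login_query_safe(PAYLOAD, "letmein"))    # payload stays a string
```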


XPath Injection

Like SQL Injection, requires some knowledge of query
  Much easier with error messages
Amit Klein of Sanctum wrote an excellent paper "Blind XPath Injection"
  Claims to have tool to extract XML bit


Our Friend: CDATA Field

XML has a specific technique to include non-legal characters in data, the CDATA field
  Developers assume that certain data types cannot be embedded in XML, and these assumptions can lead to vulnerabilities
  When querying a standard commercial XML parser, the CDATA component will be stripped
  The resulting string contains the non


SOAP Introduction

SOAP is a standard which defines how to use XML to exchange data between programs
  Designed to capture RPC
  ...quired
    MSMQ, SMTP, Carrier Pigeon
The "magic" of Web Services begins
  Programming infrastructure turns 9-line code sample into fu


SOAP WSDLs

SOAP Interfaces are described using Web Services Description Language (WSDL)
  WSDLs can be quite complicated
  Generally not created or consumed by human beings
  Auto


SOAP WSDLs

What do WSDLs define?
  types: Data types that will be used by a web service
    "We will use XML Schema standard strings and integers"
  message: A one way message, made up of multiple data elements.
    "Message BuyCar includes string Manufacturer and string Model"
  portType: A set of messages that define a conversation
    "Purchase: Client sends message BuyCar and receives message Receipt"
  binding: Details on how this web service is implemented with SOAP
    "We will be using RPC doc types using these namespaces"
  service: The location where this service can be found
    "You can use purchase at http://pre_p0wn3d_cars.com/webservice.aspx"


Example WSDL (fragment): eBay Price Watching

    <message name="getCurrentPriceRequest">
      <part name="auction_id" type="xsd:string"/>
      <part name="return" type="xsd:float"/>
    <portType name="eBayWatcherPortType">
    <binding name="eBayWatcherBinding" type="tns:eBayWatcherPortType">


SOAP WSDL Exposure

Attack: WSDLs give away all of the sensitive information needed to attack a web application
  This includes "hidden" or debug methods that developers might not want exposed
  These methods have always existed
  Real danger with applications "ported" to web services from normal web interface
Companies have always had "cruft" systems that are protected by obscurity
  You know about that 00AM FTP batch job your company does unencrypted over the Internet. Do you want everybody in this room to know about it?
  Extranets, customer portals, one


SOAP Attacks

SOAP Headers
  Provide instructions on how a message should be handled
  Often not necessary in basic applications
  Still parsed/obeyed by WS frameworks
  So many standards, so many attack surfaces
  Header allows arbitrarily complex XML to support future standards
    Attack: XML Complexity DoS in SOAP Header
    Not checked against XSD
  Attack: Source routing used to bypass security checks
    Routing will become more common as companies provide unified WS interfaces to multiple machines
    Possibly provided by "XML Firewall" devices
SOAPAction Header
  Sometimes needed, sometimes filtered to attempt to remove soap requests.
  Often not required at all. Configurable in .NET with RoutingStyle attributes
  Attack: Bypass protections that rely on SOAPAction


SOAP Attacks

Session management
  SOAP, like HTTP, is stateless!
  Developers need to program their own state mechanism. Options include:
    In-line SessionID, defined Cookie in header
      SOAP is transport independent, so a message should be able to be passed without session information from the transport, such as a HTTP cookie
      Often used, but it's a hack
      Attack: Cookies might be stripped at the web server, or not properly routed to the part of the app where decisions are being made. Watch out!
    New WS


Example SOAP Message

Spot the attack!

    <UserName xsi:type="xsd:string">'</UserName>
    <Password xsi:type="xsd:string">default</Password>


SOAP Fault

Example Fault from XPath Injection:

    <faultcode>soap:Server</faultcode>
    <faultstring>Server was unable to process request. --> '//Users/User[attribute::Login=''' and attribute::Password='default']/@' has an invalid token.</faultstring>


Web Services DoS

We have created several XML complexity DoS attacks
  Simple PERL replays of SOAP requests
  Able to randomize session information
  Most attack Application Server / XML Parser, not application logic itself
Like all DoS, looking for multiplier advantage
  CPU Time
    Extremely deep structures require CPU time to parse and search
    References to external documents
      Cause network timeout during parsing, may block process
    Creating a correct DOM for complex XML is not trivial
  Memory Space
    Deep and broad structures
    Large amounts of data in frequently used fields will be copied several times before being deleted
    Memory exhaustion is almost impossible against production systems, but creating garbage collection / VM overhead might slow the system
  Database Connections
    Applications often use fixed DB connection pools
    Despite low CPU/mem load, filling the DB request queue can wait state an application to death
    Need to find a good SOAP request that does not require auth, but results in a heavy DB query
    Perfect example: Initial User Authentication
    A production site might have


Web Services DoS

In any WS DoS case, there are important details to make the attack effective
  Legality of SOAP request
    Matches DTD/XSD Syntax. This might not preclude embedding complex structures!
    Matches real SOAP Method
    Anything that "burrows" deeper into the application stack causes more load
    Especially important when attacking databases
  Might need a valid session ID
    Authenticate once with a real SOAP stack, then copy the SessionID/cookie into the static attack
  Speed
    We use multiple processes
    Making a request is relatively heavy compared to other DoS
      Requires a real TCP connection
    Don't use a SOAP framework. Most of the multiplier is lost
    Need to listen for response for some attacks
    We often run into limitations of the underlying Perl framework
    Attack scripts run better on Linux Perl than ActiveState on Windows


Web Service DoS: The Aftermath

We are currently researching some more possibilities
  Attacks against XPath equivalent to recent RegEx DoS
  Using HTTP 1.1 pipelining to speed attack
  SOAP equivalents of "teardrop" attacks against state: multiple fragmented requests
Defense isn't easy
  Application server vendors need to add DoS into negative QA testing
    There doesn't seem to be much customer demand yet
  DoS yourself before somebody else does it for free
  Need to check complexity before parsing
    Secure SOAP handler
    ISAPI filter
    XML Firewall
  Use strict XML Schema verification
    Watch out for <any> element
  Don't forget the "nooks and crannies" attackers can shove code into: SOAP Headers!
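One concrete form of the "check complexity before parsing" defence listed above, as an added example that is not code from the talk: a streaming pre-check that bounds nesting depth and element count and refuses DOCTYPE declarations before any DOM is built, so the deep-header and external-DTD shapes described on the DoS and schema slides are dropped at O(n) cost. The limits and the sample SOAP envelope are constructed for illustration.

```python
# Pre-parse XML complexity check, an added example of "check complexity
# before parsing" from the defence list above. Not code from the talk; the
# limits and the sample SOAP envelope are constructed for illustration.
import xml.parsers.expat


class XmlTooComplex(Exception):
    """Raised when a document crosses a limit, before any DOM is built."""


def check_xml_complexity(data: bytes, max_depth: int = 32,
                         max_elements: int = 10_000,
                         allow_doctype: bool = False) -> dict:
    """Stream data once through expat and enforce structural limits.

    Depth bounds the recursion a DOM builder or XPath search will face,
    the element count bounds memory, and refusing DOCTYPE shuts out the
    external-DTD reference from the schema slide. Returns the measured
    {"depth": ..., "elements": ...} on success.
    """
    stats = {"depth": 0, "elements": 0}
    live = [0]  # current nesting depth, boxed so the handlers can update it

    def start(name, attrs):
        live[0] += 1
        stats["elements"] += 1
        stats["depth"] = max(stats["depth"], live[0])
        if live[0] > max_depth:
            raise XmlTooComplex(f"nesting depth exceeds {max_depth}")
        if stats["elements"] > max_elements:
            raise XmlTooComplex(f"element count exceeds {max_elements}")

    def end(name):
        live[0] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise XmlTooComplex("DOCTYPE declarations are not accepted")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)   # exceptions raised in handlers propagate
    except xml.parsers.expat.ExpatError as err:
        raise XmlTooComplex(f"not well-formed: {err}") from err
    return stats


def is_rejected(data: bytes, **limits) -> bool:
    """True if check_xml_complexity() refuses the document."""
    try:
        check_xml_complexity(data, **limits)
    except XmlTooComplex:
        return True
    return False


def deep_soap_header(depth: int) -> bytes:
    """Constructed sample: a SOAP envelope whose Header nests `depth` <x> tags,
    the "XML complexity DoS in SOAP Header" shape the talk describes."""
    nested = "<x>" * depth + "</x>" * depth
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<soap:Header>{nested}</soap:Header><soap:Body/></soap:Envelope>"
    ).encode()


if __name__ == "__main__":
    print(check_xml_complexity(deep_soap_header(5)))   # accepted, stats shown
    print(is_rejected(deep_soap_header(500)))          # True: too deep
```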


Web Service Discovery Methods

UDDI
  Registries that list web services across multiple servers
  Auto


UBR Example


Web Service Discovery

Service Oriented Architectures
  Another VC magnet buzzword
  Means delayed binding of applications
  World of systems finding and talking to other systems autonomously
  Will always require open registries of web service information
  Will eventually need proper PKI infrastructure
Other 3rd Party Registries
  http://www.xmethods.net/ has an excellent list of fun services
DISCO / WS-Inspection
  Lightweight versions of UDDI
  Provides information about a single server's web services
  DISCO files are automagically generated by Visual Studio .Net
  http://wsdemo.isecpartners.com/WSDemo/default.vsdisco


Traditional Application Attacks

Every (most) applications accomplish something useful
  There is always something to attack
Application specific flaws don't magically go away
  Design Flaws
  Business Logic Errors
  "Bad Idea" Methods
The same issues (OWASP Top 10) that have plagued us for years still exist


Traditional Application Attacks

SQL Injection
  Most web service applications are still backed by databases
  SOAP/XML provide means to escape/obfuscate malicious characters
Overflows in unmanaged code
  Several frameworks exist to wrap old code in web services
    .Net Remoting
    Win32 COM Objects exposed through SOAP
  Backend processing systems are often still legacy
Mistakes in authorization/authentication
  Worsened by stateless nature of SOAP and lack of industry standard for state management
  Auto


Traditional Application Attacks

XSS
  Rich data representation allows charset games with browsers
  Technologies such as AJAX allow new possibilities in XSS attacks
    Creating a well formed SOAP request can be difficult from script
    Needs research: XSS code that interfaces with existing XMLHTTP object to perform actions in the AJAX application
  Attacks against other interfaces (such as internal customer support) more likely
    Use web service to insert malicious script, ca


Our Attack Tools

WSBang
  Takes URL of WSDL as input
    Can be found using WSMap
  Fuzzes all methods and parameters in the service
    Identifies all methods and parameters, including complex parameters
    Fuzzes parameters based on type specified in WSDL
    Default values can be specified as well
  Reports SOAP responses and faults
  Future work: Support document


Attack Tree: Tying it all Together

Navigate to UBR, ask for a site
Attach to UDDI server, ask for list of services
Ask service for its WSDL
Examine WSDL, find dangerous methods
Use WSBang to test methods, find XML Injection
Use XML Injection to change your user_id
Profit!


OWASP Top 10 - Still Relevant?

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management

The answer to all of these is YES!


Conclusion

Web Services are powerful, easy to use, and open.
  AKA they are extraordinarily dangerous
  Many crusty corporate secrets will now be exposed
Lots of security work still required
  Analysis of rapidly developing Web Services standards
  WS


Web Services Security

Demo!

Alex Stamos, alex@isecpartners.com
