Upload
shreeraj-shah
View
9.225
Download
1
Embed Size (px)
DESCRIPTION
Citation preview
Copyright © 2007 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
OWASP & WASC
AppSec 2007
ConferenceSan Jose – Nov
2007
http://www.owasp.org/http://www.webappsec.org/
.NET Web Services Hacking – Scan, Attacks and Defense
Shreeraj ShahFounder & Director, [email protected]+987-902-7018
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Who am I?
Founder & Director Blueinfy Solutions Pvt. Ltd. (Brief)
Past experience Net Square, Chase, IBM & Foundstone
Interest Web security research
Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan,
wsChess etc. Advisories - .Net, Java servers etc.
Books (Author) Hacking Web Services (Thomson 2006) Web Hacking (AWL 2003) Web 2.0 Security (Work in progress)
http://[email protected]
Tools – http://www.blueinfy.com/tools.html
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Agenda
Web Services in an era of Web 2.0 .NET Web Services Assessment
MethodologyFootprinting and DiscoveryEnumeration, Profiling and FingerprintingAttack VectorsScanning and Fuzzing
.NET Web Services Defense MethodologyCode Scanning & Secure Coding Web Services Firewall (Content Filtering)
Conclusion
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Web Services on the rise with Web 2.0
80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey2007 Global Survey)
By the end of 2007, 30 percent of large companies will have some kind of Web 2.0-based business initiative up and running. (Gartner)
2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. (Gartner)
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Web Services and Web 2.0
HTML / JS / DOM
RIA (Flash)
Ajax
Browser
Internet
Blog
Local Application
Database Authentication
Internet
Weather
News
Documents
Emails
Bank/Trade
RSS feeds
Web Services
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Widget DOM
HTML/CSS JavaScript
SOAP
XML-RPCJSON
XML
Open APIs
SaaS
ServicesREST
Browser Protocols
Consuming Web Services
Ajax Flash / RIAJSON-RPC
Structures Server-Side
HTTP(S)
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Methodology
Footprinting & Discovery
Enumeration & Profiling
Vulnerability Detection
Code / Config Scanning
Web Services Firewall
Secure Coding
Insecure Web Services
Secure Web Services
Blackbox Whitebox
Defense&Countermeasure
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Footprinting and Discovery
Objective: Discovering Web Services running on application domain.
MethodsPrimary discovery
Crawling and spidering Script analysis and page scrubbing Traffic analysis
Secondary discovery Search engine queries UDDI scanning
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Primary Discovery
Crawling the application and mapping file extensions and directory structures, like “.asmx”
Page scrubbing – scanning for paths and resources in the pages, like atlas back end call to Web Services.
Recording traffic while browsing and spidering, look for XML based traffic – leads to XML-RPC, REST, SOAP, JSON calls.
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Primary Discovery - Demos
Page scanning with grep – Look in JavaScripts for URLs, Paths etc.
Crawling – Simple! Scanning for Atlas references – Framework
creates stubs and proxy. – scanweb2.0/scanatlas
Urlgrep can be used as well.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Secondary Discovery
Searching UDDI server for Web Services running on particular domain.Three tactics for it – business, services or
tModel.
Running queries against search engines like Google or MSN with extra directives like “inurl” or “filetype”Look for “asmx”
wsScanner – Discovery!Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Enumerating and Profiling
Fingerprinting .Net framework and Client side technologies – Dojo or Atlas …
Scanning WSDL Looking for MethodsCollecting In/Out parametersSecurity implementationsBinding pointsMethod signature mapping
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
In transit Sniffing or Spoofing WS-Routing security concern Replay attacks
Risk - In transit
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Risk - Web services Engine
Buffer overflow XML parsing attacks Spoiling Schema Complex or Recursive structure as payload Denial of services Large payload
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Web services Deployment - Risk
Fault code leaks Permissions & Access issues Poor policies Customized error leakage Authentication and Certification
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Web services User code - Risk
Parameter tampering WSDL probing SQL/LDAP/XPATH/OS command injection Virus/Spyware/Malware injection Bruteforce Data type mismatch Content spoofing Session tampering Format string Information leakage Authorization
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Scanning strategies
Manual invocation and response analysis. Dynamic proxy creation and scanning. Auto auditing for various vectors. Fuzzing Web Services streams – XML or
JSON Response analysis is the key
Look for fault code nodes Enumerating fault strings Dissecting XML message and finding bits Hidden error messages in JSON
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A1 - Cross Site Scripting (XSS)
XSS is possible through Web Services. It would be DOM based XSS via eval(). JSON-RPC based stream coming in the
browser and get injected into DOM. Source of stream can be of third party and
Un-trusted. XML streams coming in the browser and
can cause XSS via document.write call.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A2 - Injection Flaws
Web Services methods are consuming parameters coming from end users.
It is possible to inject malicious characters into the stream.
It can break Web Services code and send faultsting back to an attacker
Various injections possible – SQL and XPATH
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A3 - Malicious File Execution
Malicious command can be injected through the parameter.
WS supports attachments as well and that can lead to uploading a file.
This can give remote command execution capability to the attacker.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A4 - Insecure Direct Object Reference
Injecting characters to break file system sequences.
Faultcode spits out internal information if not protected.
Customized error shows the file refernces. Access to internal file and full traversal to
directories Inspecting methods and parameters in the
profile stage can help.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A5 - Cross Site Request Forgery (CSRF)
CSRF with XML streams XML-RPC or SOAP based request can be
generated from browsers. Splitting form and XML injection is possible
– interesting trick. If Content-Type is not validated on the
server then it can cause a potential CSRF. XForms usage in browser can produce XML
requests to attack CSRF.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A6 - Information Leakage and Improper Error Handling
SOAP based Web Services throws faultcode and faultstrings back to the client.
Information can be embedded in it. It try/catch is not well implemented then
default error from .NET framework. Published vulnerabilities with leakage
information providing references to file, ldap, etc.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A7 - Broken Authentication and Session Management
Web Services are having session management binding.
It is possible to have methods supporting session in .NET
Session identifier disclosure can lead to hijacking of Web Services
SOAP message can be bruteforce as well – poor passwords and multiple trial
WS-Security can be used around it
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A8/A9 - Insecure Cryptographic and Communication
Implementation of WSE security Web Services traffic not going over SSL XML-Security or nodes encryption – if
cracked or decrypt Sessions are established on the tokens, goes
over wire in clear text Analysis needs to be done in the case of
mashup and API calls. Several applications and widgets are making
backend API calls in clear text (user/pass)
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
A10 - Failure to Restrict URL Access
In Web Services instead of URL – methods. WSDL scanning and disclosures can
weaken the Services. Some internal methods are out in public. Admin APIs can be accessed. These internal methods can be used to
attack Web Services.
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Code Analysis for Web Services
Scanning the code base. Identifying linkages. Method signatures and inputs. Looking for various patterns for SQL, LDAP,
XPATH, File access etc. Checking validation on them. Code walking and tracing the base - Key
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Regular firewall will not work Content filtering on HTTP will not work
either since it is SOAP over HTTP/HTTPS SOAP level filtering and monitoring would
require ISAPI level filtering is essential SOAP content filtering through
IHTTPModule
Code filtering with IHTTPModule
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
IISWeb Server
HTTPStack
.NetWeb
Services
IIS Web Server
web2wall
WebServices
Client
SOAP Envelope
Reject
Rules for SOAP
Code filtering with IHTTPModule
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
.NetWeb
Services
.asmxfile
IIS web server
web2wall
WebServices
Client
SOAP Input Envelope<soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:getInput xmlns:q1="http://DefaultNamespace">
<id xsi:type="xsd:string">12123</id></q1:getInput></soap:Body>
DB
<id xsi:type="xsd:string">12123</id>
id=12123
Bal=$2500<ns1:getInputReturn xsi:type="xsd:string">$2500</ns1:getInputReturn>
SOAP Output Envelope
Code filtering with IHTTPModule
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
HTTP Stack for IIS
Request
IIS
aspnet_isapi.dll
HttpApplication
HttpHandler
HttpModule
HttpModule
HttpModule
Response
Web Application Resource
Web Application Client
146
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
HTTP Stack
HttpRuntime
HttpApplicationFactory
HttpApplication
HttpHandlerFactory
HttpContext
IHttpModule
Handler
HttpRequestHttpResponse
IHttpHandler
147
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
HTTP Stack for .Net
HttpRuntime
HttpApplicationFactory
HttpApplication
HttpHandlerFactory
IHttpModule
Handler
Web Application Firewall & IDS
148
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
IHTTPModule for Web Services Firewall
Code walkthrough – Events and Hooks Loading the DLL Setting up the rules Up and running! Demo.
Demo
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Conclusion
Web Services can be vulnerable to various attack vectors.
Footprinting and Discovery are start points.
Scanning and Auditing can help in finding holes.
Fuzzing is also important aspect. Top 10 – OWASP, for Web Services Scanning the code is equally important. Web Services Firewall – Armoring the app.
Copyright © 2007 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
OWASP & WASC
AppSec 2007
ConferenceSan Jose – Nov
2007
http://www.owasp.org/http://www.webappsec.org/
.NET Web Services Hacking – Scan, Attacks and Defense
Thanks!