AppSec 2007 - .NET Web Services Hacking

Copyright © 2007 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation

OWASP & WASC

AppSec 2007

ConferenceSan Jose – Nov

2007

http://www.owasp.org/http://www.webappsec.org/

.NET Web Services Hacking – Scan, Attacks and Defense

Shreeraj ShahFounder & Director, [email protected]+987-902-7018

OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007

Who am I?

Founder & Director Blueinfy Solutions Pvt. Ltd. (Brief)

Past experience Net Square, Chase, IBM & Foundstone

Interest Web security research

Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan,

wsChess etc. Advisories - .Net, Java servers etc.

Books (Author) Hacking Web Services (Thomson 2006) Web Hacking (AWL 2003) Web 2.0 Security (Work in progress)

http://[email protected]

Tools – http://www.blueinfy.com/tools.html


Agenda

Web Services in an era of Web 2.0 .NET Web Services Assessment

MethodologyFootprinting and DiscoveryEnumeration, Profiling and FingerprintingAttack VectorsScanning and Fuzzing

.NET Web Services Defense MethodologyCode Scanning & Secure Coding Web Services Firewall (Content Filtering)

Conclusion


Web Services on the rise with Web 2.0

80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey2007 Global Survey)

By the end of 2007, 30 percent of large companies will have some kind of Web 2.0-based business initiative up and running. (Gartner)

2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. (Gartner)


Web Services and Web 2.0

HTML / JS / DOM

RIA (Flash)

Ajax

Browser

Internet

Blog

Local Application

Database Authentication

Internet

Weather

News

Documents

Emails

Bank/Trade

RSS feeds

Web Services


Widget DOM

HTML/CSS JavaScript

SOAP

XML-RPCJSON

XML

Open APIs

SaaS

ServicesREST

Browser Protocols

Consuming Web Services

Ajax Flash / RIAJSON-RPC

Structures Server-Side

HTTP(S)


Methodology

Footprinting & Discovery

Enumeration & Profiling

Vulnerability Detection

Code / Config Scanning

Web Services Firewall

Secure Coding

Insecure Web Services

Secure Web Services

Blackbox Whitebox

Defense&Countermeasure


Footprinting and Discovery

Objective: Discovering Web Services running on application domain.

MethodsPrimary discovery

Crawling and spidering Script analysis and page scrubbing Traffic analysis

Secondary discovery Search engine queries UDDI scanning


Primary Discovery

Crawling the application and mapping file extensions and directory structures, like “.asmx”

Page scrubbing – scanning for paths and resources in the pages, like atlas back end call to Web Services.

Recording traffic while browsing and spidering, look for XML based traffic – leads to XML-RPC, REST, SOAP, JSON calls.


Primary Discovery - Demos

Page scanning with grep – Look in JavaScripts for URLs, Paths etc.

Crawling – Simple! Scanning for Atlas references – Framework

creates stubs and proxy. – scanweb2.0/scanatlas

Urlgrep can be used as well.

Demo


Secondary Discovery

Searching UDDI server for Web Services running on particular domain.Three tactics for it – business, services or

tModel.

Running queries against search engines like Google or MSN with extra directives like “inurl” or “filetype”Look for “asmx”

wsScanner – Discovery!Demo


Enumerating and Profiling

Fingerprinting .Net framework and Client side technologies – Dojo or Atlas …

Scanning WSDL Looking for MethodsCollecting In/Out parametersSecurity implementationsBinding pointsMethod signature mapping

Demo


In transit Sniffing or Spoofing WS-Routing security concern Replay attacks

Risk - In transit


Risk - Web services Engine

Buffer overflow XML parsing attacks Spoiling Schema Complex or Recursive structure as payload Denial of services Large payload


Web services Deployment - Risk

Fault code leaks Permissions & Access issues Poor policies Customized error leakage Authentication and Certification


Web services User code - Risk

Parameter tampering WSDL probing SQL/LDAP/XPATH/OS command injection Virus/Spyware/Malware injection Bruteforce Data type mismatch Content spoofing Session tampering Format string Information leakage Authorization


Scanning strategies

Manual invocation and response analysis. Dynamic proxy creation and scanning. Auto auditing for various vectors. Fuzzing Web Services streams – XML or

JSON Response analysis is the key

Look for fault code nodes Enumerating fault strings Dissecting XML message and finding bits Hidden error messages in JSON

Demo


A1 - Cross Site Scripting (XSS)

XSS is possible through Web Services. It would be DOM based XSS via eval(). JSON-RPC based stream coming in the

browser and get injected into DOM. Source of stream can be of third party and

Un-trusted. XML streams coming in the browser and

can cause XSS via document.write call.

Demo


A2 - Injection Flaws

Web Services methods are consuming parameters coming from end users.

It is possible to inject malicious characters into the stream.

It can break Web Services code and send faultsting back to an attacker

Various injections possible – SQL and XPATH

Demo


A3 - Malicious File Execution

Malicious command can be injected through the parameter.

WS supports attachments as well and that can lead to uploading a file.

This can give remote command execution capability to the attacker.

Demo


A4 - Insecure Direct Object Reference

Injecting characters to break file system sequences.

Faultcode spits out internal information if not protected.

Customized error shows the file refernces. Access to internal file and full traversal to

directories Inspecting methods and parameters in the

profile stage can help.

Demo


A5 - Cross Site Request Forgery (CSRF)

CSRF with XML streams XML-RPC or SOAP based request can be

generated from browsers. Splitting form and XML injection is possible

– interesting trick. If Content-Type is not validated on the

server then it can cause a potential CSRF. XForms usage in browser can produce XML

requests to attack CSRF.

Demo


A6 - Information Leakage and Improper Error Handling

SOAP based Web Services throws faultcode and faultstrings back to the client.

Information can be embedded in it. It try/catch is not well implemented then

default error from .NET framework. Published vulnerabilities with leakage

information providing references to file, ldap, etc.

Demo


A7 - Broken Authentication and Session Management

Web Services are having session management binding.

It is possible to have methods supporting session in .NET

Session identifier disclosure can lead to hijacking of Web Services

SOAP message can be bruteforce as well – poor passwords and multiple trial

WS-Security can be used around it


A8/A9 - Insecure Cryptographic and Communication

Implementation of WSE security Web Services traffic not going over SSL XML-Security or nodes encryption – if

cracked or decrypt Sessions are established on the tokens, goes

over wire in clear text Analysis needs to be done in the case of

mashup and API calls. Several applications and widgets are making

backend API calls in clear text (user/pass)


A10 - Failure to Restrict URL Access

In Web Services instead of URL – methods. WSDL scanning and disclosures can

weaken the Services. Some internal methods are out in public. Admin APIs can be accessed. These internal methods can be used to

attack Web Services.


Code Analysis for Web Services

Scanning the code base. Identifying linkages. Method signatures and inputs. Looking for various patterns for SQL, LDAP,

XPATH, File access etc. Checking validation on them. Code walking and tracing the base - Key

Demo


Regular firewall will not work Content filtering on HTTP will not work

either since it is SOAP over HTTP/HTTPS SOAP level filtering and monitoring would

require ISAPI level filtering is essential SOAP content filtering through

IHTTPModule

Code filtering with IHTTPModule


IISWeb Server

HTTPStack

.NetWeb

Services

IIS Web Server

web2wall

WebServices

Client

SOAP Envelope

Reject

Rules for SOAP



.NetWeb

Services

.asmxfile

IIS web server

web2wall

WebServices

Client

SOAP Input Envelope<soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:getInput xmlns:q1="http://DefaultNamespace">

<id xsi:type="xsd:string">12123</id></q1:getInput></soap:Body>

DB

<id xsi:type="xsd:string">12123</id>

id=12123

Bal=$2500<ns1:getInputReturn xsi:type="xsd:string">$2500</ns1:getInputReturn>

SOAP Output Envelope



HTTP Stack for IIS

Request

IIS

aspnet_isapi.dll

HttpApplication

HttpHandler

HttpModule

HttpModule

HttpModule

Response

Web Application Resource

Web Application Client

146


HTTP Stack

HttpRuntime

HttpApplicationFactory

HttpApplication

HttpHandlerFactory

HttpContext

IHttpModule

Handler

HttpRequestHttpResponse

IHttpHandler

147


HTTP Stack for .Net

HttpRuntime

HttpApplicationFactory

HttpApplication

HttpHandlerFactory

IHttpModule

Handler

Web Application Firewall & IDS

148


IHTTPModule for Web Services Firewall

Code walkthrough – Events and Hooks Loading the DLL Setting up the rules Up and running! Demo.

Demo


Conclusion

Web Services can be vulnerable to various attack vectors.

Footprinting and Discovery are start points.

Scanning and Auditing can help in finding holes.

Fuzzing is also important aspect. Top 10 – OWASP, for Web Services Scanning the code is equally important. Web Services Firewall – Armoring the app.

Copyright © 2007 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation

OWASP & WASC

AppSec 2007

ConferenceSan Jose – Nov

2007

http://www.owasp.org/http://www.webappsec.org/

.NET Web Services Hacking – Scan, Attacks and Defense

Thanks!

Technology

AppSec 2007 - .NET Web Services Hacking