AppSec 2007 - .NET Web Services Hacking


Published on November 21, 2007

Author: shreeraj

Source: slideshare.net

.NET Web Services Hacking – Scan, Attacks and Defense

Shreeraj Shah

Founder & Director, Blueinfy

[email_address]

91+987-902-7018

Who am I?

Founder & Director

Blueinfy Solutions Pvt. Ltd. (Brief)

Past experience

Net Square, Chase, IBM & Foundstone

Interest

Web security research

Published research

Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.

Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, wsChess etc.

Advisories – .NET, Java servers etc.

Books (Author)

Hacking Web Services (Thomson 2006)

Web Hacking (AWL 2003)

Web 2.0 Security (Work in progress)

http://shreeraj.blogspot.com

[email_address]

Tools – http://www.blueinfy.com/tools.html

Agenda

Web Services in an era of Web 2.0

.NET Web Services Assessment Methodology

Footprinting and Discovery

Enumeration, Profiling and Fingerprinting

Attack Vectors

Scanning and Fuzzing

.NET Web Services Defense Methodology

Code Scanning & Secure Coding

Web Services Firewall (Content Filtering)

Conclusion

Web Services on the rise with Web 2.0

80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey 2007 Global Survey)

By the end of 2007, 30 percent of large companies will have some kind of Web 2.0-based business initiative up and running (Gartner)

In 2008, Web Services and Service-Oriented Architecture (SOA) will surge ahead (Gartner)

[Diagram: Web Services and Web 2.0. A browser (HTML / JS / DOM, Ajax, RIA / Flash, widgets) on the Internet consumes RSS feeds, blogs, weather, news, documents, e-mail, bank/trade and authentication services, backed by local applications and databases.]

[Diagram: Consuming Web Services. Client-side structures (Widget, DOM, HTML/CSS, JavaScript, Ajax, Flash / RIA) call Open APIs / SaaS services over HTTP(S) using the protocols SOAP, XML-RPC, JSON-RPC and REST, with XML and JSON as payload formats.]

[Diagram: Methodology. Blackbox: Footprinting & Discovery, Enumeration & Profiling, Vulnerability Detection. Whitebox: Code / Config Scanning. Defense & Countermeasure: Web Services Firewall and Secure Coding, turning insecure Web Services into secure Web Services.]

Footprinting and Discovery

Objective: discovering the Web Services running on the application's domain.

Methods

Primary discovery

Crawling and spidering

Script analysis and page scrubbing

Traffic analysis

Secondary discovery

Search engine queries

UDDI scanning

Primary Discovery

Crawling the application and mapping file extensions and directory structures, e.g. ".asmx"

Page scrubbing: scanning pages for paths and resources, e.g. Atlas back-end calls to Web Services

Recording traffic while browsing and spidering, looking for XML-based traffic; this leads to XML-RPC, REST, SOAP and JSON calls

Primary Discovery – Demos

Page scanning with grep: look in JavaScript for URLs, paths etc.

Crawling: simple!

Scanning for Atlas references: the framework creates stubs and proxies (scanweb2.0/scanatlas)

Urlgrep can be used as well

Demo
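As an added worked example (not part of the original slides and not the author's scanweb2.0 or urlgrep code), here is the page-scrubbing step done in Python: a regular expression pulls Web Services references out of crawled HTML and JavaScript, groups them by service, and lists the follow-up requests for the profiling stage. The pages, hosts and paths are constructed for the example.

```python
import re

# Constructed page and script excerpts standing in for crawler output
# (assumption: hypothetical hosts and paths, not real sites).
SAMPLE_PAGES = {
    "http://www.example.com/default.aspx": """
      <script src="/ScriptResource.axd?d=abc"></script>
      <script type="text/javascript">
        Sys.Application.add_init(function () { var svc = new Bank.AccountService(); });
      </script>
      <script src="/services/AccountService.asmx/js"></script>
      <a href="/orders/OrderService.asmx?WSDL">service description</a>
    """,
    "http://www.example.com/js/app.js": """
      function load() {
        var x = new XMLHttpRequest();
        x.open("POST", "/services/AccountService.asmx/GetBalance", true);
        x.setRequestHeader("Content-Type", "application/json; charset=utf-8");
        $.getJSON("/api/quotes.ashx?sym=MSFT", render);
        fetchUrl("http://partner.example.net/feeds/prices.svc/json");
      }
    """,
}

# Absolute or root-relative paths ending in a Web Services extension, plus an optional
# method segment (".asmx/GetBalance"), proxy segment (".asmx/js") or query string.
ENDPOINT_RX = re.compile(
    r'(?:https?://[\w.-]+)?(?:/[\w.-]+)*/[\w.-]+\.(?:asmx|svc|ashx|wsdl)\b'
    r'(?:/[\w.-]+|\?[^\s"\'<>]*)?', re.I)

# Strings that betray ASP.NET AJAX ("Atlas") script services and generated proxies.
ATLAS_MARKERS = ("ScriptResource.axd", "Sys.Application", "Sys.Net.WebServiceProxy",
                 ".asmx/js", ".asmx/jsdebug", "application/json")


def extract_endpoints(text):
    """All Web Services references in one page or script, deduplicated."""
    return sorted({m.group(0) for m in ENDPOINT_RX.finditer(text)})


def service_base(ref):
    """Strip method, proxy and query suffixes: '/x/Svc.asmx/GetBalance' -> '/x/Svc.asmx'."""
    return re.sub(r'(\.(?:asmx|svc|ashx|wsdl))(?:/[\w.-]+|\?.*)?$', r'\1', ref, flags=re.I)


def atlas_markers(text):
    """Which Atlas / ASP.NET AJAX fingerprints a page carries."""
    return sorted(m for m in ATLAS_MARKERS if m in text)


def discover(pages):
    """Map each service to where it was referenced and what to request next."""
    services = {}
    for url, content in pages.items():
        for ref in extract_endpoints(content):
            entry = services.setdefault(service_base(ref), {"refs": set(), "found_in": set()})
            entry["refs"].add(ref)
            entry["found_in"].add(url)
    for base, entry in services.items():
        # Follow-up probes for the profiling stage: the WSDL, and for .asmx the ASP.NET AJAX
        # proxy script, which lists the method names when the service is a ScriptService.
        entry["probe"] = [base + "?WSDL"] + ([base + "/js"] if base.lower().endswith(".asmx") else [])
    return services


if __name__ == "__main__":
    for base, entry in sorted(discover(SAMPLE_PAGES).items()):
        print(base, "<-", sorted(entry["found_in"]), "probe:", entry["probe"])
```

The `.asmx/js` probe is worth sending before the WSDL: ASP.NET AJAX serves the generated JavaScript proxy from that path for services marked with the ScriptService attribute, and the proxy enumerates the method names on its own.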

Secondary Discovery

Searching a UDDI server for Web Services running on a particular domain. Three query types: business, service or tModel.

Running queries against search engines like Google or MSN with extra directives like "inurl:" or "filetype:"; look for "asmx"

wsScanner – Discovery!

Demo

Enumerating and Profiling

Fingerprinting the .NET framework and client-side technologies (Dojo, Atlas, ...)

Scanning the WSDL

Looking for methods

Collecting in/out parameters

Security implementations

Binding points

Method signature mapping

Demo
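As an added example, not from the original talk and not the author's wsScanner, a WSDL profiler in Python that does what this slide lists: it maps each operation to its input and output parameters with their XSD types (the method signature map), records the SOAPAction values and the binding endpoints, and checks whether any WS-Policy assertions are embedded. The WSDL is constructed in the shape ASP.NET 2.0 generates, for a hypothetical Bank.asmx. The name filter at the end anticipates the later "Failure to Restrict URL Access" slide: a method like AdminResetPassword in a public WSDL is the first thing to look at.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
    "xs": "http://www.w3.org/2001/XMLSchema",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}

# Constructed ASP.NET-style document/literal WSDL (assumption: hypothetical service, not a real host).
SAMPLE_WSDL = """<wsdl:definitions targetNamespace="http://tempuri.org/"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://tempuri.org/">
  <wsdl:types><s:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/">
    <s:element name="GetBalance"><s:complexType><s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="id" type="s:string"/></s:sequence></s:complexType></s:element>
    <s:element name="GetBalanceResponse"><s:complexType><s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="GetBalanceResult" type="s:decimal"/></s:sequence></s:complexType></s:element>
    <s:element name="AdminResetPassword"><s:complexType><s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="user" type="s:string"/>
      <s:element minOccurs="1" maxOccurs="1" name="force" type="s:boolean"/></s:sequence></s:complexType></s:element>
    <s:element name="AdminResetPasswordResponse"><s:complexType><s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="AdminResetPasswordResult" type="s:boolean"/></s:sequence></s:complexType></s:element>
  </s:schema></wsdl:types>
  <wsdl:message name="GetBalanceSoapIn"><wsdl:part name="parameters" element="tns:GetBalance"/></wsdl:message>
  <wsdl:message name="GetBalanceSoapOut"><wsdl:part name="parameters" element="tns:GetBalanceResponse"/></wsdl:message>
  <wsdl:message name="AdminResetPasswordSoapIn"><wsdl:part name="parameters" element="tns:AdminResetPassword"/></wsdl:message>
  <wsdl:message name="AdminResetPasswordSoapOut"><wsdl:part name="parameters" element="tns:AdminResetPasswordResponse"/></wsdl:message>
  <wsdl:portType name="BankSoap">
    <wsdl:operation name="GetBalance"><wsdl:input message="tns:GetBalanceSoapIn"/><wsdl:output message="tns:GetBalanceSoapOut"/></wsdl:operation>
    <wsdl:operation name="AdminResetPassword"><wsdl:input message="tns:AdminResetPasswordSoapIn"/><wsdl:output message="tns:AdminResetPasswordSoapOut"/></wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="BankSoap" type="tns:BankSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetBalance"><soap:operation soapAction="http://tempuri.org/GetBalance" style="document"/></wsdl:operation>
    <wsdl:operation name="AdminResetPassword"><soap:operation soapAction="http://tempuri.org/AdminResetPassword" style="document"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Bank"><wsdl:port name="BankSoap" binding="tns:BankSoap">
    <soap:address location="http://www.example.com/Bank.asmx"/></wsdl:port></wsdl:service>
</wsdl:definitions>"""


def _local(qname):
    """'tns:GetBalance' -> 'GetBalance'."""
    return qname.split(":", 1)[-1]


def profile_wsdl(wsdl_text):
    root = ET.fromstring(wsdl_text)
    # 1. Schema: top-level element name -> [(parameter, xsd type)]
    elements = {}
    for el in root.findall("wsdl:types/xs:schema/xs:element", NS):
        elements[el.get("name")] = [(p.get("name"), _local(p.get("type", "")))
                                    for p in el.findall(".//xs:sequence/xs:element", NS)]
    # 2. Messages: message name -> schema element it wraps
    messages = {}
    for msg in root.findall("wsdl:message", NS):
        part = msg.find("wsdl:part", NS)
        messages[msg.get("name")] = _local(part.get("element", "")) if part is not None else ""
    # 3. Port types: operation -> input/output parameter lists (the method signature map)
    operations = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        sig = {}
        for direction in ("input", "output"):
            ref = op.find("wsdl:" + direction, NS)
            msg = _local(ref.get("message", "")) if ref is not None else ""
            sig["in" if direction == "input" else "out"] = elements.get(messages.get(msg, ""), [])
        operations[op.get("name")] = sig
    # 4. Bindings and endpoints: SOAPAction per operation and the addresses to attack
    soap_actions = {op.get("name"): sop.get("soapAction")
                    for op in root.findall("wsdl:binding/wsdl:operation", NS)
                    for sop in op.findall("soap:operation", NS) + op.findall("soap12:operation", NS)}
    endpoints = [a.get("location") for a in root.findall("wsdl:service/wsdl:port/soap:address", NS)
                 + root.findall("wsdl:service/wsdl:port/soap12:address", NS)]
    # 5. Security implementation hint: WS-Policy / WS-Security assertions embedded in the WSDL
    has_policy = root.find(".//wsp:Policy", NS) is not None
    return {"operations": operations, "soap_actions": soap_actions,
            "endpoints": endpoints, "ws_policy": has_policy}


SENSITIVE_HINTS = ("admin", "delete", "reset", "debug", "internal", "test", "exec")


def suspicious_operations(profile):
    """Operations whose names suggest internal or admin functionality exposed to the public."""
    return sorted(op for op in profile["operations"] if any(h in op.lower() for h in SENSITIVE_HINTS))


if __name__ == "__main__":
    profile = profile_wsdl(SAMPLE_WSDL)
    for name, sig in profile["operations"].items():
        print(name, "in:", sig["in"], "out:", sig["out"], "action:", profile["soap_actions"].get(name))
    print("endpoints:", profile["endpoints"], "ws-policy:", profile["ws_policy"])
    print("look first at:", suspicious_operations(profile))
```

A WSDL without any policy assertions and with a plain http:// endpoint, as here, already tells the profiler that the service relies on nothing beyond transport-level controls.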

Risk – In transit

Sniffing or spoofing in transit

WS-Routing security concern

Replay attacks

Risk – Web Services engine

Buffer overflow

XML parsing attacks

Spoiling the schema

Complex or recursive structure as payload

Denial of service

Large payload

Risk – Web Services deployment

Fault code leaks

Permission & access issues

Poor policies

Customized error leakage

Authentication and certification

Risk – Web Services user code

Parameter tampering

WSDL probing

SQL/LDAP/XPath/OS command injection

Virus/spyware/malware injection

Brute force

Data type mismatch

Content spoofing

Session tampering

Format string

Information leakage

Authorization

Scanning strategies

Manual invocation and response analysis

Dynamic proxy creation and scanning

Auto-auditing for various vectors

Fuzzing Web Services streams: XML or JSON

Response analysis is the key:

Look for faultcode nodes

Enumerating faultstrings

Dissecting the XML message and finding the relevant bits

Hidden error messages in JSON

Demo
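An added example, not the author's tool and not code from the talk: a minimal SOAP fuzzer with the response analysis this slide calls the key. It builds document/literal envelopes with one parameter mutated at a time, then pulls faultcode and faultstring out of the reply and fingerprints .NET exception names, SQL error text and file paths, in SOAP faults as well as in the JSON error objects ASP.NET AJAX script services return. The same analyzer applies to the injection (A2) and information-leakage (A6) slides below. The fuzz vectors, the leak signatures and the sample responses are constructed, not captured from a live host.

```python
import json
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Starter payloads per vector (assumption: a small representative set, extend per target).
FUZZ_VECTORS = {
    "sql":       ["'", "' OR '1'='1", "1; WAITFOR DELAY '0:0:5'--"],
    "xpath":     ["' or 1=1 or ''='", "x']/../*"],
    "traversal": ["../../../../windows/win.ini", "..\\..\\web.config"],
    "type":      ["-1", "99999999999999999999", "abc"],
}

# Fingerprints of .NET exceptions and paths that leak through faultstrings or JSON errors.
LEAK_SIGNATURES = {
    "sql_error":   re.compile(r"System\.Data\.SqlClient\.SqlException|Unclosed quotation mark|Incorrect syntax near"),
    "xpath_error": re.compile(r"System\.Xml\.XPath\.XPathException|has an invalid token"),
    "file_error":  re.compile(r"System\.IO\.\w+Exception|Could not find (?:file|a part of the path)"),
    "type_error":  re.compile(r"System\.(?:Format|Overflow)Exception|was not in a correct format"),
    "stack_trace": re.compile(r"\bat [\w.`]+\(.*?\) in [A-Za-z]:\\\S+:line \d+"),
}


def build_soap_request(method, params, ns="http://tempuri.org/"):
    """SOAP 1.1 document/literal envelope. Values are XML-escaped so the payload
    lands inside the parameter rather than breaking the envelope itself."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<{method} xmlns="{ns}">{body}</{method}></soap:Body></soap:Envelope>')


def fuzz_requests(method, baseline, vectors=FUZZ_VECTORS):
    """Yield (vector, parameter, envelope): one parameter mutated at a time, the rest at baseline."""
    for vector, payloads in vectors.items():
        for name in baseline:
            for payload in payloads:
                yield vector, name, build_soap_request(method, dict(baseline, **{name: payload}))


def send_soap(url, action, envelope, timeout=10):
    """POST one envelope; .NET returns SOAP faults with HTTP 500, so keep that body too."""
    req = urllib.request.Request(url, data=envelope.encode("utf-8"), headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{action}"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def _leaks(text):
    return sorted(name for name, rx in LEAK_SIGNATURES.items() if rx.search(text))


def analyze_soap_response(xml_text):
    """Extract faultcode/faultstring from a SOAP 1.1 response and fingerprint leaked detail."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_ENV}}}Fault")
    result = {"fault": fault is not None, "faultcode": None, "faultstring": None}
    if fault is not None:
        for key in ("faultcode", "faultstring"):     # unqualified children in SOAP 1.1
            node = fault.find(key)
            result[key] = node.text.strip() if node is not None and node.text else None
    result["leaks"] = _leaks("".join(root.itertext()))  # leaks can sit outside the fault too
    return result


def analyze_json_response(body):
    """ASP.NET AJAX script services report errors as {"Message","StackTrace","ExceptionType"}."""
    data = json.loads(body)
    is_error = isinstance(data, dict) and "ExceptionType" in data
    return {"fault": is_error, "exception": data["ExceptionType"] if is_error else None,
            "leaks": _leaks(body)}


# Constructed responses in the shape ASP.NET 2.0 produces (not captured from a live host).
OK_RESPONSE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
               '<GetBalanceResponse xmlns="http://tempuri.org/"><GetBalanceResult>2500</GetBalanceResult>'
               '</GetBalanceResponse></soap:Body></soap:Envelope>')
FAULT_RESPONSE = r"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<soap:Fault><faultcode>soap:Server</faultcode><faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
   at Bank.GetBalance(String id) in c:\inetpub\wwwroot\bank\Bank.asmx.cs:line 42</faultstring><detail /></soap:Fault>
</soap:Body></soap:Envelope>"""
JSON_ERROR = ('{"Message":"Input string was not in a correct format.","StackTrace":"   at System.Number.'
              'StringToNumber(String str, NumberStyles options)","ExceptionType":"System.FormatException"}')

if __name__ == "__main__":
    for vector, name, envelope in fuzz_requests("GetBalance", {"id": "12123"}):
        print(vector, name, envelope[:80], "...")
    print(analyze_soap_response(FAULT_RESPONSE))
    print(analyze_json_response(JSON_ERROR))
```

The fault above is the finding in one line: the unclosed quotation mark says the single quote reached SQL Server unescaped, and the stack frame gives the source path on the box. Treat a single-quote payload that produces a fault where the baseline value does not as a strong signal even when no error text is echoed.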

A1 – Cross Site Scripting (XSS)

XSS is possible through Web Services.

Here it is DOM-based XSS via eval(): a JSON-RPC stream arriving in the browser is injected into the DOM.

The source of the stream can be a third party and untrusted.

XML streams arriving in the browser can cause XSS via document.write() calls.

Demo

A2 – Injection Flaws

Web Services methods consume parameters coming from end users.

It is possible to inject malicious characters into the stream.

This can break the Web Services code and send the faultstring back to the attacker.

Various injections are possible: SQL and XPath.

Demo

A3 – Malicious File Execution

Malicious commands can be injected through a parameter.

WS supports attachments as well, which can lead to uploading a file.

This can give remote command execution capability to the attacker.

Demo

A4 – Insecure Direct Object Reference

Injecting characters to break out of file system sequences.

The faultcode spits out internal information if not protected.

Customized errors show the file references.

Access to internal files and full traversal of directories.

Inspecting methods and parameters in the profiling stage can help.

Demo

A5 – Cross Site Request Forgery (CSRF)

CSRF with XML streams: XML-RPC or SOAP based requests can be generated from browsers.

Splitting a form and injecting XML is possible, an interesting trick: the form's field names and values are arranged so that the posted body reads as a well-formed XML document.

If the Content-Type is not validated on the server, this can cause a potential CSRF.

XForms usage in the browser can produce XML requests for CSRF attacks.

Demo

A6 – Information Leakage and Improper Error Handling

SOAP based Web Services throw faultcode and faultstring back to the client, and information can be embedded in them.

If try/catch is not well implemented, the default error from the .NET framework is returned.

Published vulnerabilities with leaked information providing references to files, LDAP, etc.

Demo

A7 – Broken Authentication and Session Management

Web Services can have session management bindings; in .NET it is possible to have methods that support sessions.

Session identifier disclosure can lead to hijacking of Web Services.

SOAP messages can be brute-forced as well: poor passwords and multiple trials.

WS-Security can be used around it.

A8/A9 – Insecure Cryptographic Storage and Insecure Communications

Implementation of WSE security.

Web Services traffic not going over SSL.

XML-Security or node encryption: if cracked or decrypted.

Sessions are established on tokens that go over the wire in clear text.

Analysis needs to be done in the case of mashups and API calls: several applications and widgets make back-end API calls in clear text (user/pass).

A10 – Failure to Restrict URL Access

In Web Services there are methods instead of URLs.

WSDL scanning and disclosures can weaken the services: some internal methods are out in public and admin APIs can be accessed.

These internal methods can be used to attack the Web Services.

Code Analysis for Web Services

Scanning the code base.

Identifying linkages.

Method signatures and inputs.

Looking for various patterns for SQL, LDAP, XPath, file access etc., and checking the validation on them.

Code walking and tracing the base: the key.

Demo
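As an added example of the pattern-based pass this slide describes (it is not AppCodeScan and is not code from the talk), a small Python scanner over a constructed C# .asmx code-behind: it finds [WebMethod] signatures, takes their parameter names as taint sources, and reports every line in the method body where a parameter is concatenated straight into a SQL, XPath, LDAP, file or process sink. The parameterised query in the sample passes; the sample source is hypothetical.

```python
import re

# Constructed C# code-behind for a hypothetical Bank.asmx (not from a real project).
SAMPLE_ASMX_CS = """
using System.Data.SqlClient;
using System.IO;
using System.Web.Services;

public class Bank : WebService {
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["bank"].ConnectionString);

    [WebMethod]
    public string GetBalance(string id) {
        SqlCommand cmd = new SqlCommand("SELECT bal FROM acct WHERE id='" + id + "'", conn);
        return cmd.ExecuteScalar().ToString();
    }

    [WebMethod]
    public string GetDoc(string name) {
        return File.ReadAllText(Server.MapPath("docs/" + name));
    }

    [WebMethod]
    public string SafeLookup(string id) {
        SqlCommand cmd = new SqlCommand("SELECT bal FROM acct WHERE id=@id", conn);
        cmd.Parameters.AddWithValue("@id", id);
        return cmd.ExecuteScalar().ToString();
    }
}
"""

# Sink patterns per category: a tainted parameter reaching one of these is a finding.
SINKS = {
    "SQL":   re.compile(r"SqlCommand\(|\.CommandText\s*=|Execute(?:Reader|Scalar|NonQuery)\("),
    "XPath": re.compile(r"Select(?:Nodes|SingleNode)\(|XPathExpression|XPathNavigator"),
    "LDAP":  re.compile(r"DirectorySearcher\(|\.Filter\s*="),
    "File":  re.compile(r"\bFile\.|FileStream\(|StreamReader\(|MapPath\("),
    "OS":    re.compile(r"Process\.Start\("),
}
SIGNATURE = re.compile(r"\b(\w+)\s*\(([^)]*)\)\s*\{?\s*$")


def scan_webmethods(source):
    """Return findings {method, param, sink, line} for parameters concatenated into sink calls."""
    findings, lines, i = [], source.splitlines(), 0
    while i < len(lines):
        if "[WebMethod" not in lines[i]:
            i += 1
            continue
        j = i + 1                                   # the signature is the next non-blank line
        while j < len(lines) and not lines[j].strip():
            j += 1
        sig = SIGNATURE.search(lines[j]) if j < len(lines) else None
        if not sig:
            i = j + 1
            continue
        method = sig.group(1)
        params = [p.split()[-1] for p in sig.group(2).split(",") if p.strip()]
        # "... + id" or "id + ..." on a sink line: string-built query, path or command
        taint = [re.compile(r"\+\s*" + re.escape(p) + r"\b|\b" + re.escape(p) + r"\s*\+") for p in params]
        depth, started, k = 0, False, j
        while k < len(lines):                       # walk the method body by brace depth
            line = lines[k]
            depth += line.count("{") - line.count("}")
            started = started or "{" in line
            for sink, rx in SINKS.items():
                if rx.search(line):
                    for p, t in zip(params, taint):
                        if t.search(line):
                            findings.append({"method": method, "param": p, "sink": sink, "line": k + 1})
            if started and depth == 0:
                break
            k += 1
        i = k + 1
    return findings


if __name__ == "__main__":
    for f in scan_webmethods(SAMPLE_ASMX_CS):
        print(f"line {f['line']}: {f['method']}({f['param']}) -> {f['sink']} sink without validation")
```

A scanner like this is the cheap first pass; the code walking the slide calls the key still has to follow each parameter into helper methods and string builders that the line-local concatenation test does not see.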

Web Services Firewall (Content Filtering)

A regular firewall will not work.

Content filtering on HTTP will not work either, since it is SOAP over HTTP/HTTPS.

SOAP-level filtering and monitoring is required; ISAPI-level filtering is essential.

SOAP content filtering through an IHttpModule: code filtering with IHttpModule.

[Diagram: Web Services client → IIS web server → HTTP stack → web2wall (rules for SOAP, reject) → .NET Web Services; code filtering with IHttpModule.]

[Diagram: web2wall in front of the .asmx file. SOAP input envelope: <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:string">12123</id></q1:getInput></soap:Body>. The service looks up id=12123 in the DB (Bal=$2500) and the SOAP output envelope returns <ns1:getInputReturn xsi:type="xsd:string">$2500</ns1:getInputReturn>.]

[Diagram: HTTP stack for IIS. Client → IIS → aspnet_isapi.dll → HttpApplication → HttpModule(s) → HttpHandler → Web Application / Resource, and the response back.]

[Diagram: HTTP stack. HttpRuntime → HttpApplicationFactory → HttpApplication → HttpHandlerFactory → Handler; HttpContext carries HttpRequest and HttpResponse; extension points are IHttpModule and IHttpHandler.]

[Diagram: HTTP stack for .NET with a Web Application Firewall & IDS implemented as an IHttpModule between HttpApplication and the handler.]

IHttpModule for Web Services Firewall

Code walkthrough: events and hooks

Loading the DLL

Setting up the rules

Up and running!

Demo
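An added example, not the web2wall code from the talk: the rule logic that an IHttpModule's BeginRequest handler would run, written in Python so it can be exercised offline. It enforces the checks the deck motivates: Content-Type and SOAPAction (the CSRF-through-forms point of A5), body size, nesting depth and a DTD ban (the engine risks of large, recursive and entity payloads), a method allow-list (A10), and per-parameter validation with positive formats where the type is known and deny patterns elsewhere. The service name, rules and envelopes are constructed; the rejection reason goes to the log while the client only ever sees a generic fault.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Rule set for one service (assumption: hypothetical bank service; tune per deployment).
RULES = {
    "content_types": {"text/xml", "application/soap+xml"},
    "require_soapaction": True,
    "max_body_bytes": 64 * 1024,
    "max_depth": 12,
    "max_param_len": 256,
    "allowed_methods": {"GetBalance", "GetStatement"},
    # Positive validation per parameter name: the strongest rule where the format is known.
    "param_formats": {"id": re.compile(r"^[0-9]{1,12}$")},
    # Negative patterns for everything else: quotes, comment markers, traversal, markup.
    "deny": re.compile(r"['\";]|--|/\*|\.\./|\.\.\\|<!|\bor\b\s+\S+=\S+", re.I),
}


def _depth(elem):
    return 1 + max((_depth(c) for c in elem), default=0)


def check_request(headers, body, rules=RULES):
    """Return (allowed, reason). The reason is for the log, never for the client."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in rules["content_types"]:
        return False, "content-type"          # stops browser form posts (text/plain CSRF trick)
    if rules["require_soapaction"] and "soapaction" not in hdrs:
        return False, "soapaction"            # a plain HTML form cannot add this header
    if len(body) > rules["max_body_bytes"]:
        return False, "size"                  # large-payload denial of service
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "dtd"                   # entity expansion and external entity tricks
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed"
    if _depth(root) > rules["max_depth"]:
        return False, "depth"                 # deeply nested / recursive structures
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return False, "envelope"
    call = soap_body[0]
    method = call.tag.rsplit("}", 1)[-1]
    if method not in rules["allowed_methods"]:
        return False, f"method:{method}"      # internal/admin methods never reach the .asmx
    for param in call:
        name, value = param.tag.rsplit("}", 1)[-1], (param.text or "")
        if len(value) > rules["max_param_len"]:
            return False, f"param-len:{name}"
        fmt = rules["param_formats"].get(name)
        if fmt is not None:
            if not fmt.match(value):
                return False, f"param-format:{name}"
        elif rules["deny"].search(value):
            return False, f"param-deny:{name}"
    return True, "ok"


def soap_fault():
    """Generic SOAP 1.1 client fault: nothing about the rule that fired leaks to the caller."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body><soap:Fault>'
            '<faultcode>soap:Client</faultcode><faultstring>Request rejected</faultstring>'
            '</soap:Fault></soap:Body></soap:Envelope>')


def handle(headers, body):
    """What the module's BeginRequest hook does: None to pass through, else (log reason, fault)."""
    allowed, reason = check_request(headers, body)
    return None if allowed else (reason, soap_fault())


def make_envelope(method, inner):
    """Constructed request bodies for exercising the rules."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<{method} xmlns="http://tempuri.org/">{inner}</{method}></soap:Body></soap:Envelope>').encode()


GOOD_HEADERS = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"http://tempuri.org/GetBalance"'}

if __name__ == "__main__":
    print(check_request(GOOD_HEADERS, make_envelope("GetBalance", "<id>12123</id>")))
    print(check_request(GOOD_HEADERS, make_envelope("GetBalance", "<id>1' OR '1'='1</id>")))
    print(check_request({"Content-Type": "text/plain"}, make_envelope("GetBalance", "<id>12123</id>")))
```

The DTD check is deliberately done on the raw bytes before the parser sees the body, and the depth check before the method lookup, so a payload built to exhaust the engine is dropped before any rule that needs the tree. In the real module the same function body sits in the BeginRequest handler, reading the request stream and calling CompleteRequest with the fault when it returns False.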

Conclusion

Web Services can be vulnerable to various attack vectors.

Footprinting and Discovery are the starting points.

Scanning and auditing can help in finding holes.

Fuzzing is also an important aspect.

OWASP Top 10, applied to Web Services.

Scanning the code is equally important.

Web Services Firewall: armoring the app.

.NET Web Services Hacking – Scan, Attacks and Defense Thanks!
