The OWASP Foundation AppSec DC Techniques in Attacking and Defending XML/Web Services Jason Macy & Mamoon Yunus Crosscheck Networks.


1 The OWASP Foundation – AppSec DC. Techniques in Attacking and Defending XML/Web Services. Jason Macy & Mamoon Yunus, Crosscheck Networks – Forum Systems. November 13, 2009

2 Agenda
1. Introduction to XML/Web Services Threats
2. Techniques for Defending XML Threats
3. XML Attack Examples and Classification: SQL Injection, Denial of Service, XSD Mutation
4. Review of each attack example by:
   Attack Definition: Scenario Setup
   Attack Vectors: Building Penetration Tests
   Post-Attack Analysis: XML Vulnerability Detection
   Countermeasures: XML Gateway

3 Introduction to XML Threats
Vectors: SOAP, XML, REST, arriving from 1..N source IPs. Attacks carried over them: SQL Injection, XSD Mutation, Virus/Malware, Identity Discovery, Denial of Service.
Explicit Attacks:
   Forced Disruption: bring down or limit enterprise service availability
   Information Theft: gain access to enterprise resources
   Vendor Discovery: identify the platform behind the service and expose it to the known traditional attacks against that platform
Implicit Vulnerability:
   Perimeter Breach: embedded virus or malware
   Infrastructure Malfunction: parser and data-processing failures

4 New Attack Vectors (SOAP/XML web service client)
   Protocol firewalls are blind to XML
   Malware and viruses delivered via SOAP attachments
   WSDL exposes schema and message structure
   Injection attacks exposed via XML parameters
   Data replay attacks

5 Security Testing – Base Requirements
   Security Framework: sign, encrypt, decrypt, SSL
   Identity Framework: Basic Auth, SSL Auth, WS-Security token auth
   Parameter Injection: database- or file-driven permutations for security, identity, and SOAP/XML
   Concurrent Client: simultaneous loading, denial-of-service testing
   SOAP with Attachments: malware and virus testing
   Dynamic XSD Mutation: derive the SOAP vulnerability profile from the WSDL schema

6 XML Security Gateway – Base Requirements
   Transaction Privacy: encryption, decryption, SSL
   Transaction Integrity: digital signature, signature verification, schema validation
   Transaction Accountability: archiving, logging, reporting, and monitoring
   Transaction Threat Mitigation: intrusion detection and prevention; rate-based rules, size-based rules, antivirus detection, pattern recognition; structural integrity, protocol adherence, authorization attempts
   Certified PKI Infrastructure (DoD PKI): X.509 path validation; sign/verify, SSL initiation, SSL termination
   Certified Security Architecture (FIPS): key management and storage; physical device security

7 XML Attack Examples and Classification
1. SQL Injection Attack. Classification: Injection, Data Excavation
2. Denial of Service Attack. Classification: Resource Depletion
3. XSD Mutation Attack. Classification: Data Structure Attacks, Resource Manipulation
Classification terms are from CAPEC (Common Attack Pattern Enumeration and Classification), sponsored by the DHS National Cyber Security Division.

8 XML Web Services based SQL Injection Attack

9 SQL Injection – Unsecured
Target stack: Apache, PHP, NuSOAP, MySQL. The client sends SOAP directly to the service.
How to Attack: construct SQL escape sequences; construct a SQL 1=1 query; inject it into XML node values.
Discovered Exposure: sensitive data loss; database corruption.

10 SQL Injection
1. What is it? SQL injection exploits a vulnerability in the data-access layer of an application: user input is placed into a SQL statement without filtering the string-literal escape characters (quotes, comment markers), so the input changes the structure of the statement instead of being treated as data.
2. Example (PHP building the query by concatenation):
   Good: 'select * from accounts where username="' . $username . '" AND password="' . $password . '"';
   Evil: with $username set to " or 1=1 # the statement becomes select * from accounts where username="" or 1=1 #" AND password=""
   The injected quote closes the literal, or 1=1 makes the WHERE clause true for every row, and # comments out the password check.
3. Attack Vector:
   Old: user input from a browser-based application
   New: XML Web Services – the WSDL-defined interface
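A runnable version of the slide's scenario, added here as an example (it is not code from the presentation or from NuSOAP): the getAccounts parameters arrive as SOAP node text, the vulnerable handler concatenates them into SQL exactly as step 3 on slide 12 does, and a parameterized handler does not. SQLite stands in for MySQL, so the payload uses a single quote and the `--` comment rather than the double quote and `#` shown above; the table rows, the element names and the `urn:accounts` namespace are constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed rows standing in for the slide's MySQL "accounts" table.
ACCOUNTS = [
    ("alice", "s3cret",  "111-22-3333"),
    ("bob",   "hunter2", "444-55-6666"),
    ("carol", "letmein", "777-88-9999"),
]


def make_db():
    """In-memory SQLite copy of the accounts table (single-quoted literals and
    '--' comments here, where the slide's MySQL/PHP setup uses double quotes and '#')."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT, ssn TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return db


def soap_request(username, password):
    """Client side: the parameters travel as XML node text, which is the 'new' attack
    vector on the slide. Every SQL metacharacter except <, > and & passes untouched."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ns="urn:accounts">'
        "<soapenv:Body><ns:getAccounts>"
        f"<username>{username}</username><password>{password}</password>"
        "</ns:getAccounts></soapenv:Body></soapenv:Envelope>"
    )


def soap_params(envelope):
    """Server side: what the SOAP stack hands to getAccounts() after parsing the Body."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    operation = body[0]
    return {child.tag: child.text or "" for child in operation}


def get_accounts_vulnerable(db, envelope):
    """The query is assembled by string concatenation, so a quote in the username
    terminates the literal and the rest of the value becomes SQL."""
    p = soap_params(envelope)
    sql = ("SELECT username, ssn FROM accounts WHERE username='" + p["username"]
           + "' AND password='" + p["password"] + "'")
    return db.execute(sql).fetchall()


def get_accounts_fixed(db, envelope):
    """Same operation with bound parameters: the value never becomes part of the
    statement text, so the quote and the tautology are just characters to compare."""
    p = soap_params(envelope)
    sql = "SELECT username, ssn FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (p["username"], p["password"])).fetchall()


if __name__ == "__main__":
    db = make_db()
    evil = soap_request("' OR 1=1 --", "")
    print(get_accounts_vulnerable(db, evil))   # the whole table, as on slide 13
    print(get_accounts_fixed(db, evil))        # []
```

The vulnerable handler executes `... WHERE username='' OR 1=1 --' AND password=''`, which is the SQLite spelling of the evil statement on the slide; the parameterized one looks for a user literally named `' OR 1=1 --` and finds nothing.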

11 Component Details – MySQL Database
   Test MySQL database
   phpMyAdmin UI
   Accounts table data

12 Component Details – PHP Application
1. Function: getAccounts()
2. Connect to database
3. Construct SQL query: the vulnerability point
4. Execute query
5. Parse query results
6. Register the function as a web service

13 SQL Injection over SOAP Message – Unsecured
Client pointed directly at the service endpoint. Full table returned in the SOAP response: 34 records. The response also advertises the use of PHP.

14 SQL Injection – XML Gateway Secured
The client now sends through the XML Gateway, which performs inbound pattern detection and prevents outbound leaks in front of Apache, PHP, NuSOAP and MySQL.
How to Defend: deploy an XML Gateway; enable pattern-scanning IDP rules; configure response message size and complexity limits.
Advantages: prevent data loss; alert on and quarantine attempted breaches.

15 SQL Injection over XML/SOAP – Sentry Protection Policy
   Pre-built pattern matching for SQL injection detection
   Extensible for business-specific requirements

16 SQL Injection over SOAP Message – Secured
Client pointed through the XML Gateway endpoint. The SOAP request is stopped by the XML Gateway, and the backend technology is obfuscated in the response.
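As an added example of the gateway policy on slides 14 to 16 (constructed here, not the Sentry product's rule set): a small inbound pattern scanner applied to every XML text node and attribute, an outbound size/complexity check that catches a full-table dump even when no single row looks suspicious, and the combined policy that returns the same generic fault in both cases so the client learns nothing about the backend. The rules, the limits, the 34-row backend stub and the `urn:accounts` names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed rule set in the spirit of the slide's pre-built pattern library.
# Each rule runs against every text node and attribute value in the request.
SQLI_RULES = {
    "tautology":     re.compile(r"""['"]\s*(or|and)\s+\S+\s*=\s*\S+""", re.I),  # " or 1=1
    "quote-comment": re.compile(r"""['"]\s*(--|#|/\*)"""),                     # ' --   ' #
    "stacked-query": re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I),
    "union-select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Constructed response limits: a legitimate getAccounts answer is one account, so a
# 34-record dump exceeds the element budget even though every row is well-formed.
RESPONSE_LIMITS = {"max_bytes": 2048, "max_elements": 40, "max_depth": 8}

GENERIC_FAULT = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body><soapenv:Fault>'
    "<faultcode>soapenv:Client</faultcode><faultstring>Request rejected</faultstring>"
    "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)


def text_values(xml_text):
    """Yield (location, value) for every element text and attribute in the message."""
    for el in ET.fromstring(xml_text).iter():
        if el.text and el.text.strip():
            yield el.tag, el.text
        for name, value in el.attrib.items():
            yield f"{el.tag}@{name}", value


def scan_inbound(envelope):
    """Inbound IDP rule: (location, rule) hits; an empty list lets the request through."""
    return [(loc, rule) for loc, value in text_values(envelope)
            for rule, rx in SQLI_RULES.items() if rx.search(value)]


def xml_depth(el, d=1):
    return max([xml_depth(c, d + 1) for c in el], default=d)


def check_outbound(response):
    """Response size/complexity rule: names of the limits the response exceeds."""
    root = ET.fromstring(response)
    exceeded = []
    if len(response.encode()) > RESPONSE_LIMITS["max_bytes"]:
        exceeded.append("size")
    if sum(1 for _ in root.iter()) > RESPONSE_LIMITS["max_elements"]:
        exceeded.append("elements")
    if xml_depth(root) > RESPONSE_LIMITS["max_depth"]:
        exceeded.append("depth")
    return exceeded


def gateway(envelope, backend):
    """Block on an inbound hit; otherwise call the service and suppress any response
    that breaks the outbound limits. Both paths return the same generic fault."""
    if scan_inbound(envelope):
        return "blocked", GENERIC_FAULT
    response = backend(envelope)
    if check_outbound(response):
        return "suppressed", GENERIC_FAULT
    return "ok", response


def request(username):
    """Constructed getAccounts request; the injected value on slide 10 goes in as text."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<getAccounts xmlns="urn:accounts"><username>{username}</username>'
            "<password></password></getAccounts></soapenv:Body></soapenv:Envelope>")


def leaky_backend(envelope, rows=34):
    """Stands in for the unsecured PHP service: dumps the table (34 records on slide 13)."""
    body = "".join(f"<account><username>user{i}</username><ssn>000-00-{i:04d}</ssn></account>"
                   for i in range(rows))
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f"<getAccountsResponse>{body}</getAccountsResponse></soapenv:Body></soapenv:Envelope>")


if __name__ == "__main__":
    print(gateway(request('" or 1=1 #'), leaky_backend)[0])                    # blocked
    print(gateway(request("alice"), leaky_backend)[0])                         # suppressed
    print(gateway(request("alice"), lambda e: leaky_backend(e, rows=1))[0])   # ok
```

The outbound check is what makes the policy robust against payloads the inbound patterns miss: whatever the injection looked like, a response carrying 34 accounts instead of one is stopped before it reaches the client.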

17 XML Web Services based Denial of Service Attack

18 Denial of Service – Unsecured
How to Attack: load the client with concurrent simultaneous threads; coercive parsing attack.
Discovered Exposure: unlimited message flow; unfair service SLA distribution; back-end CPU and I/O saturation.

19 Denial of Service – Unsecured
Multiply service running on IIS. Capable of ~700 TPS; no restrictions on the client.

20 Denial of Service – XML Gateway Secured
The XML Gateway enforces the transaction rate between the web service client and the service.
How to Defend: deploy an XML Gateway; set allowed transaction rates (per group, user, or IP).
Advantages: message flow limited to the specified rate; service throughput fairly distributed; back end protected from CPU and I/O saturation.

21 Denial of Service – Sentry Protection Rule
TPS restriction policy with granular enforceability; the action and a custom message are configurable.

22 Denial of Service – Sentry Protection Action
Action: abort processing. Additional options: throttle, block. Stealth mode suppresses data leaks via responses. Log flooding is prevented, and messages can be quarantined for further analysis.

23 Denial of Service – Secured
Request: Multiply a x b sent through the XML Gateway. The 20 TPS restriction triggers; the client cannot invoke a DoS, and ~680 TPS of service capacity remains for other clients.
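An added example, not the vendor's implementation, of the TPS rule on slides 20 to 23: a sliding one-second window keyed by source IP (a user or group from the identity framework would key it the same way) with the abort, throttle and block actions the slides list, replayed against the slides' numbers (a client pushing 700 TPS against a 20 TPS rule, next to an untouched second client) using a fake clock so the result is reproducible. The addresses and thresholds are constructed.

```python
import time
from collections import deque


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the replay below is reproducible."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TpsRule:
    """Per-key sliding one-second window. Actions once the key is over its limit:
    'abort' rejects the call with a fault, 'block' rejects it silently, and
    'throttle' reports how long to hold the request until a slot frees."""

    def __init__(self, max_tps, action="abort", key_fn=lambda req: req["ip"],
                 clock=time.monotonic):
        self.max_tps, self.action, self.key_fn, self.clock = max_tps, action, key_fn, clock
        self.windows = {}

    def decide(self, request):
        now = self.clock()
        window = self.windows.setdefault(self.key_fn(request), deque())
        while window and now - window[0] >= 1.0:        # forget calls older than 1 s
            window.popleft()
        if len(window) >= self.max_tps:
            delay = (window[0] + 1.0) - now if self.action == "throttle" else 0.0
            return self.action, delay
        window.append(now)
        return "allow", 0.0


def simulate(rule, clock, traffic):
    """Replay (timestamp, ip) pairs in time order; return {(ip, action): count}."""
    counts = {}
    for ts, ip in sorted(traffic):
        clock.now = ts
        action, _ = rule.decide({"ip": ip})
        counts[(ip, action)] = counts.get((ip, action), 0) + 1
    return counts


def demo(attacker_tps=700, legit_tps=5, limit=20):
    """One second of traffic: a 700 TPS client meets a 20 TPS abort rule while a second
    client behind the same gateway keeps its full share."""
    clock = FakeClock()
    rule = TpsRule(limit, action="abort", clock=clock)
    traffic = [(i / attacker_tps, "198.51.100.7") for i in range(attacker_tps)]
    traffic += [(i / legit_tps, "203.0.113.9") for i in range(legit_tps)]
    return simulate(rule, clock, traffic)


if __name__ == "__main__":
    for (ip, action), n in sorted(demo().items()):
        print(f"{ip:15} {action:6} {n}")
```

Keying the window per client is what delivers the "fair distribution" point on slide 20: the attacker's 680 rejected calls never count against anyone else, and because the window slides, a client that backs off regains its 20 TPS within a second.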

24 Another Example: Denial of Service through Coercive Parsing
Echo request with s=test, well-formed XML: all responses successful; min 1.20 ms, max 3.50 ms, avg 1.60 ms.
Echo request with one character removed, XML not well-formed: all responses fail; min 2.10 ms, max 5.0 ms, avg 2.73 ms.
Result: more than 70% degradation in response time (1.60 ms to 2.73 ms) from removing a single character. A failing request costs the service more time than a successful one, so a client sending malformed messages consumes capacity faster than a well-behaved one.

25 XML Web Services based XSD Mutation Attack

26 XSD Mutation Attack – Unsecured
How to Attack: obtain the WSDL; derive message structure and types from the WSDL schema; send SOAP message mutations based on the schema.
Discovered Exposure: code paths with unhandled exceptions; stack traces returned with implementation details; application failure.

27 XSD Mutation Attack – Lifecycle
Author attack vectors; run the attack; analyze the results; add new detection libraries; produce the vulnerability report.

28 XSD Mutation: Building Attack Vectors
Service loaded from its endpoint. Mutant messages generated from the WSDL's XSD: data type, structure, and size mutations.

29 XSD Mutation: Analyze Attack
Tests generated according to the WSDL's complexity. Sample data value mutation: the username element contains a string value mutation, and the response reveals backend components and method calls.

30 XSD Mutation: Extend Detection Libraries
Vulnerability detection libraries: application/platform specific; business specific (SSN, credit card numbers).
Example rule: look for nusoap.php in responses. Severity: High, because it discloses the open-source SOAP parser in use.
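Slides 26 to 30 describe the mutation loop in prose; this added example (ours, not the product's) implements it for one operation: a constructed parameter spec standing in for the element types and facets a tool derives from the WSDL's XSD, a generator for type, size and structure mutants, and a detection library with platform-specific signatures (including the nusoap.php rule from slide 30) and business-specific data patterns, run over a constructed fault response. The `login` operation, its `urn:demo` namespace, the sample response text and its path and line number are all made up.

```python
import re
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed parameter spec for a 'login' operation (stand-in for the WSDL's XSD).
SPEC = {
    "username": {"type": "string", "maxLength": 16},
    "amount":   {"type": "int", "minInclusive": 0, "maxInclusive": 1000},
}
BASELINE = {"username": "alice", "amount": "42"}   # a valid message to mutate from


def envelope(pairs):
    """Wrap (element, text) pairs in a SOAP body. Text is inserted raw so structural
    mutants can inject child elements; value mutants escape what they need."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in pairs)
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><login xmlns="urn:demo">'
            f"{body}</login></s:Body></s:Envelope>")


def value_mutations(name, facet):
    """Type and size mutations for one parameter, driven by its declared type/facets."""
    if facet["type"] == "int":
        return {"int-as-text": "abc", "int-float": "1.5", "int-64bit-overflow": str(2 ** 63),
                "int-below-min": str(facet["minInclusive"] - 1),
                "int-above-max": str(facet["maxInclusive"] + 1), "int-empty": ""}
    limit = facet.get("maxLength", 64)
    return {"str-over-maxlength": "A" * (limit + 1), "str-64k": "A" * 65536,
            "str-xml-metachars": escape("<![CDATA[<x/>]]>&"),
            "str-sql-metachars": escape("' OR 1=1 --"), "str-empty": "",
            "str-rtl-override": "\u202e" + "abc"}


def mutants(spec=SPEC, baseline=BASELINE):
    """Yield (label, envelope): every value mutation plus four structural mutations
    (missing, duplicated, nested and unknown sibling element) for each parameter."""
    base = list(baseline.items())
    for name, facet in spec.items():
        for label, value in value_mutations(name, facet).items():
            yield f"{name}:{label}", envelope([(k, value if k == name else v) for k, v in base])
        yield f"{name}:missing", envelope([(k, v) for k, v in base if k != name])
        yield f"{name}:duplicate", envelope(base + [(name, baseline[name])])
        yield f"{name}:nested", envelope([(k, f"<{k}>{v}</{k}>" if k == name else v)
                                          for k, v in base])
        yield f"{name}:unknown-sibling", envelope(base + [("debug", "true")])


# Detection library: platform-specific signatures, then business-specific data.
DETECTION_LIBRARY = [
    ("nusoap.php disclosed", "High",   re.compile(r"nusoap\.php", re.I)),
    ("PHP error message",    "High",   re.compile(r"\b(Fatal error|Warning|Notice):.*\bon line \d+")),
    ("Java stack frame",     "High",   re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)")),
    (".NET stack frame",     "High",   re.compile(r"\bat System\.[\w.]+\(")),
    ("SQL error message",    "Medium", re.compile(r"error in your SQL syntax|ORA-\d{5}|SQLSTATE\[", re.I)),
    ("SSN",                  "High",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("card number",          "High",   re.compile(r"\b(?:\d[ -]?){13,16}\b")),
]


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def analyze(response):
    """Run the library over a raw response: (label, severity, evidence) per hit.
    Card-number hits are confirmed with Luhn so arbitrary digit runs do not count."""
    findings = []
    for label, severity, rx in DETECTION_LIBRARY:
        for m in rx.finditer(response):
            if label == "card number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            findings.append((label, severity, m.group()))
    return findings


# Constructed response in the shape of the slide 29 finding: a username mutation makes
# the PHP service emit a warning naming its SOAP library, plus a record it should never
# have returned. The path, line number and data are invented.
SAMPLE_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Server</faultcode>'
    "<faultstring>Warning: mysql_fetch_array() expects parameter 1 to be resource, "
    "boolean given in /var/www/lib/nusoap.php on line 1234</faultstring>"
    "<detail>alice 123-45-6789 4111111111111111</detail></s:Fault></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    for label, env in mutants():
        ET.fromstring(env)      # every mutant is well-formed: it must reach the app, not die in the parser
        print(label)
    for finding in analyze(SAMPLE_RESPONSE):
        print(finding)
```

Every mutant stays well-formed on purpose: the point of XSD mutation is to exercise the application's handling of values the schema did not anticipate, and a message the parser rejects never gets that far.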

31 XSD Mutation Attack – XML Gateway Secured
The XML Gateway sits between the client and the web service, enforcing inbound schema validation and preventing outbound data leaks.
How to Defend: deploy an XML Gateway; enforce inbound message structure and type validation; cleanse outbound data (stack traces, sensitive data).
Advantages: reduce parser impact on the web service; remove vendor and implementation details from responses; protect application-layer code paths on the web service.

32 XSD Mutation – Sentry Protection Policy
The XML Gateway provides policies to protect against XML-specific attacks.

33 XSD Mutation – Secured
1. Deploy specialized XML Gateways: packet firewalls and HTML application firewalls are insufficient.
2. Validate XML against a robust schema.
3. Tighten the schema: e.g., replace an unconstrained string type with a string type restricted by length and pattern facets.
4. Enforce XML-specific detection rules: e.g., node depth, recursive payloads.
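An added example of the gateway-side countermeasures on slides 31 to 33, which also rejects the malformed message from slide 24 before it reaches the service. It is constructed here and is not the Sentry policy itself: a streaming pre-check for well-formedness, node depth and element count; a type and facet validator standing in for schema validation against a tightened schema; and outbound cleansing that replaces any SOAP Fault wholesale and scrubs paths, stack frames and sensitive numbers from ordinary responses. The limits, the `login` operation, its spec and the sample responses are assumptions.

```python
import io
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed limits and parameter spec (the spec stands in for the tightened XSD).
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 12, "max_elements": 200}
SPEC = {"username": {"type": "string", "maxLength": 16},
        "amount":   {"type": "int", "min": 0, "max": 1000}}


def generic_fault(reason="Request rejected"):
    """The only fault a client ever sees from the gateway."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
            f"<faultstring>{reason}</faultstring></s:Fault></s:Body></s:Envelope>")


def check_structure(raw):
    """Byte cap, then a streaming parse that tracks depth and element count, so a
    malformed, deeply nested or oversized payload is rejected before any DOM exists.
    Returns the violated limit's name, or None."""
    if len(raw) > LIMITS["max_bytes"]:
        return "size"
    depth = count = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > LIMITS["max_depth"]:
                    return "depth"
                if count > LIMITS["max_elements"]:
                    return "elements"
            else:
                depth -= 1
    except ET.ParseError:
        return "not-well-formed"      # slide 24's one-character mutation ends here
    return None


def check_types(raw, spec):
    """Validate the operation's children against declared types and facets: unknown,
    missing, duplicated or nested elements, attributes, over-long strings and
    out-of-range integers are all rejected. Returns a reason, or None."""
    body = ET.fromstring(raw).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return "bad-body"
    seen = {}
    for child in body[0]:
        name = child.tag.split("}")[-1]
        if name not in spec:
            return f"unknown:{name}"
        if name in seen:
            return f"duplicate:{name}"
        if len(child) or child.attrib:
            return f"structure:{name}"
        seen[name] = child.text or ""
    for name, facet in spec.items():
        if name not in seen:
            return f"missing:{name}"
        value = seen[name]
        if facet["type"] == "int":
            if not re.fullmatch(r"-?\d+", value) or not facet["min"] <= int(value) <= facet["max"]:
                return f"range:{name}"
        elif len(value) > facet["maxLength"]:
            return f"length:{name}"
    return None


# Outbound scrub list: source paths with line numbers, stack frames, SSNs, card numbers.
SCRUB = [
    (re.compile(r"(?:/[\w.-]+)+\.(?:php|java|cs|aspx?|py)\b(?: on line \d+)?"), "[path]"),
    (re.compile(r"\bat [\w.$<>]+\([^)]*\)"), "[frame]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[ssn]"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[pan]"),
]


def cleanse_outbound(response):
    """Any Fault is replaced outright (its stack trace, vendor paths and method names go
    with it); ordinary responses are scrubbed of the patterns above."""
    if ET.fromstring(response).find(f".//{{{SOAP_NS}}}Fault") is not None:
        return generic_fault("Internal service error")
    for rx, replacement in SCRUB:
        response = rx.sub(replacement, response)
    return response


def gateway(raw, backend):
    problem = check_structure(raw) or check_types(raw, SPEC)
    if problem:
        return "rejected:" + problem, generic_fault()
    return "ok", cleanse_outbound(backend(raw))


def request(inner):
    """Constructed login request (bytes, as on the wire) around the given child elements."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><login xmlns="urn:demo">{inner}'
            "</login></s:Body></s:Envelope>").encode()


GOOD = request("<username>alice</username><amount>42</amount>")
FAULT_RESPONSE = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Server</faultcode>'
                  "<faultstring>Fatal error in /var/www/lib/nusoap.php on line 42</faultstring>"
                  "</s:Fault></s:Body></s:Envelope>")
OK_RESPONSE = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><loginResponse xmlns="urn:demo">'
               "<status>ok</status><note>ssn 123-45-6789 on file</note></loginResponse>"
               "</s:Body></s:Envelope>")
```

The order matters: `check_structure` runs on raw bytes with a streaming parser and bounded counters, so a recursive or 64 KB payload is thrown away before `check_types` ever builds a tree, and the backend is only reached by messages that already fit the tightened schema.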

34 Best Practices for Countermeasures
Information Control – Inbound
   Tighten payloads
   Enforce SLA
   Disallow SQL, viruses, malicious code
Information Control – Outbound
   Restrict SOAP Faults
   Protect sensitive information
   Audit transaction flows
Use a Web Services Penetration Testing Product
   Out-of-the-box vulnerability discovery
   Simplified testing and diagnostics of service endpoints
   Validation of security gateway policies
Deploy an XML Web Services Gateway
   Forum Systems Sentry XML Gateway
   Barracuda
   Radware AppXML
Deploy Centralized XML Security
   Enforce policy independent of application servers and OS platforms
   Audit and filter sensitive information
   Separate security from application code

35 Learn and

