Web Service Security James Walden Northern Kentucky University.

CSC 666: Secure Software Engineering

Web Services
Web services are designed to provide:
- Interoperability: services can be built on any framework in any language.
- Reuse: code can be re-used among different applications.
Services should be:
- Self-describing
- Discoverable
- Content-independent
- Stateless

Web Service Technologies
1. HTTP
2. XML
3. XPath
4. SOAP
5. WSDL

eXtensible Markup Language
Extensible descriptive markup language framework.
- Primarily used for data communication and storage.
- Tree-based document structure using <> tags.
- Began as a simplified subset of SGML.
Example document content (the tags were lost in the transcript): Chris Pine, Learn to Program

XML Tree Structure
[Figure: a todo document and its tree. Rendered list "Monday's List": Study for midterm, SSE Class, Bathe cat. Tree: root todo with children title ("Tuesday's List"), item ("Study for midterm"), item ("Scripting Class", priority 10), item ("Bathe Cat").]

Elements and Attributes
An element consists of tags and contents (example content, tags lost in the transcript: Learn to Program).
- Begin and end tags are mandatory.
- Tags must be consistently nested.
Attributes (example, value lost in the transcript: number=“ ”)
- Elements may have zero or more attributes.
- Attribute values must always be quoted.

XML Entities
Entities are named data.
- Default: &lt; &gt; &amp; &apos; &quot;
- New entities can be defined in a DTD.
- Entity definitions can be recursive.
Example (the entity declaration inside the DOCTYPE was lost in the transcript):
<!DOCTYPE example [ ]>
&copyright-notice;
Numeric character references are not entities.
- &#decimal; or &#xhex; refers to a Unicode code point.
- &#xA9; above is used to refer to the copyright symbol.

XML Syntax Rules
1. There is one and only one root tag.
2. Begin tags must be matched by end tags.
3. XML tags must be properly nested.
4. XML tags are case sensitive.
5. All attribute values must be quoted.
6. Whitespace within tags is part of the text.
7. Newlines are always stored as LF.
8. HTML-style comments: <!-- comment -->

Correctness
Well-formed
- Conforms to XML syntax rules.
- A conforming parser will not parse documents that are not well-formed.
Valid
- Conforms to XML semantic rules given in a
  - Document Type Definition (DTD)
  - XML Schema
- A validating parser will not parse invalid documents.

Malicious XML
Insert an additional element.
- The XML is still well formed.
- Validity depends on the DTD.
- The application will accept the extra element if it does not validate.
Example book order (tags lost in the transcript): XML Security, Nunn Drive, Highland Heights, KY

Validation
A DTD or schema can ensure that the expected elements are present and are leaf nodes (the DTD and schema examples were lost in the transcript).

Strict Validation
Schemas can also validate data using regexps.

Bypassing Validation
Include a DTD in the malicious XML file (the declarations inside the DOCTYPE were lost in the transcript):
<!DOCTYPE bookOrder [ ]>
Example book order: XML Security, Nunn Drive, Highland Heights, KY
Alternately:

External Entity References
Use entity references to read files on the server filesystem (the ENTITY declaration was lost in the transcript):
<!DOCTYPE bookOrder [ ]>
&eer;
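The defence implied by the three entity slides above (recursive entities, an inline DTD that bypasses validation, and external entity references) is to refuse any document that carries its own DTD before a parser sees it. This is an added example using only the Python standard library, not code from the slides; the bookOrder element names follow the slides and the SYSTEM path is a placeholder.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXml(ValueError):
    """Raised when a document carries constructs the application never needs."""


def reject_doctype(data: bytes) -> None:
    """Scan with expat and abort on any DOCTYPE or ENTITY declaration."""
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE declaration not allowed (root %r)" % name)

    def on_entity(*args):
        raise UnsafeXml("ENTITY declaration not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(data, True)  # an exception raised in a handler propagates from Parse


def parse_order(data: bytes) -> ET.Element:
    """Parse a bookOrder document only after the DOCTYPE check passes."""
    reject_doctype(data)
    return ET.fromstring(data)


# Constructed sample; element names follow the slides' bookOrder example.
GOOD_ORDER = b"""<bookOrder>
  <title>XML Security</title>
  <street>Nunn Drive</street><city>Highland Heights</city><state>KY</state>
</bookOrder>"""

# Same order with an inline DTD declaring an external entity, as on the
# "External Entity References" slide; the SYSTEM path is a placeholder.
XXE_ORDER = b"""<!DOCTYPE bookOrder [
  <!ENTITY eer SYSTEM "file:///PLACEHOLDER/path">
]>
<bookOrder><title>&eer;</title></bookOrder>"""


def check(data: bytes) -> str:
    """Return 'accepted' or the rejection reason."""
    try:
        parse_order(data)
        return "accepted"
    except UnsafeXml as exc:
        return "rejected: " + str(exc)
```

Because the check runs before the real parse, it also stops recursive entity expansion, which a plain ElementTree parse would otherwise attempt.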

XML Injection
Include an element in the shipping address.
- User input for street is “Nunn Drive 0.01 Nunn Drive” (the injected tags were lost in the transcript)
Resulting book order: XML Security, Nunn Drive, 0.01, Nunn Drive, Highland Heights, KY
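The street input above, spliced into a template by concatenation and then placed as element text through ElementTree, which escapes markup characters. This is an added example, not code from the slides; the injected tags (closing street, adding price, reopening street) are reconstructed from the slide's "0.01" fragment and are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed attacker input from the XML Injection slide: closes <street>,
# adds a <price> element, then reopens <street>.
STREET = "Nunn Drive</street><price>0.01</price><street>Nunn Drive"


def unsafe_order(street: str) -> bytes:
    """Concatenation: the input's tags become real elements of the order."""
    xml = ("<bookOrder><title>XML Security</title><street>"
           + street + "</street></bookOrder>")
    return xml.encode()


def safe_order(street: str) -> bytes:
    """ElementTree serialises .text with < > & escaped, so no new elements appear."""
    root = ET.Element("bookOrder")
    ET.SubElement(root, "title").text = "XML Security"
    ET.SubElement(root, "street").text = street
    return ET.tostring(root)


def price_elements(doc: bytes) -> int:
    """Count <price> children actually present after re-parsing the document."""
    return len(ET.fromstring(doc).findall("price"))


def street_text(doc: bytes) -> str:
    """Return the street as the receiving application would read it back."""
    return ET.fromstring(doc).findtext("street")
```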

XPath
Language for selecting nodes from XML.
- Combines directory-type paths + regexps.
- XPath 2.0 is the basis for XQuery, an SQL-like language.
Example book order (tags lost in the transcript): XML Security, Nunn Drive, Highland Heights, KY
Examples
- bo: child elements named bo of the context node
- /bo: root bo element
- //bo: all bo elements
- bo//title: all titles under bo
- //bo[price='39']: all bo nodes with a price of 39.

XPath Searching
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

XPathFactory xfac = XPathFactory.newInstance();
XPath xp = xfac.newXPath();
InputSource input = new InputSource(xmlFile);
// Query built by string concatenation: name and pass come straight from the user
// (literal reconstructed from the query shown on the next slide).
String query = "//users/user[name='" + name + "' and pass='" + pass + "']";
return xp.evaluate(query, input);

XPath Injection
Set pass to ' or 'a' = 'a
- //users/user[name='John' and pass='' or 'a' = 'a']
- Returns all users.
Set name to ' or id=1 or ''='
- //users/user[name='John' or id=1 or ''='' and pass='letmein']
- Returns all users with id=1
XQuery Injection in the future
- Supports conditionals + loops.
- User-defined functions.

Mitigating XPath Injection
Use XPath bind variables
- Similar to SQL prepared statement variables.

import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

XPathFactory xfac = XPathFactory.newInstance();
XPath xp = xfac.newXPath();
InputSource input = new InputSource(xmlFile);
// XPathBindVariables is a helper class (not part of JAXP) that implements
// javax.xml.xpath.XPathVariableResolver and stores the bound values.
XPathBindVariables bv = new XPathBindVariables();
xp.setXPathVariableResolver(bv);
bv.bindVar("ID", id);
bv.bindVar("NAME", name);
// The query text was lost in the transcript; it references the bound values
// as $NAME and $ID instead of splicing user input into the expression.
String query = "//users/user[name=$NAME and id=$ID]";
return xp.evaluate(query, input);

SOAP
Simple Object Access Protocol
- RPC protocol using XML methods.
- Primarily uses HTTP as transport protocol, to bypass firewalls and support proxies.
Vulnerabilities
- XML injection
- Session management
- Identified + documented by WSDL

SOAP Request
POST /order HTTP/1.1
Host: example.com
Content-Type: text/xml; charset="utf-8"
Content-Length: nnnn

<soap:Envelope xmlns:soap="[namespace URL lost in transcript]" soap:encodingStyle="[URL lost in transcript]encoding/">
(envelope body not preserved in the transcript)

SOAP Response
HTTP/1.1 200 OK
Content-Type: text/xml; charset="utf-8"
Content-Length: nnnn

<soap:Envelope xmlns:soap="[namespace URL lost in transcript]" soap:encodingStyle="[URL lost in transcript]encoding/">
(envelope body not preserved in the transcript)

WSDL
Web Services Description Language
- Service: contains a set of messages.
- Message: an individual operation.
- Port: address (URL) of the service.
- Binding: port type, such as SOAP and SOAP binding type.

WSDL Enumeration
Obtain a list of services and messages.
- WSDL file typically published by default.
Finding WSDL files
- Append ?WSDL or .WSDL to the service URL.
- Look up WSDL files on UDDI servers.
- Google hacking: filetype:wsdl inurl:wsdl
Mitigation
- Avoid publishing the WSDL file.
- J2EE: remove wsdl.location from properties.
