Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
Attacking Web Services
Jason Alexander
What are Web Services?
- No single definition: SOA, SOAP, REST, XML, WSDL, UDDI
- "A web service is a software component developed to support interoperability over a network using an interface described in WSDL. Other systems communicate with the web service using SOAP messages that are typically transported using the HTTP protocol with XML messaging."
What are Web Services? (cont.)
For our purposes, web services are communication protocols that:
- Use XML as the base meta-language
- Provide computer-to-computer communication
- Use standard protocols, often in line with W3C, OASIS and WS-I
- Are designed to be platform and transport independent
What are Web Services? (cont.)
Why are they popular? Quote: "let's expose our mainframe APIs through SOAP and use plentiful Java developers on Win/Lin instead of rare CICS developers on expensive mainframes to extend system functionality"
With an argument like that, what PHB could say no?
What are Web Services? (cont.)
- Usually deployed over port 80/443
- Web Services: we poke holes in your firewall so you don't have to
- Or FBP: Firewall Bypass Protocol
Threats
All the "usual suspects":
- Injection attacks
- Scripting attacks
- Broken authentication
- Security misconfiguration
- OWASP Top 10, anyone?
- And more...
Attacking Web Services
Follows the basic approach of web application attacks:
- Discovery
- Enumeration and information gathering
- Identifying attack vectors
- Exploitation
- Whitebox assessment: code analysis
Discovery
- Find the web service entry points: they are listed in the WSDL
- How to find the WSDL?
  - UDDI: Universal Description, Discovery and Integration
  - UBR: Universal Business Registry
  - Google is your friend! inurl:wsdl site:example.com
Discovery (cont.)
- Google sample: inurl:wsdl site:nhs.uk
- Append ?WSDL to an endpoint URL, e.g. smx?WSDL
- Crawling technique: mirror the site with wget -l 50 -r <site> (site placeholder, not on the slide), then locate the WSDL files with find . -name '*wsdl*'
Enumeration & information gathering
Standard web application enumeration, e.g. a banner grab over telnet (host placeholder, not on the slide):

telnet <host> 80
HEAD / HTTP/1.0

HTTP/ OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Enumeration & information gathering (cont.)
- WSDL: all an attacker needs to know to interface with the service
- Auto-generated by the WS framework
- Generally not created or consumed by humans
- Generally no access controls are enforced on WSDLs
- Do you really need to provide a WSDL?
Enumeration & information gathering (cont.)
WSDL example: eBay price watching (the namespace and transport URLs are missing from this copy of the slide)

<definitions name="eBayWatcherService" targetNamespace=" xmlns:tns=" e.wsdl" xmlns:xsd=" xmlns:soap=" xmlns="
<input message="tns:getCurrentPriceRequest" name="getCurrentPrice"/>
<output message="tns:getCurrentPriceResponse" name="getCurrentPriceResponse"/>
<soap:binding style="rpc" transport="
<soap:body use="encoded" namespace="urn:xmethods-EbayWatcher" encodingStyle=" />
<soap:body use="encoded" namespace="urn:xmethods-EbayWatcher" encodingStyle=" />
Enumeration & information gathering (cont.)
Using tools to profile web services: wsKnight, WSDigger, SoapUI, etc.
DEMO
Attack Vectors
- Most web application attack vectors can be applied to web services
- Injection and scripting attacks apply
- SOAP-specific attacks:
  - XML poisoning
  - SOAP message brute forcing
  - SOAP parameter manipulation
  - XML parser attacks
- Could take a whole lot of time to discuss all attacks!
Attack Vectors (cont.)
Spot the attack! (the namespace URLs and the rest of the envelope are missing from this copy of the slide)

<SOAP-ENV:Envelope SOAP-ENV:encodingStyle=" xmlns:SOAP-ENC=" xmlns:xsi=" xmlns:SOAP-ENV=" xmlns:xsd="
' default
Attack Vectors (cont.)
DEMO
Counter Measures
- Do you need a WSDL? Has it been sanitised?
- Secure coding. Utilise OWASP resources:
  - OWASP Coding Guide: input validation
  - OWASP Top 10
  - OWASP Testing Guide
  - OWASP Web Services Security Project: needs volunteers
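The input-validation advice above, together with the XML parser and injection attack vectors from the earlier slides, as an added Python example that is not from the slides: a minimal getCurrentPrice handler that refuses DTDs, validates the parameter positively, and queries with a bound parameter. The SOAP element names, the item id format and the SQL schema are assumptions.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumed format for an item id; anything else is rejected before it reaches SQL.
ITEM_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def parse_soap_param(envelope: str, param: str) -> str:
    """Extract <param> from the SOAP Body, refusing DTDs and malformed values."""
    # Entity-expansion and external-entity attacks need a DTD; a SOAP envelope
    # never legitimately carries one, so reject it before parsing.
    # (A production service would use defusedxml rather than this string check.)
    if "<!DOCTYPE" in envelope or "<!ENTITY" in envelope:
        raise ValueError("DTDs are not accepted in SOAP requests")
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    node = body.find(f".//{param}")          # assumes an un-namespaced parameter
    if node is None or node.text is None:
        raise ValueError(f"missing parameter {param}")
    value = node.text.strip()
    if not ITEM_RE.fullmatch(value):         # positive validation, not a blacklist
        raise ValueError(f"invalid {param}: {value!r}")
    return value


def current_price(conn: sqlite3.Connection, envelope: str):
    """Handle a getCurrentPrice request; returns the price or None if unknown."""
    item = parse_soap_param(envelope, "itemId")
    # Bound parameter: the value is data and can never alter the query structure.
    row = conn.execute("SELECT price FROM items WHERE item_id = ?", (item,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the price database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id TEXT PRIMARY KEY, price REAL)")
    conn.execute("INSERT INTO items VALUES ('ABC123', 9.99)")
    return conn


def request(item: str) -> str:
    """Constructed sample envelope for a getCurrentPrice call."""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
            f'<getCurrentPrice><itemId>{item}</itemId></getCurrentPrice>'
            '</SOAP-ENV:Body></SOAP-ENV:Envelope>')
```

current_price(demo_db(), request("ABC123")) returns 9.99; a quote-laden or over-long itemId, an empty one, or an envelope carrying a DOCTYPE is rejected with ValueError before any SQL runs.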
Counter Measures (cont.)
- Protect messages in transit:
  - TLS is the BEST option and fits most models
  - XML signing and encryption have their uses but are difficult to implement
  - WS-Security
- Web Application Firewalls (WAF): do they work in a SOAP/XML environment?
- New breed of technology: XML gateways!
- Regular firewalls do not work!
Resources
- DISCO
- UDDI OASIS Standard
- Understanding UDDI
- Web Services Testing
Tools
- Net Square wsPawn
- OWASP WebScarab: Web Services plugin
- OWASP WebScarab
- Mac OS X SOAP Client
- Foundstone WSDigger
- SoapBox
- SoapUI
- SOAPClient4XG
- cURL
On-line tools
- Web Services Directory
- Seekda
- UDDI Browser
- XMethods
- WSIndex
References
- Hacking Web Services by Shreeraj Shah
- How to Break Web Software by Mike Andrews and James Whittaker
- Attacking Web Services by Alex Stamos