
Web Service Security James Walden Northern Kentucky University.


1 Web Service Security
James Walden, Northern Kentucky University

2 CSC 666: Secure Software Engineering
Web Services
Web services are designed to provide:
- Interoperability: services can be built on any framework in any language.
- Reuse: code can be re-used among different applications.
Services should be:
- Self-describing
- Discoverable
- Content-independent
- Stateless

3 Web Service Technologies
1. HTTP
2. XML
3. XPath
4. SOAP
5. WSDL

4 eXtensible Markup Language
Extensible descriptive markup language framework.
- Primarily used for data communication and storage.
- Tree-based document structure using <> tags.
- Began as a simplified subset of SGML.
Example document (element tags lost in transcript): a book element whose author is "Chris Pine" and whose title is "Learn to Program".

5 XML Tree Structure
Figure (tree diagram; element tags lost in transcript): a todo root element containing a title "Monday's List" with item elements "Study for midterm", "SSE Class" and "Bathe cat", and a title "Tuesday's List" with item elements "Study for midterm", "Scripting Class" (priority 10) and "Bathe Cat".

6 Elements and Attributes
An element consists of tags and contents (example, tags lost in transcript: an element whose content is "Learn to Program").
- Begin and end tags are mandatory.
- Tags must be consistently nested.
Attributes (example: number="0976694042")
- Elements may have zero or more attributes.
- Attribute values must always be quoted.

7 XML Entities
Entities are named data.
- Default (predefined) entities: &lt; &gt; &amp; &apos; &quot;
- New entities can be defined in the DTD.
- Entity definitions can be recursive.
Example (the ENTITY declaration inside the DTD was lost in transcript):
    <!DOCTYPE example [ ]>
    &copyright-notice;
Numeric character references are not entities.
- &#N; (decimal) or &#xH; (hexadecimal) refers to a Unicode code point.
- &#xA9; in the copyright-notice definition above refers to the copyright symbol.

8 XML Syntax Rules
1. There is one and only one root tag.
2. Begin tags must be matched by end tags.
3. XML tags must be properly nested.
4. XML tags are case sensitive.
5. All attribute values must be quoted.
6. Whitespace within tags is part of the text.
7. Newlines are always stored as LF.
8. HTML-style comments: <!-- comment -->

9 Correctness
Well-formed
- Conforms to the XML syntax rules.
- A conforming parser will not parse documents that are not well-formed.
Valid
- Conforms to the XML semantic rules given in a
  - Document Type Definition (DTD), or
  - XML Schema.
- A validating parser will not parse invalid documents.

10 Malicious XML
Insert an additional element.
- The XML is still well formed.
- Validity depends on the DTD.
- The application will accept it if it doesn't validate.
Example document (element tags lost in transcript): a bookOrder for the title "XML Security" at price 59.99, with an additional element carrying the value 0.01 inserted after it, shipping to Nunn Drive, Highland Heights, KY.

11 Validation
DTD (example lost in transcript)
XML Schema (example lost in transcript; schema namespace http://www.w3.org/2001/XMLSchema)
Ensure that elements are present and are leaf nodes.

12 Strict Validation
Schemas can also validate data using regexps.
(Schema example lost in transcript; schema namespace http://www.w3.org/2001/XMLSchema)
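The schema examples on slides 11 and 12 did not survive the transcript, so the following is an added example, not the slides' own code: a JAXP validator (javax.xml.validation) checking a bookOrder against an inline XML Schema that requires every element to be present exactly once as a leaf, types price as a decimal, and constrains isbn with a regexp. The schema, the ISBN pattern and the three sample orders are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class StrictOrderValidation {

    // Constructed schema: a sequence with default minOccurs/maxOccurs of 1,
    // so each child is required, appears once, and (being typed) is a leaf.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>" +
        " <xs:element name='bookOrder'>" +
        "  <xs:complexType><xs:sequence>" +
        "   <xs:element name='title' type='xs:string'/>" +
        "   <xs:element name='isbn'>" +
        "    <xs:simpleType><xs:restriction base='xs:string'>" +
        "     <xs:pattern value='[0-9]{3}-[0-9]{10}'/>" + // illustrative ISBN-13 shape
        "    </xs:restriction></xs:simpleType>" +
        "   </xs:element>" +
        "   <xs:element name='price' type='xs:decimal'/>" +
        "  </xs:sequence></xs:complexType>" +
        " </xs:element>" +
        "</xs:schema>";

    // Constructed sample: a well-formed and valid order.
    static final String GOOD_ORDER =
        "<bookOrder><title>XML Security</title>" +
        "<isbn>978-0321424778</isbn><price>59.99</price></bookOrder>";

    // Constructed sample: the slide-10 trick, a second price element.
    // Well formed, but the sequence allows only one price.
    static final String EXTRA_PRICE =
        "<bookOrder><title>XML Security</title>" +
        "<isbn>978-0321424778</isbn><price>59.99</price><price>0.01</price></bookOrder>";

    // Constructed sample: letters in the ISBN fail the xs:pattern regexp.
    static final String BAD_ISBN =
        "<bookOrder><title>XML Security</title>" +
        "<isbn>978-03214ABCDE</isbn><price>59.99</price></bookOrder>";

    static Validator newValidator() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(new StringReader(ORDER_XSD)));
        Validator v = schema.newValidator();
        // Never fetch external DTDs or schemas while validating untrusted input.
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    // true when the document conforms to ORDER_XSD, false (with the
    // validator's reason printed) when it does not.
    static boolean isValid(String xml) throws SAXException {
        try {
            newValidator().validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException | java.io.IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("good order valid?  " + isValid(GOOD_ORDER));
        System.out.println("extra price valid? " + isValid(EXTRA_PRICE));
        System.out.println("bad ISBN valid?    " + isValid(BAD_ISBN));
    }
}
```

Validation runs against a schema the application supplies, so, unlike a DTD referenced from the document itself, the input cannot swap in its own rules; the two ACCESS_EXTERNAL properties additionally stop the validator from following any DTD or schema location the input might name.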

13 Bypassing Validation
Include a DTD in the malicious XML file (entity declarations inside the DTD lost in transcript):
    <!DOCTYPE bookOrder [ ]>
Example document (element tags lost in transcript): a bookOrder for the title "XML Security" at price 59.99, with the injected 0.01 value, shipping to Nunn Drive, Highland Heights, KY.
Alternately: (second example lost in transcript)

14 External Entity References
Use entity references to read files on the server filesystem (the ENTITY declaration inside the DTD was lost in transcript):
    <!DOCTYPE bookOrder [ ]>
    &eer;
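Slides 13 and 14 both rely on the document bringing its own DTD. The defensive counterpart, as an added example that is not code from the slides, is a JAXP DocumentBuilder configured to refuse any DOCTYPE before an entity can be declared, let alone expanded. The feature URIs are the standard Xerces ones understood by the JDK's built-in parser; the two sample documents are constructed for this example, and the DTD in the second declares only a harmless internal entity, since the point is that the DOCTYPE itself is rejected.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedXmlParser {

    // Constructed sample: an ordinary order with no DOCTYPE.
    static final String PLAIN_ORDER =
        "<bookOrder><title>XML Security</title><price>59.99</price></bookOrder>";

    // Constructed sample: the same order carrying an inline DTD. The entity
    // is a harmless placeholder; a hardened parser refuses the DOCTYPE anyway.
    static final String ORDER_WITH_DTD =
        "<!DOCTYPE bookOrder [<!ENTITY eer \"placeholder\">]>" +
        "<bookOrder><title>&eer;</title><price>59.99</price></bookOrder>";

    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: covers both the inline DTD of slide 13 and the
        // external entity declaration of slide 14 in one setting.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the parsed DOM, or null (with the parser's reason printed)
    // when the hardened builder refuses the document.
    static Document parseOrNull(String xml) throws ParserConfigurationException {
        try {
            return newHardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (org.xml.sax.SAXException | java.io.IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document ok = parseOrNull(PLAIN_ORDER);
        System.out.println("plain order root element: " + ok.getDocumentElement().getTagName());
        Document withDtd = parseOrNull(ORDER_WITH_DTD);
        System.out.println("order with DTD accepted? " + (withDtd != null));
    }
}
```

With disallow-doctype-decl set, the second parse fails with a SAXParseException as soon as the parser reads the DOCTYPE, so no entity, internal or external, is ever resolved. The same factory settings apply to SAXParserFactory; the validator on slide 12 and the XPath code on slide 17 should be fed documents that have already passed through a builder configured this way.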

15 XML Injection
Include an element in the shipping address.
- User input for street is "Nunn Drive 0.01 Nunn Drive" (the element tags inside the input were lost in transcript).
Resulting document (element tags lost in transcript): a bookOrder for the title "XML Security" at price 59.99, with street "Nunn Drive 0.01 Nunn Drive", Highland Heights, KY.

16 XPath
Language for selecting nodes from XML.
- Combines directory-type paths + regexps.
- XPath 2.0 is the basis for XQuery, an SQL-like language.
Example document (element tags lost in transcript): a bookOrder for the title "XML Security" at price 59.99, shipping to Nunn Drive, Highland Heights, KY.
Examples
- bo: children of the bo node
- /bo: root bo element
- //bo: all bo elements
- bo//title: all titles under bo
- //bo[price='39']: all bo nodes with a price of 39.

17 XPath Searching
    XPathFactory xfac = XPathFactory.newInstance();
    XPath xp = xfac.newXPath();
    InputSource input = new InputSource(xmlFile);
    // name and pass come straight from the user and are spliced into the query text
    String query = "//users/user[@name='" + name + "' and @pass='" + pass + "']";
    return xp.evaluate(query, input);

18 XPath Injection
Set pass to ' or 'a' = 'a
- //users/user[name='John' and pass='' or 'a' = 'a']
- Returns all users.
Set name to ' or id=1 or ''='
- //users/user[name='John' or id=1 or ''='' and pass='letmein']
- Returns all users with id=1
XQuery Injection in the future
- Supports conditionals + loops.
- User-defined functions.

19 Mitigating XPath Injection
Use XPath bind variables
- Similar to SQL prepared statement variables.
    XPathFactory xfac = XPathFactory.newInstance();
    XPath xp = xfac.newXPath();
    InputSource input = new InputSource(xmlFile);
    // XPathBindVariables is the slide's own helper, a javax.xml.xpath.XPathVariableResolver;
    // it is not part of JAXP.
    XPathBindVariables bv = new XPathBindVariables();
    xp.setXPathVariableResolver(bv);
    bv.bindVar("NAME", name);
    bv.bindVar("PASS", pass);   // the query below references $NAME and $PASS
    String query = "//users/user[@name=$NAME and @pass=$PASS]";
    return xp.evaluate(query, input);
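To make slides 17 through 19 concrete, here is an added example (not the slides' code) that puts the concatenated query beside a bound-variable version. It uses the standard JAXP XPathVariableResolver interface directly rather than the slide's XPathBindVariables helper; the users document, the credentials and the method names are constructed for this example.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLogin {

    // Constructed user store: two accounts, attributes as on slide 17.
    static final String USERS =
        "<users>" +
        "<user name='John' pass='letmein' id='1'/>" +
        "<user name='alice' pass='s3cr3t' id='2'/>" +
        "</users>";

    // Vulnerable form (slide 17): credentials are spliced into the query
    // text, so quote characters in the input change the query's structure.
    static int matchesUnsafe(String name, String pass) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String query = "//users/user[@name='" + name + "' and @pass='" + pass + "']";
        NodeList hits = (NodeList) xp.evaluate(query,
            new InputSource(new StringReader(USERS)), XPathConstants.NODESET);
        return hits.getLength();
    }

    // Bound-variable form (slide 19): $NAME and $PASS are supplied as values
    // through a resolver, so the input is compared as a string, never parsed.
    static int matchesSafe(String name, String pass) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("NAME", name, "PASS", pass);
        xp.setXPathVariableResolver(q -> vars.get(q.getLocalPart()));
        String query = "//users/user[@name=$NAME and @pass=$PASS]";
        NodeList hits = (NodeList) xp.evaluate(query,
            new InputSource(new StringReader(USERS)), XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        String injected = "' or 'a'='a";   // the pass value from slide 18
        System.out.println("unsafe, real password:  " + matchesUnsafe("John", "letmein"));
        System.out.println("unsafe, injected value: " + matchesUnsafe("John", injected));
        System.out.println("safe, real password:    " + matchesSafe("John", "letmein"));
        System.out.println("safe, injected value:   " + matchesSafe("John", injected));
    }
}
```

The two methods differ only in how the credentials reach the query. In matchesUnsafe the slide-18 value closes the @pass literal and appends "or 'a'='a'", so the predicate is true for every user element; in matchesSafe the same value is handed to the resolver and compared literally against the pass attribute, which no account has, so nothing matches. A login routine built on matchesSafe should additionally require exactly one hit before granting access.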

20 SOAP
Simple Object Access Protocol
- RPC protocol using XML messages.
- Primarily uses HTTP as the transport protocol, to bypass firewalls and support proxies.
Vulnerabilities
- XML injection
- Session management
- Identified + documented by WSDL

21 SOAP Request
    POST /order HTTP/1.1
    Host: example.com
    Content-Type: text/xml; charset="utf-8"
    Content-Length: nnnn

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    (Body elements lost in transcript; the values shown were 978-0321424778 and 1.)

22 SOAP Response
    HTTP/1.1 200 OK
    Content-Type: text/xml; charset="utf-8"
    Content-Length: nnnn

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    (Body elements lost in transcript; the values shown were 978-0321424778, 49.99 and 1.)

23 WSDL
Web Services Description Language
- Service: contains a set of messages.
- Message: an individual operation.
- Port: address (URL) of the service.
- Binding: port type, such as SOAP, and SOAP binding type.

24 WSDL Enumeration
Obtain the list of services and messages.
- The WSDL file is typically published by default.
Finding WSDL files
- Append ?WSDL or .WSDL to the service URL.
- Look up WSDL files on UDDI servers.
- Google hacking: filetype:wsdl inurl:wsdl
Mitigation
- Avoid publishing the WSDL file.
- J2EE: remove wsdl.location from properties.

25 References
1. Nischal Bhalla and Sahba Kazerooni, "Web Services Vulnerabilities," Black Hat Briefings EU, http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf, 2007.
2. Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, 2007.
3. Billy Hoffman and Bryan Sullivan, AJAX Security, Addison-Wesley, 2008.
4. Paco Hope and Ben Walther, Web Security Testing Cookbook, O'Reilly, 2009.
5. iSEC Partners, Attacking Web Services, OWASP AppSec DC, https://www.isecpartners.com/documents/iSEC-Attacking-Web-Services.OWASP.pdf, 2005.
6. Ramarao Kanneganti and Prasad Chodavrapu, SOA Security, Manning, 2008.
7. OWASP, OWASP Guide to Building Secure Web Applications, http://www.owasp.org/index.php/OWASP_Guide_Project, 2009.
8. Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook, Wiley, 2008.
9. w3schools, SOAP Tutorial, http://www.w3schools.com/soap/default.asp.

