
Teaching a New Dog Old Tricks



Presentation Transcript


  1. RUXCON ‘06 Web Services Teaching a New Dog Old Tricks Daniel Grzelak / Colin Wong

  2. About Us • SIFT • Independent information security services • http://ww.sift.com.au/ • Daniel Grzelak • Technical analyst • daniel.grzelak@sift.com.au • Colin Wong • Found him outside • colin.wong@sift.com.au

  3. Outline • Web services basics • The past, the present, the future • Client testing • Web method enumeration • XML port scanning • Structured testing framework

  4. Web Services Essentials • XML-based remote procedure call • Simple Object Access Protocol (SOAP) • Web Services Description Language (WSDL) • Multiple transport bindings • HTTP, SMTP, FTP etc. • Interoperable, heterogeneous, magical! “Oh yeah, aight. Aight, I put on my robe and wizard hat.”

  5. Why Test Web Services? • High enterprise take-up in high value projects • Authentication services • Supply chain integration (B2B) • Exposing legacy systems • External APIs • Transactions and critical business functions • Web services will become increasingly widespread

  6. New Dog, Old Tricks • Web services share vulnerabilities with traditional distributed technologies • Lots of the same attacks apply but with better structure (XML) • Web services platforms make it “too easy” • Code web services as a traditional object • Platform automagically turns it into a service • Minimal (if any) security

  7. Client Testing • Web services security testing tends to focus on the web service itself • Clients are most often custom made • These can also be vulnerable • Clients are where the users are at • Users are the weakest link • Own the client and you can attack the users

  8. Old Client Tricks • Similar to JavaScript attacks in web apps • Target the browser not the server • Large client/server software houses have learnt to look at the client • Internet Explorer • Real Player • Web services clients get overlooked

  9. Client Attacks • Evil twin • DNS hacking • ARP poisoning • Hard to execute blind, possession of the client helps • Testing • Consume WSDL and become the web service • Once client talks to cloned web service, fuzz outputs and analyse client app response • Thorough logging must exist

  10. Web Method Enumeration • WSDL may not describe all allowed operations • Can be manually modified • Programmers love hidden backdoors • We would like to be able to find the secrets • Hidden administration interfaces or functions • Test or debug functions • Anything else we’re not supposed to get to

  11. Web Method Search • Perform a dictionary attack on web method names in a web service • Typically in the form of <verb><noun> • GetToken • AuthenticateUser • SetPassword • CreateAccount • Create or use ready-made verb and noun lists

  12. Calling Web Methods

  POST http://target.com/ HTTP/1.1
  SOAPAction: http://target.com/webMethodName
  Content-Type: text/xml

  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
      <webMethodName xmlns="tns">a</webMethodName>
    </soap:Body>
  </soap:Envelope>

  13. Analyse Responses • Test with each verb/noun combination • Analyse response of the web service • Can determine if the tested method exists • Combination exists • Successful call • Missing or incorrect parameter errors • Illegal argument or null reference errors • Combination does not exist • Operation not defined errors • No such operation or method • Bad SOAP action
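The response categories on slide 13 are just as useful on the defending side: a service that logs each SOAPAction together with the fault it produced can spot the dictionary attack of slides 11-12 as a burst of "operation not defined" faults across many distinct method names. The following detector is an added example, not the presenters' tool; the one-line-per-request log format, the `find_enumeration` helper and the sample log are constructed for this illustration.

```python
"""Flag web-method dictionary attacks (slides 11-13) from SOAP request logs.
Added example, not the presenters' tool.  Constructed log format, one line per
request: "<ISO time> <client ip> <SOAPAction> <fault text, or ok>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fault texts that in the slide 13 classification mean "method does not exist".
# Missing-parameter / null-reference faults are left out: the method exists then.
NOT_DEFINED_MARKERS = ("no such operation", "operation not defined",
                       "bad soap action", "no such method")

def is_not_defined_fault(fault: str) -> bool:
    return any(m in fault.lower() for m in NOT_DEFINED_MARKERS)

def parse_line(line: str):
    ts, ip, action, fault = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, action, fault

def find_enumeration(lines, window=timedelta(seconds=60), min_distinct=5):
    """Return {client ip: distinct undefined methods} for clients whose
    not-defined faults cover >= min_distinct distinct SOAPAction values
    inside any single time window of the given length."""
    events = defaultdict(list)                      # ip -> [(time, action)]
    for line in lines:
        ts, ip, action, fault = parse_line(line)
        if is_not_defined_fault(fault):
            events[ip].append((ts, action))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):                 # sliding window over sorted faults
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({a for _, a in evs[start:end + 1]}))
        if best >= min_distinct:
            flagged[ip] = best
    return flagged

# Constructed log: 10.0.0.9 walks a verb/noun list, 10.0.0.5 is an ordinary client.
SAMPLE_LOG = """\
2006-10-01T10:00:01 10.0.0.5 http://target.com/GetToken ok
2006-10-01T10:00:02 10.0.0.9 http://target.com/GetUser No such operation 'GetUser'
2006-10-01T10:00:03 10.0.0.9 http://target.com/SetUser No such operation 'SetUser'
2006-10-01T10:00:04 10.0.0.9 http://target.com/CreateAccount Missing parameter 'name'
2006-10-01T10:00:05 10.0.0.9 http://target.com/DeleteAccount Bad SOAP action
2006-10-01T10:00:06 10.0.0.9 http://target.com/GetPassword Operation not defined
2006-10-01T10:00:07 10.0.0.9 http://target.com/SetPassword no such method
2006-10-01T10:00:09 10.0.0.5 http://target.com/AuthenticateUser Operation not defined
""".splitlines()
```

Running `find_enumeration(SAMPLE_LOG)` flags only 10.0.0.9, whose CreateAccount "missing parameter" fault is correctly not counted because that fault means the method exists.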

  14. Web Method Searching (For Bugs?)

  No such operation 'get'
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
    at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
    at ...
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

  15. Web Method Searching (For Bugs?)
  • DirectoryException: cannot automatically create subdirectory http: at
  • <result xsi:type="xsd:string">null not in database (yet)</result>
  • <b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br /> <br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)
  • <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring>
  • SQL syntax errors

  16. Web Method Search Tool • Automated execution of dictionary attack with supplied wordlists • Analysis of responses against configurable response elements • Results may match multiple matters • Supports multiple weightings

  17. Web Method Search Tool • Demonstration • http://www.sift.com.au/73/0/tools.htm

  18. Workarounds and Mitigating Strategies • Security through obscurity does not work • Do not keep web methods secret because they will not remain secret • Input Validation

  19. XML Port Scanning • Everyone loves XML • Has become the standard for information exchange • Ubiquitous support by all vendors and platforms • Firewalls block most traffic at the perimeter • Except maybe 80 and 443 • Can we get behind the firewall to scan? • Maybe if we ask nicely

  20. Traditional Port Scan

  21. Document Type Definition • Allows you to define the valid elements of an XML document • Can dynamically build a DTD using references to external DTD definitions • Can define external entities that can be used within the XML document

  22. XML Parser Abuse • Abuse the ability for XML parsers to dereference external sources • Use DTD elements to get the parser to initiate connections on our behalf • The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1

  <!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>
  <scan>&test;</scan>

  23. Analyse Responses • We can infer the result of the attempted connection from the XML parser response • Closed ports result in a connection refused error • Open ports that respond to an HTTP request result in other errors or no error at all • Filtered ports, no such target or open ports that do not respond to an HTTP request result in a timeout • Can only scan one port per XML document • Cycle through all target ports and systems

  24. Applicability • This attack can be launched against XML endpoints • Cannot be used directly against SOAP • SOAP explicitly disallows DTD • Potential targets • AJAX APIs • XML document inputs • Encoded XML within SOAP parameters

  25. Impacts • Port scanning of systems in your DMZ • Effectively transports the scanning to the parser • You can see whatever the XML parser can see • Firewalls won’t help you • XML is valid traffic • SSL protects attack traffic

  26. XML Port Scan

  27. XML Port Scanning • Demonstration

  28. Workarounds and Mitigating Strategies • Disable external entity elements • Or define allowed external elements • Prohibit DTDs • Exception handling that does not return error messages or details • Still allows timeouts to be detected • So some open ports can be detected • Closed ports return quickly
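One way to enforce the "prohibit DTDs" option from slide 28 before a document ever reaches the application's SOAP stack, as an added example that is not the presenters' code: a pre-parse gate built on the standard-library expat bindings, which never dereference external entities on their own, so inspecting the slide 22 payload with them opens no connection. The `inspect_dtd` and `is_safe_to_parse` helpers and the sample documents are assumptions made for this illustration; the scan payload is the one shown on slide 22.

```python
"""Pre-parse gate for the slide 28 mitigation "Prohibit DTDs".  Added example,
not the presenters' code.  expat itself never fetches an external entity: a
SYSTEM entity is only dereferenced by a higher-level parser built on top of it."""
import xml.parsers.expat as expat

def inspect_dtd(document: bytes) -> dict:
    """Report the DOCTYPE name and every external entity declaration
    (name, SYSTEM id) in a document, without resolving anything."""
    info = {"well_formed": True, "doctype": None, "external_entities": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        info["doctype"] = name

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:          # SYSTEM "http://host:port/" style declaration
            info["external_entities"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        return 1                       # report success without opening a connection

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(document, True)
    except expat.ExpatError:
        info["well_formed"] = False
    return info

def is_safe_to_parse(document: bytes) -> bool:
    """Strict policy: reject any document that declares a DTD at all, and
    anything malformed.  Only accepted documents go on to the SOAP stack."""
    info = inspect_dtd(document)
    return info["well_formed"] and info["doctype"] is None

# Constructed samples: the slide 22 scan payload and a plain call as on slide 12.
SCAN_PAYLOAD = (b'<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>'
                b'<scan>&test;</scan>')
SOAP_CALL = (b'<?xml version="1.0" encoding="utf-8"?>'
             b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body><webMethodName xmlns="tns">a</webMethodName></soap:Body>'
             b'</soap:Envelope>')

if __name__ == "__main__":
    for doc in (SCAN_PAYLOAD, SOAP_CALL):
        print(is_safe_to_parse(doc), inspect_dtd(doc))
```

The softer option on the same slide, "define allowed external elements", is the `external_entities` list: a caller can check each SYSTEM id against an allowlist instead of rejecting every DOCTYPE.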

  29. Structured Testing • Web services are popular • So is testing their security • However, no structured framework exists • i.e. no OWASP (although some OWASP projects touch on web services) • Security testing must be structured to be useful

  30. Structured Testing Framework • Threat Modelling • Scoping • Test Planning • Test Execution • Reporting

  31. Testing Categories • Information Gathering • Fuzzing • Injection • Confidentiality & Integrity • Logging • Logic Flaws • Authentication & Authorisation • Availability

  32. Questions? ?

  33. RUXCON ‘06 Web Services Teaching a New Dog Old Tricks Colin Wong [colin.wong@sift.com.au] Daniel Grzelak [daniel.grzelak@sift.com.au]
