OWASP Top Ten for Web Services Forum (PowerPoint presentation)


OWASP Top Ten for Web Services Forum

Marco Morana

OWASP Chapter Lead

[email protected]

Cincinnati Chapter

August Meeting

Meeting Agenda

  • OWASP Video Presentation: Web Services OWASP Top Ten from Gunnar Peterson

    • http://video.google.com/videoplay?docid=5680040858618100893

  • Discussion Forum

    • Summary Of Top Ten For Web Services

    • Discussion Points: Q&A

    • OWASP References

Web Services Security

  • The security of web services and distributed architecture represents challenges:

    • Security of the perimeter is not enough

    • Data segregation does not separate good from evil

    • Security goals cannot be limited to the CIA attributes

    • Location independence: authenticate in one place and authorize in another place

    • Interoperability across systems and technologies

    • Consistent policy enforcement

    • Secure email vs. tiered architecture

    • Security of the delivery channel and the intermediaries

  • Design-time activity aimed at pointing out common security pitfalls and proper ways to implement security within design patterns

  • Originally a white paper – donated to OWASP by Security Compass

Web Services OWASP T1

  • T1: Injection Attacks

    • Larger attack surface and new targets for injection flaws: SQL injection, LDAP and XPATH/XQUERY, XSLT, HTML, XML, OS command injection

    • A web service gateway that fronts backend services lets injected input reach those backends: mainframes, MQs, ESB, SAP

    • Decoupling between requester and provider gives the attacker more attack vector opportunities

    • Countermeasures

      • Input validation, encoding, sanitization, canonicalization

      • Validate at each trust boundary (gateway, backend)

Web Services OWASP T2

  • T2: Malicious file execution

    • Web service processing can take untrusted input that injects commands, controls remote file or malware upload, or remotely executes system commands

    • XML parsers can be abused by uploading malformed XML to cause denial or degradation of service

    • Countermeasures

      • Do not trust client supplied input, validate server side

      • Validate XML size and schema before processing

Web Services OWASP T3

  • T3: Insecure Object Reference

    • Remote code execution via abuse of object references

    • Failure to check data references and URL parameters can lead to remote rootkit installation and compromise.

    • In some cases banking applications use the account number (ACC#) as the primary key; it can be misused for SQL injection if it is not validated

    • Countermeasures

      • Use encryption and signatures to prevent tampering of SOAP messages, validate references on the server side

      • Beware of WS-Security: you might have a SOAP message that uses WS-Security to sign the SOAP header, but some IDEs add a REST call in the form of a GET that can be called without authorization; this needs to be turned off.

Web Services OWASP T4

  • T4: Information Leakage

    • Configuration information such as the application type; a WSDL readable by the public: with the XSD and XML the attacker knows the data and the values to attack; the UDDI registry can leak information such as addressing, routing structure or behavior

    • Countermeasures:

      • Remove WSDL files from web server

      • Disable the documentation protocols to prevent dynamic generation of WSDL

      • Capture exceptions and return minimal information to users

Web Services OWASP T5

  • T5: Broken Authentication And Weak Tokens

    • Unprotected tokens and assertions: flaws allow attackers to hijack user and admin accounts, bypass authorization and mount replay attacks.

    • Claim-based (SAML) access control vs. RBAC

    • Countermeasures

      • Authentication via password digest, SAML and Kerberos tickets, X.509 certificates, or username and password in plaintext

      • SSL and message payload encryption for transit protection

      • Unique message ID, date stamp and nonce with each request to prevent message replay

      • Digital signature to prevent tampering
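The last two countermeasures combined into one server-side check, as an added example that is not from the slides: a message carries an id, a nonce, a date stamp and a signature over all of them, and the receiver rejects anything stale, tampered, or already seen. An HMAC over a shared key stands in for the digital signature (an assumption made for this example); the field names are constructed.

```python
import hashlib
import hmac
import time

def sign(key: bytes, msg: dict) -> str:
    # HMAC stands in for the digital signature the slide calls for (an assumption of this example);
    # it covers id, nonce, date stamp and body, so none of them can be altered without detection.
    data = f"{msg['id']}|{msg['nonce']}|{msg['created']}|{msg['body']}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class ReplayGuard:
    """Server-side check: fresh date stamp, valid signature, and an (id, nonce) pair never seen before."""
    def __init__(self, key: bytes, max_skew: int = 300, now=time.time):
        self._key = key
        self._max_skew = max_skew      # seconds of clock skew tolerated around the message date stamp
        self._now = now                # injectable clock so the check is deterministic in tests
        self._seen = {}                # (id, nonce) -> expiry, so the cache cannot grow without bound

    def accept(self, msg: dict) -> bool:
        now = self._now()
        self._seen = {t: exp for t, exp in self._seen.items() if exp > now}   # drop expired entries
        try:
            created = int(msg["created"])
            token = (msg["id"], msg["nonce"])
            presented = msg["signature"]
            expected = sign(self._key, msg)
        except (KeyError, ValueError, TypeError):
            return False               # malformed or missing security header
        if abs(now - created) > self._max_skew:
            return False               # stale or future-dated: outside the replay window
        if not hmac.compare_digest(expected, presented):
            return False               # tampered or forged
        if token in self._seen:
            return False               # same id/nonce presented again inside the window
        self._seen[token] = created + self._max_skew
        return True

# Constructed sample exchange (not from the slides).
KEY = b"demo-shared-key"
CLOCK = 1_250_000_000                  # fixed clock so the sample is deterministic
REQUEST = {"id": "msg-42", "nonce": "7f3a9c", "created": CLOCK, "body": "<Transfer>...</Transfer>"}
REQUEST["signature"] = sign(KEY, REQUEST)
STALE = {**REQUEST, "nonce": "e1b2", "created": CLOCK - 3600}
STALE["signature"] = sign(KEY, STALE)  # correctly signed, but an hour old
def demo() -> tuple:
    guard = ReplayGuard(KEY, now=lambda: CLOCK)
    first = guard.accept(REQUEST)                                   # True
    replay = guard.accept(REQUEST)                                  # False: replayed
    tampered = guard.accept({**REQUEST, "body": "<Transfer>altered</Transfer>"})  # False: signature
    return first, replay, tampered, guard.accept(STALE)             # last is False: stale
```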

Web Services OWASP T6

  • T6: Insecure Crypto Usage

    • Not encrypting secrets and keys

    • Use of weak algorithms such as MD5 and RC3 and RC4

    • Hard-coding keys.

    • Misuse of XML encryption: signature tag with no signature value, homegrown encryption algorithms

    • Countermeasures:

      • Protect secrets

      • Use standard secure cryptographic algorithms

      • Do not hardcode secrets

      • Do not use homegrown encryption implementations/schemes

      • Test your crypto implementation

Web Services OWASP T7

  • T7: Insecure communications

    • Not using SSL exposes authentication data, session data and other sensitive information.

    • WS-Security and SAML tokens can be sniffed in transit when no SSL protects them

    • Timing and replay attacks

    • Countermeasures

      • Protect data in transit: SSL/IPsec

      • Protect XML documents/sections with XML encryption

      • Validate signatures properly (presence, and who trusted it)

Web Services OWASP T8

  • T8: Failure to Restrict Access

    • Failing to restrict access to web service functions and methods. The WSDL broadcasts what each service call requires and expects in return. Some methods use MQ listeners with no authentication to call them.

    • The web service is a gateway to the mainframe with no authentication because the back end does not require it (e.g. ping ESB/TIBCO)

    • Countermeasures

      • Server to server and trusted authentication across systems

      • Message level authentication (usr/pwd, kerberos, X509, SAML)

      • Application level auth (role-based authorization for methods)

Web Services OWASP T9 (New)

  • T9: Broken XML

    • XML document binding is based on parameters that are encoded and parsed, and those parameters can be injected

    • Failure to validate well-formed XML against an XSD can lead to DoS

    • Recursive XML (DTD-based entity expansion) can lead to DoS

    • A CDATA element (not interpreted) can cause the parser to fail

    • Countermeasures

      • Specify the XML size and schema via DTD for old SOAP (otherwise do not use DTD: it is not allowed in the current spec!) and via XSD

      • Do not use the old Xerces parser (prone to DoS)

      • Validate all input and encode output
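The size and structure checks from this slide and from T2 ("Validate XML size and schema before processing"), as an added example that is not from the slides: the document is bounded in size, any DOCTYPE or entity declaration is refused before expansion can start, nesting depth is capped, and malformed input is reported as a single rejection. The limits and sample messages are constructed; XSD validation is assumed to follow with a validating parser and is not shown.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when a document fails the pre-parse checks."""

def check_xml(data: bytes, max_bytes: int = 64 * 1024, max_depth: int = 32) -> str:
    """Return the root element name if the document is acceptable, else raise UnsafeXML.
    The limits are constructed for this example; derive real ones from the service's message sizes.
    XSD validation would follow this step with a validating parser (e.g. lxml), not used here."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document too large: {len(data)} > {max_bytes} bytes")
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "root": None}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE/DTD not allowed")            # no DTD, so no recursive entity expansion
    def on_entity(*_):
        raise UnsafeXML("entity declaration not allowed")
    def on_start(name, attrs):
        state["depth"] += 1
        if state["root"] is None:
            state["root"] = name
        if state["depth"] > max_depth:
            raise UnsafeXML(f"nesting deeper than {max_depth}")  # deep nesting exhausts parser stacks
    def on_end(name):
        state["depth"] -= 1
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)                               # raises ExpatError on malformed input
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"not well-formed: {exc}") from None
    return state["root"]

def is_accepted(data: bytes, **limits) -> bool:
    try:
        check_xml(data, **limits)
        return True
    except UnsafeXML:
        return False

# Constructed samples (not from the slides).
GOOD = b"<Envelope><Body><GetBalance><account>demo</account></GetBalance></Body></Envelope>"
WITH_DTD = b'<!DOCTYPE d [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><d>&b;</d>'
TRUNCATED = b"<Envelope><Body>"
DEEP = b"<n>" * 40 + b"</n>" * 40
```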

Web Services OWASP T10 (New)

  • T10: Identity Misuse

    • The identity is the basis for claims and assertions used for routing decisions (to pass to different back end services), business logic and access control

    • A malicious service provider can gain access to different services used by Google (the token sent back was valid for any Google service) and other identity providers.

    • Countermeasures

      • Protect the identity from misuse

      • Map identity to resources used for access control decisions

      • Enforce SAML SCOPE assertions
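Enforcing the assertion's scope on the receiving service, as an added example that is not from the slides: a SAML 2.0 assertion is accepted only if its AudienceRestriction names this service and the current time lies inside its NotBefore/NotOnOrAfter window, which is what stops a token issued for one service from being presented to another. The sample assertion and audience URL are constructed; signature verification and the size/DTD checks are assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value: str) -> datetime:
    # SAML uses xs:dateTime, normally in UTC with a trailing Z; make it parseable on older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def subject_for_service(assertion_xml: str, my_audience: str, now: datetime):
    """Return the subject NameID only if the assertion is scoped to my_audience and currently valid.
    Assumes the signature was already verified (T7) and the document passed size/DTD checks (T9);
    this function enforces only the scope and validity conditions."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None                                    # no conditions means no scope: reject
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        return None
    if not_on_or_after and now >= _ts(not_on_or_after):
        return None
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if my_audience not in audiences:
        return None                                    # token issued for another service: reject
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return name_id.text.strip() if name_id is not None and name_id.text else None

# Constructed sample assertion (not from the slides); the Signature element is omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-08-01T12:00:00Z" NotOnOrAfter="2009-08-01T12:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://payments.example/ws</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
T_VALID = datetime(2009, 8, 1, 12, 5, tzinfo=timezone.utc)
T_LATE = datetime(2009, 8, 1, 12, 30, tzinfo=timezone.utc)
```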

Discussion Points: Q & A

  • Do you use web services architectures (SOA, SaaS) in your organization?

    • Which processes, guidelines and tools do you use for securing web services?

  • Which challenges have you faced in deploying web services for your organization?

    • Integration with backend services: MQ/ESB

    • Trusted authentication: Kerberos-SSO, SAML

  • Can cloud computing and web services be made secure?

    • Do WS-Security, SAML buy security?

Further OWASP References

  • OWASP Guide to Building Secure Web Applications and Web Services (Development Guide)

    • http://www.owasp.org/index.php/Category:OWASP_Guide_Project

  • OWASP Web Services Portal

    • http://www.owasp.org/index.php/Web_Services

  • OWASP Web Services Security Project

    • http://www.owasp.org/index.php/Category:OWASP_Web_Services_Security_Project

  • OWASP Testing Guide: Testing For Web Services

    • http://www.owasp.org/index.php/Testing_for_Web_Services
