
Web Services Security




Presentation Transcript


  1. Web Services Security Pete Lindstrom, CISSP Research Director Spire Security, LLC www.spiresecurity.com petelind@spiresecurity.com

  2. Agenda • Web Services Threat Profile • Top Ten Attacks • Defending Against the Top Ten Attacks • Conclusions

  3. Web Services Opportunities & Risks • Multiple data sources provide many alternatives and opportunities for business. • How do we ensure that the data sources are legitimate? • Real-time transactions can be submitted just-in-time. • How do we validate the data prior to its use? • Contextual data makes integration easy. • Who else may intercept the data? • Directories allow for dynamic lookups and immediate gratification. • How do we validate the directories?

  4. Web Services: Bane or Panacea? From monolithic mainframe, to two- and three-tier client server, to n-tier Web. Now, we have n-peer Web Services • Standardization: common communication protocols • Easier to learn technology, higher likelihood of finding a target. • Loose-coupling: flexible architecture • More uniquely addressable attack points. • Federation: working together • More ways to “hide” amidst legitimate traffic. Increased functionality brings increased risk, but it may be worth it.

  5. Web Services Components • XML/SOAP Communication protocols. • Configuration Data (the setup) • XML Processors • Legacy Apps • External Entities

  6. XML/SOAP Protocols • Protocol Abuse • XML Information as: • Protocol / Tags • Expected operations • RPC / Command (embedded code) • And variables, flags, attributes • Data/transaction • URIs - pointers

  7. Web Services Configuration Data • Web Services Description Language (WSDL) Files • XML Schemas • XSLT Files • WS-Policy information

  8. XML Processor • Standard operations • Parse XML • Aggregate data • Transform data • Canonicalize data • All Legitimate manipulation of data after the source. • Legacy bolt-ons • Untrusted entities

  9. External Entities Local/UDDI Format/C14N Schema WSDL WS-Policy XSLT XML Route/Switch XML Processor Applications .Net/J2EE Protocol Conversations Legacy Apps Program Instructions Parse, Evaluate, Transform Web Services Consumer Methods and Bindings Repositories Transactions XML-DB File Systems RDBMS XML Documents Web Services Threat Profile

  10. Data Protection Goals • Confidentiality – protect data from being seen by inappropriate people/entities. • Integrity – protect data from being modified inappropriately. • Authenticity – ensure the data and its source are legitimate. • Availability – ensure the data is accessible by appropriate entities.

  11. Basic Confidentiality Encryption: • Encrypt data with symmetric key • Securely transfer key to recipient (e.g. encrypt symmetric key with recipient’s public key) Decryption: • Securely receive key (e.g. decrypt symmetric key with recipient’s private key) • Decrypt data with symmetric key

  12. XML Encryption • Candidate Recommendation • How to represent encrypted data within XML • Separate encrypted data from encryption information • Super-encryption • http://www.w3.org/Encryption/2001/

  13. XML Encryption Elements • <EncryptedData> container element • <EncryptionMethod> element: describes the encryption algorithm. • <KeyInfo> element: defined in XML-DSIG • <CipherData> envelopes or references raw encrypted data • <CipherValue> raw data if enveloped • <CipherReference> reference data if detached

  14. XML Encryption Encryption: • Use <EncryptionMethod> to create <CipherValue> described by <CipherData> elements. • Securely transfer key to recipient using <KeyInfo> or out of band method. Decryption: • Retrieve key using <KeyInfo>. • Take <CipherValue> and identify <EncryptionMethod> to decrypt data.

  15. XML Encryption Scenarios • Encrypt XML Element • Encrypt Element and Content • Encrypt XML Content (Character Data) • Encrypt Arbitrary Data and XML Documents • Super-encryption

  16. XML Encryption - Example: Unencrypted Data
      <?xml version='1.0'?>
      <PaymentInfo xmlns='http://example.org/paymentv2'>
        <Name>John Smith</Name>
        <CreditCard Limit='5,000' Currency='USD'>
          <Number>4019 2445 0277 5567</Number>
          <Issuer>Example Bank</Issuer>
          <Expiration>04/02</Expiration>
        </CreditCard>
      </PaymentInfo>
      Source: XML Encryption Syntax and Processing, http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/

  17. XML Encryption - Example: Encrypting an XML Element (the whole <CreditCard> element, attributes included, is replaced; the rest of the document is unchanged)
      <?xml version='1.0'?>
      <PaymentInfo xmlns='http://example.org/paymentv2'>
        <Name>John Smith</Name>
        <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                       xmlns='http://www.w3.org/2001/04/xmlenc#'>
          <CipherData>
            <CipherValue>A23B45C56</CipherValue>
          </CipherData>
        </EncryptedData>
      </PaymentInfo>
      Source: XML Encryption Syntax and Processing, http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/

  18. XML Encryption - Example: Encrypting XML Element Content (the <Number>, <Issuer> and <Expiration> child elements; note that the <CreditCard> element and its Limit and Currency attributes stay in the clear)
      <?xml version='1.0'?>
      <PaymentInfo xmlns='http://example.org/paymentv2'>
        <Name>John Smith</Name>
        <CreditCard Limit='5,000' Currency='USD'>
          <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                         Type='http://www.w3.org/2001/04/xmlenc#Content'>
            <CipherData>
              <CipherValue>A23B45C56</CipherValue>
            </CipherData>
          </EncryptedData>
        </CreditCard>
      </PaymentInfo>
      Source: XML Encryption Syntax and Processing, http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/

  19. XML Encryption - Example: Encrypting XML Content (character data: the card number itself)
      <?xml version='1.0'?>
      <PaymentInfo xmlns='http://example.org/paymentv2'>
        <Name>John Smith</Name>
        <CreditCard Limit='5,000' Currency='USD'>
          <Number>
            <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                           Type='http://www.w3.org/2001/04/xmlenc#Content'>
              <CipherData>
                <CipherValue>A23B45C56</CipherValue>
              </CipherData>
            </EncryptedData>
          </Number>
          <Issuer>Example Bank</Issuer>
          <Expiration>04/02</Expiration>
        </CreditCard>
      </PaymentInfo>
      Source: XML Encryption Syntax and Processing, http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/

  20. XML Encryption - Example: Encrypt Everything (arbitrary data: the whole XML document, typed by MimeType)
      <?xml version='1.0'?>
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     MimeType='text/xml'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
      Source: XML Encryption Syntax and Processing, http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/

  21. XML Encryption Roundup • The goal is confidentiality (privacy). • The key is the key – key management. • Must be able to retain keys over time. • Must be able to protect the keys. • Must keep the key and the cipherdata separate.

  22. Integrity & Authenticity Sign: • Process data through one way hash • Sign hash with source private key • Transmit data Validate: • Validate signature with source public key • Re-hash data and compare

  23. XML Signature • RFC 3275, March 2002 • Works with any data object • Sign data in same XML document • Enveloped signatures (signature is child) • Enveloping signatures (signature is parent) • Sign data that is external to signature

  24. XML Signature Container Format
      <Signature>                        (root)
        <SignedInfo>                     (the data that is actually signed)
          <CanonicalizationMethod />     (data canonicalization)
          <SignatureMethod />            (signature algorithm)
          <Reference>                    (one per signed data object)
            <Transforms />
            <DigestMethod />             (hash algorithm)
            <DigestValue />              (hash value)
          </Reference>
        </SignedInfo>
        <SignatureValue />               (signed hash info)
        <KeyInfo />                      (key information)
      </Signature>

  25. XML Signature Elements • <Signature> element: Root • <SignedInfo> element: Container for the information that is actually signed. • <CanonicalizationMethod> element: Algorithm used to put the data into canonical form prior to signing. [XML-C14N] • <SignatureMethod> element: Algorithm used to sign the hash (DSA-SHA1; RSA-SHA1)

  26. XML Signature Elements (cont’d) • <Reference> one per signed data object: identifies it by URI and carries its <Transforms>, <DigestMethod> and <DigestValue>. • <Transforms> describes processing requirements prior to sign/validate. • <DigestMethod> algorithm used to create the hash. • <DigestValue> the hash itself. • <SignatureValue> the result of signing the canonicalized <SignedInfo>. • <KeyInfo> information on how to retrieve the validation key.

  27. XML Signature Sign: • Canonicalize data (<CanonicalizationMethod>) • Process data through one way hash (<DigestMethod>; <DigestValue>) • Sign hash with source private key (<SignatureMethod>; <SignatureValue>) • Transmit data Validate: • Validate signature with source public key • Re-hash data and compare

  28. Manifests • <Manifest>: a “once-removed” signature. Core validation checks only the digest of the <Manifest> element itself, not the digests of the <Reference>s listed inside it. • Useful for performance considerations. • Provides selective validation: the application chooses which listed references to check. • Gotcha: validation of the individual references inside the manifest must then occur within the application. • Those references are not validated by XML Signature core validation.

  29. XML Signature Roundup • Always include dynamic information in signed data. • Protect against replay attacks. • Retrieve key info out-of-band. • Validate all algorithm sources.
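The sign/validate flow of slides 22 and 27 together with the replay guidance of slide 29, as an added Python example that is not part of the deck. The RSA here is a textbook toy with short keys and no padding, used only so the block runs on the standard library; the SignatureMethod URI `urn:example:toy-rsa-sha256`, the envelope layout with an `Id="body"` element, the `Verifier` class and the nonce/timestamp fields are assumptions of this example, and SHA-256 stands in for the SHA-1 named on slide 25. The verification key is handed to the verifier out of band, the digest of every <Reference> is recomputed after canonicalization, the verifier checks that the element it acts on is actually among the signed references, and the signed nonce and timestamp are used to reject replays.

```python
import hashlib
import math
import random
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Toy RSA (assumption of this example): textbook RSA, no padding, short keys,
# used only so the block runs on the standard library. Use RSA-PSS/ECDSA from
# a vetted library for anything real.
def _is_probable_prime(n, rounds=16):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def toy_keypair(bits=256):
    """Return ((n, e), (n, d)); n is ~512 bits, so a SHA-256 digest fits below it."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _c14n(elem):
    # <CanonicalizationMethod>: serialize the subtree in canonical form (stdlib
    # C14N 2.0) so whitespace or attribute order cannot change the digest.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def _find_by_id(root, ref_id):
    for el in root.iter():
        if el.get("Id") == ref_id:
            return el
    raise LookupError(ref_id)

def make_envelope(amount, nonce, timestamp):
    # Constructed message; the nonce and timestamp sit INSIDE the signed body.
    return (f'<Envelope><Header/><Body Id="body"><Order><Amount>{amount}</Amount>'
            f'<Nonce>{nonce}</Nonce><Timestamp>{timestamp}</Timestamp></Order></Body></Envelope>')

def sign_envelope(envelope_xml, priv, ref_id="body"):
    """Sign: canonicalize -> digest (<Reference>) -> sign SignedInfo (<SignatureValue>)."""
    root = ET.fromstring(envelope_xml)
    digest = hashlib.sha256(_c14n(_find_by_id(root, ref_id))).hexdigest()
    sig = ET.fromstring(
        f'<Signature xmlns="{DSIG}"><SignedInfo>'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n2"/>'
        '<SignatureMethod Algorithm="urn:example:toy-rsa-sha256"/>'
        f'<Reference URI="#{ref_id}"><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo><SignatureValue/></Signature>')
    n, d = priv
    h = int.from_bytes(hashlib.sha256(_c14n(sig.find(f"{{{DSIG}}}SignedInfo"))).digest(), "big")
    sig.find(f"{{{DSIG}}}SignatureValue").text = str(pow(h, d, n))
    root.find("Header").append(sig)
    return ET.tostring(root, encoding="unicode")

class Verifier:
    """Validate: check SignatureValue, re-digest each Reference, then reject replays."""
    def __init__(self, pub, max_age=300):
        self.pub = pub          # obtained out of band; never taken from the message's <KeyInfo>
        self.max_age = max_age  # seconds of clock skew / delivery delay tolerated
        self.seen = set()       # nonces already accepted (persist this in a real deployment)

    def verify(self, signed_xml, now, ref_id="body"):
        root = ET.fromstring(signed_xml)
        sig = root.find(f".//{{{DSIG}}}Signature")
        if sig is None:
            return "no signature"
        si = sig.find(f"{{{DSIG}}}SignedInfo")
        n, e = self.pub
        h = int.from_bytes(hashlib.sha256(_c14n(si)).digest(), "big")
        if pow(int(sig.findtext(f"{{{DSIG}}}SignatureValue", "0")), e, n) != h:
            return "bad signature"
        covered = set()
        for ref in si.findall(f"{{{DSIG}}}Reference"):
            uri = ref.get("URI", "").lstrip("#")
            try:
                target = _find_by_id(root, uri)
            except LookupError:
                return "reference not found"
            if hashlib.sha256(_c14n(target)).hexdigest() != ref.findtext(f"{{{DSIG}}}DigestValue"):
                return "digest mismatch"
            covered.add(uri)
        if ref_id not in covered:
            return "body not signed"   # a valid signature over something else proves nothing
        body = _find_by_id(root, ref_id)
        if abs(now - int(body.findtext(".//Timestamp"))) > self.max_age:
            return "stale"
        nonce = body.findtext(".//Nonce")
        if nonce in self.seen:
            return "replay"
        self.seen.add(nonce)
        return "ok"
```

In production `now` is `time.time()` and the nonce set must outlive the process (a shared cache keyed for at least `max_age`); because the nonce and timestamp are inside the signed body, an attacker cannot refresh them without invalidating the digest, which is the point of slide 29's "always include dynamic information in signed data".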

  30. Transaction Attack Methods

  31. Transaction Security (diagram) • Sniff • Modify • Spoof • Replay

  32. Authentication & Access Control On the user side: • Authentication validates the identity of the credential owner. • Access control maps an entity to its corresponding attributes (e.g. roles, group membership, etc.) On the resource side: • Describes under what conditions an entity is allowed to access a particular resource. • e.g. user name, group membership, time of day, etc.

  33. Security Assertion Markup Language (SAML) • OASIS Committee Specification • Assertions about authentication • Assertions about attributes • Assertions about authorization decisions • http://www.oasis-open.org/committees/security/

  34. SAML

  35. SAML Bindings and Profiles Binding • SOAP over HTTP Profiles • Browser/Artifact Profile (URL Query) • Browser/POST Profile (Form) • Replaces cookies

  36. SAML Roundup • Web Services Implementation • Session-based Protocol • Basic usage model: Single Sign-on • Useful for existing web and legacy apps

  37. XML Access Control Markup Language (XACML) • Rule • Target, Effect, Condition • Policy Statement • Multi-rule, Target, Obligations • Policy Set Statement • Multi-policy, Target, Obligations

  38. XACML • PAP – Policy Administration Point • PRP – Policy Retrieval Point • PEP – Policy Enforcement Point • PDP – Policy Decision Point • PIP – Policy Information Point

  39. XACML (diagram) • Policy Enforcement Point (PEP) • Policy Decision Point (PDP) • Policy Retrieval Point (PRP) • Policy Information Point (PIP) • Policy Administration Point (PAP)

  40. XACML • PAP – PRP: define policy. (admin action) • PEP – PDP: initial request and final decision. • PDP: Reconciles SAML assertions and XACML policy info. (next-gen firewalls?) • Takes request from PEP, policy from PRP, and attributes from PIP.
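The Rule / Policy / Policy Set structure of slide 37 and the PAP-PRP-PEP-PDP-PIP flow of slides 38-40, as an added Python example that is not from the deck and is not the OASIS XACML wire format: targets and conditions are Python callables instead of XACML XML, the three combining algorithms are the standard deny-overrides, permit-overrides and first-applicable, and the policies, subjects and attribute directory are constructed for this example. The PEP is deny-biased: a PDP answer of NotApplicable (no policy matched) is enforced as a deny.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, object]  # e.g. {"subject": "alice", "resource": "/payments/1", "action": "read", "hour": 10}

class PIP:
    """Policy Information Point: attributes the request itself does not carry.
    The directory is a constructed stand-in for LDAP or a SAML attribute assertion."""
    def __init__(self, directory: Dict[str, Dict[str, object]]):
        self.directory = directory

    def attribute(self, subject: str, name: str):
        return self.directory.get(subject, {}).get(name)

@dataclass
class Rule:
    target: Callable[[Request], bool]                           # which requests the rule applies to
    effect: str                                                 # PERMIT or DENY
    condition: Optional[Callable[[Request, PIP], bool]] = None  # extra predicate, may consult the PIP

    def evaluate(self, req: Request, pip: PIP) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        if self.condition is not None and not self.condition(req, pip):
            return NOT_APPLICABLE
        return self.effect

def combine(algorithm: str, decisions: List[str]) -> str:
    """The three standard rule/policy combining algorithms."""
    if algorithm == "deny-overrides":
        if DENY in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE
    if algorithm == "permit-overrides":
        if PERMIT in decisions:
            return PERMIT
        return DENY if DENY in decisions else NOT_APPLICABLE
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unknown combining algorithm {algorithm}")

@dataclass
class Policy:
    """A Policy holds Rules; a Policy Set holds Policies. Both have a target and a
    combining algorithm, so one class serves for both levels of slide 37."""
    target: Callable[[Request], bool]
    children: list
    algorithm: str = "deny-overrides"

    def evaluate(self, req: Request, pip: PIP) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return combine(self.algorithm, [c.evaluate(req, pip) for c in self.children])

class PDP:
    """Policy Decision Point: policy from the PRP, attributes from the PIP, request from the PEP."""
    def __init__(self, policy_from_prp: Policy, pip: PIP):
        self.policy, self.pip = policy_from_prp, pip

    def decide(self, req: Request) -> str:
        return self.policy.evaluate(req, self.pip)

class PEP:
    """Policy Enforcement Point: only an explicit Permit lets the request through."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def enforce(self, req: Request) -> bool:
        return self.pdp.decide(req) == PERMIT

def build_policy_set() -> Policy:
    """What the PAP would have written to the PRP (constructed for this example)."""
    payments = Policy(
        target=lambda r: str(r["resource"]).startswith("/payments"),
        children=[
            Rule(target=lambda r: r["action"] == "read", effect=PERMIT,
                 condition=lambda r, pip: "finance" in (pip.attribute(r["subject"], "groups") or [])),
            Rule(target=lambda r: True, effect=DENY,
                 condition=lambda r, pip: not 8 <= r["hour"] < 18),  # outside business hours
        ])
    return Policy(target=lambda r: True, children=[payments])

DIRECTORY = {"alice": {"groups": ["finance"]}, "bob": {"groups": ["marketing"]}}
```

With deny-overrides the after-hours Deny rule wins even though the read rule permits, which is the behaviour you want from a default-closed policy; swapping the policy's algorithm to permit-overrides would reverse that outcome for the same request.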

  41. XACML Roundup • Not ready for primetime, but… • Vendors have always had this capability in native apps. • Will standardize ACL models. • Can (potentially) replace native models. • Great for interchange of rules/policies.

  42. SAML - XACML (diagram) • SAML Assertions • XACML

  43. Security “Specifications” (diagram, layered top to bottom) • WS-Secure Conversation | WS-Federation | WS-Authorization • WS-Policy | WS-Trust | WS-Privacy • WS-Security • SOAP Foundation

  44. WS-Security • Message Integrity • Message Confidentiality • Message Authentication • Associated Security Tokens • Encoded Binary Security Tokens

  45. Follow-on Specs • WS-Policy: How senders and receivers specify capabilities and requirements. • WS-Trust: Establish direct and brokered trust. • WS-Privacy: State privacy policies and adhere to them. • WS-Secure Conversation: How to establish keys. • WS-Federation: How to link trust models. • WS-Authorization: How access policies are specified and managed.

  46. Agenda • Web Services Threat Profile • Top Ten Attacks • Note: These are primarily THEORETICAL attacks! • Defending Against the Top Ten Attacks • Conclusions

  47. 1. XML Encapsulation • Attacks legacy bolt-on XML processors. • External operation of normally local functions. • Uses “CDATA” feature in XML to “tunnel” through to app.

  48. XML Encapsulation Example (the CDATA section carries script that is handed to the XSL processor)
      <?xml version="1.0"?>
      <?xml-stylesheet type="text/xsl" href="#?m$ux" ?>
      <xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
        <xsl:script><![CDATA[
          x=new ActiveXObject("WScript.Shell");
          x.Run("%systemroot%\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
        ]]></xsl:script>
        <msux>msuxwritten by georgi guninski</msux>
      </xsl:stylesheet>
      Source: http://www.guninski.com/ex$el2.html

  49. 2. Coercive Parsing • Attacks legacy bolt-on XML processors. • Attacks old targets in new ways. • External operation of normally local functions. • Instead of using CDATA, uses XML parsing capability.

  50. 3. Recursive Elements • Use XML within a document to reference another point in the document. • Infinite loop
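A parser hardened against the three attacks above (slides 47 to 50), as an added Python example that is not from the deck. It drives the standard library's expat parser and refuses the document at the first DOCTYPE (so no internal entity can expand recursively and no external entity can be fetched), at any processing instruction (such as the <?xml-stylesheet?> that hands the slide 48 document to an XSL engine), and when element nesting passes a fixed depth. The limits, the `RejectedXML` exception and the sample documents are constructed for this example.

```python
import xml.parsers.expat as expat

class RejectedXML(Exception):
    """Raised when input trips one of the limits below."""

def parse_restricted(data: bytes, max_depth: int = 32, max_size: int = 1_000_000) -> list:
    """Parse untrusted XML with a DTD-free, PI-free, depth-limited expat parser.
    Returns the element names seen, in document order."""
    if len(data) > max_size:
        raise RejectedXML("document too large")
    parser = expat.ParserCreate()
    seen, depth = [], 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD at all: no internal entities (recursive expansion), no external
        # entities (local file or URI fetch), no parameter entities.
        raise RejectedXML("DOCTYPE not allowed")

    def external_entity(context, base, system_id, public_id):
        raise RejectedXML("external entity not allowed")

    def processing_instruction(target, value):
        # e.g. <?xml-stylesheet ...?> handing the document to an XSLT engine
        raise RejectedXML(f"processing instruction <?{target}?> not allowed")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise RejectedXML(f"nesting deeper than {max_depth}")
        seen.append(name)

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.ProcessingInstructionHandler = processing_instruction
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)   # exceptions raised inside handlers propagate out of Parse
    return seen

def classify(data: bytes) -> str:
    """Single-string verdict, convenient for logging and for the checks below."""
    try:
        return "ok:" + ",".join(parse_restricted(data))
    except RejectedXML as exc:
        return "rejected:" + str(exc)
    except expat.ExpatError as exc:
        return "malformed:" + str(exc)

# Constructed sample documents.
BENIGN = b"<order><item>widget</item><qty>2</qty></order>"
ENTITY_BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
               b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
               b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
               b']><lolz>&lol3;</lolz>')
DEEP_NESTING = b"<a>" * 10_000 + b"</a>" * 10_000
STYLESHEET_PI = b'<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="#x"?><doc/>'
EXTERNAL_ENTITY = b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]><d>&x;</d>'
```

A CDATA section is only text to this parser, so it is not rejected here; the slide 47 payload becomes dangerous only when a downstream component (an XSL engine with script extensions, an eval) executes what the CDATA carries, which is why the processing instruction that routes the document to such a component is refused instead.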
