logging in or signing up OWASP AppSec2006Seattle Web Services Security Barbara Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 525 Category: Product Traini.. License: All Rights Reserved Like it (0) Dislike it (0) Added: August 30, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Advanced Web Services Security & Hacking: Advanced Web Services Security andamp; Hacking Justin Derry, OWASP Brisbane Chapter Leader Practice Leader, b-sec Consulting jderry@b-sec.com +61 411 411 881 Presentation Agenda: Presentation Agenda Web Services andamp; Technology What is a Web Service Where are they commonly used andamp; why Are you Exposing yourself (Willingly/Unwillingly?) What’s happening right now. An Attackers Toolkit Known common attacks against XML XML Interceptor Toolkit Case Studies (XML Web Service andamp; WS-Security Web Service) Web Services Security WS-Security Web Services Appliances (What they can/can’t do) Common Mistakes and pitfalls What is a Web Service?: What is a Web Service? Many things could be called a Web Service. For this presentation we are talking about… 'A Web Service is a system designed to support interoperable communication from machine to machine over a network. It includes an interface described in a machine-processable format (WSDL), and is typically conveyed using HTTP with XML serialization.' www.w3.org/TR/ws-gloss XML Web Service Communication: XML Web Service Communication Typical Web Service Communication Packet Common Application Uses: Common Application Uses Public Web Applications AJAX (maps.google.com, mp3act.net) Application API’s Google, Yahoo, Ebay, Flickr, Amazon, IMDB, etc. Internet Payment Hubs (Most major banks use XML Web Services for Credit Card Processing, or similar XML Technology) Business B2B Communication Gateways Extends the business outside their internal network Communicate easily with third parties (trusted or un-trusted) Are you exposing yourself?: Are you exposing yourself? Vendor Applications In-house applications that share data with partners Developers writing a tool to solve a problem without business awareness New Technologies (AJAX, Web 2.0, Google) Maybe not called a Web Service but has similar characteristics to an XML Web Service Known Common Web Service Attacks: Known Common Web Service Attacks Parsing Exploits SAX/DOM Known Common Exploits on Vendor Frameworks Custom parsers that are poorly written XML Injection (Passed into XML Stream) XPath Injection Attacks XML Manipulation (i.e. CDATA Manipulation etc.) WSDL Discovery and Manipulation with schemas DoS attacks against Web Services Typical HTTP/S Style Header Injection attacks Common Application Attacks (SQL Injection etc.) Vulnerability Breakdown (Real-world): Vulnerability Breakdown (Real-world) source: b-sec Application Reviews 2005-2006 Increasing Attacks & Web Services: Increasing Attacks andamp; Web Services Increasing use of Web Service technology Vendors are using to rapidly deploy applications and services Research into exploits is increasing It’s a 'Cool andamp; New' technology we should use it 'Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer' (Gartner Group) XML Interceptor Toolkit (1.0): XML Interceptor Toolkit (1.0) Windows Forms .NET Toolkit (vb.net 2.0) Developed in Australia Currently in initial release for OWASP Seattle 06 Work in Progress – Do you want to get involved? Web Interceptor Features: Web Interceptor Features Currently in initial release for OWASP Seattle 06 Supports XML TCP Capture as Proxy (initial) Allows replay/manipulation of XML POST requests Easy interface to inject and force header changes Support for some automated attacks Saving and recording of attack history Perform most XML related attacks through the tool Includes basic security functions (Base64/MD5/SHA) Support for SSL to be available shortly (Oct/Nov) Support for HTTP/S Injection and Proxy tool as well (Oct/Nov) Web Interceptor – Demo & Download: Web Interceptor – Demo andamp; Download Demo initial features available in Release 1.0 of Interceptor Toolkit (XML Interception andamp; Replay) Download available at www.intratools.net/owasp Case Study (XML Web Service): Case Study (XML Web Service) Windows Forms .NET Client (Demo shows interface) Remotely deployed to Call Center/Support Connected over Public Internet to Application Basic XML Web Services used (.NET Framework without WS-* or additional controls) Exploiting a Web Service through XML: Exploiting a Web Service through XML Performing SQL Injection attacks using an XML message and the Interceptor Toolkit. How to use CDATA in XML Fields to pass Cross Site Scripting.. How we did it (Web Interceptor Example) Case Study Risks Identified: Case Study Risks Identified Assumed No Interface – No Attacks No Data Validation (most OWASP Top Ten Missing) Serious SQL Injection andamp; XSS Flaws Passed through XML to Web Interface XML Not encrypted (Replay/Data Interception) Returned Error Messages in XML Case Study (WS-Security Enabled Service): Case Study (WS-Security Enabled Service) Financial Institution (i.e. Bank) Transactional Gateway Solution for their clients Credit Card Processing/Account Processing Significant risks with exposing transactional data Implemented a WS-Security Gateway Case Study 2 (Where did it all go wrong!): Case Study 2 (Where did it all go wrong!) Assumed WS-Security Protects 100% Messages not sent over SSL (Sniffing/Replay) XML Gateway Appliance misconfigured Sensitive data was passed in clear text API Toolkit was basic and had no security Assumed XML Gateway was doing it’s job Assumed end user’s knew what they were doing What is WS-Security?: What is WS-Security? Provides a core standard framework and schema for XML messaging security Implements the following capabilities for XML Authentication Confidentiality Integrity WS-Security Messages: WS-Security Messages Implementing WS-Security Securely: Implementing WS-Security Securely Ensure you are using Standard 1.1 (latest) Implement an Authentication Token (either UsernameToken, BinaryToken, etc.) Provide a Digital Hash of the Message (integrity) Use Message encryption if passing sensitive data Implement SSL technology to ensure messages cannot be captured and replayed Use a WS-* Gateway to inspect and verify messages received prior to receiving them on the Web Service Endpoint Web Service Appliance/Gateways: Web Service Appliance/Gateways Market Space is Growing in size (Rapidly) Vendor solutions provides assistance to the problem and are not a complete solution Use all the features not just the simple things WS-Security Authentication Validation Schema Validation Search for known common exploits in strings (i.e. SQL Injection, XSS Attacks, etc.) Specify trusted hosts (IP Addresses or Agent Types) andamp; Restrict Other Standards XML (WS-*): Other Standards XML (WS-*) Oasis-Open Working groups releasing other standards for XML Web Services Common Mistakes: Common Mistakes Assumption that WS-Security solves everything Assumption (No Interface means no attacks – service is hidden) Belief in vendors without performing testing Supply insecure API to remote users Forget to disable WSDL publishing of service Web Service has minimal or no application security controls (i.e. OWASP Top Ten) OWASP Top Ten & Web Services: OWASP Top Ten andamp; Web Services (1) Data Validation = Validate Everything (2) Access Control = Implement Authentication (WS-Security) (3) Authentication/Session Management = Replay attacks in XML (4) Cross Site Scripting = (See – 1, Integration with applications) (5) Buffer Overflow = Watch for this, validate and address in code (6) Injection Flaws = Watch for this, validate and address in code (7) Error Handling = Don’t return detailed error messages (8) Insecure Storage = Watch for this, store appropriately (9) Denial of Service = Detect andamp; Alert, similar to web application (10) Insecure Configuration Management = Similar to web application (Avoid WSDL Publishing etc unless necessary) Summary: Summary Implement WS-Security (C,I,A) Implement OWASP Guidelines for Applications Identify andamp; Test Vendor Applications Don’t rely 100% on XML security gateways to provide all the security Disable WSDL Publishing if you don’t need it Questions?: Questions? Justin Derry Application Security Practice Leader B-sec Consulting Pty Ltd (Australia) +61 411 411 881 Email: jderry@b-sec.com You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
OWASP AppSec2006Seattle Web Services Security Barbara Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 525 Category: Product Traini.. License: All Rights Reserved Like it (0) Dislike it (0) Added: August 30, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Advanced Web Services Security & Hacking: Advanced Web Services Security andamp; Hacking Justin Derry, OWASP Brisbane Chapter Leader Practice Leader, b-sec Consulting jderry@b-sec.com +61 411 411 881 Presentation Agenda: Presentation Agenda Web Services andamp; Technology What is a Web Service Where are they commonly used andamp; why Are you Exposing yourself (Willingly/Unwillingly?) What’s happening right now. An Attackers Toolkit Known common attacks against XML XML Interceptor Toolkit Case Studies (XML Web Service andamp; WS-Security Web Service) Web Services Security WS-Security Web Services Appliances (What they can/can’t do) Common Mistakes and pitfalls What is a Web Service?: What is a Web Service? Many things could be called a Web Service. For this presentation we are talking about… 'A Web Service is a system designed to support interoperable communication from machine to machine over a network. It includes an interface described in a machine-processable format (WSDL), and is typically conveyed using HTTP with XML serialization.' www.w3.org/TR/ws-gloss XML Web Service Communication: XML Web Service Communication Typical Web Service Communication Packet Common Application Uses: Common Application Uses Public Web Applications AJAX (maps.google.com, mp3act.net) Application API’s Google, Yahoo, Ebay, Flickr, Amazon, IMDB, etc. Internet Payment Hubs (Most major banks use XML Web Services for Credit Card Processing, or similar XML Technology) Business B2B Communication Gateways Extends the business outside their internal network Communicate easily with third parties (trusted or un-trusted) Are you exposing yourself?: Are you exposing yourself? Vendor Applications In-house applications that share data with partners Developers writing a tool to solve a problem without business awareness New Technologies (AJAX, Web 2.0, Google) Maybe not called a Web Service but has similar characteristics to an XML Web Service Known Common Web Service Attacks: Known Common Web Service Attacks Parsing Exploits SAX/DOM Known Common Exploits on Vendor Frameworks Custom parsers that are poorly written XML Injection (Passed into XML Stream) XPath Injection Attacks XML Manipulation (i.e. CDATA Manipulation etc.) WSDL Discovery and Manipulation with schemas DoS attacks against Web Services Typical HTTP/S Style Header Injection attacks Common Application Attacks (SQL Injection etc.) Vulnerability Breakdown (Real-world): Vulnerability Breakdown (Real-world) source: b-sec Application Reviews 2005-2006 Increasing Attacks & Web Services: Increasing Attacks andamp; Web Services Increasing use of Web Service technology Vendors are using to rapidly deploy applications and services Research into exploits is increasing It’s a 'Cool andamp; New' technology we should use it 'Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer' (Gartner Group) XML Interceptor Toolkit (1.0): XML Interceptor Toolkit (1.0) Windows Forms .NET Toolkit (vb.net 2.0) Developed in Australia Currently in initial release for OWASP Seattle 06 Work in Progress – Do you want to get involved? Web Interceptor Features: Web Interceptor Features Currently in initial release for OWASP Seattle 06 Supports XML TCP Capture as Proxy (initial) Allows replay/manipulation of XML POST requests Easy interface to inject and force header changes Support for some automated attacks Saving and recording of attack history Perform most XML related attacks through the tool Includes basic security functions (Base64/MD5/SHA) Support for SSL to be available shortly (Oct/Nov) Support for HTTP/S Injection and Proxy tool as well (Oct/Nov) Web Interceptor – Demo & Download: Web Interceptor – Demo andamp; Download Demo initial features available in Release 1.0 of Interceptor Toolkit (XML Interception andamp; Replay) Download available at www.intratools.net/owasp Case Study (XML Web Service): Case Study (XML Web Service) Windows Forms .NET Client (Demo shows interface) Remotely deployed to Call Center/Support Connected over Public Internet to Application Basic XML Web Services used (.NET Framework without WS-* or additional controls) Exploiting a Web Service through XML: Exploiting a Web Service through XML Performing SQL Injection attacks using an XML message and the Interceptor Toolkit. How to use CDATA in XML Fields to pass Cross Site Scripting.. How we did it (Web Interceptor Example) Case Study Risks Identified: Case Study Risks Identified Assumed No Interface – No Attacks No Data Validation (most OWASP Top Ten Missing) Serious SQL Injection andamp; XSS Flaws Passed through XML to Web Interface XML Not encrypted (Replay/Data Interception) Returned Error Messages in XML Case Study (WS-Security Enabled Service): Case Study (WS-Security Enabled Service) Financial Institution (i.e. Bank) Transactional Gateway Solution for their clients Credit Card Processing/Account Processing Significant risks with exposing transactional data Implemented a WS-Security Gateway Case Study 2 (Where did it all go wrong!): Case Study 2 (Where did it all go wrong!) Assumed WS-Security Protects 100% Messages not sent over SSL (Sniffing/Replay) XML Gateway Appliance misconfigured Sensitive data was passed in clear text API Toolkit was basic and had no security Assumed XML Gateway was doing it’s job Assumed end user’s knew what they were doing What is WS-Security?: What is WS-Security? Provides a core standard framework and schema for XML messaging security Implements the following capabilities for XML Authentication Confidentiality Integrity WS-Security Messages: WS-Security Messages Implementing WS-Security Securely: Implementing WS-Security Securely Ensure you are using Standard 1.1 (latest) Implement an Authentication Token (either UsernameToken, BinaryToken, etc.) Provide a Digital Hash of the Message (integrity) Use Message encryption if passing sensitive data Implement SSL technology to ensure messages cannot be captured and replayed Use a WS-* Gateway to inspect and verify messages received prior to receiving them on the Web Service Endpoint Web Service Appliance/Gateways: Web Service Appliance/Gateways Market Space is Growing in size (Rapidly) Vendor solutions provides assistance to the problem and are not a complete solution Use all the features not just the simple things WS-Security Authentication Validation Schema Validation Search for known common exploits in strings (i.e. SQL Injection, XSS Attacks, etc.) Specify trusted hosts (IP Addresses or Agent Types) andamp; Restrict Other Standards XML (WS-*): Other Standards XML (WS-*) Oasis-Open Working groups releasing other standards for XML Web Services Common Mistakes: Common Mistakes Assumption that WS-Security solves everything Assumption (No Interface means no attacks – service is hidden) Belief in vendors without performing testing Supply insecure API to remote users Forget to disable WSDL publishing of service Web Service has minimal or no application security controls (i.e. OWASP Top Ten) OWASP Top Ten & Web Services: OWASP Top Ten andamp; Web Services (1) Data Validation = Validate Everything (2) Access Control = Implement Authentication (WS-Security) (3) Authentication/Session Management = Replay attacks in XML (4) Cross Site Scripting = (See – 1, Integration with applications) (5) Buffer Overflow = Watch for this, validate and address in code (6) Injection Flaws = Watch for this, validate and address in code (7) Error Handling = Don’t return detailed error messages (8) Insecure Storage = Watch for this, store appropriately (9) Denial of Service = Detect andamp; Alert, similar to web application (10) Insecure Configuration Management = Similar to web application (Avoid WSDL Publishing etc unless necessary) Summary: Summary Implement WS-Security (C,I,A) Implement OWASP Guidelines for Applications Identify andamp; Test Vendor Applications Don’t rely 100% on XML security gateways to provide all the security Disable WSDL Publishing if you don’t need it Questions?: Questions? Justin Derry Application Security Practice Leader B-sec Consulting Pty Ltd (Australia) +61 411 411 881 Email: jderry@b-sec.com