Layer 7 Technologies: Web Services Hacking And Hardening
•
8 likes•2,940 views
Adam Vincent, Layer 7 Federal Technical Director looks at concepts and tools used for Web services security
![Presenter Bio and Honorable Mention ,[object Object],© Adam Vincent - Layer 7 Technologies Some of the concepts portrayed in this presentation were based on the book “Hacking Web Services” by Shreeraj Shah. This is the first book of its kind in my opinion and portrayed the topic of Web Services Hacking in a concise and correct fashion.](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Viewers also liked
Viewers also liked (20)
Similar to Layer 7 Technologies: Web Services Hacking And Hardening
Similar to Layer 7 Technologies: Web Services Hacking And Hardening (20)
More from CA API Management
More from CA API Management (20)
Recently uploaded
Recently uploaded (20)
Layer 7 Technologies: Web Services Hacking And Hardening
- 1. Web Services Hacking and Hardening Adam Vincent, CTO – Public Sector Layer 7 Technologies October 15, 2008
- 5. Web Services Stack © Adam Vincent - Layer 7 Technologies Presentation Layer XML, AJAX, Portal, Other Security Layer WS-Security Discovery Layer UDDI, WSDL Access Layer SOAP, REST Transport HTTP, HTTPS, JMS, Other
- 6. Web Service Provider or Server-Side © Adam Vincent - Layer 7 Technologies Web Application Server Web Server (HTTP/HTTPS) Plug-In Internal/External Resource SOAP
- 7. Web Services Consumer or Client-Side © Adam Vincent - Layer 7 Technologies Application Web Service Consumer Design-Time Web Service Provider #1 Web Service Provider #2 WSDL WSDL Web Service Consumer Application Web Service Consumer Run-Time Web Service Provider #1 Web Service Provider #2 Web Service Consumer HTTP(S) HTTP(S) SOAP SOAP
- 8. Common Web Services Usage © Adam Vincent - Layer 7 Technologies Portal Server Web Service Provider #1 Web Service Provider #2 SQL DB Mainframe Application Browser Client Browser Client HTTP Get/Post SOAP ODBC Unknown Web Service Consumer SOAP
- 9. Web Service Threats © Adam Vincent - Layer 7 Technologies Transport Parsing Deployment Service Code
- 20. Step 1: Learning, Examining a Web Service © Adam Vincent - Layer 7 Technologies Three operations available: withdrawl, deposit, and get_balance Where the service resides
- 21. Step 1: Learning, Examining a Web Service (cont) © Adam Vincent - Layer 7 Technologies Operation parameters for withdrawl operation
- 22. Step 1: Learning (Attempting to Obtain Errors) © Adam Vincent - Layer 7 Technologies
- 23. Step 1: Learning (Attempting to Obtain Errors) © Adam Vincent - Layer 7 Technologies Bank Service Hello Bank Service You must use me like this! Bank Service Ok…Hello Bank Service You must use me like this! You would continue this process while looking for areas to exploit, there are automated tools that do this for you
- 26. Step 3: Launch the Attack © Adam Vincent - Layer 7 Technologies Bank Service Withdrawl $1,000,000 from some account, and put in your account Withdrawl/deposit Accomplished Launch XDOS (exploit XDOS vulnerability) Security Not Working Bank Service XML Fuzzer 100% CPU
- 27. Step 4: Clean Up After Yourself © Adam Vincent - Layer 7 Technologies 1.) Go to the Bank 2.) Leave the Country…Fast A real hacker would be able to do some things to cover their tracks. This is what I would do!
- 28. Web Services Hardening © Adam Vincent - Layer 7 Technologies Transport Parsing Deployment Service Code Confidentiality, Integrity Enforcement XML Structure Threat Detection Secure Deployment Input Validation, Virus Detection, Access Control
- 30. XML Structure Threat Detection © Adam Vincent - Layer 7 Technologies Message Size < 1MB Yes No Element Nesting < 10 Levels Error, Audit Yes No Error, Audit Attribute Size, Element Size < 1000 No Yes Error Virus
Editor's Notes
- Presentation Layer: The presentation layer provides meaning to Web Services in many different ways. This meaning can be portrayed to an APPLICATION as an XML message/document. It can be presented to a human being in the form of a rich internet application (AJAX, Portal) or though many other presentation technologies available. The bottom line is that Web Services are designed for machine to machine communication but human interfaces are being used and as such you must understand these ramifications. Security Layer: Web Services Security is an important part of the web services stack although web service security is only a single component of enabling adequate web services security. Essentially WS Security provides security to information portrayed within the XML data structure Discovery: UDDI is a currently accepted method to publish and find web services. WSDL contains information about web services (Location, Description) and is commonly referred to within a UDDI. Access Layer: Common structure for accessing web services. (Described within WSDL, and universally accepted) Transport Layer: Common web transports relied on by web services (HTTP/HTTPS and JMS are described within WSDL although no one standard exists for JMS).
- The diagram above depicts the Server Side architecture generally found in a Web Services Provider. The incoming transactions in this case are SOAP over some transport protocol. Its important to mention that the application server can have plug-ins where these plug-ins communicate with one or more internal or external resources. These resources can be Web Services and result in the plug-in being a consumer or the resource can be a SQL data source, or some non-web service oriented information repository.
- Design-time and Run-time are differentiated by the requirement of finding services. In a design time operation an application developer will find the services that she was like to use through UDDI or some other mechanism. Once found the developer will consume the WSDL for the service to create a binding between their developed application and the web service. Run-time operations will commence and be entirely based on SOAP. In some cases clients will still interact with UDDI/WSDL to verify some information about the service. For example the UDDI/WSDL could be queried to determine if the service location has changed. Run-time hacking is where this presentation will primarily focus although development time resources like UDDI and WSDL will be necessary tools of the trade.
- One common way of leveraging services is through a portal interface. The portal is responsible for creating the human presentation layer for a Service Oriented Architecture or one or more web services. Humans interact with the Portal Server using a browser client and the portal interacts with Web Services on their behalf. In some cases the web services interact further with back-end resources.
- I’ve broken down web service threats into the following 4 basic bins for better understanding. The bins are basically based on the threat framework proposed by Shreeraj Shaw in the book titled “Hacking Web Services”. Transport: Transport layer threats involve the confidentiality and integrity of the data as well as concerns associated with erroneous routing and replay attacks. Denial of service is always an issue at the transport layer is no different when using web services. Parsing: Essentially this layer of threats is based on the idea of overwhelming the underlying XML parser. This is by far the easiest form of attack on XML application and has resulted in security vendors offering XDOS offerings to their products. Question: have you even opened a large recursive XML document in IE. If so you know that it essentially brings your machine to a stand still. Deployment: This is a really interesting area as it is greatly misunderstood. Web Services and their respective type of technology do many things automatically and are unknown to the application develop. For example many application servers will automatically return verbose error messages to clients as well as host WSDL documents describing their corresponding services for everyone to see. Openly available service descriptions, verbose error messages (potentially from the backend itself) and automated deployment are responsible for a majority of the threats associated with Web Services.