Date post: 17-Jun-2020
Techniques in Attacking and Defending XML/Web Services. Jason Macy, CTO, Forum Systems (jmacy@forumsys.com). The OWASP Foundation, AppSec DC, http://www.owasp.org

Page 1:

The OWASP Foundation

AppSec DC

http://www.owasp.org

Techniques in Attacking and Defending XML/Web Services

Jason Macy, CTO, Forum Systems, jmacy@forumsys.com

Page 2:

Agenda

1. Introduction to XML/Web Services Threats

2. Techniques for Defending XML Threats

3. XML Attack Examples and Classification
• SQL Injection
• Denial of Service
• XSD Mutation

4. Review Attack Examples by:
• Attack Definition: Scenario Setup
• Attack Vectors: Building Penetration Tests
• Post-Attack Analysis: XML Vulnerability Detection
• Countermeasures: XML Gateway

Page 3:

Introduction to XML Threats

Vectors: SOAP, XML, REST, from 1..N source IPs

Threats: SQL Injection, XSD Mutation, Virus, Malware, Identity Discovery, Denial of Service

Explicit Attacks
• Forced Disruption: Bring Down or Limit Enterprise Service Availability
• Information Theft: Gain Access to Enterprise Resources
• Vendor Discovery: Expose Known Traditional Attacks

Implicit Vulnerability
• Perimeter Breach: Embedded Virus, Malware
• Infrastructure Malfunction: Parser and Data Processing Failures

Page 4:

New Attack Vectors

• Protocol Firewalls are Blind to XML
• Malware and Virus delivered via SOAP Attachments
• WSDL Exposes Schema and Message Structure
• Injection Attacks Exposed via XML Parameters
• Data Replay Attacks

(Diagram: Client sends SOAP/XML to the Web Service, which answers in SOAP/XML)

Page 5:

Security Testing - Base Requirements

• Security Framework: Sign, Encrypt, Decrypt, SSL
• Identity Framework: Basic Auth, SSL Auth, WS-Security Token Auth
• Parameter Injection: Database or File Driven; Permutations for Security, Identity, and SOAP/XML
• Concurrent Client Simultaneous Loading: Denial of Service Testing
• SOAP with Attachments: Malware and Virus testing
• Dynamic XSD Mutation: Derive SOAP Vulnerability profile from WSDL Schema

Page 6:

XML Security Gateway - Base Requirements

Transaction Privacy
• Encryption, Decryption, SSL

Transaction Integrity
• Digital Signature, Signature Verification, Schema Validation

Transaction Accountability
• Archiving, Logging, Reporting, and Monitoring

Transaction Threat Mitigation
• Intrusion Detection and Prevention
• Rate-based rules, Size-based rules, AntiVirus detection, Pattern recognition
• Structural integrity, Protocol adherence, Authorization Attempts

Certified PKI Infrastructure (DoD PKI)
• X.509 Path Validation
• Sign/Verify, SSL Initiation, SSL Termination

Certified Security Architecture (FIPS)
• Key Management and Storage
• Physical Device Security

Page 7:

XML Attack Examples and Classification

1. SQL Injection Attack
• Classification: Injection, Data Excavation

2. Denial of Service Attack
• Classification: Resource Depletion

3. XSD Mutation Attack
• Classification: Data Structure Attacks, Resource Manipulation

CAPEC: Common Attack Pattern Enumeration and Classification (National Cyber Crime Division of DHS)

http://capec.mitre.org
http://nvd.nist.gov/

Page 8:

XML Web Services Based SQL Injection Attack

Page 9:

SQL Injection - Unsecured

How to Attack
• Construct SQL Escape Sequences
• Construct SQL 1=1 Query
• Inject into XML Node values

Discovered Exposure
• Sensitive Data Loss
• Database Corruption

(Diagram: Client sends directly to the Web Service stack of Apache, PHP, NuSOAP and MySQL)

Page 10:

SQL Injection

1. What is it?
• SQL injection is a technique that exploits a vulnerability in the database layer of an application.
• The application incorrectly filters string-literal escape characters embedded in SQL statements.

2. Example:
• Good (the PHP query template): 'select * from accounts where username="' . $username . '" AND password="' . $password . '"';
• Evil (the resulting query): select * from accounts where username="" or 1=1 #" AND password="";

3. Attack Vector:
• Old: User input from a browser-based application
• New: XML Web Services – WSDL defined Interface

Page 11:

Component Details – MySQL Database

• Test MySQL Database
• phpMyAdmin UI
• Accounts Table Data

Page 12:

Component Details – PHP Application

1. Function: getAccounts()
2. Connect to Database
3. Construct SQL Query: Great Vulnerability Point
4. Execute Query
5. Parse Query Results
6. Register function as a Web Service
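As an added example (not the deck's PHP code), the getAccounts() flow above in Python against an in-memory SQLite table: the string-built query from step 3 beside a parameterized form. The table rows and the service names are constructed; single quotes are used because SQLite treats double-quoted strings as identifiers, and MySQL's "#" comment is written as SQLite's "--".

```python
import sqlite3

# Constructed stand-in for the deck's MySQL "accounts" table (three rows, not the deck's 34).
ACCOUNTS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]


def make_db() -> sqlite3.Connection:
    """Step 2 of the slide: connect to the database (here an in-memory SQLite copy)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return db


def get_accounts_unsafe(db, username: str, password: str) -> list:
    """Step 3 as the deck shows it: the SQL text is built by concatenating the SOAP
    parameters, so a quote inside a parameter changes the structure of the query."""
    sql = ("select * from accounts where username='" + username
           + "' AND password='" + password + "'")
    return db.execute(sql).fetchall()


def get_accounts_safe(db, username: str, password: str) -> list:
    """Hardened step 3: placeholders bind the parameters as data, so the same input
    can only ever be compared against the column, never parsed as SQL."""
    sql = "select * from accounts where username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The deck's "1=1" username value, with the comment marker in SQLite syntax.
    tautology = "' or 1=1 --"
    print(len(get_accounts_unsafe(db, tautology, "x")), "rows leak from the unsafe query")
    print(len(get_accounts_safe(db, tautology, "x")), "rows from the parameterized query")
```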

Page 13:

SQL Injection over SOAP Message – Unsecured

• SQL Injection over XML/SOAP
• Full Table Returned in SOAP Response: 34 Records
• Pointed to Service Endpoint
• Advertises use of PHP

Page 14:

SQL Injection - XML Gateway Secured

• Inbound Pattern Detection
• Prevent Outbound Leaks

How to Defend
• Deploy XML Gateway
• Enable Pattern Scanning IDP Rules
• Configure Response Message Size and Complexity Limits

Advantages
• Prevent Data Loss
• Alert and Quarantine Attempted Breaches

(Diagram: Client sends to the XML Gateway, which fronts the Apache, PHP, NuSOAP and MySQL stack)
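The two gateway rules above, inbound pattern scanning of XML node values and an outbound size/complexity limit, as an added example in Python (not Sentry's policy engine). The patterns, limits and the sample getAccounts traffic are all constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed detection rules in the spirit of the deck's pre-built SQL injection patterns:
# a quote followed by a boolean tautology, a trailing comment marker, a stacked statement.
SQL_PATTERNS = {
    "tautology": re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+""", re.I),
    "comment": re.compile(r"(--|#)\s*$|/\*"),
    "stacked": re.compile(r";\s*(drop|delete|update|insert|union|select)\b", re.I),
}
MAX_RESPONSE_BYTES = 64 * 1024   # assumed outbound size limit configured on the gateway
MAX_RESPONSE_RECORDS = 10        # assumed cap on repeated result elements per response


def local_name(tag: str) -> str:
    """Strip the namespace from an ElementTree tag such as '{uri}username'."""
    return tag.rsplit("}", 1)[-1]


def scan_request(soap_xml: str) -> list:
    """Inbound rule: check every text value in the message; return (element, rule) hits."""
    hits = []
    for elem in ET.fromstring(soap_xml).iter():
        text = (elem.text or "").strip()
        for rule, pattern in SQL_PATTERNS.items():
            if text and pattern.search(text):
                hits.append((local_name(elem.tag), rule))
                break
    return hits


def check_response(soap_xml: str, record_tag: str) -> str:
    """Outbound rule: 'size' or 'records' when a limit is exceeded, otherwise 'pass'."""
    if len(soap_xml.encode("utf-8")) > MAX_RESPONSE_BYTES:
        return "size"
    records = sum(1 for e in ET.fromstring(soap_xml).iter() if local_name(e.tag) == record_tag)
    return "records" if records > MAX_RESPONSE_RECORDS else "pass"


# Constructed sample traffic for the deck's getAccounts service.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><getAccounts><username>" or 1=1 #</username><password>x</password></getAccounts>
</soap:Body></soap:Envelope>"""


def make_response(rows: int) -> str:
    """Constructed getAccounts response carrying `rows` account records."""
    body = "".join(f"<account><username>u{i}</username></account>" for i in range(rows))
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f"<getAccountsResponse>{body}</getAccountsResponse></soap:Body></soap:Envelope>")
```

With these limits a full-table response of 34 records, as on the unsecured slide, is stopped by the record cap even though it is far below the byte limit.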

Page 15:

SQL Injection over XML/SOAP – Sentry Protection Policy

• Pre-built Pattern Matching for SQL Injection Detection
• Extensible for Business Specific Requirements

Page 16:

SQL Injection over SOAP Message – Secured

• SQL Injection over XML/SOAP
• SOAP Request Stopped by XML Gateway
• Pointed through XML Gateway
• Endpoint Technology Obfuscated

Page 17:

XML Web Services Based Denial of Service Attack

Page 18:

Denial of Service - Unsecured

How to Attack
• Loading Client with Concurrent Simultaneous Threads
• Coercive Parsing Attack

Discovered Exposure
• Unlimited message flow
• Unfair Service SLA distribution
• Back-end CPU and I/O Saturation

(Diagram: Client sends directly to the Web Service)

Page 19:

Denial of Service – Unsecured

• Capable of ~700 TPS
• No restrictions on Client
• Multiply Service running on IIS

Page 20:

Denial of Service - XML Gateway Secured

• Enforce Transaction Rate

How to Defend
• Deploy XML Gateway
• Set Allowed Transaction Rates (Group, User, or IP)

Advantages
• Message Flow Limited to Specified Rate
• Service Throughput Fairly Distributed
• Back-end mitigated from CPU and I/O Saturation

(Diagram: Client sends to the XML Gateway, which forwards to the Web Service)

Page 21:

Denial of Service – Sentry Protection Rule

• 20 TPS Restriction Policy
• Granular Enforceability
• Configure Action
• Custom Message

Page 22:

Denial of Service – Sentry Protection Action

• Action: Abort Processing
• Additional Options: Throttle, Block
• Stealth Mode to suppress data leaks via responses
• Prevent log flooding
• Quarantine Messages for further analysis

Page 23:

Denial of Service – Secured

• Request: Multiply a x b sent through XML Gateway
• 20 TPS Restriction triggered
• Client cannot invoke a DoS
• ~680 TPS service capacity remains
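The transaction-rate rule of slides 20 to 23 as an added example in Python (not Sentry's implementation): a per-key sliding window with the abort/throttle/block actions and a stealth-mode message, replayed against the deck's scenario of one client bursting ~700 requests against a 20 TPS limit. The client keys and the burst are constructed.

```python
import time
from collections import defaultdict, deque


class TransactionRateRule:
    """Sliding one-second window per key (IP, user or group), with the deck's three actions."""

    def __init__(self, max_tps: int = 20, action: str = "abort"):
        self.max_tps = max_tps
        self.action = action                # "abort", "throttle" or "block"
        self.windows = defaultdict(deque)   # key -> timestamps of allowed requests
        self.blocked = set()                # keys put in the penalty box by "block"

    def decide(self, key: str, now: float = None) -> str:
        """Return 'allow' or the configured action for one request from `key`."""
        now = time.monotonic() if now is None else now
        if key in self.blocked:
            return "block"
        window = self.windows[key]
        while window and now - window[0] >= 1.0:   # drop requests older than one second
            window.popleft()
        if len(window) < self.max_tps:
            window.append(now)
            return "allow"
        if self.action == "block":
            self.blocked.add(key)               # block: every later request is refused
        return self.action


def fault_text(decision: str, stealth: bool = True) -> str:
    """Client-facing message; stealth mode hides which rule and limit fired."""
    if decision == "allow":
        return ""
    return "Request rejected" if stealth else f"Transaction rate exceeded, action={decision}"


def simulate_burst(rule: TransactionRateRule, key: str, requests: int, now: float) -> dict:
    """Replay `requests` calls from one client in the same instant and tally the decisions."""
    tally = defaultdict(int)
    for _ in range(requests):
        tally[rule.decide(key, now)] += 1
    return dict(tally)


if __name__ == "__main__":
    rule = TransactionRateRule(max_tps=20, action="abort")
    # Constructed replay of the deck's scenario: one client firing 700 requests at once.
    print(simulate_burst(rule, "10.0.0.1", 700, now=0.0))   # {'allow': 20, 'abort': 680}
    print(rule.decide("10.0.0.2", now=0.0))                 # another client is unaffected
```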

Page 24:

Another Example: Denial of Service through Coercive Parsing

Echo Request: s=test. All responses are successful, well-formed XML. Min 1.20 ms, Max 3.50 ms, Ave 1.60 ms.

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
<soap:Body>
<s0:Echo><s0:s>test</s0:s></s0:Echo>
</soap:Body>
</soap:Envelope>

Echo Request: s=test. All responses fail, XML not well-formed. Min 2.10 ms, Max 5.0 ms, Ave 2.73 ms.

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
<soap:Body>
<s0:Echo><s0:s>test</s0:s></s0:Echo>
</soap:Body>
</soap:Envelope          (missing ">")

> 70% Degradation by removing one character
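A gateway-side structural check for the coercive-parsing case above, and for the node-depth and recursive-payload rules the deck lists later under "XSD Mutation – Secured", as an added example in Python (not the gateway's own code). A streaming expat parser rejects truncated, oversized, too-deep or too-wide messages before the service's parser ever runs; the limits and the deep/wide sample payloads are constructed, the Echo envelope is the deck's.

```python
import xml.parsers.expat


class LimitExceeded(Exception):
    """Raised from inside the parser callbacks to stop parsing early."""


def check_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32,
              max_elements: int = 10_000) -> str:
    """Return 'ok', or 'size', 'malformed', 'depth' or 'elements' for a message to reject."""
    if len(data) > max_bytes:
        return "size"
    state = {"depth": 0, "elements": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise LimitExceeded("depth")
        if state["elements"] > max_elements:
            raise LimitExceeded("elements")

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()   # streaming: no tree is built
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)               # True: these bytes are the whole document
    except LimitExceeded as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:       # e.g. the final ">" missing
        return "malformed"
    return "ok"


# The deck's Echo envelope, and the same bytes with the final ">" removed.
ECHO_OK = (b'<?xml version="1.0" encoding="utf-8"?>'
           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
           b' xmlns:s0="http://microsoft.com/webservices/"><soap:Body>'
           b'<s0:Echo><s0:s>test</s0:s></s0:Echo></soap:Body></soap:Envelope>')
ECHO_TRUNCATED = ECHO_OK[:-1]
# Constructed nesting and element-count cases standing in for coercive-parsing payloads.
DEEP = b"<r>" + b"<n>" * 40 + b"</n>" * 40 + b"</r>"
WIDE = b"<r>" + b"<n/>" * 20_000 + b"</r>"
```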

Page 25:

XML Web Services Based XSD Mutation Attack

Page 26:

XSD Mutation Attack - Unsecured

How to Attack
• Obtain WSDL
• Derive Message Structure and Types from WSDL Schema
• Send SOAP Message Mutations based on Schema

Discovered Exposure
• Code Paths not Handled for Exceptions
• Stack Traces Returned with Implementation Details
• Application Failure

(Diagram: Client sends directly to the Web Service)

Page 27:

XSD Mutation Attack – Lifecycle

Author Attack Vectors → Run Attack → Analyze Results → Add New Detection Libraries → Vulnerability Report

Page 28:

XSD Mutation: Building Attack Vectors

• Service Loaded from endpoint
• Mutant Messages generated based on WSDL – XSD
• Data type, structure, size mutations

Page 29:

XSD Mutation: Analyze Attack

• Test generated based on WSDL complexity
• Sample Data Value Mutation
• username contains string value mutation
• response reveals backend components and method calls

Page 30:

XSD Mutation: Extend Detection Libraries

• Vulnerability Detection Libraries
• Application/Platform Specific
• Business Specific – SSN, Credit Card
• Look for nusoap.php
• High Severity – Open source Parser

Page 31:

XSD Mutation Attack - XML Gateway Secured

• Enforce Inbound Schema Validation
• Prevent Outbound Data Leaks

How to Defend
• Deploy XML Gateway
• Enforce Inbound Message Structure and Type Validation
• Cleanse Outbound Data (Stack Traces, Sensitive Data)

Advantages
• Reduce Parser Impact on Web Service
• Remove Vendor and Implementation Details in Response
• Protect Application Layer Code Paths on Web Service

(Diagram: Client sends to the XML Gateway, which forwards to the Web Service)
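The outbound cleansing step above, applied to the leak classes slide 30 names (nusoap.php, stack traces, SSN-shaped business data), as an added example in Python and not the gateway's own code: a leaking response is replaced with a generic SOAP Fault before it leaves the gateway. The leak patterns and the sample fault are constructed.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Constructed leak signatures in the spirit of the deck's detection libraries: the open-source
# parser file it tells testers to look for, PHP/Java stack-trace shapes, and SSN-shaped values.
LEAK_PATTERNS = {
    "open-source parser": re.compile(r"nusoap\.php", re.I),
    "stack trace": re.compile(r"#\d+\s+\S+\.php\(\d+\)|\bat\s+[\w.$]+\([\w.]+:\d+\)"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def find_leaks(soap_xml: str) -> list:
    """Scan every text node of an outbound message and name the leak classes found."""
    found = []
    for elem in ET.fromstring(soap_xml).iter():
        for chunk in (elem.text or "", elem.tail or ""):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(chunk) and label not in found:
                    found.append(label)
    return found


def cleanse_response(soap_xml: str) -> tuple:
    """Return (message to forward, leaks found); a leaking Body becomes a generic Fault."""
    leaks = find_leaks(soap_xml)
    if not leaks:
        return soap_xml, leaks
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    for child in list(body):
        body.remove(child)
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soap:Server"
    ET.SubElement(fault, "faultstring").text = "Internal error"   # no vendor or code-path details
    return ET.tostring(root, encoding="unicode"), leaks


# Constructed fault as a PHP/NuSOAP endpoint might emit it after a type-mutated request.
LEAKY_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Fatal error: Uncaught TypeError in /var/www/lib/nusoap.php on line 123</faultstring>
<detail>#0 /var/www/lib/nusoap.php(123): soap_server-&gt;invoke_method()</detail>
</soap:Fault></soap:Body></soap:Envelope>"""
CLEAN_RESPONSE = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
                  '<EchoResponse>test</EchoResponse></soap:Body></soap:Envelope>')
```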

Page 32:

XSD Mutation – Sentry Protection Policy

• XML Gateway provides Policies to protect against XML specific attacks

Page 33:

XSD Mutation – Secured

1. Deploy Specialized XML Gateways – Packet Firewalls and HTML Application Firewalls are insufficient
2. Validate XML against a robust schema
3. Tighten Schema: e.g., replace an unbounded string type with a string limited to 2048 characters
4. Enforce XML specific detection rules, e.g., node depth, recursive payloads

Page 34:

Best Practices for Countermeasures

Information Control – Outbound
• Restrict SOAP Faults
• Protect Sensitive Information
• Audit Transaction Flows

Use Web Services Penetration Testing Product
• Out of the box Vulnerability Discovery
• Simplified Testing and Diagnostics of Service Endpoint
• Validation of Security Gateway Policies

Deploy XML Web Services Gateway
• Forum Systems Sentry XML Gateway
• Barracuda
• Radware AppXML

Deploy Centralized XML Security
• Enforce Policy Independent of Application Servers and OS Platforms
• Audit and Filter Sensitive Information
• Separate Security from Application Code

Information Control – Inbound
• Tighten Payloads
• Enforce SLA
• Disallow SQL, Virus, Malicious Code

Page 35:

Learn more @ www.forumsys.com