Date posted: 10-Jun-2015
Uploaded by: ante-gulam
WCF security: patterns & practices
ante.gulam[at]ri-ing.net
Overview
• Intro [Service-Oriented Architecture, MS WCF]
• Defining Web Service Threats
• Overview of WCF Security Basics
• Configuration - Starting Point and Ending Point
• Bindings In Depth
• Securing Transport Channel - Integrity and Auth.
• Messages - What I Send is What You Get?
• Few Code-Based WCF Security Best Practices
• Outro [conclusion]
Intro
• SOA in general (discovery, description, messaging)
  – UDDI XML Hierarchy
  – UDDI Discovery (automated scanning tools)
  – WSDL and XSD Descriptions
  – SOAP vs. REST XML Protocols
• SOA Security Issues (ASMX, WCF, Java ...)
• WCF (Indigo/2006) - .NET Web Service Technology
• Endpoints (Transport & Bindings)
  – ABC (Address/Binding/Contract)
  – HTTP, TCP, named pipes, MSMQ ...
  – MEX – Metadata Exchange
Defining Web Service Threats
• Attractive target
• Open to the World (rare filtering access scheme)
• Direct connection to core application
• Direct connection to core data
• Discovering and Attacking Web Services
• WS-discovery (service behaviorConfiguration="serviceDiscoverable") probe: 3702
  – WSScanner
• Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
• WCF Test Harness – flexible tool for quick service tests
• Common WApp vulns: SQL injection, session theft, XML DoS ...
• XML/SOAP Manipulation (abusing the protocol)
  – Eavesdropping Message Exchange
  – Message Protection Methods
• Configuration Data Injection (tampering .conf)
• Local/UDDI XML Processing attack
Overview of WCF Security Basics
• Logging and Auditing
• Debugging and Attack Detection
• Authentication
• Identify Clients
  » Users, Services, Processes, Machines ...
  » MiTM Attack Mitigation
• Transport Security Mode (cert, NTLM, basic ...)
• Message Security Mode (cert, token, username ...)
• Authorization
• Role-based
• Identity-based
• Resource-based
• Confidentiality
• Encryption of traffic between client and WCF service
• Integrity
Configuration - Starting Point and Ending Point
• Web.config start-up
• Web.config encryption
• section.SectionInformation.ProtectSection
• <system.serviceModel>
• Services
  » Defining Service Endpoints
• Bindings
  » Basic, WS, WSDual, NetTcp ...
• Behaviors
  » <throttling> and other custom behaviors
• <Credentials /> Stored in Config
    <credentials passwordFormat="Clear">
      <user name="user1" password="pass1"/>
    </credentials>
• Max Message Size ???? (avoid 2147483647)
• Encrypting configuration files (CL tools, code-based...)
Bindings in Depth
• System.ServiceModel.Channels.Binding class
• Binding types and Security Modes
  – WSHttpBinding b = new WSHttpBinding(); b.Security.Mode = SecurityMode.?????:
• Transport Security
• Mixed-Mode Security
• Message Security
• Considering Scenarios for the right Bindings
• Clients accessing through the Internet (wshttp)
• Legacy clients (http)
• Intranet (netTCP)
• Local Machine Clients (netNamedPipeBinding)
• Disconnected queued calls support (netMsmqBinding)
• Bidirectional communication support (wsDualHttp)
• System-Provided bindings
  – BasicHttpBinding: An HTTP protocol binding suitable for connecting to Web services that conform to the WS-I Basic Profile specification (for example, ASP.NET Web services-based services)
  – WSHttpBinding: An interoperable binding suitable for connecting to endpoints that conform to the WS-* protocols.
  – NetNamedPipeBinding: Uses the .NET Framework to connect to other WCF endpoints on the same machine.
  – NetMsmqBinding: Uses the .NET Framework to create queued message connections with other WCF endpoints.
• Custom Bindings
  – Meet Requirements of Your Service
Securing Transport Channel
• SSL tunneling on WS transport channel
• Choosing secure binding or SSL transport??
  – More and more on security (end-to-end, part encrypt)
  – Performance on Message/Transport level
  – Combining Message and Transport security
• Custom Binding and Custom Validator
• public override void Validate(string uname, string pass)
• <binding name="CustomBinding">
    <security authenticationMode="UserNameOverTransport"> </security>
  </binding>
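Added example (not from the original deck): the custom validator and the UserNameOverTransport custom binding from this slide built in code, with passwords checked against salted PBKDF2 hashes rather than clear-text config entries and a bounded message size instead of 2147483647. HashedUserValidator, SecureHost, the in-memory user store, the 64 KB cap and the iteration count are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Hypothetical validator: checks salted PBKDF2 hashes, never clear-text passwords.
public class HashedUserValidator : UserNamePasswordValidator
{
    // user -> (salt, hash); assumed in-memory store, load it from a protected source in practice.
    private readonly IDictionary<string, Tuple<byte[], byte[]>> _users;
    public HashedUserValidator(IDictionary<string, Tuple<byte[], byte[]>> users) { _users = users; }
    public static byte[] Hash(string password, byte[] salt)   // salt must be at least 8 bytes
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
    public override void Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> entry;
        bool ok = userName != null && password != null
                  && _users.TryGetValue(userName, out entry)
                  && FixedTimeEquals(entry.Item2, Hash(password, entry.Item1));
        // One message for every failure, so a caller cannot tell which part was wrong.
        if (!ok) throw new SecurityTokenValidationException("Authentication failed.");
    }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class SecureHost
{
    // httpsAddress must use https: UserNameOverTransport relies on the transport for protection.
    public static ServiceHost Build(Type service, Type contract, Uri httpsAddress,
                                    UserNamePasswordValidator validator)
    {
        var binding = new CustomBinding(
            SecurityBindingElement.CreateUserNameOverTransportBindingElement(),
            new TextMessageEncodingBindingElement(),
            new HttpsTransportBindingElement { MaxReceivedMessageSize = 64 * 1024 }); // sample cap
        var host = new ServiceHost(service, httpsAddress);
        host.AddServiceEndpoint(contract, binding, string.Empty);
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = validator;
        return host;
    }
}
```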
Messages - What I Send is What You Get?
• Message integrity check
• Ability to detect and manage invalid data
• Imposition of complete transactions
• Rollbacks
• [ServiceBehavior] attrib: Transaction Isolation - Serializable transaction
  – protection for consistent data
• Hash calculation on message: xml/json messages (HMAC, SHA1..)
• ETag (base64 encoding of the md5sum)
• Distributed Transaction Controller
  – Single Transaction building
• ‘Global’ Rollback (whole call chain rollback)
  – transactionFlow="true"
Few Code-Based WCF Security Best Practices
• using() and try/finally keywords in WCF ?
• Why to Avoid Them???
  – IL almost identical
  – So, where is the problem!?!?
• During Disposal the Channel is NEVER closed!
• Control the catch of Exceptions
• Use a global exception handler to catch unhandled exceptions
• FaultContract
• [FaultContract(typeof(CustomException))]
  – throw new FaultException<MathFault>(mf);
• using()
    IL_0000: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
    IL_0005: stloc.0
    .try
    {
      IL_0006: leave.s IL_0012
    } // end .try
    finally
    {
      IL_0008: ldloc.0
      IL_0009: brfalse.s IL_0011
      IL_000b: ldloc.0
      IL_000c: callvirt instance void [mscorlib]System.IDisposable::Dispose()
      IL_0011: endfinally
    } // end handler
• try/finally block
    IL_0012: ldnull
    IL_0013: stloc.1
    .try
    {
      IL_0014: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
      IL_0019: stloc.1
      IL_001a: leave.s IL_0026
    } // end .try
    finally
    {
      IL_001c: ldloc.1
      IL_001d: brfalse.s IL_0025
      IL_001f: ldloc.1
      IL_0020: callvirt instance void [System]System.ComponentModel.Component::Dispose()
      IL_0025: endfinally
    } // end handler
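Added example (not from the original deck) of what to use instead of using() on a WCF client: Dispose() calls Close(), and Close() throws on a faulted channel, which hides the original exception, so the channel is closed explicitly on success and aborted on any failure. ChannelExtensions and Use are hypothetical names; the factory is expected to be created once and reused.

```csharp
using System;
using System.ServiceModel;

public static class ChannelExtensions
{
    // Runs one call sequence on a fresh channel from a shared factory and
    // always releases the channel without masking the caller's exception.
    public static TResult Use<TChannel, TResult>(
        this ChannelFactory<TChannel> factory, Func<TChannel, TResult> work)
    {
        TChannel channel = factory.CreateChannel();
        var comm = (ICommunicationObject)channel;   // channels from ChannelFactory<T> implement this
        bool closed = false;
        try
        {
            TResult result = work(channel);  // FaultException<T>, CommunicationException, ... surface here
            comm.Close();                    // graceful close; can itself throw on timeout or fault
            closed = true;
            return result;
        }
        finally
        {
            // Abort() tears the channel down immediately and does not throw,
            // so the exception from work() or Close() reaches the caller intact.
            if (!closed) comm.Abort();
        }
    }
}

// Usage, with a hypothetical ICalculator contract:
//   int sum = factory.Use<ICalculator, int>(c => c.Add(2, 3));
```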
• CAS in WCF services
  – [assembly: AllowPartiallyTrustedCallers]
  – [PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
  – Calling out from the Restricted client Environment
• Security breach – bypass direct connection
  – PartialTrustClientBase<T> ??
  – GAC on the client side?
• Proxy Assembly Installation
  – Raw WCF Demands
• ChannelFactory class
  – Used in advanced scenarios
  – Creation of Multiple Channels for Communication
• ChannelFactory<xx> myChannelFactory = new ChannelFactory<xx>(myBinding, myEndpoint);
  xx wcfClient1 = myChannelFactory.CreateChannel();
  – channelFactory.Credentials (username/password)
  – Avoid Creation of ChannelFactory on each page call (overhead)
• Make a port scanner out of WCF
  – WSDualHttpBinding
  – “CreateSequence” SOAP request
  – “ReplyTo” address
• https://github.com/GDSSecurity/WCF-WSDualHttpBinding-Port-Scanner
Outro [conclusion]
• What have we remembered to make our WS more secure?
  – Best practice – combine technologies and techniques to get security on higher level!!!
• Combine Smart Coding with Good Configuration
• Test your WCF services against various attack techniques
• ServiceThrottlingBehavior class
  – MaxConcurrentCalls (default = 16) [Per-message]
  – MaxConcurrentInstances (default = Int32.Max)
• InstanceContextMode ServiceBehaviorAttribute PerCalls / Sessions
  – MaxConcurrentSessions (default = 10) [Per-channel]
• Stay in touch with Recent Security Discoveries Related to Technologies you are using!
• Platforms, OS services, dev technologies, transport/protocol technologies, encryption algorithms etc.
Thank you for your attention
Questions and comments?