
Slide 1: Advanced Web Services Security & Hacking
Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation, OWASP AppSec Seattle, Oct 2006, http://www.owasp.org/
Justin Derry, OWASP Brisbane Chapter Leader; Practice Leader, b-sec Consulting; jderry@b-sec.com; +61 411 411 881

Slide 2: Presentation Agenda
- Web Services & Technology
  - What is a Web Service
  - Where they are commonly used & why
  - Are you exposing yourself (willingly/unwillingly)?
  - What's happening right now
- An Attacker's Toolkit
  - Known common attacks against XML
  - XML Interceptor Toolkit
  - Case Studies (XML Web Service & WS-Security Web Service)
- Web Services Security
  - WS-Security
  - Web Services Appliances (what they can/can't do)
  - Common mistakes and pitfalls

Slide 3: What is a Web Service?
- Many things could be called a Web Service.
- For this presentation we are talking about: "A Web Service is a system designed to support interoperable communication from machine to machine over a network. It includes an interface described in a machine-processable format (WSDL), and is typically conveyed using HTTP with XML serialization." (www.w3.org/TR/ws-gloss)

Slide 4: XML Web Service Communication
[Figure: Typical Web Service Communication Packet]

Slide 5: Common Application Uses
- Public Web Applications
  - AJAX (maps.google.com, mp3act.net)
  - Application APIs: Google, Yahoo, eBay, Flickr, Amazon, IMDB, etc.
  - Internet payment hubs (most major banks use XML Web Services for credit card processing, or similar XML technology)
- Business B2B Communication Gateways
  - Extend the business outside its internal network
  - Communicate easily with third parties (trusted or untrusted)

Slide 6: Are you exposing yourself?
- Vendor applications
- In-house applications that share data with partners
- Developers writing a tool to solve a problem without business awareness
- New technologies (AJAX, Web 2.0, Google)
  - Maybe not called a Web Service, but with similar characteristics to an XML Web Service

Slide 7: Known Common Web Service Attacks
- Parsing exploits
  - SAX/DOM known common exploits on vendor frameworks
  - Custom parsers that are poorly written
- XML Injection (passed into the XML stream)
- XPath Injection attacks
- XML manipulation (i.e. CDATA manipulation etc.)
- WSDL discovery and manipulation with schemas
- DoS attacks against Web Services
- Typical HTTP/S-style header injection attacks
- Common application attacks (SQL Injection etc.)

Slide 8: Vulnerability Breakdown (Real-world)
[Figure: vulnerability breakdown; source: b-sec Application Reviews 2005-2006]

Slide 9: Increasing Attacks & Web Services
- Increasing use of Web Service technology
- Vendors are using it to rapidly deploy applications and services
- Research into exploits is increasing
- It's a "cool & new" technology, so we should use it
- "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer', not the Network or System layer" (Gartner Group)

Slide 10: XML Interceptor Toolkit (1.0)
- Windows Forms .NET toolkit (VB.NET 2.0)
- Developed in Australia
- Currently in initial release for OWASP Seattle 06
- Work in progress: do you want to get involved?

Slide 11: Web Interceptor Features
- Currently in initial release for OWASP Seattle 06
- Supports XML TCP capture as a proxy (initial)
- Allows replay/manipulation of XML POST requests
- Easy interface to inject and force header changes
- Support for some automated attacks
- Saving and recording of attack history
- Perform most XML-related attacks through the tool
- Includes basic security functions (Base64/MD5/SHA)
- Support for SSL to be available shortly (Oct/Nov)
- Support for HTTP/S injection and proxy tool as well (Oct/Nov)

Slide 12: Web Interceptor – Demo & Download
- Demo of the initial features available in Release 1.0 of the Interceptor Toolkit (XML interception & replay)
- Download available at www.intratools.net/owasp

Slide 13: Case Study (XML Web Service)
- Windows Forms .NET client (demo shows the interface)
- Remotely deployed to call center/support
- Connected over the public Internet to the application
- Basic XML Web Services used (.NET Framework without WS-* or additional controls)

Slide 14: Exploiting a Web Service through XML
- Performing SQL Injection attacks using an XML message and the Interceptor Toolkit
- How to use CDATA in XML fields to pass Cross Site Scripting
- How we did it (Web Interceptor example)
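As an added illustration of the two points on this slide (not code from the presentation or the Interceptor Toolkit), a constructed Python handler that pulls a customer name and a note out of a SOAP-style body: the vulnerable lookup concatenates the parsed field into SQL as the case-study service did, the hardened one validates the parsed value and binds it as a parameter, and the CDATA wrapper is shown to change nothing about what the parser hands back. The element names, the SQLite schema and the sample request are assumptions.

```python
import html
import sqlite3
import xml.etree.ElementTree as ET


def build_request(name, note):
    # Constructed SOAP-style body; both fields are wrapped in CDATA so the raw
    # bytes never contain a literal "<" or "'", but the parsed values do.
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            "<soap:Body><LookupCustomer>"
            f"<Name><![CDATA[{name}]]></Name><Note><![CDATA[{note}]]></Note>"
            "</LookupCustomer></soap:Body></soap:Envelope>")


def setup_db():
    # Hypothetical customer table, in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, balance INTEGER)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", [("Smith", 10), ("Jones", 20)])
    return db


def field(xml_text, tag):
    # The parser returns CDATA content as plain text: <![CDATA[<b>]]> and &lt;b&gt;
    # yield the same string, so CDATA gives the endpoint no protection at all.
    return ET.fromstring(xml_text).findtext(f".//{tag}")


def lookup_vulnerable(db, xml_text):
    # Mirrors the case-study flaw: the XML field is concatenated straight into SQL.
    sql = "SELECT name FROM customers WHERE name = '" + field(xml_text, "Name") + "'"
    return db.execute(sql).fetchall()


def is_valid_name(name):
    # Allow-list validation on the parsed value, not on the raw XML bytes.
    return name is not None and 0 < len(name) <= 64 and name.replace("-", "").isalpha()


def lookup_hardened(db, xml_text):
    name = field(xml_text, "Name")
    if not is_valid_name(name):
        raise ValueError("rejected customer name")
    return db.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchall()


def render_note(xml_text):
    # Output-encode before the value reaches a browser or downstream web UI.
    return html.escape(field(xml_text, "Note") or "")
```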

Slide 15: Case Study Risks Identified
- Assumed no interface, so no attacks
- No data validation (most of the OWASP Top Ten missing)
- Serious SQL Injection & XSS flaws
  - Passed through XML to the web interface
- XML not encrypted (replay/data interception)
- Returned error messages in XML

Slide 16: Case Study (WS-Security Enabled Service)
- Financial institution (i.e. a bank)
- Transactional gateway solution for their clients
- Credit card processing/account processing
- Significant risks with exposing transactional data
- Implemented a WS-Security gateway

Slide 17: Case Study 2 (Where did it all go wrong!)
- Assumed WS-Security protects 100%
- Messages not sent over SSL (sniffing/replay)
- XML gateway appliance misconfigured
- Sensitive data was passed in clear text
- API toolkit was basic and had no security
- Assumed the XML gateway was doing its job
- Assumed end users knew what they were doing

Slide 18: What is WS-Security?
- Provides a core standard framework and schema for XML messaging security
- Implements the following capabilities for XML:
  - Authentication
  - Confidentiality
  - Integrity

Slide 19: WS-Security Messages
[Figure: WS-Security Messages]

Slide 20: Implementing WS-Security Securely
- Ensure you are using Standard 1.1 (latest)
- Implement an authentication token (UsernameToken, BinaryToken, etc.)
- Provide a digital hash of the message (integrity)
- Use message encryption if passing sensitive data
- Implement SSL technology to ensure messages cannot be captured and replayed
- Use a WS-* gateway to inspect and verify messages before they reach the Web Service endpoint
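An added example (not from the presentation) for the token and replay points above: a WS-Security UsernameToken carrying a PasswordDigest, built on the client and checked on the server with a freshness window on wsu:Created and a cache of seen nonces, so a captured token cannot simply be re-sent. The namespace URIs are the WSS 1.0 ones; the credential store, user name and window size are assumptions, and the token omits the Type and EncodingType attributes a production message would carry.

```python
import base64
import calendar
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET

NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
PASSWORDS = {"gateway-client": "s3cret"}  # hypothetical credential store (constructed for the example)
FRESHNESS_SECONDS = 300                   # accept Created only within +/- 5 minutes of server time

def password_digest(nonce, created, password):
    # UsernameToken Profile: Base64(SHA-1(nonce || created || password)); nonce is the raw bytes.
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(username, password, created=None, nonce=None):
    # Client side: fresh random nonce per message and a digest instead of the clear-text password.
    nonce = nonce or os.urandom(16)
    created = created or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return (f'<wsse:UsernameToken xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f"<wsse:Username>{username}</wsse:Username>"
            f"<wsse:Password>{password_digest(nonce, created, password)}</wsse:Password>"
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>")

class TokenVerifier:
    def __init__(self):
        self.seen = set()  # (user, nonce) pairs; in production expire them after FRESHNESS_SECONDS

    def verify(self, token_xml):
        tok = ET.fromstring(token_xml)
        user, digest, nonce_b64, created = (tok.findtext(p, namespaces=NS) for p in
            ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created"))
        if None in (user, digest, nonce_b64, created) or user not in PASSWORDS:
            return False
        try:
            created_ts = calendar.timegm(time.strptime(created, "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False  # malformed timestamp (this demo accepts whole-second UTC only)
        if abs(time.time() - created_ts) > FRESHNESS_SECONDS:
            return False  # stale or future-dated message
        if (user, nonce_b64) in self.seen:
            return False  # replayed message
        expected = password_digest(base64.b64decode(nonce_b64), created, PASSWORDS[user])
        if not hmac.compare_digest(expected, digest):
            return False  # wrong password or tampered fields
        self.seen.add((user, nonce_b64))
        return True
```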

Slide 21: Web Service Appliances/Gateways
- Market space is growing in size (rapidly)
- Vendor solutions provide assistance with the problem and are not a complete solution
- Use all the features, not just the simple things:
  - WS-Security authentication validation
  - Schema validation
  - Search for known common exploits in strings (i.e. SQL Injection, XSS attacks, etc.)
  - Specify trusted hosts (IP addresses or agent types) & restrict

Slide 22: Other XML Standards (WS-*)
- OASIS Open working groups releasing other standards for XML Web Services

Slide 23: Common Mistakes
- Assumption that WS-Security solves everything
- Assumption that no interface means no attacks (service is hidden)
- Belief in vendors without performing testing
- Supplying an insecure API to remote users
- Forgetting to disable WSDL publishing of the service
- Web Service has minimal or no application security controls (i.e. OWASP Top Ten)

Slide 24: OWASP Top Ten & Web Services
- (1) Data Validation: validate everything
- (2) Access Control: implement authentication (WS-Security)
- (3) Authentication/Session Management: replay attacks in XML
- (4) Cross Site Scripting: see (1); integration with applications
- (5) Buffer Overflow: watch for this, validate and address in code
- (6) Injection Flaws: watch for this, validate and address in code
- (7) Error Handling: don't return detailed error messages
- (8) Insecure Storage: watch for this, store appropriately
- (9) Denial of Service: detect & alert, similar to a web application
- (10) Insecure Configuration Management: similar to a web application (avoid WSDL publishing etc. unless necessary)

Slide 25: Summary
- Implement WS-Security (C, I, A)
- Implement OWASP guidelines for applications
- Identify & test vendor applications
- Don't rely 100% on XML security gateways to provide all the security
- Disable WSDL publishing if you don't need it

Slide 26: Questions?
Justin Derry, Application Security Practice Leader, B-sec Consulting Pty Ltd (Australia), +61 411 411 881, Email: jderry@b-sec.com

