RUXCON ’06
Web Services: Teaching a New Dog Old Tricks
Daniel Grzelak / Colin Wong
About Us
• SIFT
  • Independent information security services
  • http://www.sift.com.au/
• Daniel Grzelak
  • Technical analyst
  • daniel.grzelak@sift.com.au
• Colin Wong
  • Found him outside
  • colin.wong@sift.com.au
Outline
• Web services basics
• The past, the present, the future
• Client testing
• Web method enumeration
• XML port scanning
• Structured testing framework

Web Services Essentials
• XML-based remote procedure call
  • Simple Object Access Protocol (SOAP)
  • Web Services Description Language (WSDL)
• Multiple transport bindings
  • HTTP, SMTP, FTP etc.
• Interoperable, heterogeneous, magical!
  “Oh yeah, aight. Aight, I put on my robe and wizard hat.”

Why Test Web Services?
• High enterprise take-up in high value projects
  • Authentication services
  • Supply chain integration (B2B)
  • Exposing legacy systems
  • External APIs
  • Transactions and critical business functions
• Web services will become increasingly widespread

New Dog, Old Tricks
• Web services share vulnerabilities with traditional distributed technologies
• Lots of the same attacks apply, but with better structure (XML)
• Web services platforms make it “too easy”
  • Code web services as a traditional object
  • Platform automagically turns it into a service
  • Minimal (if any) security

Client Testing
• Web services security testing tends to focus on the web service itself
• Clients are most often custom made
  • These can also be vulnerable
• Clients are where the users are at
  • Users are the weakest link
  • Own the client and you can attack the users

Old Client Tricks
• Similar to JavaScript attacks in web apps
  • Target the browser, not the server
• Large client/server software houses have learnt to look at the client
  • Internet Explorer
  • Real Player
• Web services clients get overlooked

Client Attacks
• Evil twin
  • DNS hacking
  • ARP poisoning
• Hard to execute blind; possession of the client helps
• Testing
  • Consume WSDL and become the web service
  • Once the client talks to the cloned web service, fuzz outputs and analyse the client app response
  • Thorough logging must exist

Web Method Enumeration
• WSDL may not describe all allowed operations
  • Can be manually modified
  • Programmers love hidden backdoors
• We would like to be able to find the secrets
  • Hidden administration interfaces or functions
  • Test or debug functions
  • Anything else we’re not supposed to get to

Web Method Search
• Perform a dictionary attack on web method names in a web service
• Typically in the form of <verb><noun>
  • GetToken
  • AuthenticateUser
  • SetPassword
  • CreateAccount
• Create or use ready-made verb and noun lists
Calling Web Methods

  POST http://target.com/ HTTP/1.1
  SOAPAction: http://target.com/webMethodName
  Content-Type: text/xml

  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
      <webMethodName xmlns="tns">a</webMethodName>
    </soap:Body>
  </soap:Envelope>
Analyse Responses
• Test with each verb/noun combination
• Analyse the response of the web service
  • Can determine whether the tested method exists
• Combination exists
  • Successful call
  • Missing or incorrect parameter errors
  • Illegal argument or null reference errors
• Combination does not exist
  • Operation not defined errors
  • No such operation or method
  • Bad SOAP action
Web Method Searching (For Bugs?)

  No such operation 'get'
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:179)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
    at coldfusion.xml.rpc.CFCProvider.invoke(CFCProvider.java:54)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
    at ...
    coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Web Method Searching (For Bugs?)
• DirectoryException: cannot automatically create subdirectory http: at
• <result xsi:type="xsd:string">null not in database (yet)</result>
• <b>/home/sites/site66/web/_webservices/includes/nusoap/nusoap.php</b> on line <b>3778</b><br /> <br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/sites/site66/web/_webservices/metasearch/index.php:96)
• <faultstring>Access violation at address 05605B9C in module 'testckver.tss'. Read of address 0000000C</faultstring>
• SQL syntax errors
Web Method Search Tool
• Automated execution of the dictionary attack with supplied wordlists
• Analysis of responses against configurable response elements
  • A result may match multiple matchers
  • Supports multiple weightings

Web Method Search Tool
• Demonstration
• http://www.sift.com.au/73/0/tools.htm

Workarounds and Mitigating Strategies
• Security through obscurity does not work
  • Do not keep web methods secret, because they will not remain secret
• Input validation
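The response analysis above also works in reverse for the defender: a legitimate WSDL-generated client only calls methods that exist, so one client producing many distinct SOAPActions and a high share of "operation not defined" or "bad SOAP action" faults is running the dictionary attack. The detector below is an added example (not the presenters' tool) run over a constructed, hypothetical log layout of client, quoted SOAPAction and the fault class as the application logged it.

```python
"""Detect web-method dictionary attacks in application logs (added example,
not the presenters' tool). Inverts the response analysis on the slides: a
client that tries many distinct SOAPActions and mostly receives 'operation
not defined' style faults is enumerating. Log layout is constructed."""
import re
from collections import defaultdict

# Constructed sample: <client-ip> "<SOAPAction>" <fault class as the app logged it>.
SAMPLE_LOG = """\
10.0.0.5 "http://target.com/GetToken" ok
10.0.0.5 "http://target.com/GetToken" missing_parameter
10.0.0.9 "http://target.com/GetUser" no_such_operation
10.0.0.9 "http://target.com/GetAccount" no_such_operation
10.0.0.9 "http://target.com/SetPassword" no_such_operation
10.0.0.9 "http://target.com/AuthenticateUser" missing_parameter
10.0.0.9 "http://target.com/CreateAccount" bad_soap_action
10.0.0.9 "http://target.com/DeleteUser" no_such_operation
"""
LINE_RE = re.compile(r'^(\S+) "([^"]+)" (\S+)$')
# Fault classes that, per the slides, mean the method does not exist.
UNKNOWN_METHOD = {"no_such_operation", "bad_soap_action"}


def parse_line(line):
    """Return (client, method name, fault class), or None for a malformed line."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    client, action, fault = match.groups()
    return client, action.rsplit("/", 1)[-1], fault


def find_enumerators(log_text, min_distinct=5, min_unknown_ratio=0.5):
    """Map each suspicious client to its stats: a client is flagged when it
    called at least `min_distinct` different methods and at least
    `min_unknown_ratio` of its calls hit methods that do not exist."""
    stats = defaultdict(lambda: {"methods": set(), "calls": 0, "unknown": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, fault = parsed
        entry = stats[client]
        entry["methods"].add(method)
        entry["calls"] += 1
        entry["unknown"] += fault in UNKNOWN_METHOD
    return {c: e for c, e in stats.items()
            if len(e["methods"]) >= min_distinct
            and e["unknown"] / e["calls"] >= min_unknown_ratio}
```

The thresholds are starting points; tune `min_distinct` to the size of the real WSDL, since a legitimate client of a large service can call many methods, but never ones that do not exist.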
XML Port Scanning
• Everyone loves XML
  • Has become the standard for information exchange
  • Ubiquitous support by all vendors and platforms
• Firewalls block most traffic at the perimeter
  • Except maybe 80 and 443
• Can we get behind the firewall to scan?
  • Maybe if we ask nicely

Document Type Definition
• Allows you to define the valid elements of an XML document
• Can dynamically build a DTD using references to external DTD definitions
• Can define external entities that can be used within the XML document

XML Parser Abuse
• Abuse the ability of XML parsers to dereference external sources
• Use DTD elements to get the parser to initiate connections on our behalf
• The following will cause the parser to attempt a connection to TCP port 22 on 192.168.1.1

  <!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>
  <scan>&test;</scan>
Analyse Responses
• We can infer the result of the attempted connection from the XML parser response
  • Closed ports result in a connection refused error
  • Open ports that respond to an HTTP request result in other errors or no error at all
  • Filtered ports, no such target, or open ports that do not respond to an HTTP request result in a timeout
• Can only scan one port per XML document
  • Cycle through all target ports and systems
Applicability
• This attack can be launched against XML endpoints
• Cannot be used directly against SOAP
  • SOAP explicitly disallows DTD
• Potential targets
  • AJAX APIs
  • XML document inputs
  • Encoded XML within SOAP parameters

Impacts
• Port scanning of systems in your DMZ
• Effectively transports the scanning to the parser
  • You can see whatever the XML parser can see
• Firewalls won’t help you
  • XML is valid traffic
  • SSL protects attack traffic

XML Port Scanning
• Demonstration

Workarounds and Mitigating Strategies
• Disable external entity elements
  • Or define allowed external elements
• Prohibit DTDs
• Exception handling that does not return error messages or details
  • Still allows timeouts to be detected
    • So some open ports can be detected
    • Closed ports return quickly
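The first two mitigations in practice, as an added example that is not the presenters' code and uses Python's expat binding rather than the Java and PHP stacks shown on the earlier slides. It layers "prohibit DTDs" over "never dereference external entities" and feeds it the scanning document from the XML Parser Abuse slide together with a constructed benign document.

```python
"""Hardened XML entry point (added example, not the presenters' code): it
prohibits DTDs and never dereferences external entities, so the parser cannot
be made to open connections on an attacker's behalf."""
import xml.parsers.expat as expat


class Rejected(ValueError):
    """Raised with the reason 'dtd' or 'external-entity' as its argument."""


def hardened_parse(document):
    """Parse `document`, returning {element name: text}, or raise Rejected.

    Control 1 prohibits DTDs: the DOCTYPE handler raises before expat reads
    the entity declarations in the internal subset.  Control 2 is defence in
    depth: even if DTDs were allowed, no external entity is ever fetched, so
    SYSTEM "http://host:port/" cannot turn into an outbound connection.
    """
    parser = expat.ParserCreate()
    texts, open_elements = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise Rejected("dtd")                  # control 1: no DTD at all
    def on_external_entity(context, base, sysid, pubid):
        raise Rejected("external-entity")      # control 2: never fetch sysid
    def on_start(name, attrs):
        open_elements.append(name)
        texts.setdefault(name, "")
    def on_chars(data):
        texts[open_elements[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: open_elements.pop()
    parser.CharacterDataHandler = on_chars
    parser.Parse(document, True)
    return texts


# Constructed inputs: the probe from the slides (aimed at TCP/22 on 192.168.1.1)
# and a benign business document.
SCAN_PROBE = ('<!DOCTYPE scan [<!ENTITY test SYSTEM "http://192.168.1.1:22/">]>'
              '<scan>&test;</scan>')
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'


def classify(document):
    """Return 'ok' or the rejection reason for `document`."""
    try:
        hardened_parse(document)
        return "ok"
    except Rejected as err:
        return err.args[0]
```

Because the DOCTYPE handler fires before the internal subset is read, the probe is refused without the entity declaration ever being processed, and the caller sees a short, detail-free rejection rather than a timing-dependent parser error.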
Structured Testing
• Web services are popular
  • So is testing their security
• However, no structured framework exists
  • i.e. no OWASP (although some OWASP projects touch on web services)
• Security testing must be structured to be useful

Structured Testing Framework
• Threat modelling
• Scoping
• Test planning
• Test execution
• Reporting

Testing Categories
• Information gathering
• Fuzzing
• Injection
• Confidentiality & integrity
• Logging
• Logic flaws
• Authentication & authorisation
• Availability