Justin Derry,
OWASP Brisbane Chapter Leader
Practice Leader, b-sec Consulting
jderry@b-sec.com
+61 411 411 881

OWASP AppSec Seattle, Oct 2006

Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the Creative Commons Attribution-ShareAlike 2.5
License. To view this license, visit
http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/
Presentation Agenda
Web Services & Technology
What is a Web Service
Where are they commonly used & why
Are you Exposing yourself (Willingly/Unwillingly)?
What's happening right now
An Attacker's Toolkit
Known common attacks against XML
XML Interceptor Toolkit
Case Studies (XML Web Service & WS-Security Web Service)
Vendor Applications
In-house applications that share data with partners
Developers writing a tool to solve a problem without business awareness
New Technologies (AJAX, Web 2.0, Google)
Maybe not called a Web Service but has similar characteristics to an XML Web Service
Parsing Exploits
SAX/DOM Known Common Exploits on Vendor Frameworks
Custom parsers that are poorly written
XML Injection (Passed into XML Stream)
XPath Injection Attacks
XML Manipulation (i.e. CDATA Manipulation etc.)
WSDL Discovery and Manipulation with schemas
DoS attacks against Web Services
Typical HTTP/S Style Header Injection attacks
Common Application Attacks (SQL Injection etc.)
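The parser-level items in the list above (SAX/DOM exploits, poorly written custom parsers, DoS against the service) are the ones a receiver can stop before any business logic runs, by refusing dangerous documents at parse time. The following Python function is an added example, not code from the slides or from any b-sec tool: it wraps the standard-library expat parser with the guards a hardened endpoint would apply, refusing entity declarations outright (the vehicle for expansion bombs and external entities), never fetching the external DTD subset, and capping size, nesting depth and element count while parsing. The limits and the sample documents are assumptions constructed for the demonstration.

```python
"""Guarded XML parsing for a web service endpoint.

Added example, not from the slides. Uses only the standard-library expat
parser; the limits below are assumptions chosen for the demonstration.
"""
import xml.parsers.expat as expat

MAX_BYTES = 1024 * 1024   # assumption: largest request body the service accepts
MAX_DEPTH = 64            # assumption: legitimate SOAP messages never nest this deep
MAX_ELEMENTS = 50_000     # assumption: bounds total work per request, independent of depth


class RejectedXML(ValueError):
    """Raised before any business logic sees a dangerous or malformed document."""


def parse_guarded(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                  max_elements=MAX_ELEMENTS):
    """Parse `data` (bytes) and return (root_tag, element_count), or raise RejectedXML.

    Entity declarations are refused as soon as expat reports them, the external
    DTD subset is never loaded, and depth and element count are checked on every
    start tag so a hostile document is stopped early rather than after it has
    consumed memory.
    """
    if len(data) > max_bytes:
        raise RejectedXML(f"document too large: {len(data)} bytes")

    state = {"depth": 0, "count": 0, "root": None}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(*_ignored):
        # Fires for every <!ENTITY ...> in the DTD, internal or external.
        raise RejectedXML("entity declarations are not accepted")

    def start_element(name, _attrs):
        state["count"] += 1
        state["depth"] += 1
        if state["root"] is None:
            state["root"] = name
        if state["depth"] > max_depth:
            raise RejectedXML(f"nesting deeper than {max_depth}")
        if state["count"] > max_elements:
            raise RejectedXML(f"more than {max_elements} elements")

    def end_element(_name):
        state["depth"] -= 1

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from None
    return state["root"], state["count"]


def demo():
    """Run the guard over constructed sample documents; returns a dict of outcomes."""
    benign = b'<Envelope><Body><GetBalance account="sample"/></Body></Envelope>'
    # Constructed two-entity expansion sample: just enough to trigger the guard.
    bomb = (b'<!DOCTYPE d [<!ENTITY e1 "x"><!ENTITY e2 "&e1;&e1;&e1;">]>'
            b'<Envelope>&e2;</Envelope>')
    deep = b"<a>" * 200 + b"</a>" * 200
    results = {"benign": parse_guarded(benign)}
    for label, doc, limits in (("bomb", bomb, {}), ("deep", deep, {}),
                               ("big", benign, {"max_bytes": 16})):
        try:
            parse_guarded(doc, **limits)
            results[label] = "accepted"
        except RejectedXML as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:7} {outcome}")
```

The size check runs before the parser is even created, so an oversized body costs nothing beyond reading its length; the depth and count checks run inside the start-tag callback, which is what makes a deeply nested or very wide document fail fast instead of after a full DOM has been built.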
Download available at
www.intratools.net/owasp
[Diagram: Web Server; HTTP/S Web Traffic (HTML); XML SOAP Messages via Web Services; Firewall; Corporate Firewall; Support/Admin User (Windows Forms Interface)]
Exploiting a Web Service through XML
[Diagram: Web Server; HTTP/S Web Traffic (HTML); Web Server; XML (WS-Security); Firewall; XML Gateway Appliance; Remote Application (Transactional Requests)]
Case Study 2 (Where did it all go wrong!)
Assumed WS-Security protects 100%
Messages not sent over SSL (Sniffing/Replay)
XML Gateway Appliance misconfigured
Sensitive data was passed in clear text
API Toolkit was basic and had no security
Assumed XML Gateway was doing its job
Assumed end users knew what they were doing
Soap Envelope
Contains the schema details and instructions for the message
WS-Security Details
Contains any WSSE Tokens, Digital Signatures etc. Also includes the WSU Created Token (Timestamps)
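The WSU Created/Expires timestamps and the WSSE nonce are exactly what lets a receiver reject the sniffed-and-replayed messages described in Case Study 2, but only if the receiver actually checks them rather than assuming the gateway did. The following Python check is an added example, not code from the slides or from the case study's API toolkit: it locates the wsse:Security header in a SOAP envelope, enforces a freshness window on the wsu:Timestamp and refuses a nonce it has already seen. The namespace URIs are the WS-Security 1.0 ones; the clock-skew and lifetime limits, the partner name, the nonce values and the sample envelopes are assumptions constructed for the demonstration.

```python
"""Replay and freshness check on a WS-Security header.

Added example, not from the slides or from the case study's API toolkit.
The namespace URIs are the WS-Security 1.0 ones; MAX_SKEW, MAX_LIFETIME,
the partner name and the sample envelopes are assumptions constructed for
the demonstration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-wssecurity-secext-1.0.xsd"),
    "wsu": ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-utility-1.0.xsd"),
}
MAX_SKEW = timedelta(minutes=5)      # assumption: tolerated clock drift between peers
MAX_LIFETIME = timedelta(minutes=5)  # assumption: longest Created..Expires window accepted


def parse_utc(text):
    """Parse the xsd:dateTime values WS-Security uses (UTC, trailing Z)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp: {text!r}")


def check_security_header(envelope_xml, now, seen):
    """Return 'ok' or the reason the message must be rejected.

    `seen` is the receiver's replay cache (a set owned by the caller). In a real
    service it is bounded: an entry can be evicted once its Created value is
    older than MAX_SKEW + MAX_LIFETIME, because the timestamp checks alone will
    reject any later copy.
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return "missing wsse:Security header"
    created_el = sec.find("wsu:Timestamp/wsu:Created", NS)
    expires_el = sec.find("wsu:Timestamp/wsu:Expires", NS)
    if created_el is None or expires_el is None:
        return "missing wsu:Timestamp"
    try:
        created = parse_utc(created_el.text or "")
        expires = parse_utc(expires_el.text or "")
    except ValueError:
        return "unparseable timestamp"
    if created > now + MAX_SKEW:
        return "created in the future"
    if expires <= now:
        return "expired"
    if expires - created > MAX_LIFETIME:
        return "timestamp window too long"
    nonce_el = sec.find("wsse:UsernameToken/wsse:Nonce", NS)
    nonce = (nonce_el.text or "").strip() if nonce_el is not None else ""
    if not nonce:
        return "missing nonce"
    key = (nonce, created_el.text.strip())   # a nonce is unique per Created value
    if key in seen:
        return "replayed nonce"
    seen.add(key)
    return "ok"


def build_envelope(created, expires, nonce):
    """Constructed sample envelope carrying only the fields the check inspects."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsu:Timestamp>
        <wsu:Created>{created}</wsu:Created>
        <wsu:Expires>{expires}</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken>
        <wsse:Username>partner-app</wsse:Username>
        <wsse:Nonce>{nonce}</wsse:Nonce>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetBalance account="sample"/></soap:Body>
</soap:Envelope>"""


def demo():
    """Deliver a message, replay it, then present a stale one; returns the verdicts."""
    now = datetime(2006, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    cache = set()
    fresh = build_envelope("2006-10-10T11:59:30Z", "2006-10-10T12:04:30Z", "c2FtcGxlLW5vbmNl")
    stale = build_envelope("2006-10-10T11:00:00Z", "2006-10-10T11:05:00Z", "b2xkLW5vbmNl")
    bare = f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Body/></soap:Envelope>'
    return [check_security_header(fresh, now, cache),   # first delivery
            check_security_header(fresh, now, cache),   # same bytes again: a replay
            check_security_header(stale, now, cache),   # captured an hour earlier
            check_security_header(bare, now, cache)]    # no security header at all
```

Note what this check does not do: it does not verify the digital signature over the Timestamp and Body. Without a signature binding them, an attacker who can alter the message could simply rewrite Created and Expires, so the timestamp and nonce checks are only meaningful when the header is signed and the signature is verified first (and the transport is protected, which Case Study 2 lacked).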
[Diagram: WS-* standards stack: WS-SecureConversation, WS-ReliableMessaging, WS-Trust; Description Services, Delivery Services - Standards for XML]
Common Mistakes
Justin Derry
Application Security Practice Leader
B-sec Consulting Pty Ltd (Australia)
+61 411 411 881
Email: jderry@b-sec.com