Transcript OWASP Plan

Techniques in Attacking and
Defending XML/Web Services
AppSec DC
Jason Macy & Mamoon Yunus
Crosscheck Networks – Forum Systems
[email protected] [email protected]
617-938-3956
November 13, 2009
The OWASP Foundation
http://www.owasp.org
Agenda
1. Introduction to XML/Web Services Threats
2. Techniques for Defending XML Threats
3. XML Attack Examples and Classification
• SQL Injection
• Denial of Service
• XSD Mutation
4. Review Attack Examples by:
• Attack Definition: Scenario Setup
• Attack Vectors: Building Penetration Tests
• Post-Attack Analysis: XML Vulnerability Detection
• Countermeasures: XML Gateway
OWASP
2
Introduction to XML Threats
[Diagram, transcribed: attack vectors carried over SOAP, XML and REST, and the damage they lead to]
Vectors: SQL Injection, XSD Mutation, Virus, Malware, Denial of Service, Identity Discovery (attacker side labelled 1..N source IP)
Explicit Attacks
• Forced Disruption: Bring Down or Limit Enterprise Service Availability
• Information Theft: Gain Access to Enterprise Resources
• Vendor Discovery: Expose Known Traditional Attacks
Implicit Vulnerability
• Perimeter Breach: Embedded Virus, Malware
• Infrastructure Malfunction: Parser and Data Processing Failures
New Attack Vectors
[Diagram: Client sends SOAP/XML to the Web Service and receives SOAP/XML back]
• Protocol Firewalls are Blind to XML
• Malware and Virus delivered via SOAP Attachments
• WSDL Exposes Schema and Message Structure
• Injection Attacks Exposed via XML Parameters
• Data Replay Attacks
Security Testing - Base Requirements
• Security Framework: Sign, Encrypt, Decrypt, SSL
• Identity Framework: Basic Auth, SSL Auth, WS-Security Token Auth
• Parameter Injection
o Database or File Driven
o Permutations for Security, Identity, and SOAP/XML
• Concurrent Client Simultaneous Loading: Denial of Service Testing
• SOAP with Attachments: Malware and Virus testing
• Dynamic XSD Mutation: Derive SOAP Vulnerability profile from WSDL Schema
XML Security Gateway - Base Requirements
Certified PKI Infrastructure (DOD PKI)
• X509 Path Validation
• Sign/Verify, SSL Initiation, SSL Termination
Certified Security Architecture (FIPS)
• Key Management and Storage
• Physical Device Security
Transaction Privacy
• Encryption, Decryption, SSL
Transaction Integrity
• Digital Signature, Signature Verification, Schema Validation
Transaction Accountability
• Archiving, Logging, Reporting, and Monitoring
Transaction Threat Mitigation
• Intrusion Detection and Prevention
• Rate-based rules, Size-based rules, AntiVirus detection, Pattern recognition
• Structural integrity, Protocol adherence, Authorization Attempts
XML Attack Examples and Classification
1. SQL Injection Attack
• Classification: Injection, Data Excavation
2. Denial of Service Attack
• Classification: Resource Depletion
3. XSD Mutation Attack
• Classification: Data Structure Attacks, Resource Manipulation
CAPEC: Common Attack Pattern Enumeration and Classification
National Cyber Crime Division of DHS
http://capec.mitre.org
http://nvd.nist.gov/
XML Web Services based SQL Injection Attack
SQL Injection – Unsecured
[Diagram: web service built on PHP and NuSOAP, running on Apache with a MySQL database, reached directly by the client]
How to Attack
• Construct SQL Escape Sequences
• Construct SQL 1=1 Query
• Inject into XML Node values
Discovered Exposure
• Sensitive Data Loss
• Database Corruption
SQL Injection
1. What is it?
• SQL injection is a technique that exploits a vulnerability that occurs in the database layer of an application.
• The application incorrectly filters the string literal escape characters embedded in SQL statements.
2. Example:
• Good: 'select * from accounts where username="' . $username . '" AND password="' . $password . '"';
• Evil: select * from accounts where username="" or 1=1 #" AND password="";
3. Attack Vector:
• Old: User input from a browser-based application
• New: XML Web Services – WSDL defined Interface
Component Details – MySQL Database
o Test MySQL Database
o phpMyAdmin UI
o Accounts Table Data
Component Details – PHP Application
1. Function: getAccounts()
2. Connect to Database
3. Construct SQL Query: Great Vulnerability Point
4. Execute Query
5. Parse Query Results
6. Register function as a Web Service
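As an added illustration of steps 2 to 5 (this is not code from the deck or from its PHP demo application), the following Python reproduces the getAccounts logic against an in-memory SQLite table with constructed rows. It puts the slide's concatenated query beside a parameterized one so the difference is checkable. The table name and columns, the sample rows, and the SQLite-style single-quoted literals and `--` comment (the deck's PHP/MySQL example uses double quotes and `#`) are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the deck's MySQL "accounts" table (3 rows instead of 34).
SAMPLE_ACCOUNTS = [
    ("alice", "s3cret", "111-22-3333"),
    ("bob", "hunter2", "444-55-6666"),
    ("carol", "letmein", "777-88-9999"),
]


def connect_test_db():
    """Step 2: connect to the database (an in-memory SQLite DB here, MySQL in the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_query_unsafe(username, password):
    """Step 3 as the slide shows it: the query is assembled by string concatenation,
    so the client's text becomes SQL syntax.  This is the 'Great Vulnerability Point'."""
    return ("select * from accounts where username='" + username
            + "' AND password='" + password + "'")


def get_accounts_unsafe(conn, username, password):
    """Steps 3-5 with the concatenated query: any SQL smuggled in the input runs."""
    return conn.execute(build_query_unsafe(username, password)).fetchall()


def get_accounts_safe(conn, username, password):
    """Same lookup with a parameterized query: the driver binds the values as data,
    so quotes, comments and 'or 1=1' in the input are compared, never executed."""
    sql = "select * from accounts where username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


# The slide's evil input ends the statement with MySQL's '#' comment; SQLite uses
# '--', so this constructed payload is the SQLite equivalent of the slide's 1=1 query.
INJECTION_PAYLOAD = "' or 1=1 -- "


def demo():
    """Returns (rows leaked by the unsafe query, rows from the safe query with the
    same payload, rows for a genuine login) so the difference is checkable."""
    conn = connect_test_db()
    leaked = get_accounts_unsafe(conn, INJECTION_PAYLOAD, "anything")
    blocked = get_accounts_safe(conn, INJECTION_PAYLOAD, "anything")
    legit = get_accounts_safe(conn, "alice", "s3cret")
    return len(leaked), len(blocked), len(legit)


if __name__ == "__main__":
    print(build_query_unsafe(INJECTION_PAYLOAD, "anything"))
    print(demo())
```

The unsafe path returns every row of the table, which is exactly the "full table returned" result the next slide reports; the parameterized path returns nothing for the same input because the payload is compared as a username, not parsed as SQL.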
SQL Injection over SOAP Message – Unsecured
• Pointed to Service Endpoint
• Advertises use of PHP
• SQL Injection over XML/SOAP
• Full Table Returned in SOAP Response: 34 Records
SQL Injection – XML Gateway Secured
[Diagram: Client sends SOAP through an XML Gateway (inbound pattern detection, prevent outbound leaks) to the PHP/NuSOAP web service on Apache with MySQL]
How to Defend
• Deploy XML Gateway
• Enable Pattern Scanning IDP Rules
• Configure Response Message Size and Complexity Limits
Advantages
• Prevent Data Loss
• Alert and Quarantine Attempted Breaches
SQL Injection over XML/SOAP – Sentry Protection Policy
o Pre-built Pattern Matching for SQL Injection Detection
o Extensible for Business Specific Requirements
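The policy on this slide is product configuration; the following Python is an added example (not Forum Systems code and not from the deck) of what the two gateway controls from the previous slides look like in code: scanning every inbound XML node value against a small SQL injection pattern library, and applying a size and record-count limit to the outbound response. The SOAP request and its namespace, the pattern list, the limits and the response format are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed SOAP request for the deck's getAccounts service (namespace is assumed).
INJECTED_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:ns="urn:example:accounts">
  <soap:Body>
    <ns:getAccounts>
      <ns:username>" or 1=1 #</ns:username>
      <ns:password>x</ns:password>
    </ns:getAccounts>
  </soap:Body>
</soap:Envelope>"""

CLEAN_REQUEST = INJECTED_REQUEST.replace('" or 1=1 #', "alice")

# A small pattern library in the spirit of the gateway's pre-built SQL injection rules.
# Each entry is (rule name, compiled regex); constructed here, extended per business needs.
SQL_PATTERNS = [
    ("tautology", re.compile(r"""(?i)\bor\b\s+['"]?\s*\d+\s*=\s*\d+""")),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("quote-breakout", re.compile(r"""['"]\s*(or|and|;)\b""", re.I)),
    ("stacked-statement", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
]


def scan_inbound(envelope_xml):
    """Walk every element's text (the XML node values the deck injects into) and
    return a list of (element tag, rule name) hits.  An empty list means 'pass'."""
    root = ET.fromstring(envelope_xml)
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text:
            continue
        for name, rx in SQL_PATTERNS:
            if rx.search(text):
                hits.append((elem.tag.split("}")[-1], name))
    return hits


def check_outbound(response_xml, max_bytes=4096, max_records=5, record_tag="account"):
    """Response size and complexity limit: a getAccounts reply larger than max_bytes
    or carrying more than max_records account nodes is treated as a data leak."""
    if len(response_xml.encode("utf-8")) > max_bytes:
        return False, "response exceeds size limit"
    root = ET.fromstring(response_xml)
    records = sum(1 for e in root.iter() if e.tag.split("}")[-1] == record_tag)
    if records > max_records:
        return False, f"response carries {records} records (limit {max_records})"
    return True, "ok"


def make_response(n):
    """Constructed getAccounts response with n account records, for the demo."""
    body = "".join(f"<account><username>u{i}</username></account>" for i in range(n))
    return f"<getAccountsResponse>{body}</getAccountsResponse>"


if __name__ == "__main__":
    print(scan_inbound(INJECTED_REQUEST))   # username node fires three rules
    print(scan_inbound(CLEAN_REQUEST))      # no hits
    print(check_outbound(make_response(34)))  # the deck's 34-record leak is stopped
```

The inbound scan is applied to node text only, so the gateway does not have to know the service's parameter names in advance; the outbound check is what catches a query that slipped past the patterns, since a single-user lookup has no business returning the whole table.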
SQL Injection over SOAP Message – Secured
• Pointed through XML Gateway
• Endpoint Technology Obfuscated
• SQL Injection over XML/SOAP
• SOAP Request Stopped by XML Gateway
XML Web Services based Denial of Service Attack
Denial of Service – Unsecured
[Diagram: Client sends directly to the Web Service]
How to Attack
• Loading Client with Concurrent Simultaneous Threads
• Coercive Parsing Attack
Discovered Exposure
• Unlimited message flow
• Unfair Service SLA distribution
• Back-end CPU and I/O Saturation
Denial of Service – Unsecured
• Multiply Service running on IIS
• Capable of ~700 TPS
• No restrictions on Client
Denial of Service – XML Gateway Secured
[Diagram: Client sends through an XML Gateway (enforce transaction rate) to the Web Service]
How to Defend
• Deploy XML Gateway
• Set Allowed Transaction Rates (Group, User, or IP)
Advantages
• Message Flow Limited to Specified Rate
• Service Throughput Fairly Distributed
• Back-end mitigated from CPU and I/O Saturation
Denial of Service – Sentry Protection Rule
• 20 TPS Restriction Policy
• Granular Enforceability
• Configure Action
• Custom Message
Denial of Service – Sentry Protection Action
• Action: Abort Processing
• Additional Options: Throttle, Block
• Stealth Mode to suppress data leaks via responses
• Prevent log flooding
• Quarantine Messages for further analysis
Denial of Service – Secured
• Request: Multiply a x b sent through XML Gateway
• 20 TPS Restriction triggered
• Client cannot invoke a DoS
• ~ 680 TPS service capacity remains
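An added example (not the deck's or the product's code) of the transaction rate rule described on the preceding slides, in Python: a per-identity sliding window at 20 TPS with the abort, throttle and block actions, a stealth response that says nothing about the rule, and logging that emits one line per identity per window rather than one per rejected request. Client addresses, timestamps and limits are constructed.

```python
import time
from collections import deque


class TransactionRateRule:
    """Sliding-window transaction rate rule keyed by identity (IP, user or group),
    in the spirit of the deck's 20 TPS restriction.  Action names follow the slide:
    'abort' rejects the request, 'throttle' asks the client to retry later, and
    'block' rejects and remembers the identity.  Limits are constructed defaults."""

    def __init__(self, max_tps=20, window=1.0, action="abort", stealth=True):
        self.max_tps = max_tps
        self.window = window
        self.action = action
        self.stealth = stealth      # suppress rule details in the client-facing reply
        self._windows = {}          # identity -> deque of admitted timestamps
        self._blocked = set()
        self._logged_window = {}    # identity -> start of the window already logged
        self.log = []               # one entry per identity per window, not per hit

    def _fault(self, detail):
        # Stealth mode: the response says nothing about which rule fired.
        return "Service unavailable" if self.stealth else detail

    def _log_once(self, identity, window_start, detail):
        # Prevent log flooding: a burst of rejected requests yields one log line.
        if self._logged_window.get(identity) != window_start:
            self._logged_window[identity] = window_start
            self.log.append(f"{identity}: {detail}")

    def admit(self, identity, now=None):
        """Return (decision, response_text); `now` can be injected for testing."""
        now = time.monotonic() if now is None else now
        if identity in self._blocked:
            return "block", self._fault("client blocked")
        q = self._windows.setdefault(identity, deque())
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) < self.max_tps:
            q.append(now)
            return "allow", "forwarded to web service"
        detail = f"rate limit of {self.max_tps} per {self.window}s exceeded"
        self._log_once(identity, q[0], detail)
        if self.action == "block":
            self._blocked.add(identity)
            return "block", self._fault(detail)
        if self.action == "throttle":
            retry_in = self.window - (now - q[0])
            return "throttle", self._fault(f"{detail}; retry in {retry_in:.2f}s")
        return "abort", self._fault(detail)


def demo_burst(n=25, max_tps=20):
    """Constructed burst: one client fires n requests inside a quarter second,
    a second client sends one request, and the first client returns later."""
    rule = TransactionRateRule(max_tps=max_tps)
    t0 = 100.0
    first = [rule.admit("10.0.0.5", now=t0 + i * 0.01)[0] for i in range(n)]
    other = rule.admit("10.0.0.6", now=t0 + 0.5)[0]
    later = rule.admit("10.0.0.5", now=t0 + 1.5)[0]
    return {
        "allowed": first.count("allow"),
        "aborted": first.count("abort"),
        "other_client": other,
        "after_window": later,
        "log_lines": len(rule.log),
    }


if __name__ == "__main__":
    print(demo_burst())
```

Keying the window on the identity is what gives the "fairly distributed" throughput the slide claims: the bursting client is cut off at its allowance while an unrelated client is served, and the back end never sees more than the configured rate from any one source.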
Another Example: Denial of Service through Coercive Parsing
Test 1: Echo Request with s=test. All responses are successful (well-formed XML).
Min 1.20 ms, Max 3.50 ms, Ave 1.60 ms
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
<soap:Body>
<s0:Echo>
<s0:s>test</s0:s>
</s0:Echo>
</soap:Body>
</soap:Envelope>
Test 2: Echo Request with s=test. All responses fail (XML not well-formed).
Min 2.10 ms, Max 5.0 ms, Ave 2.73 ms
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
<soap:Body>
<s0:Echo>
<s0:s>test</s0:s>
</s0:Echo>
</soap:Body>
</soap:Envelope
(The closing ">" is missing from the last line.)
> 70% Degradation by removing one character
XML Web Services based XSD Mutation Attack
XSD Mutation Attack – Unsecured
[Diagram: Client sends directly to the Web Service]
How to Attack
• Obtain WSDL
• Derive Message Structure and Types from WSDL Schema
• Send SOAP Message Mutations based on Schema
Discovered Exposure
• Code Paths not Handled for Exceptions
• Stack Traces Returned with Implementation Details
• Application Failure
XSD Mutation Attack – Lifecycle
[Diagram: a cycle with the stages Run Attack, Author Attack Vectors, Analyze Results, Vulnerability Report, Add New Detection Libraries]
XSD Mutation: Building Attack Vectors
• Service Loaded from endpoint
• Mutant Messages generated based on WSDL – XSD
• Data type, structure, size mutations
XSD Mutation: Analyze Attack
• Test generated based on WSDL complexity
• Sample Data Value Mutation
• username contains string value mutation
• response reveals backend components and method calls
XSD Mutation: Extend Detection Libraries
• Look for nusoap.php
• High Severity – Open source Parser
• Vulnerability Detection Libraries
• Application/Platform Specific
• Business Specific – SSN, Credit Card
XSD Mutation Attack – XML Gateway Secured
[Diagram: Client sends through an XML Gateway (enforce inbound schema validation, prevent outbound data leaks) to the Web Service]
How to Defend
• Deploy XML Gateway
• Enforce Inbound Message Structure and Type Validation
• Cleanse Outbound Data (Stack Traces, Sensitive Data)
Advantages
• Reduce Parser Impact on Web Service
• Remove Vendor and Implementation Details in Response
• Protect Application Layer Code Paths on Web Service
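Added Python example (not code from the deck or the product) of the outbound half of the last two slides: a detection library in the style of the deck's nusoap.php rule, extended with constructed SSN and credit card patterns, run over a constructed SOAP fault of the kind the mutation test provoked and over a constructed getAccounts response. Faults are replaced with a generic one and sensitive values are masked before anything leaves the gateway. The file paths, fault text, rule names, severities and regexes are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed fault mimicking the deck's finding: a mutated username makes the
# PHP/NuSOAP backend return a stack trace that names its components.
LEAKY_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>mysql_query(): You have an error in your SQL syntax</faultstring>
      <detail>#0 /var/www/lib/nusoap.php(4321): getAccounts()
#1 /var/www/service.php(57): soap_server->invoke_method()</detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

# Constructed ordinary response carrying business-sensitive data.
PII_RESPONSE = ("<getAccountsResponse><account><username>alice</username>"
                "<ssn>111-22-3333</ssn></account></getAccountsResponse>")

# Detection library: (rule name, severity, pattern).  The nusoap.php rule is the
# deck's example; the others are constructed application- and business-specific rules.
DETECTION_LIBRARY = [
    ("nusoap-parser", "high", re.compile(r"nusoap\.php", re.I)),
    ("stack-trace", "medium", re.compile(r"#\d+\s+/\S+\.php\(\d+\)")),
    ("mysql-error", "medium", re.compile(r"mysql_query|SQL syntax", re.I)),
    ("ssn", "high", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("credit-card", "high", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),
]
MASKED_RULES = {"ssn", "credit-card"}   # rules whose matches are redacted, not just reported


def classify(text):
    """Return the (rule name, severity) pairs that fire on a response body."""
    return [(name, sev) for name, sev, rx in DETECTION_LIBRARY if rx.search(text)]


def cleanse_response(envelope_xml):
    """Outbound gateway policy: report detection-library hits, replace any SOAP Fault
    with a fixed generic fault, and mask sensitive values elsewhere.
    Returns (cleansed xml, findings)."""
    findings = classify(envelope_xml)
    ET.register_namespace("soap", SOAP_NS)
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault") if body is not None else None
    if fault is not None:
        # Drop every child (faultstring, detail, stack trace) and emit a fixed fault.
        for child in list(fault):
            fault.remove(child)
        ET.SubElement(fault, "faultcode").text = "soap:Server"
        ET.SubElement(fault, "faultstring").text = "Request could not be processed"
    out = ET.tostring(root, encoding="unicode")
    for name, _sev, rx in DETECTION_LIBRARY:
        if name in MASKED_RULES:
            out = rx.sub("[REDACTED]", out)
    return out, findings


if __name__ == "__main__":
    for sample in (LEAKY_FAULT, PII_RESPONSE):
        cleaned, findings = cleanse_response(sample)
        print(findings)
        print(cleaned)
```

Reporting and cleansing are deliberately separate: the findings list is what feeds the vulnerability report and the alerting on the earlier lifecycle slide, while the rewritten body is all the client ever sees, so the endpoint technology stays obfuscated even when the back end misbehaves.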
XSD Mutation – Sentry Protection Policy
• XML Gateway provides Policies to protect against XML specific attacks
XSD Mutation – Secured
1. Deploy Specialized XML Gateways – Packet Firewalls and HTML Application Firewalls are insufficient
2. Validate XML against a robust schema
3. Tighten Schema: e.g., replace an unbounded string with a string limited to 2048 characters
4. Enforce XML specific detection rules, e.g., node depth, recursive payloads
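Added Python example (not code from the deck) implementing points 3 and 4 of this slide and covering the coercive-parsing case from the earlier Echo slide: a streaming expat pre-check that rejects oversized, malformed, too-deep or too-wide messages and over-long string values before the service's own parser runs, so a single bad character or a deeply nested body costs the gateway a few microseconds instead of costing the back end a full parse. It reuses the deck's Echo envelope; the byte, depth and element limits are constructed defaults, the 2048-character string limit is the slide's own figure. This is a structural check, not a substitute for validating against the WSDL's schema (point 2).

```python
import xml.parsers.expat

# The Echo envelope from the deck's coercive-parsing slide.
WELL_FORMED = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
<soap:Body>
<s0:Echo>
<s0:s>test</s0:s>
</s0:Echo>
</soap:Body>
</soap:Envelope>"""

MALFORMED = WELL_FORMED[:-1]   # drop the final ">" exactly as the slide does


class LimitExceeded(Exception):
    pass


class XmlLimitChecker:
    """Streaming pre-check run ahead of the web service's parser.  Parsing stops
    at the first violated limit, so a hostile message is never fully processed.
    max_bytes, max_depth and max_elements are constructed defaults; max_string
    is the deck's 2048-character example."""

    def __init__(self, max_bytes=64 * 1024, max_depth=16, max_elements=512, max_string=2048):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_string = max_string

    def check(self, data):
        """Return (ok, reason)."""
        if isinstance(data, str):
            data = data.encode("utf-8")
        if len(data) > self.max_bytes:          # size limit before any parsing at all
            return False, f"message exceeds {self.max_bytes} bytes"
        depth = elements = 0
        text_len = [0]                           # characters seen in the current element
        parser = xml.parsers.expat.ParserCreate()

        def start(name, attrs):
            nonlocal depth, elements
            depth += 1
            elements += 1
            text_len[0] = 0
            if depth > self.max_depth:
                raise LimitExceeded(f"node depth {depth} exceeds {self.max_depth}")
            if elements > self.max_elements:
                raise LimitExceeded(f"more than {self.max_elements} elements")

        def end(name):
            nonlocal depth
            depth -= 1

        def chars(text):
            # expat may deliver one value in several chunks, so accumulate.
            text_len[0] += len(text)
            if text_len[0] > self.max_string:
                raise LimitExceeded(f"string value longer than {self.max_string}")

        parser.StartElementHandler = start
        parser.EndElementHandler = end
        parser.CharacterDataHandler = chars
        try:
            parser.Parse(data, True)
        except LimitExceeded as e:
            return False, str(e)
        except xml.parsers.expat.ExpatError as e:
            return False, f"not well-formed: {e}"
        return True, "ok"


def nested_payload(depth):
    """Constructed deeply nested body, the 'recursive payload' case of point 4."""
    return "<a>" * depth + "x" + "</a>" * depth


if __name__ == "__main__":
    checker = XmlLimitChecker()
    for sample in (WELL_FORMED, MALFORMED, nested_payload(40), "<a>" + "x" * 3000 + "</a>"):
        print(checker.check(sample))
```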
Best Practices for Countermeasures
Information Control – Outbound
• Restrict SOAP Faults
• Protect Sensitive Information
• Audit Transaction Flows
Information Control – Inbound
• Tighten Payloads
• Enforce SLA
• Disallow SQL, Virus, Malicious Code
Use Web Services Penetration Testing Product
• Out of the box Vulnerability Discovery
• Simplified Testing and Diagnostics of Service Endpoint
• Validation of Security Gateway Policies
Deploy XML Web Services Gateway
• Forum Systems Sentry XML Gateway
• Barracuda
• Radware AppXML
Deploy Centralized XML Security
• Enforce Policy Independent of Application Servers and OS Platforms
• Audit and Filter Sensitive Information
• Separate Security from Application Code
Learn more @
www.crosschecknet.com
and
www.forumsys.com