Forum Systems: Techniques Attack Defend XML-SOA


  • 8/8/2019 Forum Systems: Techniques Attack Defend XML-SOA

    Slide 1/35: Techniques in Attacking and Defending XML/Web Services
    The OWASP Foundation, AppSec DC, http://www.owasp.org
    Jason Macy & Mamoon Yunus, Crosscheck Networks / Forum Systems
    [email protected], [email protected]
    617-938-3956
    November 13, 2009

    Slide 2/35: Agenda
    1. Introduction to XML/Web Services Threats
    2. Techniques for Defending XML Threats
    3. XML Attack Examples and Classification: SQL Injection, Denial of Service, XSD Mutation
    4. Review of each attack example by:
       o Attack Definition & Scenario Setup
       o Attack Vectors: Building Penetration Tests
       o Post-Attack Analysis: XML Vulnerability Detection
       o Countermeasures: XML Gateway

    Slide 3/35: Introduction to XML Threats
    (Diagram: attack vectors carried over SOAP, XML and REST from 1..N source IPs: SQL Injection, XSD Mutation, Virus, Malware, Identity Discovery, Denial of Service)
    • Explicit Attacks
      o Forced Disruption: Bring Down or Limit Enterprise Service Availability
      o Information Theft: Gain Access to Enterprise Resources
      o Vendor Discovery: Expose Known Traditional Attacks
    • Implicit Vulnerability
      o Perimeter Breach: Embedded Virus, Malware
      o Infrastructure Malfunction: Parser and Data Processing Failures

    Slide 4/35: New Attack Vectors
    • Protocol Firewalls are Blind to XML: Malware and Virus delivered via SOAP Attachments
    • WSDL Exposes Schema and Message Structure
    • Injection Attacks Exposed via XML Parameters
    • Replay Attacks
    (Diagram: Client exchanging SOAP/XML messages with a Web Service)

    Slide 5/35: Security Testing - Base Requirements
    • Security Framework: Sign, Encrypt, Decrypt, SSL
    • Identity Framework: Basic Auth, SSL Auth, WS-Security Token Auth
    • Parameter Injection: Database- or File-Driven Permutations for Security, Identity, and SOAP/XML
    • Concurrent Client Simultaneous Loading: Denial of Service Testing
    • SOAP with Attachments: Malware and Virus Testing
    • Dynamic XSD Mutation: Derive SOAP Vulnerability Profile from WSDL Schema

    Slide 6/35: XML Security Gateway - Base Requirements
    • Transaction Privacy: Encryption, Decryption, SSL
    • Transaction Integrity: Digital Signature, Signature Verification, Schema Validation
    • Transaction Accountability: Archiving, Logging, Reporting, and Monitoring
    • Transaction Threat Mitigation: Intrusion Detection and Prevention
      o Rate-based rules, Size-based rules, AntiVirus detection, Pattern recognition
      o Structural integrity, Protocol adherence, Authorization Attempts
    • Certified PKI Infrastructure (DoD PKI): X.509 Path Validation, Sign/Verify, SSL Initiation, SSL Termination
    • Certified Security Architecture (FIPS): Key Management and Storage, Physical Device Security

    Slide 7/35: XML Attack Examples and Classification
    1. SQL Injection Attack. Classification: Injection, Data Excavation
    2. Denial of Service Attack. Classification: Resource Depletion
    3. XSD Mutation Attack. Classification: Data Structure Attacks, Resource Manipulation
    Classification follows CAPEC (Common Attack Pattern Enumeration and Classification), National Cyber Crime Division of DHS: http://capec.mitre.org and http://nvd.nist.gov/

    Slide 8/35: XML Web Services based SQL Injection Attack

    Slide 9/35: SQL Injection: Unsecured
    (Diagram: Client -> Web Service, no gateway; target stack of MySQL, PHP with NuSOAP, and Apache)
    How to Attack
    • Construct SQL Escape Sequences
    • Construct SQL 1=1 Query
    • Inject into XML Node Values
    Discovered Exposure
    • Sensitive Data Loss
    • Database Corruption

    Slide 10/35: SQL Injection
    1. What is it? SQL injection is a technique that exploits a vulnerability in the database layer of an application: the application fails to filter string-literal escape characters embedded in SQL statements.
    2. Example (PHP building the query by string concatenation):
       Good: 'select * from accounts where username="' . $username . '" AND password="' . $password . '"'
       Evil: select * from accounts where username="" or 1=1 #" AND password=""
       With the username node set to `" or 1=1 #`, the injected quote closes the literal early and `#` comments out the password check, so the WHERE clause is always true.
    3. Attack Vector
       o Old: User input from a browser-based application
       o New: XML Web Services WSDL-defined Interface

    Slide 11/35: Component Details: MySQL Database
    o Test MySQL Database
    o phpMyAdmin UI
    o Accounts Table Data

    Slide 12/35: Component Details: PHP Application
    1. Function: getAccounts()
    2. Connect to Database
    3. Construct SQL Query: Great Vulnerability Point
    4. Execute Query
    5. Parse Query Results
    6. Register function as a Web Service
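The getAccounts() flow above is the deck's vulnerability point. As an added example, not code from the deck or from Forum Systems, the following Python places the same concatenated query beside its parameterized form against a constructed SQLite accounts table; the function names and the node values are assumptions, and the tautology is written in SQLite syntax because SQLite lacks MySQL's `#` comment and double-quoted strings.

```python
import sqlite3

def build_accounts_db():
    # Constructed stand-in for the deck's MySQL accounts table; 34 rows, matching
    # the record count returned in the unprotected SOAP response (slide 13).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(f"user{i}", f"pw{i}") for i in range(34)])
    return db

def get_accounts_vulnerable(db, username, password):
    # Mirrors the deck's PHP getAccounts() (slides 10 and 12): the SOAP node values
    # are concatenated into the SQL text, so a quote character changes the query.
    sql = ("SELECT username, password FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchall()

def get_accounts_safe(db, username, password):
    # Hardened form: bound parameters keep the node values as data, never as SQL.
    sql = "SELECT username, password FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

# Constructed node values. The second is the deck's `or 1=1` tautology written for
# SQLite (single quotes and `--`) instead of MySQL's double quotes and `#`.
LEGIT = ("user7", "pw7")
TAUTOLOGY = ("' OR 1=1 --", "anything")

if __name__ == "__main__":
    db = build_accounts_db()
    print(len(get_accounts_vulnerable(db, *TAUTOLOGY)), "rows from the concatenated query")
    print(len(get_accounts_safe(db, *TAUTOLOGY)), "rows from the parameterized query")
```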

    Slide 13/35: SQL Injection over SOAP Message: Unsecured
    • SQL Injection over XML/SOAP: Attack Surface Area increased
    • Full Table Returned in SOAP Response: 34 Records
    • Client pointed directly at the Service Endpoint, which advertises the use of PHP

    Slide 14/35: SQL Injection: XML Gateway Secured
    (Diagram: Client -> XML Gateway -> Web Service on MySQL, PHP with NuSOAP, Apache)
    o Inbound Pattern Detection
    o Prevent Outbound Leaks
    How to Defend
    • Deploy XML Gateway
    • Enable Pattern Scanning IDP Rules
    • Configure Response Message Size and Complexity Limits
    Advantages
    • Prevent Data Loss
    • Alert and Quarantine Attempted Breaches

    Slide 15/35: SQL Injection over XML/SOAP: Sentry Protection Policy
    o Pre-built Pattern Matching for SQL Injection Detection
    o Extensible for Business Specific Requirements

    Slide 16/35: SQL Injection over SOAP Message: Secured
    • SQL Injection over XML/SOAP: SOAP Request Stopped by XML Gateway
    • Client pointed through the XML Gateway endpoint: back-end technology obfuscated

    Slide 17/35: XML Web Services based Denial of Service Attack

    Slide 18/35: Denial of Service: Unsecured
    (Diagram: Client -> Web Service, no gateway)
    How to Attack
    • Loading Client with Concurrent Simultaneous Threads
    • Coercive Parsing Attack
    Discovered Exposure
    • Unlimited message flow
    • Unfair Service SLA distribution
    • Back-end CPU and I/O Saturation

    Slide 19/35: Denial of Service: Unsecured
    • Multiply Service running on IIS, capable of ~700 TPS
    • No restrictions on Client

    Slide 20/35: Denial of Service: XML Gateway Secured
    (Diagram: Client -> XML Gateway -> Web Service)
    o Enforce Transaction Rate
    How to Defend
    • Deploy SOA Gateway
    • Set Allowed Transaction Rates (Group, User, or IP)
    Advantages
    • Message Flow Limited to Specified Rate
    • Service Throughput Fairly Distributed
    • Back-end protected from CPU and I/O Saturation

    Slide 21/35: Denial of Service: Sentry Protection Rule
    • 20 TPS Restriction Policy
    • Granular Enforceability
    • Configure Action: Custom Message

    Slide 22/35: Denial of Service: Sentry Protection Action
    • Action: Abort Processing
    • Additional Options: Throttle, Block
    • Stealth Mode to suppress data leaks via responses
    • Prevent log flooding
    • Quarantine Messages for further analysis

    Slide 23/35: Denial of Service: Secured
    • Request: Multiply a x b sent through XML Gateway
    • 20 TPS Restriction triggered: Client cannot invoke a DoS
    • ~680 TPS of service capacity remains
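The rate rule on slides 20 to 23 as an added Python example, not code from the deck or from Sentry: a per-client sliding-window limiter that forwards at most 20 transactions per second per key and aborts the rest. The class and function names and the client IP addresses are assumptions.

```python
import time
from collections import defaultdict, deque

class TransactionRateLimiter:
    """Per-client sliding-window limit of the kind an XML gateway enforces
    (slide 21: a 20 TPS restriction keyed by group, user or source IP)."""

    def __init__(self, max_tps=20, clock=time.monotonic):
        self.max_tps = max_tps
        self.clock = clock                      # injectable so tests can supply times
        self.admitted = defaultdict(deque)      # client key -> times of admitted requests

    def admit(self, client_key, now=None):
        """Return True to forward the request, False to abort it (slide 22 action)."""
        now = self.clock() if now is None else now
        window = self.admitted[client_key]
        while window and now - window[0] >= 1.0:   # forget requests older than 1 s
            window.popleft()
        if len(window) >= self.max_tps:
            return False
        window.append(now)
        return True

def simulate_burst(limiter, client_key, requests, start=0.0, span=1.0):
    """Spread `requests` evenly over `span` seconds; return (forwarded, aborted)."""
    forwarded = 0
    for i in range(requests):
        if limiter.admit(client_key, now=start + span * i / requests):
            forwarded += 1
    return forwarded, requests - forwarded

if __name__ == "__main__":
    limiter = TransactionRateLimiter(max_tps=20)
    # One constructed client (10.0.0.5) firing 700 requests in a second, the slide-19
    # load, against the 20 TPS rule: 20 forwarded, 680 aborted before the back-end.
    print(simulate_burst(limiter, "10.0.0.5", 700))
```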

    Slide 24/35: Another Example: Denial of Service through Coercive Parsing
    • Echo Request, s=test, well-formed XML: all responses successful. Min 1.20 ms, Max 3.50 ms, Ave 1.60 ms
    • Echo Request, s=test with one character removed so the XML is not well-formed: all responses fail. Min 2.10 ms, Max 5.0 ms, Ave 2.73 ms
    • > 70% degradation in response time by removing one character

    Slide 25/35: XML Web Services Based XSD Mutation Attack

    Slide 26/35: XSD Mutation Attack: Unsecured
    (Diagram: Client -> Web Service, no gateway)
    How to Attack
    • Obtain WSDL
    • Derive Message Structure and Types from WSDL Schema
    • Send SOAP Message Mutations based on Schema
    Discovered Exposure
    • Code Paths not Handled for Exceptions
    • Stack Traces Returned with Implementation Details
    • Application Failure

    Slide 27/35: XSD Mutation Attack Lifecycle
    (Diagram: cycle of Author Attack Vectors -> Run Attack -> Analyze Results -> Add New Detection Libraries -> Vulnerability Report)

    Slide 28/35: XSD Mutation: Building Attack Vectors
    • Service Loaded from endpoint
    • Mutant Messages generated based on WSDL XSD: Data type, structure, and size mutations

    Slide 29/35: XSD Mutation: Analyze Attack
    • Test generated based on WSDL complexity
    • Sample Data Value Mutation: username contains value mutation
    • Response reveals backend components and method calls

    Slide 30/35: XSD Mutation: Extend Detection Libraries
    • Vulnerability Detection Libraries: Application/Platform Specific; Business Specific (SSN, Credit Card)
    • Example entry: Look for nusoap.php, High Severity, Open source Parser

    Slide 31/35: XSD Mutation Attack: XML Gateway Secured
    (Diagram: Client -> XML Gateway -> Web Service)
    o Enforce Inbound Schema Validation
    o Prevent Outbound Data Leaks
    How to Defend
    • Deploy XML Gateway
    • Enforce Inbound Message Structure and Type Validation
    • Cleanse Outbound Data (Stack Traces, Sensitive Data)
    Advantages
    • Reduce Parser Impact on Web Service
    • Remove Vendor and Implementation Details in Response
    • Protect Application Layer Code Paths on Web Service
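The outbound cleansing step ("Cleanse Outbound Data" above, with the detection-library entries of slide 30) as an added Python example, not Sentry's code: a response is scanned with constructed platform and PII rules, a SOAP fault that leaks implementation details is replaced wholesale by a generic fault, and SSNs and Luhn-valid card numbers in data nodes are masked. The pattern list, function names and sample messages are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed detection-library entries (slide 30): one platform-specific rule for the
# NuSOAP parser file and PHP error text, and business-specific rules for SSNs and cards.
PLATFORM_LEAK = re.compile(r"nusoap\.php|Stack trace:|Fatal error:|\.php on line \d+")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, spaces/dashes allowed
GENERIC_FAULT = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
                 "<soap:Fault><faultstring>Request failed</faultstring></soap:Fault></soap:Body></soap:Envelope>")

def luhn_ok(digits):
    # The checksum separates real card numbers from order ids of the same length.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_sensitive(text):
    """Mask SSNs and Luhn-valid card numbers in one text value; return (text, hits)."""
    hits = len(SSN.findall(text))
    text = SSN.sub("***-**-****", text)
    def mask_card(m):
        nonlocal hits
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD.sub(mask_card, text), hits

def cleanse_response(xml_bytes):
    """Outbound policy: a leaky response becomes a generic fault, otherwise PII is masked."""
    root = ET.fromstring(xml_bytes)
    if any(n.text and PLATFORM_LEAK.search(n.text) for n in root.iter()):
        return GENERIC_FAULT, {"platform-leak": 1}
    masked = 0
    for node in root.iter():
        if node.text:
            node.text, hits = mask_sensitive(node.text)
            masked += hits
    return ET.tostring(root, encoding="unicode"), {"masked": masked}

# Constructed samples of what an unprotected NuSOAP endpoint might return (slides 13, 29).
LEAKY_FAULT = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault>'
               b"<faultstring>Fatal error: in /var/www/nusoap.php on line 1234</faultstring></soap:Fault></soap:Body></soap:Envelope>")
ACCOUNTS = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><getAccountsResponse>'
            b"<ssn>123-45-6789</ssn><card>4111 1111 1111 1111</card><order>1234567890123</order></getAccountsResponse></soap:Body></soap:Envelope>")
```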

    Slide 32/35: XSD Mutation: Sentry Protection Policy
    • XML Gateway provides Policies to protect against XML specific attacks

    Slide 33/35: XSD Mutation: Secured
    1. Deploy Specialized XML Gateways: Packet Firewalls and HTML Application Firewalls are insufficient
    2. Validate XML against a robust schema
    3. Tighten Schema: e.g., restrict an unbounded string type to a string with a maximum length of 2048
    4. Enforce XML specific detection rules, e.g., node depth, recursive payloads
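Items 3 and 4 above, together with the coercive-parsing case on slide 24, as an added Python example that is not the deck's or Sentry's code: message size, node depth, element count and string length are checked in one streaming parse in front of the back-end parser, and a message that is not well-formed is rejected at the same point. The limit values other than 2048, the function names and the sample messages are assumptions.

```python
import io
import xml.etree.ElementTree as ET

class PolicyViolation(Exception):
    """Raised when an inbound message breaks a gateway rule."""

# Constructed limits: the deck gives 2048 as a tightened string length (slide 33);
# the other values are illustrative settings a gateway policy would carry.
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS, MAX_STRING = 64 * 1024, 32, 1000, 2048

def enforce_inbound_policy(xml_bytes):
    """Stream-parse once, in front of the back-end parser, stopping at the first
    violation. Returns (max_depth, element_count) for an accepted message."""
    if len(xml_bytes) > MAX_BYTES:
        raise PolicyViolation(f"size {len(xml_bytes)} exceeds {MAX_BYTES} bytes")
    depth = max_depth = elements = 0
    try:
        for event, node in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                max_depth = max(max_depth, depth)
                if depth > MAX_DEPTH:            # recursive payload / coercive parsing
                    raise PolicyViolation(f"node depth exceeds {MAX_DEPTH}")
                if elements > MAX_ELEMENTS:
                    raise PolicyViolation(f"element count exceeds {MAX_ELEMENTS}")
            else:
                if node.text and len(node.text) > MAX_STRING:   # tightened maxLength
                    raise PolicyViolation(f"string longer than {MAX_STRING} in <{node.tag}>")
                depth -= 1
                node.clear()                     # keep memory bounded while streaming
    except ET.ParseError as exc:                 # the slide-24 case: not well-formed
        raise PolicyViolation(f"not well-formed: {exc}") from None
    return max_depth, elements

def inspect_message(xml_bytes):
    """Gateway decision as a tuple: ('accept', stats) or ('reject', reason)."""
    try:
        max_depth, elements = enforce_inbound_policy(xml_bytes)
    except PolicyViolation as exc:
        return ("reject", str(exc))
    return ("accept", f"depth={max_depth} elements={elements}")

def nested_payload(levels):
    """Constructed recursive payload <a><a>...</a></a> used to probe the depth rule."""
    return ("<a>" * levels + "</a>" * levels).encode()

# Constructed echo request in the shape of slide 24's test; well-formed.
ECHO_OK = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b"<soap:Body><Echo><s>test</s></Echo></soap:Body></soap:Envelope>")
```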

    Slide 34/35: Best Practices for Countermeasures
    • Information Control Inbound: Tighten Payloads; Enforce SLA; Disallow SQL, Virus, Malicious Code
    • Information Control Outbound: Restrict SOAP Faults; Protect Sensitive Information; Audit Transaction Flows
    • Deploy Centralized XML Security: Enforce Policy Independent of Application Servers and OS Platforms; Audit and Filter Sensitive Information; Separate Security from Application Code
    • Deploy XML Web Services Gateway: Forum Systems Sentry XML Gateway, Barracuda, Radware AppXML
    • Use Web Services Penetration Testing Product: Out of the box Vulnerability Discovery; Simplified Testing and Diagnostics of Service Endpoint; Validation of Security Gateway Policies

    Slide 35/35: Learn more @ www.crosschecknet.com and www.forumsys.com