
  • Components and terminology
  • WS Threats
  • WS Hacking
  • WS Hardening

WS Stack


WS Provider or server site


WS Consumer client side


Common WS Usage


WS Threats



Sniffing and Snooping

  • Message confidentiality concerns


WS-Routing

  • SOAP messages can contain verbose instructions on their desired routing. If a single node in this routing path is compromised, multiple threats can be realized.

Replay Attacks 

  • Message integrity concerns, and a potential Denial of Service: an attacker takes a correct message with a valid credential and sends it 1000+ times

Denial of Service

  • The same old threat as network-level Denial of Service

Parsing Threats

Almost all products employ the same parsers; therefore, if a vulnerability exists in a single product leveraging MS Parser, then all the others face the same threat. The XML specification itself does not put any restrictions on the structure; how to handle it is left open to interpretation by the creator of the parser. Example: some parsers will stop reading an XML attribute value once they reach some number of characters, and others will continue.

<Name Organization="I'm a parser attack,……………..>

The following will be discussed:

• Buffer, Heap, Integer Overflows

• XML Parser Attacks

By passing a malicious buffer to a Web server or application server, the attacker can create an overflow condition in which a segmentation fault occurs.

• This oversized/malicious buffer can be sent as part of the transport header OR as part of the SOAP message.

• An expected integer value can be overflowed by exceeding the value allowed, causing a segmentation fault.

Once an attacker knows that an overflow is possible, they can then use this to potentially execute malicious code on the system. This is commonly called a buffer overflow attack.

XML Parser Attack Threats

The following threats can result in a denial of service commonly referred to as XML Denial of Service (XDOS) by consuming 100% of processing power on the system doing the parsing.

Complex or Recursive Payload

• Again, the XML specification and structure has no limits!

• Automated applications are available which create Fuzzed data for XDOS attacks.

Oversized Payload

• Many parsing technologies load entire documents into memory

• Web Services were generally NOT designed around large message sizes.
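A defensive pre-parse check for the oversized-attribute, complex-payload and oversized-payload cases above, as an added example that is not part of the original post. The limit values and the names `check_soap_message` and `XmlLimitError` are assumptions chosen for illustration; the DOCTYPE rejection goes slightly beyond the text, on the basis that SOAP messages may not carry a DTD.

```python
import xml.parsers.expat

# Limits are assumptions for illustration; tune them to the service's schema.
MAX_BYTES = 64 * 1024   # oversized payload guard (enforce while reading the body)
MAX_DEPTH = 32          # complex / recursive nesting guard
MAX_ELEMENTS = 5000     # total element count guard
MAX_ATTR_LEN = 256      # oversized attribute value guard


class XmlLimitError(ValueError):
    """Raised when a message is malformed or exceeds a structural limit."""


def check_soap_message(data: bytes) -> int:
    """Event-parse `data` without building a tree; return the element count."""
    if len(data) > MAX_BYTES:
        raise XmlLimitError("message larger than MAX_BYTES")
    state = {"depth": 0, "elements": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise XmlLimitError("nesting deeper than MAX_DEPTH")
        if state["elements"] > MAX_ELEMENTS:
            raise XmlLimitError("more than MAX_ELEMENTS elements")
        for key, value in attrs.items():
            if len(value) > MAX_ATTR_LEN:
                raise XmlLimitError(f"attribute {key!r} longer than MAX_ATTR_LEN")

    def end(name):
        state["depth"] -= 1

    def doctype(*args):
        # Refusing any DTD also prevents entity expansion inside the parser.
        raise XmlLimitError("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlLimitError(f"not well-formed: {exc}") from exc
    return state["elements"]
```

Run this check in front of the application's real parser so that a message is rejected before any full document tree is built in memory.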


• Unique attacks will be found where underlying parsers have vulnerabilities



• UDDI contains asset information

• Automated War-Dialers (scanners) can search UDDIs for services (i.e. Bank service found here)


• Contains adequate information to attack the service (i.e. here is how the bank service works)

• Automated programs consume WSDL and commence scanning the service (i.e. Automatically issue scanning/attack messages)

SOAP Faults

• SOAP Faults return information about the service (i.e. Bank service is running on IIS version ?? and uses .Net parser)

• SOAP Faults return errors from the backend resources such as the SQL DB or Mainframe (i.e. Bank service is using Oracle DB version)


Parameter Tampering

• Parameters are changed

<FILE_LOCATION>C:/INET/file.txt</FILE_LOCATION> changed to

<FILE_LOCATION>C:/*</FILE_LOCATION>

Code Injection

• Code is injected within an XML element

<SQL>SELECT name FROM DB1 WHERE name = 'Adam'</SQL> changed to

<SQL>SELECT * From DB1 WHERE name = *</SQL>

Virus/Spyware/Malware Injections

• XML Attachments (MTOM, DIME, MIME) are used as a delivery mechanism for viruses

Session Tampering and Identity Hijacking

• Some Web Services keep track of a session with a unique ID. Attackers can use that ID to become part of the transaction taking place.


