Broken WS

Posted on

1) Learn as much as you can about the system

The technique is known as crawling

wget –l 50 –r http://bankwebserver.com

• Where “–l 50” is the maximum number of links to display

• And “–r” recursively crawls the site You have received 27 files form the server find . –name *wsdl* ./ws/bankservice.asmx?wsdl

You now know the following: 1.) Service Location – http://www.bankwebserver.com 2.) Application Server Platform – IIS with .Net Version 5.0 3.) Web Service Purpose (Withdrawl, Deposit, Balance) 4.) The expected values of the request Š PAN, Cardholder_Name, Service_Code, Expiration_Date, Full_Magnetic_Stripe, CVC2, PIN_Number, and Amount. 5.) You know that the service is running 6.) The service returns errors that illustrate its not using SSL, and that it is running IIS .NET version 5.0.23.

2) Do your homework

Research: • Analyze Security capabilities in Place, Look for deficiencies • Vulnerabilities in IIS .NET 5.0.23 application servers • Vulnerabilities in .Net Parser’s with correct version • Analyze DOS/XDOS opportunities • We now would have enough information to push forward with the actual attack.

3) Launch the attack

Captura

4) Clean up after yourself

Secure Deployment UDDI and WSDL are like “Maps to the Treasure” and should be Treated as such. You wouldn’t leave the actual map to your treasure out in plain sight would you? UDDI, WSDL • Virtualize Internal Services to consumers through creation of virtual endpoints described by generalized WSDL and UDDI descriptions. SOAP Faults and Error Messages • Don’t allow SOAP faults and errors to be relayed to potentially malicious consumers. Generalize SOAP faults to contain no information about deployed application types and versions.

Input Validation (parameter tampering) Input Validation (parameter tampering) The service code layer is where development is done in creating business capabilities and is the easiest to hack. This is probably the most critical to protect. Basic Parameter Validation • Don’t use strings as the allowed Data type. That’s like allowing anything to pass. • Validate Integer values for length Specifically Parameter Validation • If its supposed to be a SSN then validate it is one! • If it’s a zip code validate that its [[0-9][0-9] [0-9] [0-9] [0-9]] XML Schema provides a tool to validate message parameters according to predetermined business usage.

Input Validation (code injection)  Some Code Injection protection is inherent in having a constrained schema validation on input parameters although there are some places where Schema does not suffice. Wherever strings or more general character sets are allowed validation should be done to verify malicious code is not present. Some Malicous SQL Command Be Careful about Unicode representations of characters to avoid detection. Parsers will do funny things with these….

<blog_update>%lt;JAVASCRIPT%rt; Malicious Script </blog_update>

Be Careful with CDATA and XML Comments as XML parsers are
designed to overlook these.
<![CDATA[ function matchwo(a,b) { if (a < b && a < 0) then { return 1
} else { return 0 } } ]]>

Anuncios

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s