Forum Systems: Techniques Attack Defend XML-SOA
8/8/2019 Forum Systems: Techniques Attack Defend XML-SOA
The OWASP Foundation
AppSec DC
http://www.owasp.org
Techniques in Attacking and Defending XML/Web Services
Jason Macy & Mamoon Yunus
Crosscheck Networks / Forum Systems
617-938-3956
November 13, 2009
-
Agenda
1. Introduction to XML/Web Services Threats
2. Techniques for Defending XML Threats
3. XML Attack Examples and Classification: SQL Injection, Denial of Service, XSD Mutation
4. Review Attack Examples by:
   Attack Definition & Scenario Setup
   Attack Vectors: Building Penetration Tests
   Post-Attack Analysis: XML Vulnerability Detection
   Countermeasures: XML Gateway
-
Introduction to XML Threats
Vectors: SOAP, XML, REST, arriving from 1..N source IPs
Threats: SQL Injection, XSD Mutation, Virus, Malware, Identity Discovery, Denial of Service
Explicit Attacks
  Forced Disruption: Bring Down or Limit Enterprise Service Availability
  Information Theft: Gain Access to Enterprise Resources
  Vendor Discovery: Expose Known Traditional Attacks
Implicit Vulnerability
  Perimeter Breach: Embedded Virus, Malware
  Infrastructure Malfunction: Parser and Data Processing Failures
-
New Attack Vectors
  Protocol Firewalls are Blind to XML
  Malware and Virus delivered via SOAP Attachments
  WSDL Exposes Schema and Message Structure
  Injection Attacks Exposed via XML Parameters
  Replay Attacks
(Diagram: Client sends SOAP/XML to Web Service, Web Service replies with SOAP/XML)
-
Security Testing - Base Requirements
  Security Framework: Sign, Encrypt, Decrypt, SSL
  Identity Framework: Basic Auth, SSL Auth, WS-Security Token Auth
  Parameter Injection: Database or File Driven Permutations for Security, Identity, and SOAP/XML
  Concurrent Client: Simultaneous Loading, Denial of Service Testing
  SOAP with Attachments: Malware and Virus Testing
  Dynamic XSD Mutation: Derive SOAP Vulnerability Profile from WSDL Schema
-
XML Security Gateway - Base Requirements
  Transaction Privacy: Encryption, Decryption, SSL
  Transaction Integrity: Digital Signature, Signature Verification, Schema Validation
  Transaction Accountability: Archiving, Logging, Reporting, and Monitoring
  Transaction Threat Mitigation: Intrusion Detection and Prevention
    Rate-based rules, Size-based rules, AntiVirus detection, Pattern recognition
    Structural integrity, Protocol adherence, Authorization Attempts
  Certified PKI Infrastructure (DoD PKI): X.509 Path Validation, Sign/Verify, SSL Initiation, SSL Termination
  Certified Security Architecture (FIPS): Key Management and Storage, Physical Device Security
-
XML Attack Examples and Classification
1. SQL Injection Attack. Classification: Injection, Data Excavation
2. Denial of Service Attack. Classification: Resource Depletion
3. XSD Mutation Attack. Classification: Data Structure Attacks, Resource Manipulation
CAPEC: Common Attack Pattern Enumeration and Classification, sponsored by the National Cyber Security Division of DHS
http://capec.mitre.org
http://nvd.nist.gov/
-
XML Web Services based SQL Injection Attack
-
SQL Injection: Unsecured
How to Attack
  Construct SQL Escape Sequences
  Construct SQL 1=1 Query
  Inject into XML Node Values
Discovered Exposure
  Sensitive Data Loss
  Database Corruption
Target stack: MySQL, PHP with NuSOAP, Apache
-
SQL Injection
1. What is it?
SQL injection is a technique that exploits a vulnerability in the way an application builds its SQL statements: user input is embedded in the statement and the application does not correctly filter or escape the string-literal escape characters in that input.
2. Example (the PHP string concatenation used by the sample service):
Good: $query = 'select * from accounts where username="' . $username . '" AND password="' . $password . '"';
Evil: with $username set to " or 1=1 # the statement becomes
      select * from accounts where username="" or 1=1 #" AND password=""
MySQL treats # as a comment to end of line, so the password clause is discarded and every row matches.
3. Attack Vector
Old: User input from a browser-based application
New: XML Web Services with a WSDL-defined interface
-
Component Details: MySQL Database
  Test MySQL Database
  phpMyAdmin UI
  Accounts Table Data
-
Component Details: PHP Application
1. Function: getAccounts()
2. Connect to Database
3. Construct SQL Query (the vulnerability point: user input is concatenated into the statement)
4. Execute Query
5. Parse Query Results
6. Register Function as a Web Service
-
SQL Injection over SOAP Message: Unsecured
SQL Injection over XML/SOAP
  Attack Surface Area Increased
  Full Table Returned in SOAP Response: 34 Records
  Pointed at the Service Endpoint directly: Advertises Use of PHP
-
SQL Injection: XML Gateway Secured
  Inbound Pattern Detection
  Prevent Outbound Leaks
How to Defend
  Deploy XML Gateway
  Enable Pattern Scanning IDP Rules
  Configure Response Message Size and Complexity Limits
Advantages
  Prevent Data Loss
  Alert and Quarantine Attempted Breaches
Protected stack (behind the XML Gateway): MySQL, PHP with NuSOAP, Apache
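The attack and both layers of defense from the preceding slides, as an added example that is not code from the presentation or from the Sentry product. It plays the roles of a WSDL-driven client, the slides' getAccounts service and an XML gateway in one file: the accounts rows, the urn:accounts operation, the SQLite database standing in for MySQL, and the SQLI_PATTERN rule are all constructed for illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/"}


def build_db():
    # Constructed sample rows standing in for the slides' MySQL accounts table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [("alice", "s3cret", 100), ("bob", "hunter2", 250), ("carol", "qwerty", 75)])
    return con


def soap_request(username, password):
    # SOAP 1.1 envelope for a hypothetical getAccounts operation. Values are XML-escaped,
    # so the attacker's quote characters arrive as node text, exactly as a WSDL-driven
    # client would send them.
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<getAccounts xmlns="urn:accounts">'
        f"<username>{escape(username)}</username><password>{escape(password)}</password>"
        "</getAccounts></soap:Body></soap:Envelope>"
    )


def extract_params(envelope):
    """What the service's SOAP stack hands the application: {parameter: node text}."""
    operation = ET.fromstring(envelope).find("soap:Body/*", SOAP_NS)
    return {child.tag.split("}")[-1]: (child.text or "") for child in operation}


def get_accounts_vulnerable(con, username, password):
    # Mirrors the slides' PHP string concatenation: node text becomes SQL syntax.
    # SQLite reads "--" as a comment to end of line (MySQL also accepts "#"), so the
    # password clause is discarded and "OR 1=1" matches every row.
    sql = f"SELECT username, balance FROM accounts WHERE username='{username}' AND password='{password}'"
    return con.execute(sql).fetchall()


def get_accounts_parameterized(con, username, password):
    # Application-layer fix: bound parameters are data, never parsed as SQL.
    sql = "SELECT username, balance FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


# Simplified stand-in for a gateway's pre-built SQL injection rule: a quote followed by a
# boolean operator, or an SQL comment marker. Production rules need tuning against real
# traffic (a legitimate password containing "#" would trip this one).
SQLI_PATTERN = re.compile(r"(?i)'\s*(?:or|and)\b|--|/\*|#")


def gateway_inbound_scan(envelope):
    """Inbound pattern detection over every parameter node; returns the offending node names."""
    return [node for node, value in extract_params(envelope).items() if SQLI_PATTERN.search(value)]


def gateway_outbound_allowed(rows, max_records=1, max_bytes=4096):
    """Outbound size/complexity limit: a credential lookup must never return a whole table."""
    body = "".join(f"<account><username>{escape(u)}</username><balance>{b}</balance></account>"
                   for u, b in rows)
    return len(rows) <= max_records and len(body.encode()) <= max_bytes


if __name__ == "__main__":
    con = build_db()
    evil = soap_request("' OR 1=1 --", "")
    params = extract_params(evil)
    leaked = get_accounts_vulnerable(con, **params)
    print("vulnerable query returned", len(leaked), "rows")
    print("parameterized query returned", len(get_accounts_parameterized(con, **params)), "rows")
    print("gateway flagged nodes:", gateway_inbound_scan(evil))
    print("outbound response allowed:", gateway_outbound_allowed(leaked))
```

The two gateway checks are independent of each other on purpose: the inbound rule stops the request before it reaches PHP, and the outbound limit still catches a payload the pattern library has never seen, because a login lookup that returns 34 records is wrong whatever the input looked like.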
-
SQL Injection over XML/SOAP: Sentry Protection Policy
  Pre-built Pattern Matching for SQL Injection Detection
  Extensible for Business-Specific Requirements
-
SQL Injection over SOAP Message: Secured
SQL Injection over XML/SOAP
  SOAP Request Stopped by XML Gateway
  Pointed through the XML Gateway Endpoint: Back-end Technology Obfuscated
-
XML Web Services based Denial of Service Attack
-
Denial of Service: Unsecured
How to Attack
  Loading Client with Concurrent Simultaneous Threads
  Coercive Parsing Attack
Discovered Exposure
  Unlimited Message Flow
  Unfair Service SLA Distribution
  Back-end CPU and I/O Saturation
-
Denial of Service: Unsecured
  Multiply Service running on IIS, capable of ~700 TPS
  No Restrictions on Client
-
Denial of Service: XML Gateway Secured
  Enforce Transaction Rate
How to Defend
  Deploy SOA Gateway
  Set Allowed Transaction Rates (per Group, User, or IP)
Advantages
  Message Flow Limited to Specified Rate
  Service Throughput Fairly Distributed
  Back-end Mitigated from CPU and I/O Saturation
-
Denial of Service: Sentry Protection Rule
  20 TPS Restriction Policy
  Granular Enforceability
  Configure Action and Custom Message
-
Denial of Service: Sentry Protection Action
  Action: Abort Processing
  Additional Options: Throttle, Block, Stealth Mode (suppress data leaks via responses)
  Prevent Log Flooding
  Quarantine Messages for Further Analysis
-
Denial of Service: Secured
  Request: Multiply a x b sent through the XML Gateway
  20 TPS Restriction Triggered: Client cannot invoke a DoS; ~680 TPS of service capacity remains
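The transaction-rate rule and its actions from slides 20 to 23, as an added example rather than the Sentry policy itself. The figures (a client at ~700 TPS, a 20 TPS limit, ~680 TPS left for other clients) come from the slides; the sliding-window algorithm, the client keys, the fault text and the one-log-line-per-window guard are constructed for illustration.

```python
from collections import defaultdict, deque

# Generic fault returned on "abort": the custom message carries no rule or back-end detail.
SOAP_FAULT = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    "<soap:Fault><faultcode>soap:Client</faultcode>"
    "<faultstring>Transaction rate exceeded</faultstring></soap:Fault>"
    "</soap:Body></soap:Envelope>"
)


class TransactionRateRule:
    """Sliding one-second window keyed by client (an IP, user or group name).

    action: "abort"    -> reply with the generic SOAP fault above
            "throttle" -> tell the caller when the oldest timestamp leaves the window
            "stealth"  -> drop the request with no response at all
    """

    def __init__(self, max_tps, action="abort", window=1.0):
        self.max_tps, self.action, self.window = max_tps, action, window
        self.history = defaultdict(deque)   # client -> timestamps inside the window
        self.alerted = set()                # clients already logged in this window
        self.quarantine = []                # rejected messages kept for later analysis
        self.log = []

    def decide(self, client, now, message=""):
        q = self.history[client]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if not q:
            self.alerted.discard(client)          # fresh window: the client may be logged again
        if len(q) < self.max_tps:
            q.append(now)
            return {"action": "forward"}
        # Over the limit. Log once per window so a flood cannot fill the audit log,
        # but keep every rejected message for analysis.
        if client not in self.alerted:
            self.log.append(f"{now:.3f} {client} exceeded {self.max_tps} TPS")
            self.alerted.add(client)
        self.quarantine.append((client, now, message))
        if self.action == "stealth":
            return {"action": "drop"}
        if self.action == "throttle":
            return {"action": "retry", "retry_after": round(q[0] + self.window - now, 3)}
        return {"action": "fault", "response": SOAP_FAULT}


def simulate_flood(rule, client, requests, client_tps, service_tps):
    """Replay `requests` evenly spaced at client_tps; report what reaches the back end."""
    forwarded = 0
    for i in range(requests):
        if rule.decide(client, now=i / client_tps, message=f"req-{i}")["action"] == "forward":
            forwarded += 1
    forwarded_tps = forwarded / (requests / client_tps)
    return {"forwarded": forwarded, "rejected": requests - forwarded,
            "capacity_remaining_tps": round(service_tps - forwarded_tps)}


if __name__ == "__main__":
    rule = TransactionRateRule(max_tps=20)
    print(simulate_flood(rule, "10.0.0.1", requests=700, client_tps=700, service_tps=700))
    print("audit log lines:", len(rule.log), "quarantined:", len(rule.quarantine))
    # A second client is unaffected by the first one's flood: the rule is per key.
    print("other client:", rule.decide("10.0.0.2", now=0.5))
```

Timestamps are passed in rather than read from the clock so the policy can be replayed deterministically against captured traffic; a live gateway would pass time.monotonic().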
-
Another Example: Denial of Service through Coercive Parsing
  Echo Request with s=test, well-formed XML: all responses successful. Min 1.20 ms, Max 3.50 ms, Avg 1.60 ms
  Echo Request with s=test and one character removed, XML not well-formed: all responses fail. Min 2.10 ms, Max 5.0 ms, Avg 2.73 ms
  > 70% degradation in response time by removing one character
-
XML Web Services based XSD Mutation Attack
-
XSD Mutation Attack: Unsecured
How to Attack
  Obtain WSDL
  Derive Message Structure and Types from WSDL Schema
  Send SOAP Message Mutations Based on Schema
Discovered Exposure
  Code Paths Not Handled for Exceptions
  Stack Traces Returned with Implementation Details
  Application Failure
-
XSD Mutation Attack Lifecycle
  Author Attack Vectors -> Run Attack -> Analyze Results -> Add New Detection Libraries -> Vulnerability Report
-
XSD Mutation: Building Attack Vectors
  Service Loaded from Endpoint
  Mutant Messages Generated Based on WSDL XSD: Data Type, Structure and Size Mutations
-
XSD Mutation: Analyze Attack
  Tests Generated Based on WSDL Complexity
  Sample Data Value Mutation: the username node carries the mutated value
  Response Reveals Back-end Components and Method Calls
-
XSD Mutation: Extend Detection Libraries
  Vulnerability Detection Libraries: Application/Platform Specific; Business Specific (SSN, Credit Card)
  Example rule: look for nusoap.php in responses. High Severity: reveals the open source parser in use
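The three steps of slides 28 to 30 (derive the message from the schema, send mutants, run a detection library over the responses), as an added example that is not the authors' testing tool. The XSD fragment, the getAccounts operation, the mutation set, the detection patterns and the fake_vulnerable_service responder that stands in for an unsecured endpoint are all constructed for illustration; a real run would load the schema from the WSDL and send each envelope over HTTP.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XS = "{http://www.w3.org/2001/XMLSchema}"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OPERATION = "getAccounts"
BASELINE = {"string": "alice", "int": "1"}   # valid value per XSD base type

# Constructed request schema of the kind a WSDL <types> section carries.
SCHEMA = f"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="{OPERATION}"><xs:complexType><xs:sequence>
    <xs:element name="username"><xs:simpleType>
      <xs:restriction base="xs:string"><xs:maxLength value="16"/></xs:restriction>
    </xs:simpleType></xs:element>
    <xs:element name="amount" type="xs:int"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""


def load_fields(schema_xml):
    """Derive (name, base type, maxLength) for each request parameter from the XSD."""
    fields = []
    for el in ET.fromstring(schema_xml).find(f".//{XS}sequence"):
        restriction = el.find(f".//{XS}restriction")
        base = restriction.get("base") if restriction is not None else el.get("type")
        max_len = el.find(f".//{XS}maxLength")
        fields.append((el.get("name"), base.split(":")[-1],
                       int(max_len.get("value")) if max_len is not None else None))
    return fields


def value_mutations(base, max_len):
    """Data-type and size mutations for one field, keyed by a short label."""
    muts = {"empty": "", "sql_meta": "' OR 1=1 --", "xml_meta": "]]><x>&"}
    if base == "string":
        muts.update({"oversize": "A" * ((max_len or 1024) + 1), "size_64k": "A" * 65536})
    elif base in ("int", "integer", "long", "short"):
        muts.update({"non_numeric": "abc", "overflow": "2147483648", "negative": "-1", "float": "1.5"})
    return muts


def build_envelope(params):
    body = "".join(f"<{name}>{escape(value)}</{name}>" for name, value in params)
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body><{OPERATION} xmlns="urn:accounts">'
            f"{body}</{OPERATION}></soap:Body></soap:Envelope>")


def generate_mutants(fields):
    """One mutant per (field, mutation), plus structural mutations of the whole message."""
    baseline = [(name, BASELINE[base]) for name, base, _ in fields]
    mutants = {}
    for i, (name, base, max_len) in enumerate(fields):
        for label, value in value_mutations(base, max_len).items():
            mutants[f"{name}:{label}"] = build_envelope(baseline[:i] + [(name, value)] + baseline[i + 1:])
        mutants[f"{name}:missing"] = build_envelope(baseline[:i] + baseline[i + 1:])
        mutants[f"{name}:duplicated"] = build_envelope(baseline[:i + 1] + [baseline[i]] + baseline[i + 1:])
    mutants["structure:unknown_element"] = build_envelope(baseline + [("debug", "1")])
    mutants["structure:reversed"] = build_envelope(baseline[::-1])
    return mutants


# Detection library: platform-specific and business-specific patterns, each with a severity.
DETECTION_LIBRARY = [
    ("nusoap_parser", "High", re.compile(r"nusoap\.php", re.I)),
    ("php_error_text", "Medium", re.compile(r"(?:Fatal error|Warning|Notice):.*?on line \d+", re.I)),
    ("server_path", "Medium", re.compile(r"(?:/var/www|C:\\)[^\s<]+")),
    ("ssn", "High", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("credit_card", "High", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
]


def analyze_response(mutant, response):
    return [{"mutant": mutant, "finding": name, "severity": sev}
            for name, sev, pattern in DETECTION_LIBRARY if pattern.search(response)]


def run_attack(mutants, send):
    """Send every mutant through `send` (a callable taking the envelope) and collect findings."""
    report = []
    for name, envelope in mutants.items():
        report.extend(analyze_response(name, send(envelope)))
    return report


# Constructed stand-in for an unsecured target: a non-numeric amount reaches an unhandled
# code path and the PHP warning, file path included, comes back in the response.
LEAKY_RESPONSE = ("PHP Warning:  mysql_num_rows(): supplied argument is not a valid MySQL "
                  "result resource in /var/www/html/nusoap.php on line 42")


def fake_vulnerable_service(envelope):
    amount = re.search(r"<amount>(.*?)</amount>", envelope)
    if amount is None or not amount.group(1).lstrip("-").isdigit():
        return LEAKY_RESPONSE
    return f"<{OPERATION}Response><count>0</count></{OPERATION}Response>"


if __name__ == "__main__":
    mutants = generate_mutants(load_fields(SCHEMA))
    report = run_attack(mutants, fake_vulnerable_service)
    print(len(mutants), "mutants sent,", len(report), "findings")
    for finding in report:
        print(finding)
```

Each finding names the mutant that produced it, which is what the vulnerability report needs: the fix is in the code path that mishandles that particular mutation, not in the parser as a whole.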
-
XSD Mutation Attack: XML Gateway Secured
  Enforce Inbound Schema Validation
  Prevent Outbound Data Leaks
How to Defend
  Deploy XML Gateway
  Enforce Inbound Message Structure and Type Validation
  Cleanse Outbound Data (Stack Traces, Sensitive Data)
Advantages
  Reduce Parser Impact on Web Service
  Remove Vendor and Implementation Details from Responses
  Protect Application Layer Code Paths on Web Service
-
XSD Mutation: Sentry Protection Policy
  The XML Gateway provides Policies to protect against XML-specific attacks
-
XSD Mutation: Secured
1. Deploy Specialized XML Gateways: Packet Firewalls and HTML Application Firewalls are Insufficient
2. Validate XML against a Robust Schema
3. Tighten the Schema: e.g., replace an unbounded xs:string with a restriction carrying a maxLength such as 2048
4. Enforce XML-Specific Detection Rules: e.g., Node Depth, Recursive Payloads
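The gateway-side half of the XSD-mutation defense (slides 31 and 33): structural limits on inbound XML checked while the document is still being parsed, so a recursive payload is refused before it costs the back-end parser anything, and outbound fault cleansing so stack traces and file paths such as nusoap.php never reach the client. This is an added example, not a Sentry policy; the limit values, the leak patterns and the sample payloads are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ET.register_namespace("soap", "http://schemas.xmlsoap.org/soap/envelope/")


class PayloadRejected(Exception):
    """Raised with the rule that fired; the gateway turns this into a generic fault."""


def check_structure(xml_bytes, max_bytes=65536, max_depth=32, max_elements=1000, max_text=2048):
    """Stream the document through a pull parser and abort on the first violated limit.
    Returns (deepest nesting seen, element count) when the payload is acceptable."""
    if len(xml_bytes) > max_bytes:
        raise PayloadRejected(f"size {len(xml_bytes)} > {max_bytes}")
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = deepest = elements = 0
    try:
        # Feed in small chunks so a recursive payload is rejected long before the whole
        # body has been buffered or handed to the back-end parser.
        for offset in range(0, len(xml_bytes), 512):
            parser.feed(xml_bytes[offset:offset + 512])
            for event, el in parser.read_events():
                if event == "start":
                    depth += 1
                    elements += 1
                    deepest = max(deepest, depth)
                    if depth > max_depth:
                        raise PayloadRejected(f"node depth {depth} > {max_depth}")
                    if elements > max_elements:
                        raise PayloadRejected(f"element count {elements} > {max_elements}")
                else:  # "end": the node's text is complete, apply the per-node length limit
                    if el.text is not None and len(el.text) > max_text:
                        raise PayloadRejected(f"<{el.tag}> text length {len(el.text)} > {max_text}")
                    depth -= 1
                    el.clear()  # drop the processed subtree so memory stays bounded
        parser.close()
    except ET.ParseError as exc:
        raise PayloadRejected(f"not well-formed: {exc}") from None
    return deepest, elements


def violation(xml_bytes, **limits):
    """The rejection reason for a payload, or None when it passes every limit."""
    try:
        check_structure(xml_bytes, **limits)
    except PayloadRejected as exc:
        return str(exc)
    return None


# Outbound cleansing: implementation details that must not leave the gateway.
LEAK_PATTERNS = [
    re.compile(r"(?i)(?:fatal error|warning|notice|exception)\b[^<]*"),  # PHP/Java error text
    re.compile(r"(?:/[\w.-]+)+\.(?:php|java|cs)(?: on line \d+)?"),       # source file paths
    re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)"),                            # Java stack frames
]


def cleanse_fault(response_xml, generic="Request could not be processed"):
    """Replace faultstring/detail contents with a fixed message and scrub leak patterns
    from every other text node, so vendor and code-path details never reach the client."""
    root = ET.fromstring(response_xml)
    for el in list(root.iter()):
        local = el.tag.split("}")[-1]
        if local in ("faultstring", "detail"):
            for child in list(el):
                el.remove(child)
            el.text = generic
        elif el.text:
            for pattern in LEAK_PATTERNS:
                el.text = pattern.sub("[removed]", el.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    recursive = ("<n>" * 5000 + "</n>" * 5000).encode()   # constructed recursive payload
    print("recursive payload:", violation(recursive))
    print("normal payload:", check_structure(b"<getAccounts><username>alice</username></getAccounts>"))
```

The depth and element-count limits fire on the "start" event, before the parser has built anything below that node, which is the property that makes this cheaper than letting the back end discover the problem; the text-length limit is what a tightened maxLength in the schema enforces, applied here for nodes the schema leaves unbounded.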
-
Best Practices for Countermeasures
  Information Control, Inbound: Tighten Payloads; Enforce SLA; Disallow SQL, Virus, Malicious Code
  Information Control, Outbound: Restrict SOAP Faults; Protect Sensitive Information; Audit Transaction Flows
  Use a Web Services Penetration Testing Product: Out-of-the-box Vulnerability Discovery; Simplified Testing and Diagnostics of Service Endpoints; Validation of Security Gateway Policies
  Deploy an XML Web Services Gateway: Forum Systems Sentry XML Gateway, Barracuda, Radware AppXML
  Deploy Centralized XML Security: Enforce Policy Independent of Application Servers and OS Platforms; Audit and Filter Sensitive Information; Separate Security from Application Code
-
Learn more @
www.crosschecknet.com and
www.forumsys.com