Testing for Security Risks in a Web 2.0/SOA World Billy Hoffman, Lead Security Researcher, HP.

Transcript of Testing for Security Risks in a Web 2.0/SOA World Billy Hoffman, Lead Security Researcher, HP.

Page 1

Testing for Security Risks in a Web 2.0/SOA World
Billy Hoffman, Lead Security Researcher, HP

Page 2: Testing for Security Risks in a Web 2.0/SOA World Billy Hoffman, Lead Security Researcher, HP.

Overview

What is Web 2.0?

• Definitions

Web 2.0 Technologies

• RSS
• Web Services and SOA
• AJAX

How Web 2.0 Changes the Threat Landscape

• Attack Vectors
• Secure Coding Practices

Conclusion

Page 3

What is Web 2.0?

Tim O’Reilly

• Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform.

Wikipedia

• Web 2.0...refers to a perceived second-generation of Web based communities and hosted services — such as social networking sites, wikis and folksonomies — that facilitate collaboration and sharing between users.

Page 4

Web 2.0 Timeline

Page 5

My Definition

Web 1.0

• Incomplete pages were shameful
• “Please come back later when we’re ready”

Web 2.0

• Incomplete pages are a feature!
• “Stick around and help us improve the site”

Same Vulnerabilities
Additional Input Vectors
More Complexity

Page 6

Overview

What is Web 2.0?

• Definitions

Web 2.0 Technologies

• RSS
• AJAX
• Web Services

How Web 2.0 Changes the Threat Landscape

• Attack Vectors
• Secure Coding Practices

Conclusion

Page 8

Web Feed Reader

Page 9

Web Feed Technologies

RSS 2.0

• Really Simple Syndication

RSS 0.91 and 1.0

• Rich Site Summary

RSS 0.9

• RDF Site Summary

Atom

• Atom Syndication Format (RFC 4287)

“I love standards…there are so many to choose from…”

Page 10

Web Feed Timeline

Page 11

Sample RSS Feed – New York Times

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>NYT > Home Page</title>
    <link>http://www.nytimes.com/index.html?partner=rssnyt</link>
    <description>New York Times > Breaking News, World News &amp; Multimedia</description>
    <language>en-us</language>
    <copyright>Copyright 2007 The New York Times Company</copyright>
    <lastBuildDate>Tue, 1 May 2007 01:05:01 EDT</lastBuildDate>
    …
    <item>
      <title>Torre and Cashman Are Safe, for Now</title>
      <link>http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html?ex=1335672000&amp;en=d3e1e3550cf1a49c&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss</link>
      <description>The Yankees' owner said he supports the team's manager and general manager but that he is also impatient.</description>
      <author>TYLER KEPNER</author>
      <guid isPermaLink="false">http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html</guid>
      <pubDate>Tue, 01 May 2007 00:35:27 EDT</pubDate>
    </item>

Page 12

Attack Scenarios

Malicious Operator

• Owner of web feed intentionally injects malicious content into web feed
• Subscribers would be affected when the content was downloaded/viewed
• Not a likely attack scenario as the perpetrator could easily be identified

Compromised Host

• Attacker compromises trusted host and is able to inject content into heavily subscribed web feed
• Trusted host has already taken care of generating traffic for the attacker

Open Content

• Web site allows (un)trusted users to supply content
• Content is published and made available via a web feed
• An attacker could leverage this setup to inject malicious content into a web feed
• Mailing lists, forums, message boards and other open venues are often delivered as web feeds

Page 13

Open Content Attack

Page 14

Input Validation

• Virtually all vulnerabilities result from improper input validation
• Attackers supply input for which error handling routines do not exist
• This can leave a system in an exploitable condition

Remember…

• …trust, but verify

Page 15

Channel 14 News

Real time ticker

• Initial submission underwent human validation
• Subsequent submissions permitted in real time

Page 16

Solutions

Server Side

• White listing
  • Build regular expressions to define appropriate input
• Black listing
  • Restrict HTML to appropriate tags only
  • Take extreme care to take all possible encoding schemes into account
• HTML encode user supplied content

Client Side

• Receive content only from trusted sources
• Ensure that the RSS/Atom reader being used is not susceptible to feed injection
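A server-side implementation of the white-listing approach above, added here as an example (it is not code from the talk): the parser decodes entities before any decision is made, allowed tags are kept with only vetted attributes, and everything else is HTML-encoded rather than silently dropped. The tag and attribute lists are assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Whitelist for feed item bodies (assumed for this example): any tag or attribute
# not listed here is encoded as text, never passed through as markup.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def safe_href(value):
    """Accept only absolute http/https URLs. The parser has already decoded
    entities (e.g. &#106;avascript:), and control characters that browsers
    ignore while parsing the scheme are dropped, so the check sees what the
    browser would see."""
    cleaned = "".join(ch for ch in value if ch > " ")
    return cleaned if urlsplit(cleaned).scheme.lower() in ("http", "https") else None


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives decoded; we encode once
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(self.get_starttag_text()))  # shown literally
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                href = safe_href(value)
                if href:
                    kept.append(f' {name}="{escape(href)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_feed_html(html):
    """Return a version of an untrusted feed item body that is safe to embed."""
    parser = FeedSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```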

Page 17

Web Services and SOA

Page 18

Web Services Architecture

Discovery Agencies
- UDDI
- DISCO
- Etc.

Service Provider
- SOAP
- WSDL

Service Requestor

(Diagram: the service provider publishes its description to the discovery agencies, the service requestor finds the service there, and requestor and provider then interact directly.)

Page 19

Inputs - WSDL

http://api.google.com/GoogleSearch.wsdl

<message name="doGoogleSearch">
  <part name="key" type="xsd:string"/>
  <part name="q" type="xsd:string"/>
  <part name="start" type="xsd:int"/>
  <part name="maxResults" type="xsd:int"/>
  <part name="filter" type="xsd:boolean"/>
  <part name="restrict" type="xsd:string"/>
  <part name="safeSearch" type="xsd:boolean"/>
  <part name="lr" type="xsd:string"/>
  <part name="ie" type="xsd:string"/>
  <part name="oe" type="xsd:string"/>
</message>
...
<service name="GoogleSearchService">
  <port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
    <soap:address location="http://api.google.com/search/beta2"/>
  </port>
</service>

Page 20

Web Services Challenges

What don’t web services change?

• Web services do not create new vulnerabilities

What do web services change?

• Web applications may advertise input vectors
  • WSDL files

• Web applications may advertise their existence
  • UDDI
  • DISCO

How do web services affect security?

• New input vectors
• Testing tools must understand web services protocols
  • SOAP
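As an added example (not code from the talk), here is how a testing tool can turn the advertised interface into an input-vector inventory: it parses the WSDL message parts and the service endpoint, then lists the free-form string parts that need whitelist validation first. The WSDL fragment is constructed from the slide's GoogleSearch.wsdl excerpt, with namespace declarations assumed so it parses stand-alone.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed fragment modelled on the GoogleSearch.wsdl excerpt on the slide, with the
# namespace declarations a stand-alone file needs (the typens URN is assumed).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="GoogleSearch" xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:typens="urn:GoogleSearch">
  <message name="doGoogleSearch">
    <part name="key" type="xsd:string"/>
    <part name="q" type="xsd:string"/>
    <part name="start" type="xsd:int"/>
    <part name="maxResults" type="xsd:int"/>
    <part name="filter" type="xsd:boolean"/>
    <part name="restrict" type="xsd:string"/>
    <part name="safeSearch" type="xsd:boolean"/>
    <part name="lr" type="xsd:string"/>
    <part name="ie" type="xsd:string"/>
    <part name="oe" type="xsd:string"/>
  </message>
  <service name="GoogleSearchService">
    <port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
      <soap:address location="http://api.google.com/search/beta2"/>
    </port>
  </service>
</definitions>"""


def enumerate_input_vectors(wsdl_xml):
    """Return (endpoints, {request_message: [(part, xsd_type), ...]}). Each <part>
    of a request message is a server-side input the service must validate,
    exactly like a form field or query parameter in a classic web application."""
    root = ET.fromstring(wsdl_xml)
    endpoints = [a.get("location")
                 for a in root.findall("wsdl:service/wsdl:port/soap:address", NS)]
    vectors = {}
    for msg in root.findall("wsdl:message", NS):
        if msg.get("name").endswith("Response"):
            continue  # outputs, not inputs
        vectors[msg.get("name")] = [(p.get("name"), p.get("type"))
                                    for p in msg.findall("wsdl:part", NS)]
    return endpoints, vectors


def free_form_parts(vectors):
    """xsd:string parts accept arbitrary client text: whitelist-validate these first."""
    return [(m, p) for m, parts in vectors.items() for p, t in parts if t == "xsd:string"]
```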

Page 21

Web Services Attacks

Cross Site Request Forgery

• Abuse the trust established between a browser and server to force unwanted user actions

Cross Site Scripting

• Inject client side script into a web page

SQL Injection

• Ability to influence back end SQL Queries

Session Hijacking

• Ability to predict/intercept session credentials

Etc.

• This list could go on forever

Verdict

• Web Services can be exposed to the same vulnerabilities as web applications!

Page 22

Myths of Web Service Security

Web services involve machine to machine communication and would/could therefore never be targeted by an attacker

• SOAP requests can easily be forged manually or using point and click freeware tools (e.g. Foundstone WSDigger)
• In some ways, web services are a goldmine for an attacker as they advertise their existence and reveal expected inputs

I can simply strip out this cool functionality and expose it using a web service without compromising security

• Web application security may be left behind when specific pieces of business logic are exposed via a web service

Page 23

Solution

Web services can and should be just as secure as any other web application but they won’t get there on their own

Web services should go through the same secure coding practices as other applications

Do not assume that web services will not be a target for attackers as they exist “behind the scenes”. This can make them an even more attractive target.

Page 24

Solutions

Testing

• Web services should go through the same secure coding practices as other applications

• Do not assume that web services will not be a target for attackers as they exist “behind the scenes”. This can make them an even more attractive target.

Overall

• Web services can and should be just as secure as any other web application but they won’t get there on their own

Page 25

Asynchronous JavaScript and XML (AJAX)

Page 26

AJAX

Page 27

Google Maps

Page 28

FireBug

Page 29

AJAX Defined

Asynchronous

• Requests are initiated in the background

JavaScript

• JavaScript instantiates the XmlHttpRequest object and generates the requests

And XML

• This is a misnomer as AJAX frameworks commonly employ alternate data interchange formats
  • JSON - Atlas
  • Serialized Java - Google Web Toolkit
  • HTML
  • XML

Page 30

AJAX Implementations

Multiple frameworks

• Prototype (http://www.prototypejs.org/)
• Script.aculo.us
• Dojo (http://dojotoolkit.org/)
• ASP.Net AJAX (http://ajax.asp.net/)
• Etc.

Multiple browser objects

• Internet Explorer
  • IE6 - XMLHTTP ActiveX control
  • IE7 – XMLHTTP native script object
• Firefox
  • XMLHttpRequest object

Page 31

AJAX Challenges

What doesn’t AJAX change?

• AJAX does not create new vulnerabilities

What does AJAX change?

• Business logic is dispersed among multiple client side files/functions
• Requests are made in the background without user intervention but are just as susceptible to attack

How does AJAX affect security?

• Increased surface area
  • More business logic is exposed
  • New input vectors are exposed
• Security tools must understand the XHR objects and their syntax in order to identify input vectors
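An added example (not from the talk) of what understanding the XHR objects and their syntax means in practice: a static scan over client-side JavaScript that records which request objects a page creates and pairs each open() with its send() to list the request parameters, flagging requests whose URL or body is only completed at run time. The JavaScript snippet is constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed snippet in the style of a hand-written 2007 AJAX page: an IE6 ActiveX
# fallback, one GET whose query string is assembled by concatenation, one POST body.
SAMPLE_JS = """
function getXhr() {
  if (window.XMLHttpRequest) return new XMLHttpRequest();
  return new ActiveXObject("Microsoft.XMLHTTP");   // IE6
}
function lookup(zip) {
  var x = getXhr();
  x.open("GET", "/weather.php?zip=" + zip + "&units=f", true);
  x.send(null);
}
function save(note) {
  var x = getXhr();
  x.open('POST', '/notes/save', true);
  x.send("text=" + encodeURIComponent(note) + "&draft=1");
}
"""

# Literal first argument(s) of open()/send(); a trailing '+' marks a value built at run time
OPEN_RE = re.compile(r"""\.open\(\s*(['"])(?P<method>[A-Za-z]+)\1\s*,\s*(['"])(?P<url>[^'"]*)\3\s*(?P<dyn>\+)?""")
SEND_RE = re.compile(r"""\.send\(\s*(?:(['"])(?P<body>[^'"]*)\1\s*(?P<dyn>\+)?|null)""")
XHR_RE = re.compile(r"""new\s+(XMLHttpRequest|ActiveXObject\(\s*['"](?:Microsoft|Msxml2)\.XMLHTTP['"]\s*\))""")


def xhr_object_styles(js):
    """Which request objects the page instantiates (native vs. IE ActiveX control)."""
    return sorted(set(XHR_RE.findall(js)))


def find_xhr_vectors(js):
    """Pair each open() with the next send() and list the request parameters they name.
    Only string literals are visible to a static scan; 'dynamic' flags requests whose
    URL or body is completed at run time, which a crawler must observe by executing."""
    sends = [(m.start(), m) for m in SEND_RE.finditer(js)]
    vectors = []
    for o in OPEN_RE.finditer(js):
        parts = urlsplit(o.group("url"))
        entry = {"method": o.group("method").upper(), "path": parts.path,
                 "params": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
                 "dynamic": bool(o.group("dyn"))}
        s = next((m for pos, m in sends if pos > o.end()), None)
        if s is not None and s.group("body") is not None:
            entry["params"] += [k for k, _ in parse_qsl(s.group("body"), keep_blank_values=True)]
            entry["dynamic"] = entry["dynamic"] or bool(s.group("dyn"))
        vectors.append(entry)
    return vectors
```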

Page 32

Overview

What is Web 2.0?

• Definitions

Web 2.0 Technologies

• RSS
• AJAX
• Web Services

How Web 2.0 Changes the Threat Landscape

• Attack Vectors
• Secure Coding Practices

Conclusion

Page 33

Input Vectors

(Figure: the input vectors of a Web 1.0 application compared with those of a Web 2.0 application)

Page 34

Attack Vectors

Input vectors

• Input vectors = attack vectors
• When identifying input vectors – think broadly

Vulnerabilities

• Vast majority of vulnerabilities result when unexpected user supplied input is not properly sanitized
• ANYTHING sent from the client to the server is a potential attack vector

Input Validation

• Validate everything!

Page 35

Overview

What is Web 2.0?

• Definitions

Web 2.0 Technologies

• RSS
• AJAX
• Web Services

How Web 2.0 Changes the Threat Landscape

• Attack Vectors
• Secure Coding Practices

Conclusion

Page 36

Thoughts

Will Web 2.0 usher in the apocalypse?

• No, the sky isn’t falling either
• Web 2.0 technologies offer to expand the web with intuitive, content rich applications, but as with any new technology, they bring new security challenges

What is the greatest security challenge posed by Web 2.0?

• It isn’t new classes of web application vulnerabilities. For the most part, the types of vulnerabilities have remained unchanged, while attackers now have new ways to exploit them.

• The greatest security challenge is the same as it is with any new technology. Adopt Web 2.0 technologies to solve a business need, not because it looks cool. When we rush to adopt a new technology for the wrong reasons, we typically leave security behind.

Page 37

Solutions – HP ASC

Page 38

Security Throughout the SDLC

Enterprise Application Security Assurance

Assessment Management Platform (AMP)

• Source Code Validation – DevInspect
• QA/Integration Testing – QAInspect
• Production Assessment – WebInspect

SDLC phases: Plan, Requirements, Design, Build, Test, Production

Enterprise Security Assurance & Reporting

Page 39

Questions

Billy Hoffman, Lead Security Researcher, [email protected]