
Techniques in Attacking and Defending XML/Web Services

Jason Macy & Mamoon Yunus
Crosscheck Networks – Forum Systems
jmacy@crosschecknet.com, myunus@forumsys.com
617-938-3956

AppSec DC, November 13, 2009

The OWASP Foundation
http://www.owasp.org
Agenda
1. Introduction to XML/Web Services Threats
2. Techniques for Defending XML Threats
3. XML Attack Examples and Classification
   • SQL Injection
   • Denial of Service
   • XSD Mutation
4. Review Attack Examples by:
   • Attack Definition & Scenario Setup
   • Attack Vectors: Building Penetration Tests
   • Post-Attack Analysis: XML Vulnerability Detection
   • Countermeasures: XML Gateway

OWASP
2
Introduction to XML Threats

Attack vectors carried over SOAP, XML, and REST (from 1..N source IPs):
• SQL Injection
• XSD Mutation
• Virus
• Malware
• Denial of Service
• Identity Discovery

Explicit Attacks
• Forced Disruption: Bring Down or Limit Enterprise Service Availability
• Information Theft: Gain Access to Enterprise Resources
• Vendor Discovery: Expose Known Traditional Attacks

Implicit Vulnerability
• Perimeter Breach: Embedded Virus, Malware
• Infrastructure Malfunction: Parser and Data Processing Failures
New Attack Vectors

Client → SOAP/XML → Web Service

• Protocol Firewalls are Blind to XML
• Malware and Virus delivered via SOAP Attachments
• WSDL Exposes Schema and Message Structure
• Injection Attacks Exposed via XML Parameters
• Replay Attacks
Security Testing - Base Requirements

• Security Framework: Sign, Encrypt, Decrypt, SSL
• Identity Framework: Basic Auth, SSL Auth, WS-Security Token Auth
• Parameter Injection: Database or File Driven; Permutations for Security, Identity, and SOAP/XML
• Concurrent Client Simultaneous Loading: Denial of Service Testing
• SOAP with Attachments: Malware and Virus testing
• Dynamic XSD Mutation: Derive SOAP Vulnerability profile from WSDL Schema
XML Security Gateway - Base Requirements

Certified PKI Infrastructure (DOD PKI)
• X509 Path Validation
• Sign/Verify, SSL Initiation, SSL Termination

Certified Security Architecture (FIPS)
• Key Management and Storage
• Physical Device Security

Transaction Privacy
• Encryption, Decryption, SSL

Transaction Integrity
• Digital Signature, Signature Verification, Schema Validation

Transaction Accountability
• Archiving, Logging, Reporting, and Monitoring

Transaction Threat Mitigation
• Intrusion Detection and Prevention
• Rate-based rules, Size-based rules, AntiVirus detection, Pattern recognition
• Structural integrity, Protocol adherence, Authorization Attempts
XML Attack Examples and Classification

1. SQL Injection Attack
   • Classification: Injection, Data Excavation
2. Denial of Service Attack
   • Classification: Resource Depletion
3. XSD Mutation Attack
   • Classification: Data Structure Attacks, Resource Manipulation

CAPEC: Common Attack Pattern Enumeration and Classification
National Cyber Crime Division of DHS
http://capec.mitre.org
http://nvd.nist.gov/
XML Web Services based SQL Injection Attack

SQL Injection – Unsecured

Components (Client → Web Service)
• PHP
• NuSOAP
• Apache
• MySQL

How to Attack
• Construct SQL Escape Sequences
• Construct SQL 1=1 Query
• Inject into XML Node values

Discovered Exposure
• Sensitive Data Loss
• Database Corruption
SQL Injection
1. What is it?
• SQL injection is a technique that exploits a vulnerability in the database layer of an application.
• The application incorrectly filters string literal escape characters embedded in SQL statements.

2. Example:
• Good: 'select * from accounts where username="' . $username . '"' . 'AND password="' . $password . '"';
• Evil: select * from accounts where username="" or 1=1 #"AND password="";

3. Attack Vector:
• Old: User input from a browser-based application
• New: XML Web Services – WSDL defined Interface

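The deck's getAccounts() builds its query by string concatenation, which is why the "" or 1=1 # payload turns the WHERE clause into a tautology. The following is an added example, not the deck's PHP code: a Python re-creation of that function against an in-memory SQLite table (standing in for the deck's MySQL accounts table, with constructed rows), beside the parameterized form that keeps the payload as plain data. Because SQLite has no # comment, the payload uses SQLite's -- comment instead.

```python
import sqlite3

# Constructed sample rows standing in for the deck's "Accounts Table Data".
SAMPLE_ACCOUNTS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]

# The deck's 1=1 payload, rewritten with SQLite's "--" comment (MySQL uses "#").
INJECTION = "' OR 1=1 --"


def make_db():
    """Create an in-memory SQLite database with an accounts table (stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def get_accounts_vulnerable(conn, username, password):
    """Mirrors the deck's getAccounts() steps: connect, construct the query by
    concatenation (the 'Great Vulnerability Point'), execute, parse results.
    A quote character in the input becomes SQL syntax, so the WHERE clause
    turns into  username='' OR 1=1 --...  and every row comes back."""
    sql = ("SELECT username FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def get_accounts_safe(conn, username, password):
    """Hardened form: placeholders bind the input as data, never as SQL syntax,
    so the same payload simply fails to match any username."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_accounts_vulnerable(db, INJECTION, "x"))  # every account
    print("safe:      ", get_accounts_safe(db, INJECTION, "x"))        # nothing
    print("safe, real:", get_accounts_safe(db, "alice", "s3cret"))     # ['alice']
```

The XML transport changes nothing here: a SOAP node value lands in $username exactly as a browser form field would, so the fix belongs in the query construction (parameter binding) regardless of whether a gateway also screens inbound node values.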
Component Details – MySQL Database
• Test MySQL Database
• phpMyAdmin UI
• Accounts Table Data
Component Details – PHP Application
1. Function: getAccounts()
2. Connect to Database
3. Construct SQL Query: Great Vulnerability Point
4. Execute Query
5. Parse Query Results
6. Register function as a Web Service
SQL Injection over SOAP Message – Unsecured
• Pointed to Service Endpoint
• Advertises use of PHP
• SQL Injection over XML/SOAP
• Attack Surface Area increased
• Full Table Returned in SOAP Response: 34 Records
SQL Injection – XML Gateway Secured

Components (Client → XML Gateway → Web Service)
• PHP
• NuSOAP
• Apache
• MySQL

XML Gateway
• Inbound Pattern Detection
• Prevent Outbound Leaks

How to Defend
• Deploy XML Gateway
• Enable Pattern Scanning IDP Rules
• Configure Response Message Size and Complexity Limits

Advantages
• Prevent Data Loss
• Alert and Quarantine Attempted Breaches
SQL Injection over XML/SOAP – Sentry Protection Policy
• Pre-built Pattern Matching for SQL Injection Detection
• Extensible for Business Specific Requirements
SQL Injection over SOAP Message – Secured
• Pointed through XML Gateway
• Endpoint Technology Obfuscated
• SQL Injection over XML/SOAP
• SOAP Request Stopped by XML Gateway
XML Web Services based Denial of Service Attack

Denial of Service – Unsecured

Components: Client → Web Service

How to Attack
• Loading Client with Concurrent Simultaneous Threads
• Coercive Parsing Attack

Discovered Exposure
• Unlimited message flow
• Unfair Service SLA distribution
• Back-end CPU and I/O Saturation
Denial of Service – Unsecured
• Multiply Service running on IIS
• Capable of ~700 TPS
• No restrictions on Client
Denial of Service – XML Gateway Secured

Components: Client → XML Gateway → Web Service

XML Gateway
• Enforce Transaction Rate

How to Defend
• Deploy SOA Gateway
• Set Allowed Transaction Rates (Group, User, or IP)

Advantages
• Message Flow Limited to Specified Rate
• Service Throughput Fairly Distributed
• Back-end mitigated from CPU and I/O Saturation
Denial of Service – Sentry Protection Rule
• 20 TPS Restriction Policy
• Granular Enforceability
• Configure Action
• Custom Message
Denial of Service – Sentry Protection Action
• Action: Abort Processing
• Additional Options: Throttle, Block
• Stealth Mode to suppress data leaks via responses
• Prevent log flooding
• Quarantine Messages for further analysis
Denial of Service – Secured
• Request: Multiply a x b sent through XML Gateway
• 20 TPS Restriction triggered
• Client cannot invoke a DoS
• ~680 TPS service capacity remains
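The deck's rate rule (20 TPS per group, user or IP; action Abort with a custom message; no log flooding) can be expressed as a sliding-window counter keyed by client. The following is an added example written for this page, not the Sentry product's implementation: a minimal gateway rate rule with an injectable clock so the 20 TPS scenario can be replayed deterministically. The keys, fault text and traffic are constructed.

```python
import collections
import time

# Custom abort message: it says nothing about the backend service, in the spirit of
# the deck's "stealth mode" (constructed text, not the product's default).
ABORT_FAULT = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<soap:Fault><faultcode>soap:Client</faultcode>'
    '<faultstring>Transaction rate limit exceeded</faultstring></soap:Fault>'
    '</soap:Body></soap:Envelope>'
)


class TransactionRateRule:
    """Sliding-window rate rule: at most `limit` transactions per `window` seconds for
    each key (client IP, user or group). Keys are counted independently, so one
    client's burst cannot consume another client's share of the service."""

    def __init__(self, limit=20, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._stamps = collections.defaultdict(collections.deque)
        self.rejections = collections.Counter()  # rejections since the limit last tripped

    def allow(self, key, now=None):
        """Record one transaction for `key` if it fits in the window; else refuse it."""
        now = self.clock() if now is None else now
        stamps = self._stamps[key]
        while stamps and now - stamps[0] >= self.window:  # drop expired transactions
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True

    def handle(self, key, request, forward, log, now=None):
        """Gateway step: forward in-rate requests, abort the rest with the custom fault.
        Only the first rejection is logged; the rest are counted and summarised once
        the client is back within its rate, which keeps the log from flooding."""
        if self.allow(key, now):
            if self.rejections[key] > 1:
                log("%s: %d further rejections suppressed" % (key, self.rejections[key] - 1))
            self.rejections[key] = 0
            return forward(request)
        if self.rejections[key] == 0:
            log("%s: limit of %d per %ss reached, aborting" % (key, self.limit, self.window))
        self.rejections[key] += 1
        return ABORT_FAULT


def simulate(rule, key, burst, now):
    """Send `burst` constructed requests for `key` at time `now`; return (forwarded, aborted)."""
    forwarded = aborted = 0
    for _ in range(burst):
        reply = rule.handle(key, "<Multiply/>", lambda r: "<MultiplyResponse/>",
                            lambda msg: None, now)
        if reply == ABORT_FAULT:
            aborted += 1
        else:
            forwarded += 1
    return forwarded, aborted


if __name__ == "__main__":
    rule = TransactionRateRule(limit=20, window=1.0)
    print("client A, 700 requests in one second:", simulate(rule, "10.0.0.1", 700, now=0.0))
    print("client B in the same second:        ", simulate(rule, "10.0.0.2", 5, now=0.0))
    print("client A one second later:          ", simulate(rule, "10.0.0.1", 1, now=1.0))
```

With the deck's numbers, a client that could push ~700 TPS at the unprotected service has 20 of its requests forwarded per second and the rest aborted at the gateway, so the remaining ~680 TPS of service capacity stays available to other clients.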
Another Example: Denial of Service through Coercive Parsing

Well-formed request (Echo Request: s=test)
• All responses are successful: well-formed XML
• Min 1.20 ms
• Max 3.50 ms
• Ave 1.60 ms

Malformed request (Echo Request: s=test, closing tag missing ">")
• All responses fail: XML not well-formed
• Min 2.10 ms
• Max 5.0 ms
• Ave 2.73 ms

Well-formed request:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
<soap:Body>
<s0:Echo>
<s0:s>test</s0:s>
</s0:Echo>
</soap:Body>
</soap:Envelope>

Malformed request: identical except that the last line reads "</soap:Envelope" (missing ">")

> 70% Degradation by removing one character

XML Web Services based XSD Mutation Attack

XSD Mutation Attack – Unsecured

Components: Client → Web Service

How to Attack
• Obtain WSDL
• Derive Message Structure and Types from WSDL Schema
• Send SOAP Message Mutations based on Schema

Discovered Exposure
• Code Paths not Handled for Exceptions
• Stack Traces Returned with Implementation Details
• Application Failure
XSD Mutation Attack – Lifecycle

1. Author Attack Vectors
2. Run Attack
3. Analyze Attack Results
4. Vulnerability Report
5. Add New Detection Libraries (then the cycle repeats from step 1)
XSD Mutation: Building Attack Vectors
• Service Loaded from endpoint
• Mutant Messages generated based on WSDL – XSD
• Data type, structure, size mutations
XSD Mutation: Analyze Attack

• Test generated based on WSDL complexity

• Sample Data Value Mutation

• username contains value mutation

• response reveals backend components and method calls

XSD Mutation: Extend Detection Libraries
• Look for nusoap.php
• High Severity – Open source Parser
• Vulnerability Detection Libraries
  • Application/Platform Specific
  • Business Specific – SSN, Credit Card
XSD Mutation Attack – XML Gateway Secured

Components: Client → XML Gateway → Web Service

XML Gateway
• Enforce Inbound Schema Validation
• Prevent Outbound Data Leaks

How to Defend
• Deploy XML Gateway
• Enforce Inbound Message Structure and Type Validation
• Cleanse Outbound Data (Stack Traces, Sensitive Data)

Advantages
• Reduce Parser Impact on Web Service
• Remove Vendor and Implementation Details in Response
• Protect Application Layer Code Paths on Web Service
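Two gateway policies in the deck share one mechanism, scanning XML node values against pattern libraries: the SQL injection policy (inbound pattern detection plus response size and complexity limits) and the XSD mutation policy (cleansing stack traces and sensitive data out of responses, with nusoap.php, SSN and credit card as the detection-library examples). The following is an added example, not the Sentry product's rules or code: a small Python content policy that scans the SOAP body of a request for SQL patterns and rewrites a response into a generic fault when it carries implementation fingerprints, business-sensitive data, or more records than the configured limit. All patterns, messages and the 34-record response are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BODY_TAG = "{%s}Body" % SOAP_NS

# Inbound IDP rules (constructed illustrations, not a product rule set).
SQL_PATTERNS = {
    "tautology": re.compile(r"(['\"])\s*or\s+\1?\s*\w+\s*\1?\s*=\s*\1?\s*\w+", re.I),  # " or 1=1
    "comment after quote": re.compile(r"['\"][^'\"]*(--|#|/\*)"),                     # escape + comment
    "stacked statement": re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I),
    "union select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
}

# Outbound rules: platform fingerprints and business-specific data (constructed).
LEAK_PATTERNS = {
    "implementation detail": re.compile(r"\b\w+\.php\b|stack trace|\bon line \d+", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# What the client sees instead of a leaky response: no vendor or stack information.
GENERIC_FAULT = (
    '<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
    '<faultcode>soap:Server</faultcode>'
    '<faultstring>Request could not be processed</faultstring>'
    '</soap:Fault></soap:Body></soap:Envelope>' % SOAP_NS
)


def soap_body(envelope_xml):
    body = ET.fromstring(envelope_xml).find(BODY_TAG)
    if body is None:
        raise ValueError("missing soap:Body")
    return body


def body_values(body):
    """Every text node and attribute value under soap:Body as (location, value) pairs."""
    for elem in body.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text
        for name, value in elem.attrib.items():
            yield "%s@%s" % (elem.tag, name), value


def scan_inbound(request_xml):
    """Inbound pattern scan. Returns [(location, rule)] hits; an empty list means forward."""
    hits = []
    for location, value in body_values(soap_body(request_xml)):
        for rule, pattern in SQL_PATTERNS.items():
            if pattern.search(value):
                hits.append((location, rule))
    return hits


def max_repeated_siblings(elem):
    """Largest number of same-named children under any one element: a record-count proxy
    that needs no knowledge of the service's own element names."""
    best = 0
    for parent in elem.iter():
        counts = {}
        for child in parent:
            counts[child.tag] = counts.get(child.tag, 0) + 1
        if counts:
            best = max(best, max(counts.values()))
    return best


def filter_outbound(response_xml, max_records=10):
    """Outbound control: returns (xml_to_send, reasons). A leak or an oversized result set
    is replaced by the generic fault so nothing about the backend or its data escapes."""
    body = soap_body(response_xml)
    text = " ".join(value for _, value in body_values(body))
    reasons = [rule for rule, pattern in LEAK_PATTERNS.items() if pattern.search(text)]
    records = max_repeated_siblings(body)
    if records > max_records:
        reasons.append("%d records exceeds limit of %d" % (records, max_records))
    return (GENERIC_FAULT, reasons) if reasons else (response_xml, reasons)


# Constructed sample traffic.
ENVELOPE = '<soap:Envelope xmlns:soap="%s"><soap:Body>%%s</soap:Body></soap:Envelope>' % SOAP_NS
ATTACK_REQUEST = ENVELOPE % ('<getAccounts><username>" or 1=1 #</username>'
                             '<password>x</password></getAccounts>')
CLEAN_REQUEST = ENVELOPE % ('<getAccounts><username>alice</username>'
                            '<password>s3cret</password></getAccounts>')
LEAKY_RESPONSE = ENVELOPE % (
    '<getAccountsResponse>'
    + "".join('<account><username>user%d</username><ssn>123-45-%04d</ssn></account>' % (i, i)
              for i in range(34))
    + '<debug>Warning: mysql_query() in /var/www/nusoap.php on line 42</debug>'
    + '</getAccountsResponse>')
CLEAN_RESPONSE = ENVELOPE % '<EchoResponse><EchoResult>test</EchoResult></EchoResponse>'

if __name__ == "__main__":
    print("attack request hits:", scan_inbound(ATTACK_REQUEST))
    print("clean request hits: ", scan_inbound(CLEAN_REQUEST))
    print("leaky response ->", filter_outbound(LEAKY_RESPONSE)[1])
    print("clean response ->", filter_outbound(CLEAN_RESPONSE)[1])
```

The inbound hit list is what an "alert and quarantine" action would record; the outbound reasons list is what should go to the gateway's own log while the client receives only the generic fault.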
XSD Mutation – Sentry Protection Policy
• XML Gateway provides Policies to protect against XML specific attacks
XSD Mutation – Secured
1. Deploy Specialized XML Gateways – Packet Firewalls and HTML Application Firewalls are insufficient
2. Validate XML against a robust schema
3. Tighten Schema: e.g., string → string 2048
4. Enforce XML specific detection rules, e.g., node depth, recursive payloads
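Steps 3 and 4 above (bounded string length, node-depth and recursive-payload rules) and the coercive parsing example earlier in the deck (a single missing ">" costing the service over 70% in latency) are all handled by the same gateway behaviour: parse the message once, in streaming fashion, and stop at the first violation before the service ever sees it. The following is an added example, not the Sentry product's code: a streaming structural policy on Python's bundled expat parser. The size, depth and element-count limits are constructed defaults; the 2048-character text limit is the figure the deck cites. The sample messages are constructed from the deck's Echo request.

```python
import xml.parsers.expat


class XmlPolicyViolation(Exception):
    """Raised when a message breaks a structural rule or is not well-formed."""


class StreamingXmlPolicy:
    """Structural checks run in front of the service: message size, node depth,
    element count and text-node length. They are evaluated inside expat's callbacks,
    so a violating message is rejected as soon as the rule trips rather than after
    the whole document has been built in memory."""

    def __init__(self, max_bytes=64 * 1024, max_depth=16, max_elements=500, max_text=2048):
        self.max_bytes = max_bytes          # constructed default
        self.max_depth = max_depth          # constructed default (recursive payloads)
        self.max_elements = max_elements    # constructed default
        self.max_text = max_text            # the deck's "string 2048"

    def check(self, data):
        """Return {'max_depth', 'elements'} for an acceptable message, else raise."""
        if len(data) > self.max_bytes:
            raise XmlPolicyViolation("message size %d exceeds %d bytes" % (len(data), self.max_bytes))
        stats = {"depth": 0, "max_depth": 0, "elements": 0, "text": 0}

        def start(name, attrs):
            stats["elements"] += 1
            stats["depth"] += 1
            stats["text"] = 0
            stats["max_depth"] = max(stats["max_depth"], stats["depth"])
            if stats["depth"] > self.max_depth:
                raise XmlPolicyViolation("node depth exceeds %d at <%s>" % (self.max_depth, name))
            if stats["elements"] > self.max_elements:
                raise XmlPolicyViolation("element count exceeds %d" % self.max_elements)

        def end(name):
            stats["depth"] -= 1
            stats["text"] = 0

        def chars(text):
            # expat may deliver one text node in several chunks, so accumulate per node.
            stats["text"] += len(text)
            if stats["text"] > self.max_text:
                raise XmlPolicyViolation("text node longer than %d characters" % self.max_text)

        parser = xml.parsers.expat.ParserCreate()
        parser.StartElementHandler = start
        parser.EndElementHandler = end
        parser.CharacterDataHandler = chars
        try:
            parser.Parse(data, True)
        except xml.parsers.expat.ExpatError as err:
            # Coercive parsing case: the malformed message is refused here, at the
            # gateway, instead of failing inside the service's own parser.
            raise XmlPolicyViolation("not well-formed: %s" % err) from None
        return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


def verdict(data, policy=None):
    """Gateway decision for one message: 'accept' or 'reject: <reason>'."""
    policy = policy or StreamingXmlPolicy()
    try:
        policy.check(data)
        return "accept"
    except XmlPolicyViolation as err:
        return "reject: %s" % err


# Constructed samples based on the deck's Echo request.
GOOD_REQUEST = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:s0="http://microsoft.com/webservices/">
  <soap:Body>
    <s0:Echo>
      <s0:s>test</s0:s>
    </s0:Echo>
  </soap:Body>
</soap:Envelope>"""
BAD_REQUEST = GOOD_REQUEST[:-1]               # the deck's case: final ">" removed
DEEP_REQUEST = b"<a>" * 40 + b"</a>" * 40     # recursive payload
LONG_REQUEST = b"<a>" + b"x" * 3000 + b"</a>"  # string longer than 2048

if __name__ == "__main__":
    for label, msg in [("well-formed", GOOD_REQUEST), ("missing >", BAD_REQUEST),
                       ("40 deep", DEEP_REQUEST), ("3000-char string", LONG_REQUEST)]:
        print("%-16s %s" % (label, verdict(msg)))
```

Structural limits of this kind complement, rather than replace, validation against the tightened XSD: the schema states what a valid message looks like, while the streaming limits bound what the parser is willing to do before validation even begins.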
Best Practices for Countermeasures

Information Control – Outbound
• Restrict SOAP Faults
• Protect Sensitive Information
• Audit Transaction Flows

Information Control – Inbound
• Tighten Payloads
• Enforce SLA
• Disallow SQL, Virus, Malicious Code

Use Web Services Penetration Testing Product
• Out of the box Vulnerability Discovery
• Simplified Testing and Diagnostics of Service Endpoint
• Validation of Security Gateway Policies

Deploy XML Web Services Gateway
• Forum Systems Sentry XML Gateway
• Barracuda
• Radware AppXML

Deploy Centralized XML Security
• Enforce Policy Independent of Application Servers and OS Platforms
• Audit and Filter Sensitive Information
• Separate Security from Application Code
Learn more @

www.crosschecknet.com
and
www.forumsys.com

