OWASP
Introduction to XML Threats
• SQL Injection
• Malware
• Denial of Service
• Identity Discovery
Explicit Attacks
• Forced Disruption: Bring Down or Limit Enterprise Service Availability
• Information Theft: Gain Access to Enterprise Resources
• Vendor Discovery: Expose Known Traditional Attacks
(Diagram label: 1..N source IP)
Implicit Vulnerability
• Perimeter Breach: Embedded Virus, Malware
• Infrastructure Malfunction: Parser and Data Processing Failures
New Attack Vectors
Web Service
Security Testing - Base Requirements
• Security Framework: Sign, Encrypt, Decrypt, SSL
• Identity Framework: Basic Auth, SSL Auth, WS-Security Token Auth
• Parameter Injection: Database or File Driven
Permutations for Security, Identity, and SOAP/XML
XML Security Gateway - Base Requirements
Transaction Privacy
• Encryption, Decryption, SSL
Transaction Integrity
• Digital Signature, Signature Verification, Schema Validation
Transaction Accountability
• Archiving, Logging, Reporting, and Monitoring
XML Web Services based SQL Injection Attack
SQL Injection – Unsecured
(Diagram: Apache and MySQL back end, with PHP and NuSOAP)
How to Attack
• Construct SQL Escape Sequences
• Construct SQL 1=1 Query
• Inject into XML Node values
Discovered Exposure
• Sensitive Data Loss
• Database Corruption
SQL Injection
1. What is it?
• SQL injection is a technique that exploits a vulnerability that occurs in the database layer of an application.
2. Example:
• Good: 'select * from accounts where username="' . $username . '" AND password="' . $password . '"';
3. Attack Vector:
• Old: User input from a browser-based application
Component Details – MySQL Database
Component Details – PHP Application
1. Function: getAccounts()
2. Connect to Database
4. Execute Query
6. Register function as a Web Service
SQL Injection over SOAP Message – Unsecured
SQL Injection – XML Gateway Secured
(Diagram: Client → XML Gateway → Apache and MySQL back end with PHP and NuSOAP; the gateway performs Inbound Pattern Detection and Prevents Outbound Leaks)
How to Defend
• Deploy XML Gateway
• Enable Pattern Scanning IDP Rules
• Configure Response Message Size and Complexity Limits
Advantages
• Prevent Data Loss
• Alert and Quarantine Attempted Breaches
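The concatenated getAccounts query from the earlier example slide, beside a parameterised version and a gateway-style inbound pattern scan as described on this slide, as an added example (not the presentation's or the gateway vendor's code). It assumes an in-memory sqlite table standing in for the MySQL accounts table, assumed getAccounts/username/password element names, and single-quoted string literals so the query runs on sqlite.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/"}

def soap_request(username, password):
    """Constructed getAccounts request; operation and child element names are assumed."""
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body><getAccounts>'
            '<username>%s</username><password>%s</password>'
            '</getAccounts></soap:Body></soap:Envelope>'
            % (SOAP_NS["soap"], escape(username), escape(password)))

def node_values(soap):
    """Pull the username/password node values out of the SOAP body."""
    op = ET.fromstring(soap).find("soap:Body", SOAP_NS)[0]
    return op.findtext("username", ""), op.findtext("password", "")

def make_db():
    """Constructed in-memory sqlite stand-in for the MySQL accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def get_accounts_unsecured(db, soap):
    """The slide's pattern: node values concatenated straight into SQL text."""
    user, pw = node_values(soap)
    sql = ("select username from accounts where username='" + user
           + "' AND password='" + pw + "'")
    return [row[0] for row in db.execute(sql)]

def get_accounts_secured(db, soap):
    """Parameterised query: node values are bound as data, never parsed as SQL."""
    user, pw = node_values(soap)
    sql = "select username from accounts where username=? AND password=?"
    return [row[0] for row in db.execute(sql, (user, pw))]

# Gateway-style inbound scan (assumed heuristic rule set): flags the escape
# sequences and 1=1 tautologies named on the slide. It will also flag a legitimate
# O'Brien, so parameterisation above stays the real fix; this adds alerting.
SQLI_PATTERN = re.compile(r"'|--|\b1\s*=\s*1\b", re.IGNORECASE)

def inbound_pattern_check(soap):
    """Return True when every node value passes the inbound scan."""
    return not any(SQLI_PATTERN.search(v) for v in node_values(soap))
```

With the constructed 1=1 payload in the username node, get_accounts_unsecured returns every account while get_accounts_secured returns none and inbound_pattern_check reports the message for quarantine.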
SQL Injection over XML/SOAP – Sentry Protection Policy
SQL Injection over SOAP Message – Secured
XML Web Services based Denial of Service Attack
Denial of Service – Unsecured
(Diagram: Client → Web Service)
How to Attack
• Loading Client with Concurrent Simultaneous Threads
• Coercive Parsing Attack
Discovered Exposure
• Unlimited message flow
• Unfair Service SLA distribution
• Back-end CPU and I/O Saturation
Denial of Service – Unsecured
Denial of Service – XML Gateway Secured
(Diagram: Client → XML Gateway → Web Service; the gateway Enforces Transaction Rate)
How to Defend
• Deploy SOA Gateway
• Set Allowed Transaction Rates (Group, User, or IP)
Advantages
• Message Flow Limited to Specified Rate
• Service Throughput Fairly Distributed
• Back-end mitigated from CPU and I/O Saturation
Denial of Service – Sentry Protection Rule
• Granular Enforceability
• Configure Action
• Custom Message
Denial of Service – Sentry Protection Action
Denial of Service – Secured
Another Example: Denial of Service through Coercive Parsing
XML Web Services based XSD Mutation Attack
XSD Mutation Attack – Unsecured
(Diagram: Client → Web Service)
How to Attack
• Obtain WSDL
• Derive Message Structure and Types from WSDL Schema
• Send SOAP Message Mutations based on Schema
Discovered Exposure
• Code Paths not Handled for Exceptions
• Stack Traces Returned with Implementation Details
• Application Failure
XSD Mutation Attack – Lifecycle
(Cycle: Author Vulnerability Vectors → Run Attack → Analyze Attack Results Report → Add New Detection Libraries)
XSD Mutation: Building Attack Vectors
XSD Mutation: Analyze Attack
XSD Mutation: Extend Detection Libraries
XSD Mutation Attack – XML Gateway Secured
(Diagram: Client → XML Gateway → Web Service; the gateway Enforces Inbound Schema Validation and Prevents Outbound Data Leaks)
How to Defend
• Deploy XML Gateway
• Enforce Inbound Message Structure and Type Validation
• Cleanse Outbound Data (Stack Traces, Sensitive Data)
Advantages
• Reduce Parser Impact on Web Service
• Remove Vendor and Implementation Details in Response
• Protect Application Layer Code Paths on Web Service
XSD Mutation – Sentry Protection Policy
XSD Mutation – Secured
Best Practices for Countermeasures
Learn more @ www.crosschecknet.com and www.forumsys.com