PEN-TESTING WEB SERVICES IN 2012
Ishan Girdhar
Why Attack Web Services?
- Secondary attack vector
- Ability to bypass controls in the application
- Many developers don't implement proper controls
- Deployed outside the protections of the web application
- It is assumed that the only client for a web service is another application
Web Services and OSI layers
- Implemented by adding XML into layer 7, Application (HTTP)
- SOAP: Simple Object Access Protocol
- Think of SOAP like you would think of SMTP: it's a message envelope, and you need to get a response.
Differences in Web Service Standards
- Some developers are moving from XML-based SOAP to RESTful services using JSON
- REST (Representational State Transfer) uses HTTP methods (GET, POST, PUT, DELETE)
- However:
  - SOAP-based services are complex for a reason!
  - Many custom applications use them in enterprise applications
  - Large services still use SOAP: Amazon EC2, PayPal and Microsoft Azure are a few examples.
The Web Service Threat Model
- Web Service in Transit
  - Is data being protected in transit? SSL
  - What type of authentication is used? Basic Authentication != Secure
- Web Service Engine
- Web Service Deployment
- Web Service User Code
Web Services State of the Union
There are issues with:
- Scoping
- Tools
- Testing Process
- Methodology
- Testing Techniques
- Education
- Testing Environment
Basically, it's all broken.
Penetration testers don't know what to do with web services
- How do you scope?
- Do you even ask the right scoping questions?
- Where do you begin?
- How do I test this thing?
  - Automated vs. manual testing?
  - Black vs. grey vs. white box testing?
Why is the testing methodology broken?
- OWASP Web Service Testing Guide v3
  - It's good for web application testing "in general"
  - It's the "gold standard"
  - It's outdated in regards to web service testing
  - Missing full coverage based on a complete threat model
  - Testing focused on old technology
    - Examples: MitM, client-side storage, host-based authentication
  - Example: no mention of WCF services, or of how to test multiple protocols
- Most testing standards use grey-box techniques and fail to address unique web service requirements.
Current Tools
- They suck
- Mostly commercial tools available (aimed at developers, very little security focus)
- Very little automation
  - soapUI, WCF Storm, SOA Cleaner
  - Tester's time is spent configuring tools and getting them running, not hacking
  - Minimal amount of re-usability
- Multiple tools built from the ground up
  - Missing features
  - Missing functionality (payloads)
  - Community support?
Current Tools
- What happened to WebScarab?
- WSDigger? No SSL?
- There are other tools, but many are hard to configure or just don't work properly
- SOAP messages written by hand (THIS REALLY SUCKS!)
- ~14 modules in Metasploit for web services
- WebScarab web service module
- WSDigger
- WSScanner
What are we using?
- soapUI combined with Burp Suite are the bomb
- Still could be better
- There are very good Burp Suite plugins by Ken Johnson as well:
  http://resources.infosecinstitute.com/soapattack-1/
Screenshots of soapUI & Burp (three screenshot slides)
Lack of testing environment
- OK, fine. I have understood how to test web services, but where can I test it?
- On production systems ... wait, what?
- I'll build my own testing environment ... wait, what?
The SOAP Envelope Format
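The envelope-and-response model the SOAP slides describe (a message envelope, and you need to get a response), shown as a small client-side helper in Python. This is an added example, not code from the talk: the service namespace, the GetBalance operation and both sample responses are constructed for it, and the verbose-fault check is a heuristic a tester would apply to the response, not part of SOAP itself.

```python
"""Build a SOAP 1.1 request envelope and interpret the response.

Added illustration of the envelope/response model described in the deck; not
code from the talk. The service namespace, the GetBalance operation and the
two sample responses below are constructed for this example.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.invalid/accounts"  # constructed namespace (hypothetical service)

ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("acct", SVC_NS)


def build_request(operation: str, params: dict) -> bytes:
    """Wrap an operation and its parameters in a SOAP 1.1 Envelope/Body."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_ENV}}}Header")  # empty: no WS-Security in this example
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_response(raw: bytes) -> dict:
    """Return {'ok': True, 'operation', 'result'} or {'ok': False, 'fault': {...}}.

    A SOAP Fault is carried inside the Body (usually with HTTP 500, but not
    always), so the envelope itself has to be inspected rather than trusting
    the HTTP status alone.
    """
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("SOAP envelope without a Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        # In SOAP 1.1, faultcode/faultstring are unqualified children of Fault.
        return {
            "ok": False,
            "fault": {
                "code": (fault.findtext("faultcode") or "").strip(),
                "string": (fault.findtext("faultstring") or "").strip(),
                "verbose": fault_leaks_internals(fault),
            },
        }
    op = next(iter(body), None)
    if op is None:
        raise ValueError("SOAP Body is empty")
    result = {_local(child.tag): (child.text or "").strip() for child in op}
    return {"ok": True, "operation": _local(op.tag), "result": result}


def fault_leaks_internals(fault: ET.Element) -> bool:
    """Heuristic: does the fault text look like a stack trace or engine internals?

    A verbose fault is a finding in itself: it tells anyone who can send a
    request which engine and classes sit behind the service.
    """
    text = " ".join(fault.itertext())
    markers = ("Exception", "Traceback", ".java:", ".cs:", "\tat ")
    return any(m in text for m in markers)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


# Constructed sample responses: a normal reply and an over-verbose fault.
SAMPLE_OK = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:acct="http://example.invalid/accounts">
  <soapenv:Body>
    <acct:GetBalanceResponse>
      <acct:accountId>1001</acct:accountId>
      <acct:balance>250.00</acct:balance>
    </acct:GetBalanceResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server</faultcode>
      <faultstring>java.lang.NullPointerException at AccountDao.java:42</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print(build_request("GetBalance", {"accountId": 1001}).decode())
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_FAULT))
```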
Web Services Fingerprinting
- Google hacking for exposed WSDLs
  - filetype:asmx
  - filetype:jws
  - filetype:wsdl
  - Searches for Microsoft Silverlight XAP files
- Shodan search for exposed web service management interfaces
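As an added example for the fingerprinting slide (not code from the talk), the following Python inventories what an exposed WSDL file advertises: the operations, the endpoint addresses, whether each endpoint is served over TLS (the "data in transit" question from the threat model slide), and a guess at the engine from the endpoint's file extension (the framework question from the scoping slide). The WSDL, its namespace and the example.invalid host names are constructed; the extension-to-engine table is a heuristic.

```python
"""Inventory what an exposed WSDL reveals.

Added example for the fingerprinting slide; not code from the talk. The WSDL,
its namespace and the example.invalid host names are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP11_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"

# Constructed WSDL for a hypothetical accounts service with two ports.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="Accounts" targetNamespace="http://example.invalid/accounts"
  xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:tns="http://example.invalid/accounts">
  <portType name="AccountsPortType">
    <operation name="GetBalance"/>
    <operation name="Transfer"/>
    <operation name="ExportAllAccounts"/>
  </portType>
  <binding name="AccountsBinding" type="tns:AccountsPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="AccountsService">
    <port name="AccountsPort" binding="tns:AccountsBinding">
      <soap:address location="http://accounts.example.invalid/ws/Accounts.asmx"/>
    </port>
    <port name="AccountsPortTls" binding="tns:AccountsBinding">
      <soap:address location="https://accounts.example.invalid/ws/Accounts.asmx"/>
    </port>
  </service>
</definitions>"""

# Extensions from the deck's Google-hacking slide plus .svc (WCF) and .php (Zend)
# from the scoping slide; a heuristic, not a guarantee.
EXTENSION_TO_ENGINE = {
    ".asmx": "ASP.NET (ASMX)",
    ".svc": "WCF",
    ".jws": "Apache Axis",
    ".php": "PHP (e.g. Zend)",
}


def guess_engine(url: str) -> str:
    """Guess the web service engine from the endpoint path's extension."""
    path = urlparse(url).path.lower()
    for ext, engine in EXTENSION_TO_ENGINE.items():
        if path.endswith(ext):
            return engine
    return "unknown"


def inventory(wsdl: bytes) -> dict:
    """Collect operations and SOAP endpoint addresses from a WSDL 1.1 document."""
    root = ET.fromstring(wsdl)
    operations = [
        op.get("name")
        for pt in root.findall(f"{{{WSDL_NS}}}portType")
        for op in pt.findall(f"{{{WSDL_NS}}}operation")
    ]
    endpoints = []
    for svc in root.findall(f"{{{WSDL_NS}}}service"):
        for port in svc.findall(f"{{{WSDL_NS}}}port"):
            addr = port.find(f"{{{SOAP11_NS}}}address")
            if addr is None:
                addr = port.find(f"{{{SOAP12_NS}}}address")
            if addr is None:
                continue  # HTTP GET/POST or other bindings are out of scope here
            url = addr.get("location", "")
            endpoints.append({
                "service": svc.get("name"),
                "port": port.get("name"),
                "url": url,
                "tls": urlparse(url).scheme == "https",
                "engine": guess_engine(url),
            })
    return {"operations": operations, "endpoints": endpoints}


def findings(inv: dict) -> list:
    """Turn the inventory into review notes a tester or service owner would act on."""
    notes = []
    for ep in inv["endpoints"]:
        if not ep["tls"]:
            notes.append(f"{ep['url']}: served over plain HTTP, data not protected in transit")
    if inv["operations"]:
        notes.append("WSDL publicly advertises operations: " + ", ".join(inv["operations"]))
    return notes


if __name__ == "__main__":
    for note in findings(inventory(SAMPLE_WSDL)):
        print(note)
```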
The Importance of Web Service Management Interfaces
- If these interfaces are exposed, an attacker could:
  - Control the system that has the web services deployed
  - Why bother even testing the web services at this point??
- How about weak and default passwords?
  - For most organizations this is their biggest risk
  - Pass-the-Hash
- Administration interfaces
  - Axis2, SAP Business Objects
  - 2010 Metasploit module created for this: http://spl0it.org/files/talks/base10/demo.txt
Web Services Threat
- Microsoft Silverlight
  - Client-side applications that can use web services
  - SOAP or REST
  - Can use WCF (Windows Communication Foundation) services
- An attacker can directly interface with the web services; there is really no need for the client
- Security depends on the configuration of the services!
New Web Service Attacks
- WS-Attacks.org by Andreas Falkenberg
  - Catalogs most (if not all) attacks for modern SOAP and BPEL web services
- SOAP requests to web services that provide content to the web app
- AJAX, Flash and Microsoft Silverlight add to the complexity
New Advancements
- Client-side applications like Microsoft Silverlight
- Increased complexity with AJAX and Flash implementations
- Multiple web services being used within applications
- Organizations exposing web services for mobile applications
BPEL
- WS-BPEL: Web Services Business Process Execution Language (BPEL)
- Separates the business process from the implementation logic
- Usually a white-box approach is required to understand the business logic fully
Scoping a Web Service Pentest
- Pre-engagement scoping is CRITICAL!
- Not only for pricing but for proper testing
- Questions such as:
  - What type of framework is being used? (WCF, Apache Axis, Zend)
  - Types of services (SOAP, REST)
  - What type of data does the web service use?
  - SOAP attachment support?
  - Can you provide multiple SOAP requests that show full functionality?
- There are MANY more questions. Our whitepaper has the full list.
Tools
- soapUI
- Burp
- WS-Attacker
- For .NET web services:
  - WSKnight
  - WSDigger
Further Resources
- "Real World Web Service Testing for Web Hackers" by Joshua, Tom and Kevin (Black Hat USA 2011)
- "Web Service Security Testing Framework" by Colin Wong and Daniel Grzelak
- "Web Services Hacking and Hardening" by Adam Vincent, Sr. Federal Solutions Architect
Questions …
Presented by:
Ishan Girdhar
Infosec Consultant
Twitter: ishan_girdhar
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Pentesting With Web Services in 2012

  • 1. PEN-TESTING WEB SERVICES IN 2012 (Ishan Girdhar)
  • 2. Why Attack Web Services?
    - Secondary attack vector
    - Ability to pass controls in the application
    - Many developers don't implement proper controls
    - Installed outside the protection within the web application
    - Assumed that the only client for a web service is another application
  • 3. Web Services and OSI Layers
    - Implemented by adding XML into layer 7, Application (HTTP)
    - SOAP: Simple Object Access Protocol
    - Think of SOAP like you would think of SMTP: it's a message envelope and you need to get a response.
  • 4. Differences in Web Service Standards
    - Some developers have departed from XML-based SOAP to RESTful services using JSON
    - REST (Representational State Transfer) uses HTTP methods (GET, POST, PUT, DELETE)
    - However:
      - SOAP-based services are complex for a reason!
      - Many custom applications use them in enterprise applications
    - Large services still use SOAP:
      - Amazon EC2, PayPal and Microsoft Azure are a few examples.
  • 5. The Web Service Threat Model
    - Web service in transit
      - Is data being protected in transit? SSL
      - What type of authentication is used? Basic Authentication != secure
    - Web service engine
    - Web service deployment
    - Web service user code
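One way a defender can answer the "in transit" question of the threat model above for their own services is to inventory the WSDL and flag any advertised SOAP endpoint that is not served over HTTPS. This is an added Python example, not from the slides; the WSDL, hostname and operation names in it are constructed placeholders.

```python
"""Inventory a WSDL: list advertised operations and flag SOAP endpoints
whose address is not served over TLS (added example; sample WSDL is constructed)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}

# Constructed sample: one port over plain HTTP (the weak setting) and one
# over HTTPS, both bound to the same operations. Hostname is a placeholder.
SAMPLE_WSDL = """<definitions name="Accounts" xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <portType name="AccountsPortType">
    <operation name="GetBalance"/>
    <operation name="Transfer"/>
  </portType>
  <binding name="AccountsBinding" type="AccountsPortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="AccountsService">
    <port name="Internal" binding="AccountsBinding">
      <soap:address location="http://ws.example.invalid/accounts"/>
    </port>
    <port name="Public" binding="AccountsBinding">
      <soap:address location="https://ws.example.invalid/accounts"/>
    </port>
  </service>
</definitions>"""


def inventory(wsdl_text):
    """Return (operation names, [(port name, location, finding or None)])."""
    root = ET.fromstring(wsdl_text)
    ops = [o.get("name") for o in root.iterfind("wsdl:portType/wsdl:operation", NS)]
    ports = []
    for port in root.iterfind("wsdl:service/wsdl:port", NS):
        addr = port.find("soap:address", NS)
        if addr is None:  # SOAP 1.2 bindings use a different namespace
            addr = port.find("soap12:address", NS)
        location = addr.get("location") if addr is not None else ""
        finding = None
        if urlparse(location).scheme != "https":
            finding = "not protected in transit: endpoint is not HTTPS"
        ports.append((port.get("name"), location, finding))
    return ops, ports
```

Run `inventory()` over each WSDL your organization publishes; the "Internal" port in the sample is the case that the threat model's first question is meant to catch.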
  • 6. Web Services State of the Union
    - There are issues with: scoping, tools, testing process, methodology, testing techniques, education, testing environment
    - Basically, it's all broken
  • 7. Penetration testers don't know what to do with web services
    - How do you scope?
    - Do you even ask the right scoping questions?
    - Where do you begin?
    - How do I test this thing?
      - Automated vs. manual testing?
      - Black vs. grey vs. white box testing?
  • 8. Why is the testing methodology broken?
    - OWASP Web Service Testing Guide v3
      - It's good for web application testing "in general"
      - It's the "gold standard"
      - It's outdated in regards to web service testing
      - Missing full coverage based on a complete threat model
    - Testing focused on old technology
      - Examples: MiTM, client-side storage, host-based authentication
      - Example: no mention of WCF services, or of how to test multiple protocols
    - Most testing standards use grey box techniques and fail to address unique web service requirements.
  • 9. Current Tools
    - They suck
    - Mostly commercial tools available (built for developers, very little security focus)
    - Very little automation
      - soapUI, WCF Storm, SOA Cleaner
      - Tester's time is spent configuring tools and getting them running, less on hacking
      - Minimal amount of re-usability
    - Multiple tools built from the ground up
      - Missing features
      - Missing functionality (payloads)
      - Community support?
  • 10. Current Tools
    - What happened to WebScarab? WS-Digger? No SSL?
    - There are other tools, but many are hard to configure or just don't work properly.
    - SOAP messages written by hand (THIS REALLY SUCKS!)
    - ~14 modules in Metasploit for web services
  • 11. WebScarab: Web Service Module
  • 14. What are we using?
    - soapUI combined with Burp Suite is the bomb.
    - Still could be better
    - There are very good Burp Suite plugins by Ken Johnson as well: http://resources.infosecinstitute.com/soapattack-1/
  • 18. Lack of a Testing Environment
    - OK. Fine. I have understood how to test web services, but where can I test it?
    - On production systems ... wait, what?
    - I'll build my own testing environment ... wait, what?
  • 20. Web Services Fingerprinting
    - Google hacking for exposed WSDLs
      - filetype:asmx
      - filetype:jws
      - filetype:wsdl
    - Searches for Microsoft Silverlight XAP files
    - Shodan search for exposed web service management interfaces
  • 21. The Importance of Web Service Management Interfaces
    - If these interfaces are exposed, an attacker could control the system that has the web services deployed. Why bother even testing the web services at this point??
    - How about weak and default passwords? For most organizations this is their biggest risk
    - Pass-the-Hash
    - Administration interfaces:
      - Axis2
      - SAP Business Objects 2010 (Metasploit module created for this: http://spl0it.org/files/talks/base10/demo.txt)
  • 22. Web Services Threat
    - Microsoft Silverlight client-side applications that can use web services (SOAP or REST)
    - Can be WCF (Windows Communication Foundation) services
    - Attacker can directly interface with the web services ... really no need for the client
    - Security depends on the configuration of the services!
  • 23. New Web Service Attacks
    - WS-Attacks.org by Andreas Falkenberg
    - Catalogs most (if not all) attacks for modern SOAP and BPEL web services
    - SOAP requests to web services that provide content to the web app
    - AJAX, Flash and Microsoft Silverlight add to the complexity.
  • 24. New Advancements
    - Client-side applications like Microsoft Silverlight
    - Increased complexity with AJAX and Flash implementations
    - Multiple web services being used within applications
    - Organizations exposing web services for mobile applications
  • 25. BPEL
    - WS-BPEL: Web Services Business Process Execution Language (BPEL)
    - Separates the business process from the implementation logic
    - Usually a white box approach is required to understand the business logic fully.
  • 26. Scoping a Web Service Pentest
    - Pre-engagement scoping is CRITICAL! Not only for pricing but for proper testing
    - Questions such as:
      - What type of framework is being used? (WCF, Apache Axis, Zend)
      - Types of services (SOAP, REST)
      - What type of data do the web services use?
      - SOAP attachment support?
      - Can you provide multiple SOAP requests that show full functionality?
    - There are MANY more questions. Our white paper has the full list.
  • 27. Tools
    - soapUI
    - Burp
    - WS-Attacker
    - For .NET web services: WSKnight, WS-Digger
  • 28. Further Resources
    - Real World Web Services Testing for Web Hackers, by Joshua, Tom and Kevin (Black Hat USA 2011)
    - Web Service Security Testing Framework, by Colin Wong and Daniel Grzelak
    - Web Services Hacking and Hardening, by Adam Vincent, Sr. Federal Solutions Architect
  • 29. Questions ... Presented by: Ishan Girdhar, Infosec Consultant. Twitter: ishan_girdhar