Web services present unique challenges for penetration testing due to their complexity and differences from traditional web applications. There is a lack of standardized testing methodology and tools for web services. Many penetration testers are unsure how to properly scope and test web services. Existing tools have limitations and testing environments must often be built from scratch. A thorough understanding of web service standards and frameworks is needed to effectively test for vulnerabilities from both the client and server side.
2. Why Attack Web Services?
Secondary attack vector
Ability to bypass controls in the application
Many developers don't implement proper controls
Installed outside the protection within the web application
Assumed that the only client for a web service is another application
3. Web Services and OSI Layers
Implemented by adding XML into layer 7, Applications (HTTP)
SOAP – Simple Object Access Protocol
Think of SOAP like you would think of SMTP: it's a message envelope and you need to get a response.
4. Differences in Web Service Standards
Some developers have departed from XML-based SOAP to RESTful services using JSON
REST (Representational State Transfer) uses HTTP methods (GET, POST, PUT, DELETE)
However:
SOAP-based services are complex for a reason!
Many custom applications use them in enterprise applications
Large services still use SOAP: Amazon EC2, PayPal and Microsoft Azure are a few examples.
5. The Web Service Threat Model
Web Service in Transit
Is data being protected in transit? SSL
What type of authentication is used? Basic Authentication != Secure
Web Service Engine
Web Service Deployment
Web Service User Code
6. Web Services State of the Union
There are issues with:
Scoping
Tools
Testing Process
Methodology
Testing Techniques
Education
Testing Environment
Basically, it's all broken
7. Penetration testers don't know what to do with web services
How do you scope?
Do you even ask the right scoping questions?
Where do you begin?
How do I test this thing?
Automated vs. manual testing?
Black vs. grey vs. white box testing?
8. Why is the testing methodology broken?
OWASP Web Service Testing Guide v3
It's good for web application testing "in general"
It's the "Gold Standard"
It's outdated in regards to web service testing
Missing full coverage based on a complete threat model
Testing focused on old technology
Examples: MiTM, Client Side Storage, Host Based Authentication
Example: no mention of WCF services or how to test multiple protocols
Most testing standards use grey box techniques and fail to address unique web service requirements.
9. Current Tools
They suck
Mostly commercial tools available (for developers, very little security focus)
Very little automation
soapUI, WCF Storm, SOA Cleaner
Tester's time is spent configuring tools and getting them running, less hacking
Minimal amount of re-usability
Multiple tools built from the ground up
Missing features
Missing functionality (payloads)
Community support?
10. Current Tools
What happened to WebScarab?
WS-Digger? No SSL?
There are other tools but many are hard to configure or just don't work properly.
SOAP messages written by hand (THIS REALLY SUCKS!)
~14 modules in Metasploit for web services
14. What are we using?
soapUI combined with Burp Suite are the bomb.
Still, could be better
There are very good Burp Suite plugins by Ken Johnson as well:
http://resources.infosecinstitute.com/soapattack-1/
18. Lack of Testing Environment
Ok. Fine. I have understood how to test web services, but where can I test it?
On production systems … wait, what?
I'll build my own testing environment … wait, what?
20. Web Services Fingerprinting
Google hacking for exposed WSDLs
filetype:asmx
filetype:jws
filetype:wsdl
Searches for Microsoft Silverlight XAP files
Shodan search for exposed web service management interfaces
21. The Importance of Web Service Management Interfaces
If these interfaces are exposed, an attacker could:
How about weak and default passwords?
Control the system that has the web services deployed.
Why bother even testing the web services at this point??
For most organizations this is their biggest risk
Pass-the-Hash
Administration interfaces: Axis2, SAP Business Objects
2010 Metasploit module created for this
http://spl0it.org/files/talks/base10/demo.txt
22. Web Services Threats
Microsoft Silverlight
Client-side applications that can use web services, SOAP or REST
Can use WCF (Windows Communication Foundation) services
Attacker can directly interface with the web services... really no need for the client
Security depends on the configuration of the services!
23. New Web Service Attacks
WS-Attacks.org by Andreas Falkenberg
Catalogs most (if not all) attacks for modern SOAP and BPEL web services
SOAP requests to web services that provide content to the web app
AJAX, Flash and Microsoft Silverlight add to the complexity.
24. New Advancements
Client-side applications like Microsoft Silverlight
Increased complexity with AJAX and Flash implementations
Multiple web services being used within applications
Organizations exposing web services for mobile applications
25. BPEL
WS-BPEL: Web Services Business Process Execution Language (BPEL)
Separates the business process from the implementation logic
Usually a white box approach is required to understand the business logic fully.
26. Scoping a Web Service Pentest
Pre-engagement scoping is CRITICAL!
Not only for pricing but for proper testing
Questions such as:
What type of framework is being used? (WCF, Apache Axis, Zend)
Types of services (SOAP, REST)
What type of data do the web services use?
SOAP attachment support?
Can you provide multiple SOAP requests that show full functionality?
There are MANY more questions. Our white paper has the full list.
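Added example, not from the talk: a stdlib-only Python helper that pulls the scoping answers above out of a WSDL (which operations exist and where the endpoints are), flags endpoints that accept SOAP over cleartext HTTP as the threat model on slide 5 asks, and generates a SOAP 1.1 envelope skeleton so requests need not be written by hand as complained about on slide 10. The Accounts service, its namespace and its URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",        # WSDL 1.1
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}   # SOAP 1.1 binding
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample WSDL for a hypothetical "Accounts" service (not a real endpoint).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="Accounts" targetNamespace="http://example.test/accounts"
  xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:tns="http://example.test/accounts">
  <portType name="AccountsPort">
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
    <operation name="Transfer"><input message="tns:TransferIn"/></operation>
  </portType>
  <binding name="AccountsBinding" type="tns:AccountsPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="http://example.test/accounts/GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="http://example.test/accounts/Transfer"/></operation>
  </binding>
  <service name="AccountsService">
    <port name="AccountsPort" binding="tns:AccountsBinding">
      <soap:address location="http://accounts.example.test/ws"/>
    </port>
  </service>
</definitions>"""

def parse_wsdl(text):
    """Return target namespace, endpoint URLs and an operation -> SOAPAction map.
    For a WSDL fetched from an untrusted party, parse with defusedxml instead."""
    root = ET.fromstring(text)
    endpoints = [a.get("location") for a in
                 root.iterfind(".//wsdl:service/wsdl:port/soap:address", NS)]
    ops = {}
    for op in root.iterfind(".//wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        ops[op.get("name")] = soap_op.get("soapAction") if soap_op is not None else None
    return {"namespace": root.get("targetNamespace"), "endpoints": endpoints, "operations": ops}

def cleartext_endpoints(info):
    """Threat-model check: plain http:// endpoints expose the message body and any
    Basic Authentication header on the wire."""
    return [u for u in info["endpoints"] if u.lower().startswith("http://")]

def soap_envelope(namespace, operation, params):
    """Build a SOAP 1.1 envelope skeleton for one operation; parameter values are
    XML-escaped so a test value cannot break out of its element."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:tns="{namespace}">'
            f'<soapenv:Header/><soapenv:Body><tns:{operation}>{body}</tns:{operation}>'
            f'</soapenv:Body></soapenv:Envelope>')
```

The generated envelope is what a tester would paste into soapUI or Burp Repeater for each operation; the SOAPAction value goes in the HTTP header of the same request.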
28. Further Resources
Real World Web Services Testing for Web Hackers, by Joshua, Tom and Kevin (Black Hat USA 2011)
Web Service Security Testing Framework, by Colin Wong and Daniel Grzelak
Web Services Hacking and Hardening, by Adam Vincent, Sr. Federal Solutions Architect