pentesting with web services in 2012
DESCRIPTION
This is a brief discussion of pen testing web services in 2012. OWASP has testing guides that describe various methods and tools for performing black box and white box security testing of web services, but they are all outdated. The key points of the presentation revolve around how to pen test web services: the prerequisites, the methodology, the tools used, etc.
TRANSCRIPT
![Page 1: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/1.jpg)
PEN-TESTING WEB SERVICES IN 2012
Ishan Girdhar
![Page 2: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/2.jpg)
Why Attack Web Services?
- Secondary attack vector
- Ability to bypass controls in the application
- Many developers don't implement proper controls
- Installed outside the protection within the web application
- Assumed that the only client for a web service is another application
![Page 3: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/3.jpg)
Web Services and OSI Layers
- Implemented by adding XML into layer 7, Application (HTTP)
- SOAP – Simple Object Access Protocol
- Think of SOAP like you would think of SMTP: it's a message envelope, and you need to get a response.
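The envelope-and-response model above, as an added example that is not part of the slides: a SOAP 1.1 request is built around an operation call and the reply is either the operation's response element or a Fault. The operation name, the urn:example:bank namespace and both sample replies are constructed for the demo.

```python
import xml.etree.ElementTree as ET  # for XML from untrusted peers prefer defusedxml.ElementTree

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ET.register_namespace("soapenv", SOAP_ENV)


def build_envelope(operation, namespace, params):
    """Wrap one operation call in Envelope/Header/Body. Like an SMTP
    envelope, the Body carries the message; the (empty) Header is where
    WS-Security tokens would travel instead of HTTP Basic credentials."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{namespace}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{namespace}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text):
    """Every SOAP call expects a reply: the operation's response element
    or a soapenv:Fault. Returns ("fault", code, reason) or
    ("result", {field: text}) built from the first Body child."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body in response")
    first = body[0]
    if first.tag == f"{{{SOAP_ENV}}}Fault":
        # SOAP 1.1 fault children (faultcode, faultstring) are unqualified elements
        return ("fault", first.findtext("faultcode", ""), first.findtext("faultstring", ""))
    fields = {child.tag.split("}")[-1]: (child.text or "") for child in first}
    return ("result", fields)


# Constructed sample replies from a hypothetical urn:example:bank service, not captured traffic.
SAMPLE_OK = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><ns:GetBalanceResponse xmlns:ns="urn:example:bank">'
    '<ns:Balance>42.00</ns:Balance></ns:GetBalanceResponse></soapenv:Body></soapenv:Envelope>'
)
SAMPLE_FAULT = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>'
    '<faultstring>Not authenticated</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>'
)

if __name__ == "__main__":
    print(build_envelope("GetBalance", "urn:example:bank", {"AccountId": 7}))
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_FAULT))
```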
![Page 4: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/4.jpg)
Differences in Web Service Standards
- Some developers are departing from XML-based SOAP toward RESTful services using JSON
- REST (Representational State Transfer) uses HTTP methods (GET, POST, PUT, DELETE)
However:
- SOAP-based services are complex for a reason! Many custom applications use them in enterprise applications
- Large services still use SOAP: Amazon EC2, PayPal and Microsoft Azure are a few examples.
![Page 5: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/5.jpg)
The Web Service Threat Model
- Web service in transit: Is data being protected in transit? SSL. What type of authentication is used? Basic Authentication != Secure
- Web service engine
- Web service deployment
- Web service user code
![Page 6: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/6.jpg)
Web Services State of the Union
There are issues with:
- Scoping
- Tools
- Testing process
- Methodology
- Testing techniques
- Education
- Testing environment
Basically, it's all broken.
![Page 7: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/7.jpg)
Penetration testers don't know what to do with web services
- How do you scope? Do you even ask the right scoping questions?
- Where do you begin? How do I test this thing?
- Automated vs. manual testing?
- Black vs. grey vs. white box testing?
![Page 8: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/8.jpg)
Why is the testing methodology broken?
OWASP Web Service Testing Guide v3
- It's good for web application testing "in general"; it's the "Gold Standard"
- It's outdated with regard to web service testing
- Missing full coverage based on a complete threat model. Examples: MiTM, client-side storage, host-based authentication
- Testing focused on old technology. Example: no mention of WCF services or of how to test multiple protocols
- Most testing standards use grey box techniques and fail to address the unique requirements of web services.
![Page 9: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/9.jpg)
Current Tools: They Suck
- Mostly commercial tools available (built for developers, very little security focus): soapUI, WCF Storm, SOA Cleaner
- Very little automation: the tester's time is spent configuring tools and getting them running, less on hacking. Minimal amount of re-usability.
- Multiple tools built from the ground up: missing features, missing functionality (payloads), community support?
![Page 10: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/10.jpg)
Current Tools
- What happened to WebScarab? WSDigger? No SSL?
- There are other tools, but many are hard to configure or just don't work properly.
- SOAP messages written by hand (THIS REALLY SUCKS!)
- ~14 modules in Metasploit for web services
![Page 11: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/11.jpg)
Webscarab – Web Service Module
![Page 12: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/12.jpg)
WSDigger
![Page 13: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/13.jpg)
WSScanner
![Page 14: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/14.jpg)
What are we using?
- soapUI combined with Burp Suite is the bomb. Still could be better.
- There are very good Burp Suite plugins by Ken Johnson as well: http://resources.infosecinstitute.com/soap-attack-1/
![Page 15: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/15.jpg)
Screenshots of soupUI & Burp
![Page 16: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/16.jpg)
Screenshots of soupUI & Burp
![Page 17: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/17.jpg)
Screenshots of soupUI & Burp
![Page 18: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/18.jpg)
Lack of a Testing Environment
- OK. Fine. I have understood how to test web services, but where can I test it?
- On production systems … wait, what?
- I'll build my own testing environment … wait, what?
![Page 19: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/19.jpg)
The SOAP Envelope Format
![Page 20: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/20.jpg)
Web Services Fingerprinting
- Google hacking for exposed WSDLs: filetype:asmx, filetype:jws, filetype:wsdl
- Searches for Microsoft Silverlight XAP files
- Shodan search for exposed web service management interfaces
![Page 21: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/21.jpg)
The Importance of Web Service Management Interfaces
- If these interfaces are exposed, an attacker could control the system that has the web services deployed. Why bother even testing the web services at this point?
- How about weak and default passwords? For most organizations this is their biggest risk. Pass-the-Hash.
- Administration interfaces: Axis2, SAP Business Objects. A Metasploit module was created for this in 2010: http://spl0it.org/files/talks/base10/demo.txt
![Page 22: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/22.jpg)
Web Services Threat
- Microsoft Silverlight: client-side applications that can use web services, SOAP or REST
- Can use WCF (Windows Communication Foundation) services
- An attacker can directly interface with the web services; there is really no need for the client
- Security depends on the configuration of the services!
![Page 23: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/23.jpg)
New Web Service Attacks
- WS-Attacks.org by Andreas Falkenberg catalogs most (if not all) attacks on modern SOAP and BPEL web services
- SOAP requests to web services that provide content to the web app
- AJAX, Flash and Microsoft Silverlight add to the complexity.
![Page 24: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/24.jpg)
New Advancements
- Client-side applications like Microsoft Silverlight
- Increased complexity with AJAX and Flash implementations
- Multiple web services being used within applications
- Organizations exposing web services for mobile applications
![Page 25: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/25.jpg)
BPEL
- WS-BPEL: Web Services Business Process Execution Language (BPEL)
- Separates the business process from the implementation logic
- Usually a white box approach is required to understand the business logic fully.
![Page 26: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/26.jpg)
Scoping a Web Service Pentest
- Pre-engagement scoping is CRITICAL! Not only for pricing but for proper testing.
- Questions such as:
  - What type of framework is being used? (WCF, Apache Axis, Zend)
  - Types of services (SOAP, REST)
  - What type of data do the web services use?
  - SOAP attachment support?
  - Can you provide multiple SOAP requests that show full functionality?
- There are MANY more questions. Our white paper has the full list.
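Several of the scoping questions above (types of services, what the service exposes) and the threat model's first question (is data protected in transit?) can be answered from the WSDL the client hands over. The following is an added example, not from the slides or any tool named here: it inventories a WSDL 1.1 document per service port, lists the binding's operations, and flags endpoints whose address is plain http. The embedded billing WSDL is constructed for the demo.

```python
import xml.etree.ElementTree as ET  # for WSDLs from untrusted sources prefer defusedxml.ElementTree
from urllib.parse import urlsplit

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP11 = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12 = "http://schemas.xmlsoap.org/wsdl/soap12/"


def inventory(wsdl_text):
    """Return one record per service port: endpoint address, whether it is
    plain http (data in transit unprotected), and the operations exposed
    by the port's binding."""
    root = ET.fromstring(wsdl_text)
    # binding name -> operation names (soap:binding children live in another namespace)
    binding_ops = {
        b.get("name"): [o.get("name") for o in b.findall(f"{{{WSDL}}}operation")]
        for b in root.findall(f"{{{WSDL}}}binding")
    }
    records = []
    for svc in root.findall(f"{{{WSDL}}}service"):
        for port in svc.findall(f"{{{WSDL}}}port"):
            addr = port.find(f"{{{SOAP11}}}address")
            if addr is None:  # explicit None check: an Element with no children is falsy
                addr = port.find(f"{{{SOAP12}}}address")
            location = addr.get("location", "") if addr is not None else ""
            binding = port.get("binding", "").split(":")[-1]  # strip the tns: prefix
            records.append({
                "service": svc.get("name"),
                "port": port.get("name"),
                "location": location,
                "plaintext": urlsplit(location).scheme.lower() == "http",
                "operations": binding_ops.get(binding, []),
            })
    return records


# Constructed sample WSDL for a hypothetical billing service, not from a real product.
SAMPLE_WSDL = """<definitions name="Billing" targetNamespace="urn:example:billing"
  xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:example:billing"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <binding name="BillingBinding" type="tns:BillingPortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetInvoice"/><operation name="PayInvoice"/>
  </binding>
  <service name="BillingService">
    <port name="BillingPort" binding="tns:BillingBinding">
      <soap:address location="http://billing.example.internal/ws"/>
    </port>
  </service>
</definitions>"""

if __name__ == "__main__":
    for rec in inventory(SAMPLE_WSDL):
        flag = "PLAINTEXT" if rec["plaintext"] else "tls"
        print(f'{rec["service"]}/{rec["port"]} {rec["location"]} [{flag}] ops={rec["operations"]}')
```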
![Page 27: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/27.jpg)
Tools
- soapUI
- Burp
- WS-Attacker
- For .NET web services: WSKnight, WSDigger
![Page 28: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/28.jpg)
Further Resources
- "Real World Web Services Testing for Web Hackers" by Joshua, Tom and Kevin (Black Hat USA 2011)
- "Web Service Security Testing Framework" by Colin Wong and Daniel Grzelak
- "Web Services Hacking and Hardening" by Adam Vincent, Sr. Federal Solutions Architect
![Page 29: Pentesting With Web Services in 2012](https://reader036.vdocuments.us/reader036/viewer/2022062319/5563a4cdd8b42aae0d8b4de4/html5/thumbnails/29.jpg)
Questions …
Presented by:
Ishan Girdhar
Infosec Consultant
Twitter: ishan_girdhar