SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector
Uploaded by: nu-the-open-security-community
Category: Technology
Penetration testing using open source tools
Agenda
○ What is SOA and SOAP communication?
○ What are web services?
○ Attacker's approach: Google hacking; Universal Description, Discovery and Integration (UDDI)
○ Exploiting XML parsers
○ Error handling
○ Attack simulation: technique & tools
○ Simulating the attack
○ Conclusion
What is SOA?
SOA is similar to building blocks. Conventionally, the components of an IT system were tightly rigid, so implementing change was difficult. With SOA, components are easy to assemble and easily reconfigurable.
How does SOAP communicate?
What is the meaning of web service?
A web service is a server-oriented system which operates on the server side and performs tasks when it is called upon by an application. A web service is registered in a web service registry, which an application uses to call the specific service it requires.
A web service is not language- or platform-dependent; it uses XML to communicate with other services or applications.
Web service in Action
The communication starts with the user submitting the data.
1. The application contacts the UDDI to look up the service required to perform this functionality.
(Diagram: Client, UDDI Provider)
The UDDI provider creates a binding which associates the message to the service requested and its location. The UDDI provider then returns a WSDL file to the client, which the application completes as a SOAP message.
Web service in Action
The SOAP message then gets sent to the application server which hosts the web service needed to execute the current operation. This is done by binding the details in the WSDL file from the UDDI.
Web service in Action
Using the SOAP instructions, the web service can correctly execute the task according to the parameters it was given, and deliver the processed result.
Note: Appending ?wsdl or .wsdl to the service URL reveals the WSDL file, for example:
http://172.16.125.233/HacmeBank_v2_WS/Install/Install.asmx?WSDL
Attacker's approach
Google hacking:
○ filetype:wsdl
○ Index of "wsdl"
○ inurl:wsdl
○ inurl:asmx (note that .asmx is the WSDL equivalent in ASP.NET)
UDDI (Universal Description, Discovery and Integration): This provides a centralized repository of web services and their WSDL files. Service providers often post their details to public UDDIs so that services can be discovered at run time.
Web Application v/s Web services

Web application:
1. XSS
2. SQL injection
3. Malicious file execution
4. Broken authentication and session management
5. Insecure direct object references
6. Cross-Site Request Forgery (CSRF)
7. Insecure cryptographic storage
8. Failure to restrict URL access
And many more...

Web services:
1. Almost all the attacks that are applicable to web applications.
2. XPath/XML injection
3. LDAP injection
4. Exploiting XML parsers
5. Brute forcing
Exploiting XML parsers
Parser models: Document Object Model (DOM), SAX
Attack classes: buffer overflow, XML injection
Error handling
Uncaught exceptions within application logic are caught at the SOAP engine and displayed as a SOAP fault element.
Defense:
○ Ensure all caught exceptions are returned as generic error messages in SOAP responses.
○ Suppress exception details from being included in the fault element.
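The defense above, as an added example that is not part of the slides: a minimal SOAP 1.1 fault builder that returns only a generic faultstring plus a correlation reference to the client and keeps the real exception in the server log. The withdraw operation, its error strings and the leak markers are constructed for the demonstration.

```python
"""Added example (not from the slides): build a SOAP 1.1 Fault that hides
exception details from the client while logging them server-side."""
import logging
import uuid
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
log = logging.getLogger("soap.faults")


def withdraw(account: str, amount: int) -> int:
    """Constructed service operation: fails on bad input or a backend error."""
    if amount <= 0:
        raise ValueError(f"bad amount {amount} for account {account}")
    if account != "ACC-1":
        # Simulated backend failure whose message names internal infrastructure.
        raise RuntimeError("DB connection refused: db01.internal:1433")
    return 100 - amount


def generic_fault(exc: Exception) -> str:
    """Return a SOAP Fault with a generic message and a correlation id only.
    The exception type and message go to the log, never into the envelope."""
    ref = uuid.uuid4().hex
    log.error("fault %s: %s: %s", ref, type(exc).__name__, exc)
    ET.register_namespace("soapenv", SOAP_ENV)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    # Client-caused errors map to the Client fault code, everything else to Server.
    code = "soapenv:Client" if isinstance(exc, ValueError) else "soapenv:Server"
    ET.SubElement(fault, "faultcode").text = code
    ET.SubElement(fault, "faultstring").text = f"Request failed (ref {ref})"
    return ET.tostring(env, encoding="unicode")


def handle_call(account: str, amount: int) -> str:
    """Dispatch as a SOAP engine would: every exception becomes a generic fault."""
    try:
        result = withdraw(account, amount)
    except Exception as exc:  # catch everything so no raw detail reaches the client
        return generic_fault(exc)
    return f"<result>{result}</result>"


def leaks_detail(fault_xml: str) -> bool:
    """Check a fault body for common exception-detail leak markers (constructed list)."""
    markers = ("Traceback", "Exception", "Error:", ".internal", "refused")
    return any(m in fault_xml for m in markers)
```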
Attack simulation: Technique and Tools
Footprinting
○ Discovering the existence of services relevant to the target.
○ Discovering the entry points to those respective services.
  ○ Techniques based on the UBR (Universal Business Register) and UDDI will work
  ○ WSDL scanning and schema poisoning
  ○ Discovery of .wsdl, .jws, .aspx
Tool: wspawn – it does footprinting via the UBR (UDDI) inquiry APIs. It also performs protocol-based discovery.
Enumeration
○ Service information
○ Port type information
○ Operation information
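From the defender's side, the discovery patterns listed above (?wsdl, .wsdl, .jws, .asmx, .aspx) are visible in web server access logs. The following is an added example, not part of the slides or of wspawn, that scans constructed common-log-format lines for such requests and groups them by client; the log lines, IP addresses and the threshold are constructed.

```python
"""Added example (not from the slides): flag WSDL/service-discovery probing in
web server access logs. Log lines and the threshold below are constructed."""
import re
from collections import defaultdict

# Constructed sample in common log format; the HacmeBank paths mirror the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2022:10:01:02 +0000] "GET /HacmeBank_v2_WS/Install/Install.asmx?WSDL HTTP/1.1" 200 4102
10.0.0.5 - - [04/Jun/2022:10:01:03 +0000] "GET /HacmeBank_v2_WS/WebServices.asmx?wsdl HTTP/1.1" 200 3990
10.0.0.5 - - [04/Jun/2022:10:01:04 +0000] "GET /services/Account.jws HTTP/1.1" 404 210
10.0.0.5 - - [04/Jun/2022:10:01:05 +0000] "GET /services/Account.wsdl HTTP/1.1" 404 210
10.0.0.9 - - [04/Jun/2022:10:02:11 +0000] "POST /HacmeBank_v2_WS/WebServices.asmx HTTP/1.1" 200 812
10.0.0.9 - - [04/Jun/2022:10:02:12 +0000] "GET /index.html HTTP/1.1" 200 1500
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Discovery indicators from the footprinting slide: ?wsdl, .wsdl, .jws, .asmx, .aspx.
PROBE_RE = re.compile(r'(\?wsdl(\b|$)|\.(wsdl|jws|asmx|aspx)(\?|$))', re.IGNORECASE)


def discovery_hits(log_text: str) -> dict:
    """Return {client_ip: [paths]} for GET requests matching discovery patterns.
    Normal SOAP calls are POSTs, so only GETs are treated as discovery."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path")
        if m.group("method") == "GET" and PROBE_RE.search(path):
            hits[m.group("ip")].append(path)
    return dict(hits)


def suspected_scanners(log_text: str, min_hits: int = 3) -> list:
    """Clients whose discovery requests reach the threshold: candidates for review."""
    return sorted(ip for ip, paths in discovery_hits(log_text).items()
                  if len(paths) >= min_hits)
```

Run against real logs the threshold should be tuned to the environment, since legitimate clients may fetch a WSDL once when they start up.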
Simulating the attack
DEMO
Other tools
Commercial tools: WebInspect; WSID4ID (Web Services Interface Definition for Intrusion Defense)
Conclusion We can now attack web services
Any Questions ??
WCF Services/Security