presented by abhishek kamalayagari. basics of web services threats and counter measures security...

Presented byAbhishek Kamalayagari

Basics of web servicesThreats and counter measuresSecurity based on WS-SecuritySecurity based on event logs

What a web service is An application stored on one machine that can

be accessed from another machine A web service has several web methods Three components -service broker -service provider -service requester

Web methods are remotely invoked using a Remote Procedure Call

Does everything using XML Used by a computer so XML

[WebService(Namespace = httptempuriorg)] [WebServiceBinding(ConformsTo = WsiProfilesBasicProfile1_1)] [ToolboxItem(false)] public class add SystemWebServicesWebService

[WebMethod] public string HelloWorld() return Hello World [WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q

web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2) int res = ConvertToInt32(re) TextBox3Text =

resToString()web1web reference name and add-gt web service name

web1add a = new web1add() string op1=TextBox1Text string op2=TextBox2Text string re = aad(op1 op2)

[WebMethod] public string ad(string a string b) int r = ConvertToInt32(a) int s = ConvertToInt32(b) int p = r + s string q = pToString() return q

Soap requestSoap request

Soap responseSoap response

Note Simple Object Access Protocol (SOAP) is an XML message format

Name Abbreviation use

Extensible Mark up Language

XML Language

Universal Discovery Description and Integration

UDDI Discovery

Web services Description Language

WSDL Description

Simple Object Access Protocol

SOAP Request and receive messages

Unauthorized accessParameter manipulationNetwork eavesdroppingDisclosure of configuration dataMessage replay

Unauthorized access vulnerabilities-gtNo authentication used-gtPasswords passed in plaintext in SOAP

headers-gtBasic authentication used over an

unencrypted communication channelCounter measures Use password digests Kerberos tickets

X509 certificates in SOAP headers for authentication

Use Windows authentication Use role-based authorization to restrict

access to web services

Parameter manipulation vulnerabilities

Messages that are not digitally signed

Messages that are not encrypted Counter ProofDigitally sign the messageEncrypt the message payload to

provide privacy

Network eavesdropping vulnerabilities Credentials passed in plaintext in SOAP

headers No message level encryption used No transport level encryption usedCounter measures Use transport level encryption such as SSL

or IPSec This is applicable only if you control both endpoints

Encrypt the message payload to provide privacy This approach works in scenarios where your message travels through intermediary nodes route to the final destination

Disclosure of configuration data vulnerabilities

Unrestricted WSDL files available for download from the Web server

A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics

Weak exception handling

Counter measures Authorize access to WSDL files using

NTFS permissions Remove WSDL files from Web server Disable the documentation protocols to

prevent the dynamic generation of WSDL Capture exceptions and throw

a SoapException or SoapHeaderException mdash that returns only minimal and harmless information mdash back to the client

Message replay vulnerabilities Messages are not encrypted Messages are not digitally signed to prevent

tampering Duplicate messages are not detected because no

unique message ID is usedCommon types of message replay attacks Basic replay attack The attacker captures and

copies a message and then replays the same message and impersonates the client This replay attack does not require the malicious user to know the contents of the message

Man in the middle attack The attacker captures the message and then changes some of its contents for example a shipping address and then replays it to the Web service

Counter measures Use an encrypted communication

channel for example SSL Encrypt the message payload to provide

message Although this does not prevent basic replay attacks it does prevent man in the middle attacks where the message contents are modified before being replayed

Use a unique message ID or nonce with each request to detect duplicates and digitally sign the message to provide tamperproofing

Authentication requirementsPrivacy and integrity

requirementsResource access identitiesCode access security

Web methods can accept strongly typed or weakly typed parameters

Strong parameters have type description by XSD schema

Consumers use this information to access web services

SystemXmlSerializationXmlSerializer class is used to convert soap messages to CLR objects

Sql injection can be counter attacked by input validation

Example [WebMethod] public void CreateEmployee(string

name int age decimal salary) Example of custom object data types using Employees Custom namespace [WebMethod] public void CreateEmployee(Employee emp) If consumer is a net client thenusing Employees Employee emp = new Employee() Populate Employee fields Send Employee to the Web service wsProxyCreateEmployee(emp) ElseConstruct XML input manually

Loosely typed parametersEg string parameters or byte arrays auto-generated WSDL simply describes the parameters as

string input of type xsdstring type length format and range [WebMethod] public void SomeEmployeeFunction(string

dateofBirth string SSN) EXAMPLE 1 Type check the date try DateTime dt = DateTimeParse(dateofBirth)Date If the type conversion fails a FormatException is thrown catch( FormatException ex ) Invalid date EXAMPLE 2 Check social security number for length

format and range if( RegexIsMatch(empSSNd3-d2-

d4RegexOptionsNone)) Invalid social security number

Web method can use the SystemXmlXmlValidatingReader class to validate the input data

using SystemXml using SystemXmlSchema [WebMethod] public void OrderBooks(string xmlBookData) try Create and load a validating reader XmlValidatingReader reader = new XmlValidatingReader(xmlBookData

XmlNodeTypeElement null) Attach the XSD schema to the reader readerSchemasAdd(urnbookstore-schema

httplocalhostWSBooksbookschemaxsd) Set the validation type for XSD schema XDR schemas and DTDs are also supported readerValidationType = ValidationTypeSchema Create and register an event handler to handle validation errors readerValidationEventHandler += new

ValidationEventHandler( ValidationErrors ) Process the input data while (readerRead()) Validation completed successfully catch Validation error event handler private static void ValidationErrors(object sender ValidationEventArgs args)

Error details available from argsMessage

Consumer calls it this way string xmlBookData = ltbook

xmlns=urnbookstore-schema xmlnsxsi=httpwwww3org2001XMLSchema-instancegt + lttitlegtBuilding Secure ASPNET Applicationslttitlegt + ltisbngt0735618909ltisbngt + ltorderQuantitygt1ltorderQuantitygt + ltbookgt

BookStoreBookService bookService = new BookStoreBookService() bookServiceOrderBooks(xmlBookData))

XSD schema ltxml version=10 encoding=utf-8 gt

ltxsdschema xmlnsxsd=httpwwww3org2001XMLSchema xmlns=urnbookstore-schema elementFormDefault=qualified targetNamespace=urnbookstore-schemagt ltxsdelement name=book type=bookDatagt ltxsdcomplexType name=bookDatagt ltxsdsequencegt ltxsdelement name=title type=xsdstring gt ltxsdelement name=isbn type=xsdinteger gt ltxsdelement name=orderQuantity type=xsdintegergt ltxsdsequencegt ltxsdcomplexTypegt ltxsdschemagt

Regular expressions ltxsdelement name=zipgt

ltxsdsimpleTypegt ltxsdrestriction base=xsdstringgt ltxsdpattern value=d5(-d4) gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt

Decimal value to 2 digits ltxsdelement name=Salarygt

ltxsdsimpleTypegt ltxsdrestriction base=xsddecimalgt ltxsdfractionDigits value=2 gt ltxsdrestrictiongt ltxsdsimpleTypegt ltxsdelementgt

User name and password ltwsseSecurity

xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseUsernameTokengt ltwsseUsernamegtBobltwsseUsernamegt ltwssePasswordgtYourStr0ngPassWordltwssePasswordgt ltwsseUsernameTokengt ltwsseSecuritygt

Username and password digestThe digest is a Base64-encoded SHA1 hash value

of the UTF8-encoded password digest = SHA1(nonce + creation timestamp +

password)Kerboros ticketsltwsseSecurity

xmlnswsse=httpschemasxmlsoaporgws200212secextgt ltwsseBinarySecurityToken ValueType=wsseKerberosv5ST EncodingType=wsseBase64Binarygt U87GGH91TT ltwsseBinarySecurityTokengt ltwsseSecuritygt

X509 certificatesltwsseSecurity


Web service end point authorization-can use urlauthorization to control access

to asmx files Web method authorizationUse declarative principal permission

demands[PrincipalPermission(SecurityActionDemand

Role=Manager)] [WebMethod] public string QueryEmployeeDetails(string

empID)

Digitally signing a soap messagehttpmsdnmicrosoftcomen-us

libraryms824659aspxDisabling auto generation of wsdl

ltwebServicesgt ltprotocolsgt ltadd name=HttpSoapgt lt-- ltadd name=Documentationgt --gt ltprotocolsgt ltwebServicesgt

Asymmetric encryption using X509 certificates

Symmetric encryption using shared keys

Symmetric encryption using custom binary tokens

Bad example SystemException User not in managers

role at EmployeeServiceemployeeGiveBonus(Int32 empID Int32 percentage) in cinetpubwwwrootemployeesystememployeeasmxcsline 207

Web services can throw 3 types of exceptions

SoapExceptionSoapHeaderExceptionException (DivisionByZeroArgumentOut

OfRange)

Good example try EmployeeService service = new

EmployeeService() ServiceGiveBonus(empIDpercentage)

catch

(SystemWebServicesProtocolsSoapException se) Extract custom message from seDetailInnerText ConsoleWriteLine(Server threw a soap exception + seDetailInnerText )

Log exceptions in the event logEvent typesInformationWarningErrorSuccess AuditFailure Audit

Example [WebMethod] public void DivideNumbers(int intNumerator int intDenominator) double dResult try dResult = intNumerator intDenominator catch (Exception e) Write to Event Log WriteToEventLog(eMessage

EventLogEntryTypeError)

Method to write to the Event Log ltsummarygt Method to write to the Event Log ltsummarygt ltparam name=strLogEntrygtThe message to be loggedltparamgt ltparam name=eTypegtEvent Log Typeltparamgt private void WriteToEventLog(string strLogEntry EventLogEntryType eType) string strSource = Division Web Service name of the source string strLogType = Application type of the log string strMachine = machine name if (EventLogSourceExists(strSource strMachine)) EventLogCreateEventSource(strSource strLogType strMachine) EventLog eLog = new EventLog(strLogType strMachine strSource) eLogWriteEntry(strLogEntry eType 1000)

Result of writeToEventLog could be one of the following

EventLogEntryTypeErrorEventLogEntryTypeFailureAuditEventLogEntryTypeInformationEventLogEntryTypeSuccessAuditEventLogEntryTypeWarning

SystemSecuritySecurityException will be thrown when we try to make an entry in to the log

Problem is no event source found 2 approaches to solve the problem a) 1 Click Start -gt Run type regedit 2 Locate the registry subkey HKEY_LOCAL_MACHINESYSTEM

CurrentControlS etServicesEventlogApplication 3 Right-click the Application subkey point to

New and then click Key 4 Type Division Web Service for the key name 5 Close Registry Editor

b) using the EventLogInstaller class in SystemDiagnostics namespace

Listing 3 Event Log Installer using System using SystemDiagnostics using SystemComponentModel using SystemConfigurationInstall namespace EventLogSourceInstaller [RunInstaller(true)] public class MyEventLogInstaller Installer private EventLogInstaller myEventLogInstaller public MyEventLogInstaller() Create Instance of EventLogInstaller myEventLogInstaller = new EventLogInstaller() Set the Source of Event Log to be created myEventLogInstallerSource = ldquoDivision Web sevicesrdquo Set the Log that source is created in myEventLogInstallerLog = ldquoApplicationrdquo Add myEventLogInstaller to the Installers Collection InstallersAdd(myEventLogInstaller)

WS-Security is the emerging standard for Web services security The specification defines options for authentication by passing security tokens in a standard way using SOAP headers Tokens can include user name and password credentials Kerberos tickets X509 certificates or custom tokens WS-Security also addresses message privacy and integrity issues

Event logging this security strategy work out with Windows NT windows 2000 windows XP

and windows Vista In the future additional research

work needs to be carried out to implement the same concept in

different platform to prevent the system with invalid access

httpmsdnmicrosoftcomen-uslibraryff648643aspx

httpresearchmicrosoftcomenusprojectssamoawebservicesandsecuritypdf

httpwww15secondscomissue010430htm

1048708 httpwwwlucademoncouk 1048708 httpwwwhannesmaraiscom httpieeexploreieeeorgstamp

stampjsptp=amparnumber=4735939

Basics of web servicesThreats and counter measuresSecurity based on WS-SecuritySecurity based on event logs
















XML Language


UDDI Discovery


WSDL Description













provide privacy































































empID)











OfRange)



catch







































XML Language


UDDI Discovery


WSDL Description













provide privacy































































empID)











OfRange)



catch


































provide privacy































































empID)











OfRange)



catch






















































































empID)











OfRange)



catch


































OfRange)



catch


























catch
























presented by abhishek kamalayagari. basics of web services threats and counter measures security...

Documents

string b

string op1

text string op2

restricted web service

xml message format slide

web server

event logs slide

abhishek kamalayagari