soa architecture & soap protocol architecture detail & attack vector

Penetration testing using open source tools


DESCRIPTION

SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector by Nabarun sengupta @ null Pune Meet, November, 2010

TRANSCRIPT

Page 1: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Penetration testing using open source tools

Page 2: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Agenda

○ What is SOA and SOAP communication?
○ What are web services?
○ Attacker's approach
  ○ Google hacking
  ○ Universal Description, Discovery and Integration (UDDI)
○ Exploiting XML parsers
○ Error handling
○ Attack simulation: technique & tools
○ Simulating the attack
○ Conclusion

Page 3: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

What is SOA?

SOA is similar to building blocks.

Conventionally, the components of an IT system were rigid and tightly coupled, so implementing change was difficult.

With SOA, components are easy to assemble and easily reconfigurable.

Page 4: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

How does SOAP communicate?

Page 5: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

What is a web service?

A web service is a server-oriented system that runs on the server side and performs tasks when it is called upon by an application. A web service is registered in a web service registry, which an application uses to call the specific service it requires.

A web service is not language- or platform-dependent; it uses XML to communicate with other services or applications.

Page 6: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Web service in Action

The communication starts with the user submitting the data.

1. The application contacts the UDDI to look up the service required to perform this functionality.

[Diagram: Client and UDDI Provider]

The UDDI provider creates a binding which associates the message to the service requested, and its location. The UDDI provider then returns a WSDL file to the client, which the application completes as a SOAP message.

Page 7: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Web service in Action

The SOAP message then gets sent to the application server which hosts the web service needed to execute the current operation.

This is done by binding the details in the WSDL file from the UDDI.

Page 8: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Web service in Action

Using the SOAP instructions, the web service can correctly execute the task according to the parameters it was given and deliver the processed result.

Note: Appending ?WSDL or .wsdl to the service URL reveals the WSDL file, for example:

http://172.16.125.233/HacmeBank_v2_WS/Install/Install.asmx?WSDL

Page 9: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Attacker's approach

Google hacking:

○ filetype: wsdl
○ index of "wsdl"
○ inurl: wsdl
○ inurl: asmx (note that asmx is the WSDL equivalent in ASP.NET)

UDDI (Universal Description, Discovery and Integration): this provides a centralized repository of web services and their WSDL files. Service providers often publish their details to public UDDI registries so that the services can be discovered at run time.

Page 10: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Web Application v/s Web Services

WEB APPLICATION

1. XSS
2. SQL Injection
3. Malicious File Execution
4. Broken Authentication and Session Management
5. Insecure Direct Object References
6. Cross-Site Request Forgery (CSRF)
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access

And many more...

WEB SERVICES

1. Almost all the attacks that are applicable to web applications.
2. XPath/XML Injection
3. LDAP Injection
4. Exploiting XML parsers
5. Brute forcing

Page 11: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Exploiting XML parsers

Parser models:

○ Document Object Model (DOM)
○ SAX

Attacks:

○ Buffer overflow
○ XML Injection
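XML injection against a SOAP body, as an added example that is not part of the talk: the vulnerable builder concatenates a user-supplied parameter into the envelope, so a value containing markup adds an element the service never asked for; the hardened builder sets the value through the XML API, which escapes it. The service namespace, operation and field names are constructed for the demo.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:bank"  # constructed namespace for the demo Transfer operation


def build_body_unsafe(account: str, amount: str) -> str:
    """Vulnerable: user input is pasted straight into the SOAP body as markup."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<ns:Transfer xmlns:ns="{SVC_NS}">'
        f'<ns:account>{account}</ns:account><ns:amount>{amount}</ns:amount>'
        f'</ns:Transfer></soap:Body></soap:Envelope>'
    )


def build_body_safe(account: str, amount: str) -> str:
    """Hardened: the element tree is built with the XML API, so '<' and '&' in
    the input are serialized as character data, never as tags."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}Transfer")
    ET.SubElement(op, f"{{{SVC_NS}}}account").text = account
    ET.SubElement(op, f"{{{SVC_NS}}}amount").text = amount
    return ET.tostring(env, encoding="unicode")


def transfer_fields(envelope: str) -> dict:
    """Server-side view: the child elements (and values) the Transfer handler
    actually receives after the envelope is parsed."""
    root = ET.fromstring(envelope)
    op = root.find(f".//{{{SVC_NS}}}Transfer")
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in op}


# Constructed malicious account value: closes the account element and smuggles
# in an <approved> element before reopening account so the XML stays well-formed.
INJECTED = "1234</ns:account><ns:approved>true</ns:approved><ns:account>1234"
```

`transfer_fields(build_body_unsafe(INJECTED, "50"))` shows an `approved` field the client never sent; the safe builder yields an `account` field whose text is the full literal string.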

Page 12: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Error handling

Uncaught exceptions within application logic are caught at the SOAP engine and displayed as a SOAP fault element.

Defense

○ Ensure all exceptions caught are generic error messages returned with SOAP responses.

○ Suppress exception details from being included in the fault element.
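The defense above in code, as an added example rather than the talk's own material: `make_fault` renders an exception as a SOAP 1.1 fault either the leaky way (type, message and stack trace in faultstring/detail) or the hardened way (opaque message plus a reference id, detail only in the server log), and `fault_leaks_detail` is the check a reviewer can run over responses to confirm nothing is leaking. The logger name and the `Internal error (ref ...)` wording are assumptions.

```python
import logging
import re
import traceback
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)  # so faultcode "soap:Server" resolves
log = logging.getLogger("soap-engine")  # assumed logger name

# Tokens that betray an exception type, stack frame or source location in a fault.
LEAK_RE = re.compile(r"\b[A-Z]\w*(?:Exception|Error)\b|Traceback|\bat [\w.$]+\(|\bline \d+")


def make_fault(exc: Exception, generic: bool = True) -> str:
    """Render an uncaught exception as a SOAP 1.1 Fault.

    generic=False reproduces the leak the slide describes: exception type,
    message and traceback land in faultstring/detail for the caller to read.
    generic=True is the defense: a generic message and a reference id go to
    the client, the real detail only to the server log under that id."""
    ref = uuid.uuid4().hex[:12]
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soap:Server"
    if generic:
        ET.SubElement(fault, "faultstring").text = f"Internal error (ref {ref})"
        log.error("ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
    else:
        ET.SubElement(fault, "faultstring").text = f"{type(exc).__name__}: {exc}"
        ET.SubElement(fault, "detail").text = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))
    return ET.tostring(env, encoding="unicode")


def fault_leaks_detail(envelope: str) -> bool:
    """True when a SOAP response carries a populated detail element or a
    faultstring containing exception/stack-trace tokens."""
    fault = ET.fromstring(envelope).find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return False
    detail = fault.find("detail")
    if detail is not None and (detail.text or "").strip():
        return True
    return bool(LEAK_RE.search(fault.findtext("faultstring", default="")))
```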

Page 13: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Attack simulation: technique and tools

Footprinting

Discovering the existence of some services relevant to the target.

Discovering the entry points to those respective services.

○ Techniques based on the UBR (Universal Business Register) and UDDI will work
○ WSDL scanning and schema poisoning
○ Discovery of .wsdl, .jws, .aspx

Tool: wspawn. It footprints via the UBR (UDDI) inquiry APIs and also performs protocol-based discovery.

Enumeration

○ Service information
○ Port type information
○ Operation information
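The enumeration step above, and the WSDL-to-SOAP flow from the "Web service in Action" slides, as an added example that is not the talk's or wspawn's code: a parser that pulls service endpoints, port types and operations out of a WSDL document, which is also the inventory a defender needs to know what the ?WSDL URL is advertising. The WSDL below is constructed for the demo; its names and address are invented.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_BIND_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL standing in for what a ?WSDL request returns. Note the
# AdminSoap port type: declared, but never bound to a reachable port.
SAMPLE_WSDL = """<definitions name="AccountService"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example:account">
  <portType name="AccountSoap">
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
    <operation name="Transfer"><input message="tns:TransferIn"/></operation>
  </portType>
  <portType name="AdminSoap">
    <operation name="ResetPassword"><input message="tns:ResetIn"/></operation>
  </portType>
  <binding name="AccountBinding" type="tns:AccountSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="AccountService">
    <port name="AccountSoap" binding="tns:AccountBinding">
      <soap:address location="http://service.example/Account.asmx"/>
    </port>
  </service>
</definitions>"""


def enumerate_wsdl(wsdl_text: str) -> dict:
    """Return service, port type and operation information from a WSDL:
    endpoints as 'service/port' -> SOAP address, each binding's port type,
    and the operations every port type declares."""
    root = ET.fromstring(wsdl_text)
    w, s = f"{{{WSDL_NS}}}", f"{{{SOAP_BIND_NS}}}"
    operations = {pt.get("name"): [op.get("name") for op in pt.findall(f"{w}operation")]
                  for pt in root.findall(f"{w}portType")}
    # binding type is a QName like "tns:AccountSoap"; keep the local part
    bindings = {b.get("name"): b.get("type", "").split(":")[-1]
                for b in root.findall(f"{w}binding")}
    endpoints = {}
    for svc in root.findall(f"{w}service"):
        for port in svc.findall(f"{w}port"):
            addr = port.find(f"{s}address")
            endpoints[f"{svc.get('name')}/{port.get('name')}"] = (
                addr.get("location") if addr is not None else None)
    bound = set(bindings.values())
    unbound = sorted(pt for pt in operations if pt not in bound)
    return {"endpoints": endpoints, "bindings": bindings,
            "operations": operations, "unbound_port_types": unbound}
```

The `unbound_port_types` entry flags port types the WSDL describes but exposes through no port, which is design information leaking for no functional reason.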

Page 14: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Simulating the attack

DEMO

Page 15: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Other tools

Commercial tools:

○ WebInspect
○ WSID4ID (Web Services Interface Definition for Intrusion Defense)

Page 16: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Conclusion

We can now attack web services.

Page 17: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

Any questions?

Page 18: SOA Architecture & SOAP Protocol Architecture Detail & Attack Vector

WCF Services/Security