SlideShare une entreprise Scribd logo

Séminaire Web Services

e-Xpert Solutions SA
e-Xpert Solutions SA

Séminaire e-Xpert Solutions : Que sont les Web Services et comment les sécuriser ? Que sont les Web Services ? Comment sécuriser les Web Services ? Rappels sur Bee-Ware V5 i-Suite XML Firewall module Démonstration de manipulation des flux XML Démonstration d’attaque sur un Web Service

Technologie
1  sur  85
LES WEB SERVICES ET LEUR SECURITÉ
SÉMINAIRE SECURITÉ LES WEB SERVICES ET LEUR SECURITÉ
QUE SONT LES WEB SERVICES ?
WEB SERVICES Définition
DÉFINITION - SOA
DÉFINITION - WEB SERVICES • •
DÉFINITION - WEB SERVICES • • • •
EXEMPLE D’ARCHITECTURE
WEB SERVICES Web Services Registry Web Service Web Services Provider Client
WEB SERVICES
WEB SERVICES
COMPOSANTS •Extensible Markup Language XML •A uniform data representation and exchange mechanism. •Universal Description, Discovery, and Integration UDDI •A mechanism to register and locate WS based application. •Web Services Description Language WSDL •A standard meta language to described the services offered. SOAP •Simple Object Access Protocol •A standard way for communication. SAML •XML-based open standard for exchanging authentication and authorization data between security domains
XML
XML VS HTML <html> <body> <h2>John Doe</h2 <p>2 Backroads Lane<br> New York<br> 045935435<br> john.doe@gmail.com<br> </p> </body> </html>
XML VS HTML <?xml version=1.0?> <contact> <name>John Doe</name> <address>2 Backroads Lane</address> <country>New York</country> <phone>045935435</phone> <email>john.doe@gmail.com</email> </contact>
WSDL
WEB SERVICE DESCRIPTION LANGUAGE • • •    
WEB SERVICE DESCRIPTION LANGUAGE <message name="GetStockPriceRequest"> <part name="stock" type="xs:string"/> </message> <message name="GetStockPriceResponse"> <part name="value" type="xs:string"/> </message> <portType name=“StocksRates"> <operation name=“GetStockPrice"> <input message=“GetStockPriceRequest"/> <output message=“GetStockPriceResponse"/> </operation> </portType>
SOAP
SIMPLE OBJECT ACCESS PROTOCOL • • • •  
SIMPLE OBJECT ACCESS PROTOCOL <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap= "http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetAirportInformation> <AirportIdentifier>N99</AirportIdentifier> </GetAirportInformation> </soap:Body> </soap:Envelope>
SIMPLE OBJECT ACCESS PROTOCOL <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap= "http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetAirportInformationResponse> <GetAirportInformationResult> <Name>Brandywine Airport</Name> <Location>West Chester, PA</Location> <Length unit="feet">3347</Length> </GetAirportInformationResult> </GetAirportInformationResponse> </soap:Body> </soap:Envelope>
SAML
SECURITY ASSERTION MARKUP LANGUAGE (SAML)
SAML
COMMENT SÉCURISER LES WEB SERVICES ?
POURQUOI SÉCURISER CES FLUX ?
LES RISQUES
ATTEINTE À LA RÉPUTATION • • • • •
FUITE D’INFORMATION • • • • • •
DENI DE SERVICE •    • •
NON RESPECT DES SLAs • • • • • •
FAIL !!!
PRINCIPALES ATTAQUES
LES TYPES D’ATTAQUE XML-Based • Utilise les faiblesses du langage XML (ex: entity expansion) Bugs in back- • Beaucoup de technologies utilisées impliquent un risque de bug élevé. end systems Code • Les attaques XML injection sont simples à entreprendre. Ce sont les attaques les plus répandues. Injection Denial of • Flux important de messages, envoi de centaines d’éléments encryptés peuvent mettre à mal un système complet et Service affecter les SLAs. Man in the • Les messages peuvent être interceptés. Ceci pose des soucis de routage des messages et également d’intégrité. Middle
ATTAQUE XML : ENTITY EXPANSION <!DOCTYPE foo [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > <!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > <!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > <!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > <!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > <!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > <!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > <!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > <!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]> <foo>&m;</foo>
ATTAQUE XML : XML ATTRIBUTE BLOWUP <?xml version="1.0"?> <foo a1="" a2="" ... a10000="" />
DENI DE SERVICE Directement sur le Service SOAP <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <tem:Login> <tem:loginID> John Doe<a1>….</a1> </tem:loginID> <tem:password> muahahah </tem:password> </tem:Login> </soapenv:Body> </soapenv:Envelope> Via le Portail HTML Frontal Web WS de gestion des comptes Login: John Doe <a1>…</a1> Password: ********
ATTAQUE XML : XML INJETION <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>joepublic</uname> <pwd>r3g</pwd> <uid>10<uid/> <mail>joepublic@example1.com</mail> </user> <user> <uname>janedoe</uname> <pwd>an0n</pwd> <uid>500<uid/> <mail>janedoe@example2.com</mail> </user> </users> Username: alice Password: iluvbob E-mail: alice@example3.com</mail></user><user><uname>Hacker</uname> <pwd>l33tist</pwd><uid>0</uid><mail>hacker@exmaple_evil.net</mail>
ATTAQUE XML : XML INJETION <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>joepublic</uname> <pwd>r3g</pwd> <uid>10<uid/> <mail>joepublic@example1.com</mail> </user> …… <user> <uname>Alice</uname> <pwd>iluvbob</pwd> <uid>501<uid/> <mail>alice@example3.com</mail> </user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid> <mail>hacker@example_evil.net</mail> </user> </users>
INJETION Xpath • Authentification basée sur l’expression: //user[name='$login' and pass='$pass']/account/text() • Injection $login = whatever' or '1'='1' or 'a'='b $pass = whatever • Exploitation de la précédence de l’opérateur AND • L’expression devient //user[name='whatever' or '1'='1' or 'a'='b' and pass=‘whatever']/account/text() = TRUE TRUE OR FALSE
WEB SERVICES COMMENT SÉCURISER CES FLUX ?
LES QUESTIONS À SE POSER • • • • • •
COMMENT SE PROTÉGER ? Message integrity (signature) • Ensure message integrity. Support for XML Signature. Message confidentiality (encryption) • Ensure end-to-end data privacy. Support for both SSL and XML. Encryption are essential. Authentication (SAML) • Verifying the identity of the requestor. Access Control (SAML) • Ensuring that the requestor has appropriate access to the resource. Schema Validation (WSDL) • Ensuring intergrity of the structure and content of the message. Security Standards (WS-Security) • Supporting standards based security functions such as WS-Security. Malicious attack protection (Black List) • Supporting protection against the lastest Web Services and XML-Based attacks.
WS-SECURITY WS-Trust WS-Federation LibertyAlliance Trust relationships XKMS SAML WS-Policy SOAP WS-Security WS-Reliability Access XACML SAML XML Encryption Implémentations les plus XML courantes XML Signature HTTP HTTP Auth Sécurité habituelle des applications Web TCP SSL / TLS IP IPSec
WS-SECURITY <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <soap:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <ds:Signature> <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue> ... </ds:Signature> </wsse:Security> </soap:Header> <soap:Body id="MsgBody"> ... </soap:Body> </soap:Envelope>
WEB SERVICES UNE SOLUTION : LE PAREFEU APPLICATIF
FIREWALL APPLICATIF VS FIREWALL XML PARE-FEU APPLICATIF Détection PARE-FEU XML d’attaques Détection propres aux d’attaques Détection applications communes : d’attaques propres aux SQL injection, services web XSS, etc. (WSDL, …)
PROBLÉMATIQUE DES FIREWALLS STANDARDS X X
PROBLÉMATIQUE DES FIREWALLS STANDARDS
WEB APPLICATION FIREWALL Legitimate Traffic Malicious Application Activity Internet Application Floods Network Attacks & Floods Not allowed Services
WAF - POSITIONNEMENT
PRINCIPALES FONCTIONNALITÉS D’UN FIREWALL XML
SON FONCTIONNEMENT TECHNIQUE
PETIT DÉJEUNER SÉCURITÉ
BEE-WARE V5 • • • •
MANAGEMENT CENTRALISÉ • • • • ʼ • •
TRAITEMENT DES FLUX PAR WORKFLOW • • • •
FIREWALL APPLICATIF • • •
FIREWALL APPLICATIF (SUITE) • • • •
PRINCIPE DU REVERSE PROXY DANS i-Suite
LA TECHNOLOGIE MISE À PART
i-Suite XML FIREWALL MODULE
i-Suite XML FIREWALL MODULE
XML FIREWALL MODULE SPÉCIFICATIONS
TRAITEMENT & SÉCURITÉ
TRAITEMENT & SÉCURITÉ
LE MARCHÉ – ACTEURS PRINCIPAUX ET CHALLENGERS
DÉMO DE MANIPULATION D’UN FLUX XML
DÉMO DE MANIPULATION D’UN FLUX XML
MESSAGE SOAP SOURCE
SOAP MESSAGE SIGNATURE + HEADER INSERTION
SOAP BODY ENCRYPTION (doGoogleSearchResponse)
SOAP BODY UNENCRYPTION
SOAP MESSAGE SIGNATURE VALIDATION
VALIDATION DU SHÉMA WSDL <?xml version="1.0" encoding="utf-8"?> <nomComplet>Prenom Nom</nomComplet> <?xml version="1.0" encoding="ISO-8859-1"?> <nomComplet>Prenom <b> Nom </b></nomComplet>
DLP MISSION IMPOSSIBLE ?
PETIT DÉJEUNER SÉCURITÉ
CONTEXTE • •
L’INFRASTRUCTURE
CINÉMATIQUE
REQUÊTES • • •
DÉMO SÉCURITÉ DES WEBSERVICES
CONCLUSION • • •
QUESTIONS ?

Recommandé

HTML5 and CSS3 – exploring mobile possibilities - Frontend Conference Zürich
HTML5 and CSS3 – exploring mobile possibilities - Frontend Conference ZürichHTML5 and CSS3 – exploring mobile possibilities - Frontend Conference Zürich
HTML5 and CSS3 – exploring mobile possibilities - Frontend Conference Zürich
Robert Nyman
 
Fundamental JQuery
Fundamental JQueryFundamental JQuery
Fundamental JQuery
Achmad Solichin
 
HTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile Event
HTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile EventHTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile Event
HTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile Event
Robert Nyman
 
Secure WordPress Development Practices
Secure WordPress Development PracticesSecure WordPress Development Practices
Secure WordPress Development Practices
Brandon Dove
 
New text document
New text documentNew text document
New text document
singaqq
 
WordPress Admin UI - Future Proofing Your Admin Pages
WordPress Admin UI - Future Proofing Your Admin PagesWordPress Admin UI - Future Proofing Your Admin Pages
WordPress Admin UI - Future Proofing Your Admin Pages
Brandon Dove
 
Whirlwind Tour of SVG (plus RaphaelJS)
Whirlwind Tour of SVG (plus RaphaelJS)Whirlwind Tour of SVG (plus RaphaelJS)
Whirlwind Tour of SVG (plus RaphaelJS)
Marc Grabanski
 
User Interface Patterns and Nuxeo
User Interface Patterns and NuxeoUser Interface Patterns and Nuxeo
User Interface Patterns and Nuxeo
anicewick
 

Recommandé

HTML5 and CSS3 – exploring mobile possibilities - Frontend Conference Zürich
HTML5 and CSS3 – exploring mobile possibilities - Frontend Conference ZürichHTML5 and CSS3 – exploring mobile possibilities - Frontend Conference Zürich
HTML5 and CSS3 – exploring mobile possibilities - Frontend Conference Zürich
Robert Nyman
 
Fundamental JQuery
Fundamental JQueryFundamental JQuery
Fundamental JQuery
Achmad Solichin
 
HTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile Event
HTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile EventHTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile Event
HTML5 and CSS3: Exploring Mobile Possibilities - London Ajax Mobile Event
Robert Nyman
 
Secure WordPress Development Practices
Secure WordPress Development PracticesSecure WordPress Development Practices
Secure WordPress Development Practices
Brandon Dove
 
New text document
New text documentNew text document
New text document
singaqq
 
WordPress Admin UI - Future Proofing Your Admin Pages
WordPress Admin UI - Future Proofing Your Admin PagesWordPress Admin UI - Future Proofing Your Admin Pages
WordPress Admin UI - Future Proofing Your Admin Pages
Brandon Dove
 
Whirlwind Tour of SVG (plus RaphaelJS)
Whirlwind Tour of SVG (plus RaphaelJS)Whirlwind Tour of SVG (plus RaphaelJS)
Whirlwind Tour of SVG (plus RaphaelJS)
Marc Grabanski
 
User Interface Patterns and Nuxeo
User Interface Patterns and NuxeoUser Interface Patterns and Nuxeo
User Interface Patterns and Nuxeo
anicewick
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
Marko Elezović
 
Simple Object Access Protocol (SOAP)
Simple Object Access Protocol (SOAP)Simple Object Access Protocol (SOAP)
Simple Object Access Protocol (SOAP)
Mehul Boricha
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Web-Services!.pptx
Web-Services!.pptxWeb-Services!.pptx
Web-Services!.pptx
ssuserae0316
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
Michael Coates
 
SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
Katrien Verbert
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions
 
The hypermedia api
The hypermedia apiThe hypermedia api
The hypermedia api
Inviqa
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 
XMPP In Real Time
XMPP In Real TimeXMPP In Real Time
XMPP In Real Time
guest488a24
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA Security
WSO2
 
Secured SOA
Secured SOASecured SOA
Secured SOA
Prabath Siriwardena
 
Lets have some fun with twilio open tok
Lets have some fun with twilio open tokLets have some fun with twilio open tok
Lets have some fun with twilio open tok
mirahman
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
Introduction to Html5
Introduction to Html5Introduction to Html5
Introduction to Html5
www.netgains.org
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
2015 ZendCon - Do you queue
2015 ZendCon - Do you queue2015 ZendCon - Do you queue
2015 ZendCon - Do you queue
Mike Willbanks
 
Rails Security
Rails SecurityRails Security
Rails Security
Wen-Tien Chang
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
Nitroxis Sprl
 
Event e-Xpert Solutions et Tufin - 28 mars 2019
Event e-Xpert Solutions et Tufin - 28 mars 2019Event e-Xpert Solutions et Tufin - 28 mars 2019
Event e-Xpert Solutions et Tufin - 28 mars 2019
e-Xpert Solutions SA
 
Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018
Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018 Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018
Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018
e-Xpert Solutions SA
 

Contenu connexe

Similaire à Séminaire Web Services

The hypermedia api
The hypermedia apiThe hypermedia api
The hypermedia api
Inviqa
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA Security
WSO2
 
Lets have some fun with twilio open tok
Lets have some fun with twilio open tokLets have some fun with twilio open tok
Lets have some fun with twilio open tok
mirahman
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 

Similaire à Séminaire Web Services (20)

Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
 
Simple Object Access Protocol (SOAP)
Simple Object Access Protocol (SOAP)Simple Object Access Protocol (SOAP)
Simple Object Access Protocol (SOAP)
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Web-Services!.pptx
Web-Services!.pptxWeb-Services!.pptx
Web-Services!.pptx
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
The hypermedia api
The hypermedia apiThe hypermedia api
The hypermedia api
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
XMPP In Real Time
XMPP In Real TimeXMPP In Real Time
XMPP In Real Time
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA Security
 
Secured SOA
Secured SOASecured SOA
Secured SOA
 
Lets have some fun with twilio open tok
Lets have some fun with twilio open tokLets have some fun with twilio open tok
Lets have some fun with twilio open tok
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Introduction to Html5
Introduction to Html5Introduction to Html5
Introduction to Html5
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
2015 ZendCon - Do you queue
2015 ZendCon - Do you queue2015 ZendCon - Do you queue
2015 ZendCon - Do you queue
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 

Plus de e-Xpert Solutions SA

Plus de e-Xpert Solutions SA (20)

Event e-Xpert Solutions et Tufin - 28 mars 2019
Event e-Xpert Solutions et Tufin - 28 mars 2019Event e-Xpert Solutions et Tufin - 28 mars 2019
Event e-Xpert Solutions et Tufin - 28 mars 2019
 
Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018
Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018 Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018
Présentation d'e-Xpert Solutions et F5 Networks - Event Oct 2018
 
Mise en place d'un Use Case d'Adaptive Authentication avec F5 APM et Insight ...
Mise en place d'un Use Case d'Adaptive Authentication avec F5 APM et Insight ...Mise en place d'un Use Case d'Adaptive Authentication avec F5 APM et Insight ...
Mise en place d'un Use Case d'Adaptive Authentication avec F5 APM et Insight ...
 
Présentation de nos MVP - F5 devCentral - Event 09-10-18
Présentation de nos MVP - F5 devCentral - Event 09-10-18Présentation de nos MVP - F5 devCentral - Event 09-10-18
Présentation de nos MVP - F5 devCentral - Event 09-10-18
 
2018-08_Présentation Corporate
2018-08_Présentation Corporate2018-08_Présentation Corporate
2018-08_Présentation Corporate
 
2018 06 Presentation Cloudguard IaaS de Checkpoint
2018 06 Presentation Cloudguard IaaS de Checkpoint2018 06 Presentation Cloudguard IaaS de Checkpoint
2018 06 Presentation Cloudguard IaaS de Checkpoint
 
2018 06 Presentation Cloudguard SaaS de Checkpoint
2018 06 Presentation Cloudguard SaaS de Checkpoint 2018 06 Presentation Cloudguard SaaS de Checkpoint
2018 06 Presentation Cloudguard SaaS de Checkpoint
 
2018 06 nouvelles APIs checkpoint e-Xpert solutions
2018 06 nouvelles APIs checkpoint e-Xpert solutions2018 06 nouvelles APIs checkpoint e-Xpert solutions
2018 06 nouvelles APIs checkpoint e-Xpert solutions
 
2018 06 Demo Checkpoint et Splunk e-Xpert solutions
2018 06 Demo Checkpoint et Splunk e-Xpert solutions2018 06 Demo Checkpoint et Splunk e-Xpert solutions
2018 06 Demo Checkpoint et Splunk e-Xpert solutions
 
Fédération d’identité : des concepts Théoriques aux études de cas d’implément...
Fédération d’identité : des concepts Théoriques aux études de cas d’implément...Fédération d’identité : des concepts Théoriques aux études de cas d’implément...
Fédération d’identité : des concepts Théoriques aux études de cas d’implément...
 
Fédération d'identité, séminaire du 27 novembre 2014
Fédération d'identité, séminaire du 27 novembre 2014Fédération d'identité, séminaire du 27 novembre 2014
Fédération d'identité, séminaire du 27 novembre 2014
 
Séminaire Evolution de la Mobilité - Subir ou gérer ?
Séminaire Evolution de la Mobilité - Subir ou gérer ?Séminaire Evolution de la Mobilité - Subir ou gérer ?
Séminaire Evolution de la Mobilité - Subir ou gérer ?
 
Le DLP vu sous un angle pragmatique
Le DLP vu sous un angle pragmatiqueLe DLP vu sous un angle pragmatique
Le DLP vu sous un angle pragmatique
 
Plus de mobilité ! Moins de sécurité ?
Plus de mobilité ! Moins de sécurité ?Plus de mobilité ! Moins de sécurité ?
Plus de mobilité ! Moins de sécurité ?
 
DDoS, la nouvelle arme des hackers
DDoS, la nouvelle arme des hackersDDoS, la nouvelle arme des hackers
DDoS, la nouvelle arme des hackers
 
Sandboxing, une nouvelle défense contre les menaces intelligentes
Sandboxing, une nouvelle défense contre les menaces intelligentesSandboxing, une nouvelle défense contre les menaces intelligentes
Sandboxing, une nouvelle défense contre les menaces intelligentes
 
Evolution du paysage sécurité
Evolution du paysage sécuritéEvolution du paysage sécurité
Evolution du paysage sécurité
 
Partie III – APM Application Policy Manager
Partie III – APM Application Policy ManagerPartie III – APM Application Policy Manager
Partie III – APM Application Policy Manager
 
Partie II – ASM Application Security Manager
Partie II – ASM Application Security ManagerPartie II – ASM Application Security Manager
Partie II – ASM Application Security Manager
 
Partie I – Décodage technologie ADN
Partie I – Décodage technologie ADNPartie I – Décodage technologie ADN
Partie I – Décodage technologie ADN
 

Dernier

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Séminaire Web Services

  • 1. LES WEB SERVICES ET LEUR SECURITÉ
  • 2. SÉMINAIRE SECURITÉ LES WEB SERVICES ET LEUR SECURITÉ
  • 3. QUE SONT LES WEB SERVICES ?
  • 6. DÉFINITION - WEB SERVICES • •
  • 7. DÉFINITION - WEB SERVICES • • • •
  • 9. WEB SERVICES Web Services Registry Web Service Web Services Provider Client
  • 12. COMPOSANTS •Extensible Markup Language XML •A uniform data representation and exchange mechanism. •Universal Description, Discovery, and Integration UDDI •A mechanism to register and locate WS based application. •Web Services Description Language WSDL •A standard meta language to described the services offered. SOAP •Simple Object Access Protocol •A standard way for communication. SAML •XML-based open standard for exchanging authentication and authorization data between security domains
  • 13. XML
  • 14. XML VS HTML <html> <body> <h2>John Doe</h2 <p>2 Backroads Lane<br> New York<br> 045935435<br> john.doe@gmail.com<br> </p> </body> </html>
  • 15. XML VS HTML <?xml version=1.0?> <contact> <name>John Doe</name> <address>2 Backroads Lane</address> <country>New York</country> <phone>045935435</phone> <email>john.doe@gmail.com</email> </contact>
  • 16. WSDL
  • 17. WEB SERVICE DESCRIPTION LANGUAGE • • •    
  • 18. WEB SERVICE DESCRIPTION LANGUAGE <message name="GetStockPriceRequest"> <part name="stock" type="xs:string"/> </message> <message name="GetStockPriceResponse"> <part name="value" type="xs:string"/> </message> <portType name=“StocksRates"> <operation name=“GetStockPrice"> <input message=“GetStockPriceRequest"/> <output message=“GetStockPriceResponse"/> </operation> </portType>
  • 19. SOAP
  • 20. SIMPLE OBJECT ACCESS PROTOCOL • • • •  
  • 21. SIMPLE OBJECT ACCESS PROTOCOL <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap= "http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetAirportInformation> <AirportIdentifier>N99</AirportIdentifier> </GetAirportInformation> </soap:Body> </soap:Envelope>
  • 22. SIMPLE OBJECT ACCESS PROTOCOL <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap= "http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetAirportInformationResponse> <GetAirportInformationResult> <Name>Brandywine Airport</Name> <Location>West Chester, PA</Location> <Length unit="feet">3347</Length> </GetAirportInformationResult> </GetAirportInformationResponse> </soap:Body> </soap:Envelope>
  • 23. SAML
  • 24. SECURITY ASSERTION MARKUP LANGUAGE (SAML)
  • 25. SAML
  • 26. COMMENT SÉCURISER LES WEB SERVICES ?
  • 29. ATTEINTE À LA RÉPUTATION • • • • •
  • 30. FUITE D’INFORMATION • • • • • •
  • 31. DENI DE SERVICE •    • •
  • 32. NON RESPECT DES SLAs • • • • • •
  • 35. LES TYPES D’ATTAQUE XML-Based • Utilise les faiblesses du langage XML (ex: entity expansion) Bugs in back- • Beaucoup de technologies utilisées impliquent un risque de bug élevé. end systems Code • Les attaques XML injection sont simples à entreprendre. Ce sont les attaques les plus répandues. Injection Denial of • Flux important de messages, envoi de centaines d’éléments encryptés peuvent mettre à mal un système complet et Service affecter les SLAs. Man in the • Les messages peuvent être interceptés. Ceci pose des soucis de routage des messages et également d’intégrité. Middle
  • 36. ATTAQUE XML : ENTITY EXPANSION <!DOCTYPE foo [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > <!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > <!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > <!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > <!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > <!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > <!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > <!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > <!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]> <foo>&m;</foo>
  • 37. ATTAQUE XML : XML ATTRIBUTE BLOWUP <?xml version="1.0"?> <foo a1="" a2="" ... a10000="" />
  • 38. DENI DE SERVICE Directement sur le Service SOAP <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <tem:Login> <tem:loginID> John Doe<a1>….</a1> </tem:loginID> <tem:password> muahahah </tem:password> </tem:Login> </soapenv:Body> </soapenv:Envelope> Via le Portail HTML Frontal Web WS de gestion des comptes Login: John Doe <a1>…</a1> Password: ********
  • 39. ATTAQUE XML : XML INJETION <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>joepublic</uname> <pwd>r3g</pwd> <uid>10<uid/> <mail>joepublic@example1.com</mail> </user> <user> <uname>janedoe</uname> <pwd>an0n</pwd> <uid>500<uid/> <mail>janedoe@example2.com</mail> </user> </users> Username: alice Password: iluvbob E-mail: alice@example3.com</mail></user><user><uname>Hacker</uname> <pwd>l33tist</pwd><uid>0</uid><mail>hacker@exmaple_evil.net</mail>
  • 40. ATTAQUE XML : XML INJETION <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>joepublic</uname> <pwd>r3g</pwd> <uid>10<uid/> <mail>joepublic@example1.com</mail> </user> …… <user> <uname>Alice</uname> <pwd>iluvbob</pwd> <uid>501<uid/> <mail>alice@example3.com</mail> </user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid> <mail>hacker@example_evil.net</mail> </user> </users>
  • 41. INJETION Xpath • Authentification basée sur l’expression: //user[name='$login' and pass='$pass']/account/text() • Injection $login = whatever' or '1'='1' or 'a'='b $pass = whatever • Exploitation de la précédence de l’opérateur AND • L’expression devient //user[name='whatever' or '1'='1' or 'a'='b' and pass=‘whatever']/account/text() = TRUE TRUE OR FALSE
  • 42. WEB SERVICES COMMENT SÉCURISER CES FLUX ?
  • 43. LES QUESTIONS À SE POSER • • • • • •
  • 44. COMMENT SE PROTÉGER ? Message integrity (signature) • Ensure message integrity. Support for XML Signature. Message confidentiality (encryption) • Ensure end-to-end data privacy. Support for both SSL and XML. Encryption are essential. Authentication (SAML) • Verifying the identity of the requestor. Access Control (SAML) • Ensuring that the requestor has appropriate access to the resource. Schema Validation (WSDL) • Ensuring intergrity of the structure and content of the message. Security Standards (WS-Security) • Supporting standards based security functions such as WS-Security. Malicious attack protection (Black List) • Supporting protection against the lastest Web Services and XML-Based attacks.
  • 45. WS-SECURITY WS-Trust WS-Federation LibertyAlliance Trust relationships XKMS SAML WS-Policy SOAP WS-Security WS-Reliability Access XACML SAML XML Encryption Implémentations les plus XML courantes XML Signature HTTP HTTP Auth Sécurité habituelle des applications Web TCP SSL / TLS IP IPSec
  • 46. WS-SECURITY <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <soap:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <ds:Signature> <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue> ... </ds:Signature> </wsse:Security> </soap:Header> <soap:Body id="MsgBody"> ... </soap:Body> </soap:Envelope>
  • 47. WEB SERVICES UNE SOLUTION : LE PAREFEU APPLICATIF
  • 48. FIREWALL APPLICATIF VS FIREWALL XML PARE-FEU APPLICATIF Détection PARE-FEU XML d’attaques Détection propres aux d’attaques Détection applications communes : d’attaques propres aux SQL injection, services web XSS, etc. (WSDL, …)
  • 51. WEB APPLICATION FIREWALL Legitimate Traffic Malicious Application Activity Internet Application Floods Network Attacks & Floods Not allowed Services
  • 56. BEE-WARE V5 • • • •
  • 57. MANAGEMENT CENTRALISÉ • • • • ʼ • •
  • 58. TRAITEMENT DES FLUX PAR WORKFLOW • • • •
  • 59. FIREWALL APPLICATIF • • •
  • 60. FIREWALL APPLICATIF (SUITE) • • • •
  • 61. PRINCIPE DU REVERSE PROXY DANS i-Suite
  • 65. XML FIREWALL MODULE SPÉCIFICATIONS
  • 68. LE MARCHÉ – ACTEURS PRINCIPAUX ET CHALLENGERS
  • 69. DÉMO DE MANIPULATION D’UN FLUX XML
  • 70. DÉMO DE MANIPULATION D’UN FLUX XML
  • 72. SOAP MESSAGE SIGNATURE + HEADER INSERTION
  • 76. VALIDATION DU SHÉMA WSDL <?xml version="1.0" encoding="utf-8"?> <nomComplet>Prenom Nom</nomComplet> <?xml version="1.0" encoding="ISO-8859-1"?> <nomComplet>Prenom <b> Nom </b></nomComplet>
  • 82. REQUÊTES • • •
  • 83. DÉMO SÉCURITÉ DES WEBSERVICES
  • 84. CONCLUSION • • •

Notes de l'éditeur

  1. Avantages SOA :
  2. L’architecture des Web Services est basée sur l’intéraction de trois rôles:Service providerService registryService requestorCes rôles produisent les actions suivantes :Publish operationsFind operationBind operations.
  3. UDDI: Si l’@ du service change pas de souci si on s’appuie sur un annuaire (analogie avec le resto)