Testing tools and AI - ideas what to try with some tool examples
AppSec 2007 - .NET Web Services Hacking
1. .NET Web Services Hacking – Scan, Attacks and Defense Shreeraj Shah Founder & Director, Blueinfy [email_address] 91+987-902-7018
5. Web Services and Web 2.0
   Browser side: HTML / JS / DOM, RIA (Flash), Ajax
   Local: Application, Database, Authentication
   Internet side, reached through Web Services: Blog, Weather, News, Documents, Emails, Bank/Trade, RSS feeds

6. Consuming Web Services
   Browser: Widget, DOM, HTML/CSS, JavaScript, Ajax, Flash / RIA
   Protocols: SOAP, XML-RPC, JSON-RPC, REST, over HTTP(S)
   Structures: XML, JSON
   Server-side: Open APIs, SaaS Services

7. Methodology
   Blackbox: Footprinting & Discovery, Enumeration & Profiling, Vulnerability Detection
   Whitebox: Code / Config Scanning
   Defense & Countermeasure: Web Services Firewall, Secure Coding (Insecure Web Services to Secure Web Services)
29. IIS Web Server, HTTP Stack, .Net Web Services
   Web Services Client -> SOAP Envelope -> web2wall (on the IIS web server) -> .Net Web Services
   web2wall applies reject rules for SOAP, implemented as code filtering with IHTTPModule.

30. .Net Web Services (.asmx file) behind web2wall on the IIS web server
   SOAP Input Envelope from the Web Services Client:
     <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
       <q1:getInput xmlns:q1="http://DefaultNamespace">
         <id xsi:type="xsd:string">12123</id>
       </q1:getInput>
     </soap:Body>
   Code filtering with IHTTPModule inspects <id xsi:type="xsd:string">12123</id>; the service queries the DB with id=12123 and gets Bal=$2500.
   SOAP Output Envelope:
     <ns1:getInputReturn xsi:type="xsd:string"> $2500 </ns1:getInputReturn>

31. HTTP Stack for IIS
   Client -> Request -> IIS -> aspnet_isapi.dll -> HttpApplication -> HttpModule (one or more, in sequence) -> HttpHandler -> Web Application Resource -> Response -> Client
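The "code filtering with IHTTPModule" idea from slides 29-31, as an added example (not code from the deck or from web2wall): an ASP.NET IHttpModule that inspects POSTed SOAP envelopes before the .asmx handler runs. The reject rules (a size cap, DTDs prohibited, and a numeric-only <id> element matching the sample envelope) and the class name are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

// Added example (not the deck's code): an IHttpModule placed ahead of the
// .asmx handler that rejects SOAP input envelopes violating simple rules.
// The <id> rule and the size cap are assumptions, not taken from the slides.
public class SoapRejectModule : IHttpModule
{
    const int MaxEnvelopeChars = 64 * 1024;
    static readonly Regex IdRule = new Regex(@"^\d{1,10}$", RegexOptions.Compiled);

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        if (req.HttpMethod != "POST" ||
            !req.Path.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase)) return;

        // Read the envelope, then rewind so the web service handler still sees it.
        req.InputStream.Position = 0;
        string envelope = new StreamReader(req.InputStream).ReadToEnd();
        req.InputStream.Position = 0;

        string reason;
        if (EnvelopeIsAllowed(envelope, out reason)) return;
        ctx.Response.StatusCode = 400;
        ctx.Response.Write("Rejected by SOAP filter: " + reason);
        ctx.ApplicationInstance.CompleteRequest();   // short-circuit the pipeline
    }

    // Reject rules: size cap, well-formed XML with DTDs prohibited (no external
    // entities or entity expansion), and every <id> element numeric.
    public static bool EnvelopeIsAllowed(string envelope, out string reason)
    {
        if (envelope.Length > MaxEnvelopeChars) { reason = "envelope too large"; return false; }
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        try { using (var r = XmlReader.Create(new StringReader(envelope), settings)) doc.Load(r); }
        catch (XmlException ex) { reason = "malformed XML: " + ex.Message; return false; }
        foreach (XmlNode id in doc.SelectNodes("//*[local-name()='id']"))
            if (!IdRule.IsMatch(id.InnerText)) { reason = "id fails format rule"; return false; }
        reason = null;
        return true;
    }
}
```

Register the module in web.config under system.webServer/modules (IIS 7 integrated pipeline) or system.web/httpModules (classic pipeline) so it runs before the .asmx HttpHandler shown on slide 31.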