The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers. However, the power web services enables also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status. Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward. Praetorian's goal is to help our clients understand minimize their overall security exposure and liability. Through our services, your organization can obtain an accurate, independent security assessment.

1. Web Services Security
Nathan Sportsman
Founder and Chief Executive Officer
1 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

2. Agenda
 Web Service Introduction
 Web Service Vulnerabilities
 Web Service Countermeasures
2 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

3. Introduction
3 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

4. How Did We Get Here?
SOAP / XML
HTML HTML
SOAP / XML
1st Generation 2nd Generation 3rd Generation
Static HTML Web Applications Web Services
4 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

5. Web Services Are
 “…a software system designed to support interoperable
machine-to-machine interaction over a network.”, W3C
 Capable of connecting to external computing resources
– Supply chain infrastructure
– Outsourced computing infrastructure
5 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

6. Web Services Primer
Service Broker
 Built on existing and emerging standards
– HTTP, XML, SOAP, UDDI, WSDL, WS-*… UDDI
 Capabilities
– Loosely coupled
– Language neutral
WSDL WSDL
– Platform and transport independent
– Interoperability
SOAP
Client Service Provider
6 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

7. Web Service Interoperability Example
Embedded device Financial Transaction Gateway Billing Services
C++ on Linux/ARM C on AIX/PowerPC Java on NT/X86
Web Service
Web Service Web Service
7 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

8. Web Service Vulnerabilities
8 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

9. Attack Taxonomies
 Spoofing
 Tampering
 Repudiation
 Information Disclosure
 Denial of Service
 Escalation of Privileges
9 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

10. Web Services Vulnerabilities
 Existing and emerging vulnerabilities apply
– Brute Force
– Information Disclosure
– SQL Injection
– LDAP Injection
– Session Hijacking
– Denial of Service (DoS)
– Buffer Overflows
– Cross Site Scripting
– XML Injection
– XPATH Injection
– WSDL Manipulation
– DOS (Intensive XML load)
– …
10 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

11. SQL Injection
 Possible when user input provided through web service used
in queries to backend database
<?xml version=“1.0” encoding=“utf-8” standalone=“no” ?>
<SOAP-ENV:Envelope
xmlns:SOAPSDK1=“http://www.w3.org/2001/XMLSchema”xmlns:SOAP
SDK2=“http://www.w3.org/2001/XMLSchema-instance”
xmlns:SOAPSDK3=“http://schemas.xmlsoap.org/soap/encoding/”
xmlns:SOAP-ENV=http://schemas.xmlsoap.org/soap/envelope/>
<SOAP-ENV:Body>
<SOAPSDK4:MethodName xmlns:SOAPSDK4=“http://urltoapp/…”>
<SOAPSDK4:username>administrator</SOAPSDK4:username>
<SOAPSDK4:password>’ OR ‘1’=‘1</SOAPSDK4:password>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
11 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

12. Buffer Overflow
 Buffer Overflows
– Not as prevalent except on older legacy systems and embedded
devices written in unmanaged code
– Large string parameters extending beyond allocated memory
– No bounds checking
<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<parameter1>
lkasdllkdlfa;jkia;refjeoinveroinanlekrngaerinrlgerinreglnag
linealinrglanirnaocnilrncoraeincelrgfnerginegnoeingerongoer
ingeg…
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
12 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

13. XML Injection
 External input is not validated and passed in XML stream
parsed by second-tier software
 Alters XML structure by injecting malicious data
 John Smith escalates privileges by changing his User ID from
100 to 0
<MyRec>
<UserId>100</UserId>
<Username>jsmith</Username><Uid>0</Uid><Username>jsmith</Username>
</MyRec>
13 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

14. XPATH Injection
 Similar to SQL injection attack
 Information stored and retrieved from XML document instead
of relational database
//users/user[LoginID/text()='' or 1=1 and password/text()='' or 1=1]
14 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

15. Denial of Service
 XML parsing can be expensive
• Extremely large / complex XML documents
• Deeply nested tags
• These can create extremely large memory footprints or utilize many CPU
cycles
…
<SOAP-ENV:Body>
<BuildNestedXMLResponse xmlns=http://someap”>
<BuildNestedXMLResult>
<XML 1>
<XML 2>
<XML 3>
<XML 4/>
</XML 3>
</XML 2>
</XML 1>
</BuildNestedXMLResult>
</BuildNestedXMLResponse>
…
15 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

16. Web Services Countermeasures
16 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

17. Defense Taxonomies
 Configuration Management
 Authentication
 Authorization
 User & Session Management
 Data Validation
 Error & Exception Handling
 Logging & Auditing
 Data Protection (Storage & Transit)
17 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

18. Configuration Management
 Internet facing WSDLs can be found with Google hacking
(filetype:wsdl inurl:wsdl)
 Review WSDLs for dangerous or antiquated functions
 Ensure hidden, debugging, or any non-production functions
are removed before deployment
 Make sure they are not recreated automatically
18 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

19. Authentication & Authorization
 Can be accomplished in various ways with various protocols
 Username/password, Certificates, etc
 Educate yourself on the characteristics of protocols available
before deciding
19 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

20. Session Management
 Use proven methods to generate session IDs
 Do not reinvent the wheel and attempt to create your own
 Utilize transport encryption to prevent eavesdropping /
modification of session data
 Use transport and element encryption to prevent replay /
injection attacks
20 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

21. Data Validation
 Validate and sanitize all input from external sources
 Sanitize all output of potentially malicious characters in
respect to the next tier (i.e. Database, XML stream, LDAP
directory, etc.)
 If possible, consider a default deny policy with a white list of
allowed input
21 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

22. Logging & Auditing
 Consider using an existing logging framework
 Centralize location of log files
 Ensure logs provide enough information for non-repudiation
of action
 Do not log password, credit cards or other sensitive
information
22 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

23. Error & Exception Handling
 Test for DoS conditions in QA/QC procedures
 Define and enforce data file types and sizes
 Check document complexity before handing to parser
– XML “Firewall”, etc.
 Use strict XML schema verification
 Create custom error messages with minimal information to
be returned by web services
23 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

24. Data Protection (In Storage & Transit)
 Two mechanisms for encryption, SSL and WS-Security
 Disadvantages of WS-Security
– Harder, more complex to implement (Easier to do wrong)
– Larger attack surface (Attacker has a lot more to play with) vs. SSL
with client certificates
– Only explicitly encrypted / signed data are protected
 Advantages of WS-Security
– WS-Security offers end-to-end Security (Instead of point-to-point)
– Transport agnostic
– No longer an all or nothing approach
– Less over head, especially in stateless web services (debatable)
24 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

25. SSL
 Well understood and vetted technology
 Provides the functionality needed for most web service
deployments
 Who is implementing SSL?
– ISVs adding web service interface to their product (SSL)
– Internet Companies exposing part of their service through web
interface for consumption (SSL)
– Internally distributed application previously using older technologies
for inter-application communication (SSL)
* By far majority of engagements, products, and web services we’ve seen implement SSL solution
25 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

26. WS-Security
 Enhances SOAP
– Provides a framework for message integrity and confidentiality
– Token type-, Encryption scheme-, and Signature scheme-agnostic
 Associates security tokens with messages
 Message integrity provided by XML Digital Signatures in conjunction with
security tokens
 Message confidentiality provided by XML Encryption in conjunction with
security tokens
 Describes mechanism to encode binary security tokens
– X.509 certificates, Kerberos, opaque encrypted keys
 Who is implementing?
– B2B application for company to company exchange
26 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

27. How WS-Security fits in the Web Service Stack
Management Portals
Extended
Composition/Orchestration
Capabilities
Secure Reliable
Reliable WS-Security Transactions
Messaging
Transaction
Endpoint identification, Publish/Subscribe
XML Schema, WSDL, UDDI, Attachments
Foundation
Transport
XML, SOAP
Invocation
Description
HTTP, HTTPS
27 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

28. Misconceptions
 Web services do not share some of the same vulnerabilities of
web applications
 WS-Security is all you need to solve security concerns within
web services
 XML firewalls and other technologies will protect against all
WS attacks
28 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

29. Integrate Secure Development Lifecycle
 Security Requirements
– Set requirements to meet security objectives
 Threat Modeling
– Identify issues at the time of design
– Assist in other phases of the development life cycle
 Code Review
– Identify issues at the time of implementation
– Static vs Dynamic Analysis
– Manual and Automated Tools
 Penetration Testing
– Blackbox vs White vs Grey Box Testing
– Manual and Automated Tools
29 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

30. Web Services Security
Nathan Sportsman
Founder and Chief Executive Officer
30 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured