web service security

Source Boston 2010


DESCRIPTION

Web Service Security by Nabarun Sengupta @ null Pune Meet, March, 2011

TRANSCRIPT

Page 1: Web Service Security

Source Boston 2010

Page 2: Web Service Security

Member of security community – Null
I am working at Mindtree Limited
Champion of Security Square
Like Hacking
Executed 6 security projects
Tested web services for ASMX, Java web service and WCF.
Currently working on: Web services Security Testing

Page 3: Web Service Security

▪ Web Services Stack
▪ WCF Story
▪ WCF Overview
▪ ASP.NET v/s WCF
▪ What is New in WCF?
▪ ABC of WCF endpoints
▪ WCF Attack – Reconnaissance
▪ Obtaining Meta Data from WCF service
▪ Manual Testing Utilities

Page 4: Web Service Security
Page 5: Web Service Security

Born in 2006, initially code-named Indigo

Page 6: Web Service Security

Replacement for traditional ASP .NET web services

WCF is the framework Microsoft encourages developers to use for any kind of network communication.

It was introduced in .NET 3.0 with a bunch of different protocols and message formatting options.

It follows SOA principles to support distributed computing.

Page 7: Web Service Security

ASP .NET web service vs. WCF web service

ASP .NET web service:
▪ Solely made for building web services
▪ Supports sending messages via HTTP
▪ Configuration system

WCF web service:
▪ Provides tools for software entities to communicate in any circumstances
▪ Supports transports like HTTP, TCP, named pipes, Microsoft Message Queuing
▪ Richer facilities for deploying and managing applications
▪ In addition to the configuration system: a config editor, activity tracing, trace viewer, message logging, a vast number of performance counters, and support for Windows Management Instrumentation

Page 8: Web Service Security
Page 9: Web Service Security
Page 10: Web Service Security

WCF services use the .svc extension, in contrast to the historical .asmx extension.

WCF services are exposed through endpoints.

Before attacking WCF, the prerequisites to know are the ABCs of WCF web services: Address, Binding, Contract.

Page 11: Web Service Security

Every WCF service has a unique address: a transport protocol plus a location. Services hosted in IIS often use the .svc file extension.

[transport]://[machine or domain][:optional port]/[optional uri]

Page 12: Web Service Security

“What protocol can I use to talk to this service?”

A binding specifies how a service communicates:
▪ Transport protocol
▪ Encoding (message format)

Bindings can be customized, or one of several out-of-the-box bindings can be used.

Page 13: Web Service Security

“What can I do with this service?”

WCF contracts specify what is communicated to the outside world.

4 types of contracts:
▪ Service: operations that a client can perform
▪ Data: defines the data types passed by the service
▪ Fault: error handling and propagation
▪ Message: allows direct interaction with messages

Page 14: Web Service Security

Traditional use of WSDL (easily exposed through ?wsdl or /wsdl)

Preferred mechanism: Metadata Exchange (MEX)

Bad news – a secure approach is implemented in the new WCF technologies

Good news – most applications are built in VSTS *

Page 15: Web Service Security

Both WSDL and MEX are enabled by default when Visual Studio generates the WCF configuration.

Page 16: Web Service Security
Page 17: Web Service Security

Note: Metadata is not always published over SSL.

The default Visual Studio template includes

But not

Page 18: Web Service Security
Page 19: Web Service Security

Leveraging metadata for manual testing

WcfTestClient
▪ Ships with Visual Studio 2008+
▪ Automatically parses WSDL or MEX
▪ http://weblogs.asp.net/blogs/guillermo/Code/WcfTestClient.zip

WCF Storm
▪ Supports most WCF bindings, including MC-NBFS over HTTP
▪ Free Lite version available
▪ http://www.wcfstorm.com/wcf/download-wcfstorm-lite.aspx

Page 20: Web Service Security

Pros
▪ Has support for ASMX, WCF and Java web services
▪ Easy GUI
▪ Inbuilt SOAP generator

Cons
▪ Commercial tool
▪ Trial edition does not provide automation of the injection list

Page 21: Web Service Security

WSFuzzer is a tool developed by Andres Andreu.
▪ Built in Python; needs JDK 1.6 and Python 2.6 as prerequisites
▪ Helps in automating payload injections against a WSDL URL
▪ Useful for automating tests for XSS, SQL injection, insecure IDs and malicious command injection

Page 22: Web Service Security

Secure bindings support message security based on WS-Security standards

NetTcpBinding
▪ Binary XML message format

wsHttpBinding
▪ SOAP/XML over HTTP/S

many more…

Multiple credential options: Windows, Certificate, Username, Anonymous, IssuedToken
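As an added example (not part of the original slides, and not code from Mindtree or any WCF project), the following Python script audits a WCF web.config fragment for the two weaknesses the metadata slides (WSDL and MEX enabled by default, metadata not always over SSL) and the secure-bindings slide point at: metadata published over plain HTTP, and endpoints whose binding has security mode None. The config, the service names (Demo.OrderService, Demo.PaymentService) and the contract names are constructed for the example; the DEFAULT_SECURITY_MODE table records the WCF defaults that apply when an endpoint names no bindingConfiguration (basicHttpBinding defaults to None, wsHttpBinding to Message).

```python
"""Audit a WCF web.config fragment for metadata exposed over plain HTTP and
endpoints without transport or message security (added example)."""
import xml.etree.ElementTree as ET

# WCF default security mode for an endpoint that names no bindingConfiguration.
DEFAULT_SECURITY_MODE = {"basicHttpBinding": "None", "wsHttpBinding": "Message"}

# Constructed sample config (not from any real project). Demo.OrderService keeps
# the Visual Studio defaults; Demo.PaymentService is the hardened counterpart.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="plain">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="secure">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="defaultBehavior">
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
        <behavior name="hardenedBehavior">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Demo.OrderService" behaviorConfiguration="defaultBehavior">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="plain"
                  contract="Demo.IOrderService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
      <service name="Demo.PaymentService" behaviorConfiguration="hardenedBehavior">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="secure"
                  contract="Demo.IPaymentService" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>"""


def _is_true(elem, attr):
    """True when elem exists and attr is set to 'true' (case-insensitive)."""
    return elem is not None and elem.get(attr, "false").lower() == "true"


def audit_config(xml_text):
    """Return a list of (service name, finding) tuples for the given config."""
    root = ET.fromstring(xml_text)
    sm = next(c for c in root if c.tag == "system.serviceModel")
    findings = []

    # Service behaviors by name, so each service can be checked for httpGetEnabled.
    behaviors = {b.get("name", ""): b
                 for b in sm.findall("behaviors/serviceBehaviors/behavior")}

    # Named binding configurations: (binding type, name) -> security mode.
    # An unnamed <binding> is the default configuration for its binding type.
    modes = {}
    bindings = sm.find("bindings")
    if bindings is not None:
        for binding_type in bindings:               # e.g. <basicHttpBinding>
            for binding in binding_type.findall("binding"):
                sec = binding.find("security")
                default = DEFAULT_SECURITY_MODE.get(binding_type.tag, "None")
                mode = sec.get("mode", default) if sec is not None else default
                modes[(binding_type.tag, binding.get("name", ""))] = mode

    for svc in sm.findall("services/service"):
        name = svc.get("name", "?")
        behavior = behaviors.get(svc.get("behaviorConfiguration", ""))
        if behavior is not None and _is_true(behavior.find("serviceMetadata"), "httpGetEnabled"):
            findings.append((name, "WSDL published over plain HTTP (httpGetEnabled=true)"))
        for ep in svc.findall("endpoint"):
            btype = ep.get("binding", "")
            if btype == "mexHttpBinding":
                findings.append((name, "MEX endpoint over plain HTTP (mexHttpBinding)"))
            elif btype in DEFAULT_SECURITY_MODE:
                key = (btype, ep.get("bindingConfiguration", ""))
                mode = modes.get(key, DEFAULT_SECURITY_MODE[btype])
                if mode == "None":
                    findings.append((name, f"{btype} endpoint for {ep.get('contract')} "
                                           "has security mode None"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_config(SAMPLE_CONFIG):
        print(f"{service}: {finding}")
```

Run against the sample, the script reports three findings, all on Demo.OrderService (WSDL over HTTP, a basicHttpBinding endpoint with no security, and a plain-HTTP MEX endpoint), and none on the hardened Demo.PaymentService. The checker reads only the fragment it is given; in a real deployment the same elements may also be inherited from machine.config, so point it at the effective configuration rather than a single file.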

Page 23: Web Service Security

http://www.owasp.org/images/d/d0/Web_Services_Hacking_and_Hardening.pdf

Page 24: Web Service Security

Nabarun Sengupta

Senior Test Engineer, Mindtree Limited

Email Id: [email protected]

Mobile: 9689881811