web service security
DESCRIPTION
Web Service Security by Nabarun Sengupta @ null Pune Meet, March 2011
TRANSCRIPT
Page 1
Source Boston 2010
Page 2
▪ Member of security community – null
▪ I am working at Mindtree Limited
▪ Champion of Security Square
▪ Like hacking
▪ Executed 6 security projects
▪ Tested web services for ASMX, Java web service and WCF
▪ Currently working on: web services security testing
Page 3
▪ Web Services Stack
▪ WCF Story
▪ WCF Overview
▪ ASP.NET v/s WCF
▪ What is New in WCF?
▪ ABC of WCF endpoints
▪ WCF Attack - Reconnaissance
▪ Obtaining Meta Data from WCF service
▪ Manual Testing Utilities
Page 4
Page 5
Born in 2006, initially code-named Indigo
Page 6
▪ Replacement for traditional ASP.NET web services
▪ WCF is the framework Microsoft encourages developers to use for any kind of network communication
▪ Introduced in .NET 3.0
▪ A bunch of different protocols and message formatting options
▪ In accordance with SOA principles, to support distributed computing
Page 7

| ASP.NET web service | WCF web service |
|---|---|
| Solely made for building web services | Provides tools for software entities to communicate in any circumstances |
| Supports sending messages via HTTP only | Supports transports such as HTTP, TCP, named pipes and Microsoft Message Queuing (MSMQ) |
| Configuration system | Richer facilities for deploying and managing applications: in addition to the config system, a config editor, activity tracing, a trace viewer, message logging, a vast number of performance counters and support for Windows Management Instrumentation (WMI) |
Page 8
Page 9
Page 10
WCF services use the .svc extension, compared with the historical .asmx extension.
WCF services are exposed through endpoints.
Before attacking WCF, some prerequisites that should be known are the ABCs of a WCF endpoint: Address, Binding, Contract.
Page 11
Every WCF service has a unique address: a transport protocol plus a location. Services hosted in IIS often use the .svc file extension.
[transport]://[machine or domain][:optional port]/[optional uri]
Page 12
“What protocol can I use to talk to this service?” A binding specifies how a service communicates:
▪ Transport protocol
▪ Encoding (message format)
Several out-of-the-box bindings, or a customised one.
Page 13
“What can I do with this service?”
WCF contracts specify what is communicated to the outside world. There are four types of contract:
▪ Service: operations that a client can perform
▪ Data: defines the data types passed by the service
▪ Fault: error handling and propagation
▪ Message: allows direct interaction with messages
Page 14
▪ Traditional use of WSDL (can be easily exposed through ?wsdl or /wsdl)
▪ Preferred mechanism: metadata exchange (MEX)
▪ Bad news: the newer WCF technology implements a secure approach out of the box
▪ Good news: most of the applications are built in VSTS *
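What a tester actually pulls out of the metadata once ?wsdl answers, as an added example (not code from the talk): the script below parses a WSDL in the shape WCF emits and lists, per endpoint, the address, the SOAP version, whether the binding carries a WS-SecurityPolicy assertion (symmetric/asymmetric = message security, transport = TLS expected), and the operations with their SOAP actions, then singles out endpoints that have neither TLS nor a security assertion. The WSDL is a constructed, trimmed sample; the host orders.example.test and the IOrderService contract are invented.

```python
"""Reconnaissance from a WCF service's WSDL (the body returned for
Service.svc?wsdl): endpoint addresses, SOAP version, attached WS-SecurityPolicy
assertion, and operations with their SOAP actions.
Added example; SAMPLE_WSDL is constructed, not taken from a real service."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
    "wsaw": "http://www.w3.org/2006/05/addressing/wsdl",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
# WS-SecurityPolicy namespaces emitted by .NET 3.5+ and by .NET 3.0 respectively
SP_NS = ("http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
         "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy")

# Constructed sample: one contract exposed on a basicHttpBinding port (no policy)
# and on a wsHttpBinding port whose policy carries a SymmetricBinding assertion.
SAMPLE_WSDL = """<wsdl:definitions name="OrderService" targetNamespace="http://tempuri.org/"
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
 xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/"
 xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="WSHttpBinding_IOrderService_policy">
  <wsp:ExactlyOne><wsp:All><sp:SymmetricBinding><wsp:Policy/></sp:SymmetricBinding></wsp:All></wsp:ExactlyOne>
 </wsp:Policy>
 <wsdl:portType name="IOrderService">
  <wsdl:operation name="GetOrder"><wsdl:input wsaw:Action="http://tempuri.org/IOrderService/GetOrder"/></wsdl:operation>
  <wsdl:operation name="DeleteOrder"><wsdl:input wsaw:Action="http://tempuri.org/IOrderService/DeleteOrder"/></wsdl:operation>
 </wsdl:portType>
 <wsdl:binding name="BasicHttpBinding_IOrderService" type="tns:IOrderService">
  <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
 </wsdl:binding>
 <wsdl:binding name="WSHttpBinding_IOrderService" type="tns:IOrderService">
  <wsp:PolicyReference URI="#WSHttpBinding_IOrderService_policy"/>
  <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
 </wsdl:binding>
 <wsdl:service name="OrderService">
  <wsdl:port name="BasicHttpBinding_IOrderService" binding="tns:BasicHttpBinding_IOrderService">
   <soap:address location="http://orders.example.test/OrderService.svc/basic"/>
  </wsdl:port>
  <wsdl:port name="WSHttpBinding_IOrderService" binding="tns:WSHttpBinding_IOrderService">
   <soap12:address location="http://orders.example.test/OrderService.svc/ws"/>
  </wsdl:port>
 </wsdl:service>
</wsdl:definitions>"""


def _security_assertion(root, policy_ref):
    """'message', 'transport' or None, read from the wsp:Policy a binding references."""
    if not policy_ref or not policy_ref.startswith("#"):
        return None
    for pol in root.iter(f"{{{NS['wsp']}}}Policy"):
        if pol.get(f"{{{NS['wsu']}}}Id") != policy_ref[1:]:
            continue
        for el in pol.iter():  # walk the policy for a WS-SecurityPolicy binding assertion
            ns, _, local = el.tag[1:].partition("}")
            if ns in SP_NS and local in ("SymmetricBinding", "AsymmetricBinding"):
                return "message"
            if ns in SP_NS and local == "TransportBinding":
                return "transport"
    return None


def enumerate_service(wsdl_xml):
    """One dict per wsdl:port: address, tls, soap version, security, operations."""
    root = ET.fromstring(wsdl_xml)
    operations = {}  # portType name -> {operation name: input SOAP action}
    for pt in root.findall("wsdl:portType", NS):
        ops = {}
        for op in pt.findall("wsdl:operation", NS):
            inp = op.find("wsdl:input", NS)
            ops[op.get("name")] = None if inp is None else inp.get(f"{{{NS['wsaw']}}}Action")
        operations[pt.get("name")] = ops
    bindings = {}  # binding name -> contract it implements, SOAP version, security assertion
    for b in root.findall("wsdl:binding", NS):
        ref = b.find("wsp:PolicyReference", NS)
        bindings[b.get("name")] = {
            "port_type": b.get("type", "").split(":")[-1],
            "soap": "1.2" if b.find("soap12:binding", NS) is not None else "1.1",
            "security": _security_assertion(root, None if ref is None else ref.get("URI")),
        }
    endpoints = []
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            if addr is None:
                addr = port.find("soap12:address", NS)
            location = None if addr is None else addr.get("location")
            binding = bindings.get(port.get("binding", "").split(":")[-1], {})
            endpoints.append({
                "address": location,
                "tls": urlparse(location or "").scheme == "https",
                "soap": binding.get("soap"), "security": binding.get("security"),
                "operations": operations.get(binding.get("port_type"), {}),
            })
    return endpoints


def unprotected_endpoints(endpoints):
    """Addresses with neither TLS nor a security assertion: SOAP travels in clear text."""
    return [e["address"] for e in endpoints if not e["tls"] and e["security"] is None]


if __name__ == "__main__":  # for a live target, feed it the body of GET http://host/Service.svc?wsdl
    for e in enumerate_service(SAMPLE_WSDL):
        print(e["address"], "SOAP", e["soap"], "tls", e["tls"], "security", e["security"], sorted(e["operations"]))
```

The operation list is what the manual tools on the later slides fill in for you; the SOAP actions are what you put in the SOAPAction header (SOAP 1.1) or the Content-Type action parameter (SOAP 1.2) when crafting requests by hand.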
Page 15
Both WSDL and MEX are enabled by default when generating WCF configuration in Visual Studio
Page 16
Page 17
Note: metadata is not always published over SSL. The default Visual Studio template includes
but not
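A configuration review for the two slides above, added here as an example and not taken from the talk: it reads a WCF web.config and reports the settings the Visual Studio template switches on (httpGetEnabled, so ?wsdl answers over plain HTTP; a mex endpoint; exception details in faults) and, as the check a tester wants alongside, any basicHttpBinding endpoint left at its default security mode of None. Both configs are constructed to resemble template output; the Orders.OrderService names are invented. The hardened config shows the same service with metadata off, no MEX endpoint, fault detail off and TLS-only transport.

```python
"""Review a WCF web.config for what the Visual Studio service template leaves
enabled: WSDL over plain HTTP, a MEX endpoint, exception detail in faults, and
basicHttpBinding endpoints running with security mode None.
Added example; both configs are constructed, not copied from a real project."""
import xml.etree.ElementTree as ET

# Constructed: the shape the template produces (names invented).
TEMPLATE_CONFIG = """<configuration>
 <system.serviceModel>
  <services>
   <service name="Orders.OrderService" behaviorConfiguration="OrdersBehavior">
    <endpoint address="" binding="basicHttpBinding" contract="Orders.IOrderService"/>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
   </service>
  </services>
  <behaviors><serviceBehaviors>
   <behavior name="OrdersBehavior">
    <serviceMetadata httpGetEnabled="true"/>
    <serviceDebug includeExceptionDetailInFaults="true"/>
   </behavior>
  </serviceBehaviors></behaviors>
 </system.serviceModel>
</configuration>"""

# Constructed: the same service hardened for production.
HARDENED_CONFIG = """<configuration>
 <system.serviceModel>
  <bindings><basicHttpBinding>
   <binding name="TlsOnly"><security mode="Transport"/></binding>
  </basicHttpBinding></bindings>
  <services>
   <service name="Orders.OrderService" behaviorConfiguration="OrdersBehavior">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="TlsOnly"
              contract="Orders.IOrderService"/>
   </service>
  </services>
  <behaviors><serviceBehaviors>
   <behavior name="OrdersBehavior">
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false"/>
    <serviceDebug includeExceptionDetailInFaults="false"/>
   </behavior>
  </serviceBehaviors></behaviors>
 </system.serviceModel>
</configuration>"""


def _flag(el, attr):
    """True when the boolean attribute is present and set to true."""
    return el is not None and el.get(attr, "false").lower() == "true"


def audit_service_model(config_xml):
    """Return (service name, finding) pairs; an empty list means nothing flagged."""
    root = ET.fromstring(config_xml)
    sm = next(c for c in root if c.tag == "system.serviceModel")
    # basicHttpBinding configurations by name; WCF's default security mode is None
    basic_modes = {}
    for b in sm.findall("bindings/basicHttpBinding/binding"):
        sec = b.find("security")
        basic_modes[b.get("name")] = "None" if sec is None else sec.get("mode", "None")
    # service behaviors by name; an unnamed behavior (key "") applies to every service
    behaviors = {}
    for b in sm.findall("behaviors/serviceBehaviors/behavior"):
        behaviors[b.get("name", "")] = {
            "http_get": _flag(b.find("serviceMetadata"), "httpGetEnabled"),
            "fault_detail": _flag(b.find("serviceDebug"), "includeExceptionDetailInFaults"),
        }
    findings = []
    for svc in sm.findall("services/service"):
        name = svc.get("name")
        beh = behaviors.get(svc.get("behaviorConfiguration", ""), {})
        if beh.get("http_get"):
            findings.append((name, "WSDL served over plain HTTP via ?wsdl"))
        if beh.get("fault_detail"):
            findings.append((name, "includeExceptionDetailInFaults=true leaks stack traces to callers"))
        for ep in svc.findall("endpoint"):
            binding = ep.get("binding", "")
            if binding.startswith("mex"):
                findings.append((name, f"MEX endpoint at address '{ep.get('address')}' ({binding})"))
            elif binding == "basicHttpBinding":
                if basic_modes.get(ep.get("bindingConfiguration"), "None") == "None":
                    findings.append((name, "basicHttpBinding endpoint with security mode None"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("template", TEMPLATE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_service_model(cfg) or "no findings")
```

Whether metadata belongs in production at all is a deployment decision; what the script catches is the common case where it was never decided and the template defaults shipped.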
Page 18
Page 19
Leveraging metadata for manual testing.
WcfTestClient
▪ Ships with Visual Studio 2008+
▪ Automatically parses WSDL or MEX
▪ http://weblogs.asp.net/blogs/guillermo/Code/WcfTestClient.zip
WCF Storm
▪ Supports most WCF bindings, including MC-NBFS over HTTP
▪ Free Lite version available
▪ http://www.wcfstorm.com/wcf/download-wcfstorm-lite.aspx
Page 20
Pros
▪ Has support for ASMX, WCF and Java web services
▪ Easy GUI
▪ Inbuilt SOAP generator
Cons
▪ Commercial tool
▪ Trial edition does not provide automation of the injection list
Page 21
WSFuzzer is a tool developed by Andres Andreu.
▪ Built in Python. Needs JDK 1.6 and Python 2.6 as prerequisites
▪ Helps in automating payload injections against a WSDL URL
▪ Useful for automating tests for XSS, SQL injection, insecure IDs and malicious command injection
Page 22
Secure bindings support message security based on the WS-Security standards:
▪ NetTcpBinding: binary XML message format
▪ WsHttpBinding: SOAP/XML over HTTP/S
▪ many more…
Multiple credential options: Windows, Certificate, Username, Anonymous, IssuedToken.
Caveat: basicHttpBinding, the drop-in equivalent of an ASMX service, defaults to security mode None, so a WCF service is only as secure as the binding and security mode actually configured for each endpoint.
Page 23
http://www.owasp.org/images/d/d0/Web_Services_Hacking_and_Hardening.pdf
Page 24
Nabarun Sengupta
Senior Test Engineer, Mindtree Limited
Email Id: [email protected]
Mobile: 9689881811