Web Services Hacking

There are many ways to attack Web services. This tutorial outlines some of the basic ways in which Web services hacking can damage an organization's data, applications and ability to function. Below is a partial list of the attacks that are possible against XML Web services; there are many ways to classify them.
SQL Injection/XPATH/XQUERY Attacks

Code injection attacks are relatively straightforward, but usually require some knowledge of the back-end system behind the interface. Many Web services expose queryable information and have a SQL database in the back end. Such a service can be compromised quite easily by sending code fragments inside the SOAP envelope: when the fragment is unwrapped and concatenated into a query, special characters (such as quotes and comment markers) cause unintended SQL, XPath or XQuery statements to be executed. This can give access to systems without authorization, or to information that was never intended to be seen. More malicious forms of injection can run unwanted commands or code, such as deleting an entire database table.
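The auth-bypass injection described above, worked through in code. This is an added example, not code from the white paper: the Login operation, its namespace (http://example.com/stockservice), the users table and the sample account are all constructed for the demonstration. The vulnerable handler pastes the unwrapped SOAP field values into SQL; the hardened one binds them as parameters, so the same envelope no longer authenticates.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Hypothetical service namespace, assumed for this example.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "svc": "http://example.com/stockservice"}


def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def soap_login_message(user, password):
    """Build a Login request the way a client would (constructed sample).
    A real client would XML-escape the values; the payload used here needs no escaping."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <svc:Login xmlns:svc="http://example.com/stockservice">
      <svc:username>{user}</svc:username>
      <svc:password>{password}</svc:password>
    </svc:Login>
  </soap:Body>
</soap:Envelope>"""


def unwrap_login(message):
    """Pull the credential fields out of the SOAP envelope."""
    root = ET.fromstring(message)
    login = root.find("soap:Body/svc:Login", NS)
    return (login.findtext("svc:username", namespaces=NS),
            login.findtext("svc:password", namespaces=NS))


def login_vulnerable(conn, message):
    """Deliberately vulnerable: the unwrapped field values are pasted into the SQL text."""
    user, pw = unwrap_login(message)
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, message):
    """Hardened: the same query, with the values bound as parameters."""
    user, pw = unwrap_login(message)
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone()[0] > 0


# The injected password turns the WHERE clause into
#   name = 'alice' AND password = '' OR '1'='1'
# which is TRUE for every row, so authentication succeeds without the password.
ATTACK = soap_login_message("alice", "' OR '1'='1")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler accepts attack:", login_vulnerable(db, ATTACK))  # True
    print("parameterized handler accepts attack:", login_safe(db, ATTACK))    # False
```

The same construction applies to XPath and XQuery back ends: the fix is never to build the query text from message content, but to pass values through the query language's variable binding.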
Web Services Hacking I: A password table is compromised simply by making the authentication predicate always evaluate to TRUE, which lets the attacker authenticate to the system without a valid password. Other SQL injection statements can cause unauthorized access to information or simply delete the entire table.

Weak Password Attack

Enforcing strong password policies is common in many organizations and is often a regulatory requirement. Regardless of policy, it is also common for administrators to pick weak passwords. This can give attackers access to systems by trial and error or by brute-force dictionary password attacks.
Web Services Hacking II: Weak password enforcement policies result in weak passwords being chosen, giving attackers an easier way into systems.

WSDL Enumeration

Web services are built on self-describing standards that expose a significant amount of metadata to enable seamless communication. This also means that a lot of information is available to attackers of Web service systems. In this example, the WSDL file contains significant information about where a particular service is located, what operations are callable within the Web service and how to interact with it. The WSDL is essentially an advertising mechanism that can reveal information such as a sensitive operation or an important parameter. The WSDL may also reveal what tools generated the Web service, giving attackers more information about the environment.
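What an attacker actually pulls out of a WSDL, as an added example that is not part of the white paper. The WSDL below is constructed to match the GetQuote/TradeStock service the text describes; the endpoint URL, the parameter names (including the suspicious adminOverride flag) and the generator comment are all invented for the demonstration. The code enumerates the endpoint, every operation with its SOAPAction and input parameters, and any generator comment, then flags parameter names that hint at privileged behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed WSDL modelled on the GetQuote/TradeStock service in the text.
SAMPLE_WSDL = """<definitions name="StockService"
    targetNamespace="http://example.com/stockservice"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.com/stockservice">
  <!-- Generated by AcmeWsdlGen 2.1 (hypothetical tool name) -->
  <message name="GetQuoteRequest"><part name="symbol" type="xsd:string"/></message>
  <message name="GetQuoteResponse"><part name="price" type="xsd:decimal"/></message>
  <message name="TradeStockRequest">
    <part name="accountId" type="xsd:string"/>
    <part name="symbol" type="xsd:string"/>
    <part name="quantity" type="xsd:int"/>
    <part name="adminOverride" type="xsd:boolean"/>
  </message>
  <message name="TradeStockResponse"><part name="confirmation" type="xsd:string"/></message>
  <portType name="StockPortType">
    <operation name="GetQuote">
      <input message="tns:GetQuoteRequest"/><output message="tns:GetQuoteResponse"/>
    </operation>
    <operation name="TradeStock">
      <input message="tns:TradeStockRequest"/><output message="tns:TradeStockResponse"/>
    </operation>
  </portType>
  <binding name="StockBinding" type="tns:StockPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetQuote"><soap:operation soapAction="urn:stock:GetQuote"/></operation>
    <operation name="TradeStock"><soap:operation soapAction="urn:stock:TradeStock"/></operation>
  </binding>
  <service name="StockService">
    <port name="StockPort" binding="tns:StockBinding">
      <soap:address location="http://stock.example.com/services/Stock"/>
    </port>
  </service>
</definitions>"""

# Words in a parameter name that suggest privileged behaviour (heuristic, assumed list).
SENSITIVE = ("admin", "override", "password", "secret", "debug", "token")


def enumerate_wsdl(wsdl_text):
    """Return endpoints, operations (with SOAPAction and input parts) and comments from a WSDL."""
    # insert_comments=True keeps <!-- --> nodes, which often name the generating tool.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(wsdl_text, parser=parser)
    info = {"endpoints": [], "operations": {}, "comments": []}

    for addr in root.iter(f"{{{NS['soap']}}}address"):
        info["endpoints"].append(addr.get("location"))

    messages = {}  # message name -> [(part name, type)]
    for msg in root.findall("wsdl:message", NS):
        messages[msg.get("name")] = [(p.get("name"), p.get("type"))
                                     for p in msg.findall("wsdl:part", NS)]

    actions = {}  # operation name -> SOAPAction, taken from the binding
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        if soap_op is not None:
            actions[op.get("name")] = soap_op.get("soapAction")

    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        name = op.get("name")
        inp = op.find("wsdl:input", NS)
        msg_name = inp.get("message").split(":")[-1] if inp is not None else None
        info["operations"][name] = {"soapAction": actions.get(name),
                                    "params": messages.get(msg_name, [])}

    for node in root.iter():
        if node.tag is ET.Comment:
            info["comments"].append(node.text.strip())
    return info


def sensitive_parameters(info):
    """Flag (operation, parameter) pairs whose names hint at privileged behaviour."""
    hits = []
    for op, details in sorted(info["operations"].items()):
        for name, _type in details["params"]:
            if any(word in name.lower() for word in SENSITIVE):
                hits.append((op, name))
    return hits


if __name__ == "__main__":
    found = enumerate_wsdl(SAMPLE_WSDL)
    print("endpoints:", found["endpoints"])
    for op, details in found["operations"].items():
        print(op, details["soapAction"], [p for p, _ in details["params"]])
    print("generator hints:", found["comments"])
    print("worth probing:", sensitive_parameters(found))
```

Run against a real service's `?wsdl` URL, the same walk produces the attacker's target list; the defensive reading is to publish only the operations each audience needs (a separate WSDL for the public GetQuote interface), strip generator comments, and keep privileged flags out of the contract altogether.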
Web Services Hacking III: The WSDL reveals several callable operations, most notably GetQuote and TradeStock. In this situation you may wish everybody to have access to GetQuote, but only a certain subset of authorized requestors to have access to TradeStock. Even with authentication and access control in place, the WSDL may reveal more information about TradeStock than is desirable.

Routing Detours

Routing detours are a form of "man in the middle" attack that compromises routing information. Intermediaries can be hijacked to route sensitive messages to an outside location. Routing information (whether in the HTTP headers or in WS-Routing headers) can be modified en route, and the traces of the detour can be removed from the message so that the receiving application does not realize that a routing detour has occurred.
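A routing-detour check a trusted intermediary or the receiving service can run, as an added example that is not part of the white paper. The message is constructed: a compromised hop has appended an outside server to the WS-Routing forward path. The element names (path, action, to, fwd, via, id) and the namespace http://schemas.xmlsoap.org/rp/ follow the WS-Routing draft as assumed here; the hostnames and the allowlist are invented. The check compares the declared destination and every forward hop against an allowlist of known intermediaries.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "rp": "http://schemas.xmlsoap.org/rp/"}  # WS-Routing namespace, assumed from the draft

# Constructed message: the second <rp:via> hop was inserted by a compromised intermediary.
DETOURED = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <rp:path xmlns:rp="http://schemas.xmlsoap.org/rp/" S:mustUnderstand="1">
      <rp:action>urn:stock:TradeStock</rp:action>
      <rp:to>soap://stock.example.com/services/Stock</rp:to>
      <rp:fwd>
        <rp:via>soap://gateway.example.com/relay</rp:via>
        <rp:via>soap://collector.attacker.example/drop</rp:via>
      </rp:fwd>
      <rp:id>urn:example:msg-1</rp:id>
    </rp:path>
  </S:Header>
  <S:Body>
    <TradeStock xmlns="http://example.com/stockservice">
      <symbol>ACME</symbol><quantity>100</quantity>
    </TradeStock>
  </S:Body>
</S:Envelope>"""

# The same message without the detour hop.
CLEAN = DETOURED.replace("        <rp:via>soap://collector.attacker.example/drop</rp:via>\n", "")

TRUSTED_HOSTS = {"gateway.example.com", "stock.example.com"}  # hypothetical allowlist


def routing_hops(message):
    """Return (destination, [forward hops]) from the WS-Routing path header, or (None, []) if absent."""
    root = ET.fromstring(message)
    path = root.find("S:Header/rp:path", NS)
    if path is None:
        return None, []
    to = path.findtext("rp:to", namespaces=NS)
    vias = [v.text.strip() for v in path.findall("rp:fwd/rp:via", NS)]
    return to, vias


def detour_violations(message, trusted_hosts=TRUSTED_HOSTS,
                      expected_destination="stock.example.com"):
    """List every destination or forward hop that the allowlist does not cover."""
    to, vias = routing_hops(message)
    violations = []
    if to is not None and urlparse(to).hostname != expected_destination:
        violations.append(("to", to))
    for hop in vias:
        if urlparse(hop).hostname not in trusted_hosts:
            violations.append(("via", hop))
    return violations


if __name__ == "__main__":
    print("detoured message:", detour_violations(DETOURED))
    print("clean message:", detour_violations(CLEAN))
```

The check is only meaningful at a hop the attacker does not control and only when the path header is integrity-protected (a WS-Security signature covering it): as the text notes, an attacker who can rewrite the header unsigned can also strip the evidence before the message reaches the checker.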
Web Services Hacking IV: An intermediary is compromised and modifies the WS-Routing headers to send sensitive information to an outside server. The information is then routed back to the intermediary or on to the Web service with all traces removed.

Malicious Morphing

Malicious morphing is another form of "man in the middle" attack. Data or security information can be modified en route by an attacker, resulting in data integrity issues and operational problems.
Cross-Site Scripting

SOAP and XML are standards used to wrap data for easy consumption. SOAP provides the enveloping information needed to deliver messages seamlessly between heterogeneous applications, and XML includes metadata describing the structure of the information. Malicious code can be embedded in the elements or in the CDATA sections of a message. CDATA is used to delimit information in the message that should not be parsed, so embedded special characters or script pass through the parser untouched. The receiving application may then display or execute that data in unintended ways. This form of injection (sometimes called XML encapsulation) can be used to embed commands that tie up system resources or gain unauthorized access.
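The CDATA case from the paragraph above, worked through as an added example that is not code from the white paper. The response message, its namespace and the comment field are constructed. The XML parser accepts the CDATA section without complaint and hands back the raw script as ordinary text; what decides whether a browser executes it is how the consuming application renders the value, so the example shows the unsafe rendering next to an output-encoded one and an input-side check for markup in a field that should be plain text.

```python
import html
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "svc": "http://example.com/stockservice"}  # hypothetical service namespace

# Constructed response: the comment field carries script inside CDATA,
# so it is well-formed XML and no parser will reject it.
MALICIOUS_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <svc:GetQuoteResponse xmlns:svc="http://example.com/stockservice">
      <svc:symbol>ACME</svc:symbol>
      <svc:price>42.10</svc:price>
      <svc:comment><![CDATA[<script>while(true){}</script>]]></svc:comment>
    </svc:GetQuoteResponse>
  </soap:Body>
</soap:Envelope>"""


def extract_comment(message):
    """Return the comment field exactly as the parser delivers it: CDATA is unparsed, but it is still data."""
    root = ET.fromstring(message)
    return root.findtext("soap:Body/svc:GetQuoteResponse/svc:comment", namespaces=NS)


def render_unsafe(comment):
    """Vulnerable: the field value is pasted straight into the page, so the browser sees a script element."""
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment):
    """Hardened: HTML-encode on output, so the browser sees literal text."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def is_plain_text(value):
    """Input-side check: a field declared as free text has no business containing markup."""
    return "<" not in value and ">" not in value


if __name__ == "__main__":
    comment = extract_comment(MALICIOUS_RESPONSE)
    print("parser returned:", comment)
    print("unsafe:", render_unsafe(comment))
    print("safe:  ", render_safe(comment))
    print("plain text?", is_plain_text(comment))
```

The same two controls apply whichever direction the message travels: validate that text fields contain text when the message is unwrapped, and encode for the output context (HTML here) when the value is displayed. Rejecting CDATA outright is not a fix, since the same script can be sent as ordinary element text with `&lt;` entities.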
Web Services Hacking VI: JavaScript is injected into a message inside a CDATA section. The field value is eventually displayed in a browser, where the JavaScript runs and causes an infinite loop.

XML-based Attacks

Sometimes called "coercive parsing", XML-based attacks take advantage of the XML parsers that process the SOAP message. The Web services standards and existing network infrastructure provide no protection against them. Recursive entity definitions that produce exponential entity expansion, bogus parameters and large amounts of whitespace can overload XML parsers or make them behave unexpectedly. A recent Oracle Application Server bug, for instance, allowed DTD references in a SOAP message, which the SOAP standard does not permit; this made it possible to supply circular DTD references that tie up the server's resources.
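A parser front end that enforces the SOAP rule the paragraph cites (no DOCTYPE, and therefore no entity declarations) together with depth and size limits, as an added example that is not code from the white paper. The three messages are constructed: a benign request, a classic exponential entity expansion ("billion laughs") wrapped in an envelope, and a deeply nested document. The limits are assumptions chosen for the demonstration; SOAP messages are shallow, so a depth cap of a few dozen is comfortable for real traffic.

```python
import xml.parsers.expat

MAX_DEPTH = 32           # SOAP envelopes are shallow; deep nesting is an attack signal (assumed limit)
MAX_BYTES = 1_000_000    # cap accepted payload size before the parser sees it (assumed limit)


class CoerciveParsingError(ValueError):
    """Raised when a message violates the SOAP restrictions or the resource limits."""


def parse_soap_strict(data, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES):
    """Parse a SOAP message, refusing DTDs, entity declarations, deep nesting and oversized input.
    Returns (root element name, deepest nesting seen)."""
    if len(data) > max_bytes:
        raise CoerciveParsingError(f"message too large: {len(data)} bytes")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "root": None}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP 1.1 forbids a DOCTYPE altogether; refusing here stops any entity from being defined.
        raise CoerciveParsingError("DOCTYPE is not permitted in a SOAP message")

    def entity_decl(*args):
        # Defence in depth: never reached when start_doctype fires first.
        raise CoerciveParsingError("entity declarations are not permitted")

    def start_element(name, attrs):
        if state["root"] is None:
            state["root"] = name
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise CoerciveParsingError(f"nesting deeper than {max_depth}")

    def end_element(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)  # exceptions raised inside handlers propagate out of Parse
    return state["root"], state["max_depth"]


def classify(data):
    """Return 'ok' or the reason the message was refused."""
    try:
        parse_soap_strict(data)
        return "ok"
    except CoerciveParsingError as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed: {exc}"


# Constructed samples.
BENIGN = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote xmlns="http://example.com/stockservice"><symbol>ACME</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&lol3;</soap:Body></soap:Envelope>"""

DEEP_NESTING = b"<a>" * 200 + b"x" + b"</a>" * 200

WHITESPACE_FLOOD = b"<a/>" + b" " * 2_000_000

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("billion laughs", BILLION_LAUGHS),
                          ("deep nesting", DEEP_NESTING), ("whitespace flood", WHITESPACE_FLOOD)]:
        print(f"{label}: {classify(sample)}")
```

The size check runs before the parser is created, because padding with whitespace or bogus attributes is exactly the cheap input the text describes; the DOCTYPE and depth checks fire on the first offending token, so the parser never does the expensive work. The same handlers can be attached to any expat-based SOAP stack, and the same policy (no DTD, bounded depth, bounded size) is what an XML gateway should enforce in front of the service.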
Discovering and Eliminating Threats

In cases where malicious content is propagated on the services network, a Web services management solution, such as Actional provides, is ideal for discovering and eliminating such "rogue" services.

For More Information

Discover how a SOA management solution from Actional can be the answer to securing your Web services from hackers: download the free webinar, SOA Runtime Governance.

Secure Your Network from Web Services Hacking

Download the free white paper, "Web Services Risks — Understanding The Web Services Security Threat," now.