Web Services Hacking


There are many ways to attack Web Services. This tutorial outlines some of the basic ways that Web services hacking can damage an organization's data, applications and ability to function. Below is just a partial list of Web Services attacks that are possible against XML Web Services.



There are many ways to classify these attacks:




  • XML-Based Attacks: Taking advantage of the way XML works. For instance, an XML document can be sent that causes a large entity expansion, tying up system resources.

  • Bugs in Back End Systems: Many technologies are used in the XML message stream and can include XML parsers, application servers, operating systems, databases, etc. XML can encapsulate malware that can take advantage of bugs in these systems.

  • Code Injection Attacks: Attack code can be sent via a SOAP message to be later executed in a receiving application. For instance, SQL injection or cross-site scripting attacks are relatively easy to create.

  • Content-Based Attacks: Viruses, overly long strings, large messages, malformed messages are examples of attacks that can cause unexpected behavior at the receiving application.

  • Denial of Service: A flood of messages, or a single message with hundreds of encrypted elements, may tie up system resources and degrade service levels.

  • Man in the Middle Attack: Messages can be intercepted to cause routing problems or integrity problems, which can disrupt the receiving application.



SQL Injection/XPATH/XQUERY Attacks


Code injection attacks are relatively straightforward and usually require some knowledge of what back end system sits behind the interface. Many Web Services expose queryable information and have a SQL database in the backend. A Web Service can be quite easily compromised by sending code fragments inside the SOAP envelope. When the code fragment is unwrapped and passed to the database, special characters may cause unintended SQL, XPATH and XQUERY statements to be executed. This can grant access to systems without authorization, or expose information that was never intended to be seen. More malicious forms of injection can run unwanted commands or code, such as deleting an entire database table.



Web Services Hacking I: A password table is compromised by simply resolving the authentication string to always be TRUE.




In this situation the attacker authenticates to the system without valid credentials. Other SQL Injection statements can expose information without authorization or simply delete the entire table.
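The bypass shown in the figure, as an added illustration that is not part of the original tutorial: a SOAP login handler that concatenates the unwrapped fields into SQL, beside the same lookup with bound parameters. The service namespace, element names and the in-memory user table are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:login"  # hypothetical namespace of the login service


def make_db():
    """Constructed sample user table; not real credentials."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_request(user, pw):
    """Build a constructed Login envelope; ElementTree XML-escapes the values."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    login = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}Login")
    ET.SubElement(login, f"{{{SVC_NS}}}user").text = user
    ET.SubElement(login, f"{{{SVC_NS}}}pass").text = pw
    return ET.tostring(env)


def credentials_from_soap(envelope):
    """Unwrap the envelope and return the (user, pass) strings from the Login element."""
    login = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}Login")
    return login.findtext(f"{{{SVC_NS}}}user"), login.findtext(f"{{{SVC_NS}}}pass")


def login_vulnerable(db, envelope):
    """Concatenates the fields into SQL: a quote in pw rewrites the WHERE clause."""
    user, pw = credentials_from_soap(envelope)
    sql = f"SELECT 1 FROM users WHERE name='{user}' AND pw='{pw}'"
    return db.execute(sql).fetchone() is not None


def login_hardened(db, envelope):
    """Same lookup with bound parameters: quote characters stay inside the value."""
    user, pw = credentials_from_soap(envelope)
    sql = "SELECT 1 FROM users WHERE name=? AND pw=?"
    return db.execute(sql, (user, pw)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    forged = login_request("alice", "' OR '1'='1")
    print("vulnerable handler accepts forged login:", login_vulnerable(db, forged))
    print("hardened handler accepts forged login:  ", login_hardened(db, forged))
```

The vulnerable handler evaluates `name='alice' AND pw='' OR '1'='1'`, which is always true; the parameterized handler compares the literal string and rejects it.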



Weak Password Attack


Enforcing strong password policies is common in many organizations and is often a regulatory requirement. Regardless of policy, it is also common for administrators to pick weak passwords. This can give attackers access to systems through trial-and-error guessing or brute-force dictionary password attacks.



Web Services Hacking II: Weak password enforcement policies can result in weak passwords being chosen providing attackers an easier way to access systems.




WSDL Enumeration


Web Services are a self-describing set of standards that expose significant amounts of meta information to aid seamless communication. This also means that a lot of information is available to attackers of Web Service systems. In this example, the WSDL file contains significant information about where a particular service is, what functions are callable within the Web Service and how to interact with the service. The WSDL is essentially an advertising mechanism that can reveal a sensitive service or an important parameter. WSDL may also reveal what tools generated the Web Service, giving attackers more information on the environment.


Web Services Hacking III: The WSDL reveals several callable operations, most notably GetQuote and TradeStock.




In this situation, you may want everybody to have access to GetQuote but only a certain subset of authorized requestors to call TradeStock. Even with authentication and access control in place, the WSDL may reveal more information about TradeStock than is desirable.
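A defender's review of what a published WSDL gives away, as an added example rather than code from the original tutorial: it lists the advertised endpoints, operations and generator comments, and flags operations that fall outside an allow-list of intentionally public ones. The WSDL text, URL and tool name are constructed to mirror the figure.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL modelled on the figure; the URL and tool name are hypothetical.
SAMPLE_WSDL = f"""<?xml version="1.0"?>
<definitions xmlns="{WSDL_NS}" xmlns:soap="{SOAP_NS}" name="StockService">
  <!-- WSDL generated by ExampleToolkit 1.0 -->
  <portType name="StockPort">
    <operation name="GetQuote"><input message="tns:GetQuoteIn"/></operation>
    <operation name="TradeStock"><input message="tns:TradeStockIn"/></operation>
  </portType>
  <service name="StockService">
    <port name="StockPort" binding="tns:StockBinding">
      <soap:address location="http://stock.example.invalid/StockService"/>
    </port>
  </service>
</definitions>"""


def audit_wsdl(text, public_ops=("GetQuote",)):
    """Summarise what the WSDL advertises and which operations are not meant to be public."""
    # Keep comments: generator banners often name the toolkit and version.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(text, parser=parser)
    ops = sorted({op.get("name") for op in root.iter(f"{{{WSDL_NS}}}operation")})
    return {
        "endpoints": [a.get("location") for a in root.iter(f"{{{SOAP_NS}}}address")],
        "operations": ops,
        "restricted": [op for op in ops if op not in public_ops],
        "comments": [c.text.strip() for c in root.iter(ET.Comment)],
    }


if __name__ == "__main__":
    for key, value in audit_wsdl(SAMPLE_WSDL).items():
        print(f"{key}: {value}")
```

Anything reported under "restricted" is an operation whose existence and parameters are visible to every requestor, whether or not they are authorized to call it.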



Routing Detours


Routing Detours are a form of "Man in the Middle" attack that compromises routing information. Intermediaries can be "hijacked" to route sensitive messages to an outside location. Routing information (whether in the HTTP headers or in WS-Routing headers) can be modified en route. Traces of the detour can be removed from the message so that the receiving application does not realize that it has occurred.


Web Services Hacking IV: An intermediary is compromised which modifies WS-Routing headers to send sensitive information to an outside server. The information is either routed back to the intermediary or to the Web Service with all traces removed.




Malicious Morphing


Malicious morphing is another form of "Man in the Middle" attack. Data and security information can be modified en route by an attacker, resulting in data integrity issues and operational problems.


Web Services Hacking V: A compromised intermediary may modify the destination address of a purchase order or modify funds balance of a transaction to affect the data integrity of a back end system.
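How a receiver can detect the morphing described in the figure (and the stripped routing traces of the previous section), as an added example that is not part of the original tutorial: the sender binds the SOAP Body to a shared key with an HMAC carried in a header, and the receiver recomputes it. The header namespace, key and purchase order are constructed; a real deployment would use an XML signature rather than this minimal MAC.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAC_NS = "urn:example:integrity"    # hypothetical header namespace for the MAC
KEY = b"constructed-shared-secret"  # constructed key shared by sender and receiver

# Constructed purchase order like the one in the figure.
ORDER = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><PurchaseOrder>'
         '<ShipTo>1 Main St</ShipTo><Amount>100.00</Amount>'
         '</PurchaseOrder></s:Body></s:Envelope>').encode()


def _body_mac(root, key):
    """HMAC over the serialised Body only: headers may change in transit, the order may not."""
    body = root.find(f"{{{SOAP_NS}}}Body")
    body.tail = None  # whitespace after </Body> is not part of the protected content
    return hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()


def seal(envelope, key=KEY):
    """Sender: add a Header carrying the Body MAC."""
    root = ET.fromstring(envelope)
    mac = _body_mac(root, key)
    header = ET.Element(f"{{{SOAP_NS}}}Header")
    root.insert(0, header)  # SOAP requires the Header before the Body
    ET.SubElement(header, f"{{{MAC_NS}}}BodyMAC").text = mac
    return ET.tostring(root)


def verify(envelope, key=KEY):
    """Receiver: recompute the MAC; False means the Body changed or was never sealed."""
    root = ET.fromstring(envelope)
    claimed = root.findtext(f"{{{SOAP_NS}}}Header/{{{MAC_NS}}}BodyMAC")
    if claimed is None:
        return False
    expected = _body_mac(root, key)
    return hmac.compare_digest(claimed.encode(), expected.encode())


def morph_destination(envelope, new_addr):
    """Simulate the compromised intermediary from the figure rewriting ShipTo."""
    root = ET.fromstring(envelope)
    root.find(".//ShipTo").text = new_addr
    return ET.tostring(root)
```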



Cross-Site Scripting


SOAP and XML are standards used to wrap data for easy consumption. SOAP provides enveloping information to deliver messages in a seamless fashion between heterogeneous applications. XML includes metadata to describe the structure of the information. Malicious code can be embedded into the elements or CDATA of the information. CDATA is used to delineate information in the message that should not be parsed. Embedded characters or malicious code can be sent. The receiving application may display or execute the data in unintended ways. Cross-site scripting (sometimes called XML encapsulation) can be used to embed commands that can tie up system resources or gain unauthorized access.


Web Services Hacking VI: Illegal javascript code is injected into a message using CDATA. The field value, which is eventually displayed in a browser, actually runs javascript code in the browser, causing an infinite loop.



XML-based Attacks


Sometimes called "Coercive Parsing", XML-based attacks take advantage of the XML parsers that process the SOAP message. Web Services and existing infrastructure do not provide protection against XML-based attacks. Recursive relationships that create entity expansions, bogus parameters and significant amounts of whitespace can cause XML parsers to be overloaded or to behave unexpectedly. A recent Oracle Application Server bug, for instance, allowed DTD references in a SOAP message, which the standard does not allow. This enabled circular DTD references to be made, tying up resources.


Web Services Hacking VII: Malicious content can be sent taking advantage of deficiencies in XML parsers.
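A pre-parse guard for the deficiencies described above, added here as an example and not taken from the original tutorial: it refuses oversized messages, stops at the first DOCTYPE (which SOAP forbids and which is where entity expansion is declared) before any entity is expanded, and caps element nesting. The size and depth ceilings and the two sample messages are constructed for the example.

```python
import xml.parsers.expat

MAX_BYTES = 1_000_000  # hypothetical ceiling for one SOAP message
MAX_DEPTH = 64         # hypothetical ceiling on element nesting


class Rejected(Exception):
    """Raised from an expat handler to stop parsing before any entity is expanded."""


def check_soap_message(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Return None if the message is acceptable, else the reason it was rejected."""
    if len(data) > max_bytes:
        return f"message larger than {max_bytes} bytes"
    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before the internal subset and its entities are read.
        raise Rejected("DOCTYPE not permitted in a SOAP message")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise Rejected(f"element nesting deeper than {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except Rejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed messages: a normal request and a small entity-expansion payload.
GOOD = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'
BOMB = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b'<x>&b;&b;&b;&b;</x>')
```

Run the check on the raw bytes before handing the message to the application's SOAP stack, so the expensive parser never sees a message the guard rejected.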



Discovering and Eliminating Threats


In cases where malicious content is propagated on the services network, a Web services management solution – such as Actional provides – is ideal for discovering and eliminating such "rogue" services.



For More Information


Discover how a SOA management solution from Actional can be the answer to securing your Web services from hackers: download the free webinar, SOA Runtime Governance

