Professional Documents
Culture Documents
Jeff Williams
Aspect Security CEO
jeff.williams@aspectsecurity.com
August 9, 2006
Service
(server-side)
Application
(client-side)
2
Copyright © 2006 - Aspect Security
) How Attackers See Services
Sniffing
Interception
Tampering Service
(server-side)
Application
(client-side)
Chained Attacks on
Other Services or
Other Clients
Attacks on
Local Hosts
and Networks
3
Copyright © 2006 - Aspect Security
) Imagine the Future
4
Copyright © 2006 - Aspect Security
) Accessing Services Securely
Service
Input/Output Validation (server-side)
Application
(client-side) Error Handling
Access Control Logging
Encryption
Error Handling ons Availability
ti
Logging i ca
un Concurrency
Encryption m
Com
Availability e
c ur
Concurrency Se
Credentials
Authentication
Credentials
Note: the application is a “client” of the service, but might be a server application itself
5
Copyright © 2006 - Aspect Security
) What Does “Secure” Mean for a Service?
7
Copyright © 2006 - Aspect Security
) Using Eclipse for Code Review
•Syntax highlighting
•Powerful Search Tools •Code browsing
8
Copyright © 2006 - Aspect Security
) Using WebScarab for Penetration Testing
Choose WebServices feature
9
Copyright © 2006 - Aspect Security
) Finding Services
Client Examples
) Sockets – search for use of java.net.*
) HTTP – search for use of URI, URL
) Operating System – search for Runtime.exec()
) Web Services – search for AXIS
Server Examples
) Database – search for use of JDBC
) Servlet – search for use of ServletRequest
) Custom services – search for use of libraries
10
Copyright © 2006 - Aspect Security
) Architecture for Accessing Services
Access Control
Simple Limited API
Service Access
Component Authentication
Error Handling
Logging
Encryption
Availability Service
Concurrency
Credentials
11
Copyright © 2006 - Aspect Security
) Secure Service - Client Pattern
// pseudo-code template for invoking a service with security
...
if ( !isAuthorized ) throw AuthorizationException
if ( !isValidInput ) throw ValidationException
try {
credentials = encryptedProperties.getCredentials()
service = open( credentials ) // SSL? Least privilege?
encode( parameters )
results = service.invoke( parameters )
validate( results )
log success
} catch Exception e {
log error
throw proper exception Secure Communications
} finally { Authentication and Sessions
close connection Access Control
} Validate & Encode Request
encode( results ) Validate & Encode Response
do something with results Error Handling
... Logging & Intrusion Detection
Encryption
Availability
Concurrency
12
Copyright © 2006 - Aspect Security
) Client Example: LDAP Using JNDI
// Authenticate
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=user, ou=group, o=jndi");
env.put(Context.SECURITY_CREDENTIALS, "password");
13
Copyright © 2006 - Aspect Security
) Client Example: TCP/IP Socket
try {
Socket t = new Socket(args[0], 7);
DataInputStream dis =
new DataInputStream(t.getInputStream());
PrintStream ps = new PrintStream(t.getOutputStream());
ps.println("Hello");
String str = dis.readLine();
if (str.equals("Hello"))
System.out.println("Alive!");
else
System.out.println("Dead or echo port not responding");
t.close();
}
catch (IOException e) {
e.printStackTrace();
}
14
Copyright © 2006 - Aspect Security
) Client Example: Web Service
15
Copyright © 2006 - Aspect Security
) Client Example: E-mail
public void sendEmail( HttpServletRequest request )
{
String to = request.getParameter( "to" );
String from = request.getParameter( "from" );
String text = request.getParameter( "msg" );
Properties props = new Properties();
props.setProperty("mail.transport.protocol", "smtp");
props.setProperty("mail.host", "mymail.server.org");
props.setProperty("mail.user", "emailuser");
props.setProperty("mail.password", "password");
Session mailSession = Session.getDefaultInstance(props, null);
Transport transport = mailSession.getTransport();
MimeMessage message = new MimeMessage(mailSession);
message.setContent( text, "text/plain");
message.addRecipient(Message.RecipientType.TO,
new InternetAddress( to ));
msg.setFrom(new InternetAddress( from ));
msg.setSubject( "Check out this cool site" );
transport.connect();
transport.sendMessage(message,
message.getRecipients(Message.RecipientType.TO));
transport.close();
}
16
Copyright © 2006 - Aspect Security
) Client Example: Google
17
Copyright © 2006 - Aspect Security
) Secure Service - Server Pattern
// pseudo-code template for implementing a service with security
...
hash = hash( password )
if ( !isAuthenticated( username, hash ) ) throw
AuthenticationException
if ( !isAuthorized ) throw AuthorizationException
if ( !isValidInput ) throw ValidationException
try {
encode( parameters )
results = do something with parameters
validate( results )
log success
} catch Exception e {
log error Secure Communications
throw proper exception Authentication and Sessions
} finally { Access Control
close connection Validate & Encode Request
} Validate & Encode Response
encode( results ) Error Handling
do something with results Logging & Intrusion Detection
... Encryption
Availability
Concurrency
18
Copyright © 2006 - Aspect Security
) Server Example - Web Service
package server;
import javax.jws.WebService;
@WebService
public class HelloImpl {
public String sayHello(String name) {
return "Hello, " + name + "!";
}
}
19
Copyright © 2006 - Aspect Security
) Web Service Attack Names
20
Copyright © 2006 - Aspect Security
) Example XML Attacks
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY a "<element>&b;</element>">
<!ENTITY b "&a;"> ]>
<element>&a;</element>
21
Copyright © 2006 - Aspect Security
) Web Services - Validation Paradox
Solution
) Ideal: Integrate security validation into parsers
) Current: Do your own validation (size, recursion, attacks)
before feeding documents into the parser
22
Copyright © 2006 - Aspect Security
) Web Services - SOAP Faults
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>…full stack trace…</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
23
Copyright © 2006 - Aspect Security
) WebGoat – WSDL Scanning
24
Copyright © 2006 - Aspect Security
) WebGoat – Web Service SQL Injection
25
Copyright © 2006 - Aspect Security
) Security in a Service Oriented World
26
Copyright © 2006 - Aspect Security
) Q&A
QUESTIONS
ANSWERS
27
Copyright © 2006 - Aspect Security