
XML & Web Services Threats & Countermeasures Mamoon Yunus, CTO



  1. XML & Web Services Threats & Countermeasures
  Mamoon Yunus, CTO

  2. Agenda
  • XML Web Services Threat and Trust
  • Popular Trust Use-cases
  • Popular Threat Scenarios
  • Forum Systems Integration with TAM
  • Forum Systems – TAM – IBM MQ Series
  • Q&A

  3. Popular Web Services Security Policies: Trust and Threat Policies
  (Two columns: Trust Management and Threat Management)
  • Message Integrity – Sign & Verify
  • Message Privacy – Encrypt & Decrypt
  • Identity Management
  • Filter all SOAP/XML Messages for Threats/Information Leak
  • Attack Prevention – Denial of Service
  • Web Services Authentication and Access Control
  • Interoperability – WS-I BP

  4. Web Services Security Gateway: Management & Acceleration of XML Web Services
  • Sign, Verify, Encrypt, Decrypt, Validate, Transform XML messages
  • Support HTTP(S) to JMS gateway functionality – protocol mixing
  • Accelerated SSL connections
  • Content based routing
  • Message authentication via Single Sign-On (SSO) tokens: CA/Netegrity, IBM Tivoli, Oblix COREid, RSA ClearTrust
  • Certification of Appliance
  [Diagram: Web Services Security Management – Internet, XML/SOAP, Protected Web Services and Content]

  5. Web Services Security Gateway: Management & Acceleration of XML Web Services
  • Message-Queue Integration
  • Tibco Rendezvous
  • Tibco EMS (Tibco's JMS Product)
  • IBM MQ (via JMS)
  • JMS compliant implementation, e.g. Sonic
  • Government Certifications
  • JITC DoD PKI Certification
  • FIPS 140-2 Level III Hardware Security Module
  • FIPS Certification of Appliance
  • EAL4+ Common Criteria Certification of Appliance
  [Diagram: Web Services Security Management – Internet, XML/SOAP, Protected Web Services and Content]

  6. Popular Trust Policies – Signatures
  • Sign all out-bound documents
  • Optionally sign inbound documents before archiving
  • E-Notary Service
  • Shared Signature Service
  • SOAP with Attachments Signatures (DIME & MIME)

  7. Popular Trust Policies – Identity
  • Protocol-based Identity
  • Message-based Identity
  • Identity Transformation
  • HTTP(S) – SAML
  • Kerberos – SAML
  • Identity Management
  • LDAP
  • IBM Tivoli, CA/Netegrity SiteMinder

  8. Web Services Firewall: Admission Control & Threat Protection
  • XML Web services Authentication and Access Control
  • XML Schema Validation and XML Intrusion Prevention
  • Standards Support – WS-I, WS-Security
  • Attack Prevention – Denial of Service, Virus, Probe & Extract, XML/XSD Schema & WSDL Breaches
  • WSDL Aggregation and Obfuscation
  [Diagram: Web Services Security Management – Internet, XML/SOAP, Protected Web Services and Content]

  9. Introduction to Web Services Threats
  • Legacy attacks have focused on disruption
  • DoS, DDoS, or buffer overflow type exploits
  • Primitive techniques: brute force port scanning
  • Web Services offer a new “vector of attack” for information disruption & theft
  • Modern techniques: wealth of information in WSDL files
  • Operation names
  • Ports
  • Data types
  • Undetected information theft is more $lucrative$ than detected service disruption
  • SQL Injection over the Web Services channel
  • Viruses, spyware & malicious code over the Web Services channel
  • Legacy firewalls are blind to XML – specialized WS firewalls are required
  • Ports 443 & 80 let HTTP traffic right through

  10. Top 10 Vulnerabilities
  • SwA – with Malicious Attachments
  • SQL Injection
  • Large Buffer Attack
  • Parameter Tampering
  • Coercive Parsing
  • Recursive Payloads
  • WSDL Scanning
  • Schema Poisoning
  • External Entity Attacks
  • SOAP Routing Detours

  11. Test Setup
  [Diagram: Database, localhost:9090, Client, Web Service Application]
  • POInfo.mdb
  • Mime-echo.asmx
  • StringService.asmx
  • MathService.asmx
  • PurchaseOrderInfo.asmx

  12. 1. Sample Threat: Virus Attack via SwA
  [Diagram: HTTP Header, SOAP Message, Malicious Attachment]

  13. 1. Sample Threat: Virus Attack – Countermeasure Policies
  • Need to decrypt before scanning
  • SSL termination required AND SwA decryption required
  • Block offending client IP addresses and users
  • Set up alerts for notifying the administrator
  • Automatically THROTTLE or BLOCK SOAP traffic from IP addresses and/or users

  14. 2. SQL Injection: PurchaseOrderInfo – GetPurchaseOrders Operation
  • SOAP Request: uid="bob" and password="bob"
  • SOAP Response:
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <GetPurchaseOrdersResponse xmlns="http://tempuri.org/">
          <GetPurchaseOrdersResult>
            <PurchaseOrderInformation>
              <po>1000</po>
              <name>XYZ Corp</name>
              <address>123 AnyStreet</address>
              <city>Anytown</city>
              <state>MA</state>
              <zipcode>10267</zipcode>
              <country>US</country>
              <amount>$243,253.98</amount>
              <salesRepID>bob</salesRepID>
            </PurchaseOrderInformation>
          </GetPurchaseOrdersResult>
        </GetPurchaseOrdersResponse>
      </soap:Body>
    </soap:Envelope>

  15. 2. SQL Injection: Force & Analyze Faults
  • SOAP Request: uid=' and password=
  • SOAP Response: SOAP Fault
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <soap:Fault>
          <faultcode>soap:Server</faultcode>
          <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.OleDb.OleDbException: Syntax error in string in query expression 'SalesRepID = ''' AND password = '''.
            at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
            at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
            at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
            at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
            at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
            at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
            at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader()
            at PurchaseOrderInfo.PurchaseOrderDBAccess.VerifyAuthentication(String uid, String password)
            at PurchaseOrderInfo.PurchaseOrderDBAccess.GetPurchaseOrders(String uid, String password)
            at PurchaseOrderInfo.PurchaseOrderInfo.GetPurchaseOrders(String uid, String password)
            --- End of inner exception stack trace ---</faultstring>
          <detail />
        </soap:Fault>
      </soap:Body>
    </soap:Envelope>
  • Information revealed by the fault:
  • .NET is being used
  • 2 classes: PurchaseOrderInfo and PurchaseOrderDBAccess
  • VerifyAuthentication method
  • SQL hints: 'SalesRepID=''' AND password='''

  16. 2. SQL Injection Attack
  • SELECT * FROM <sometable> WHERE SalesRepID='' or ''=' AND password='' or ''=''
  • ''='' is always true
  • SOAP Request:
  • uid: ' or ''='
  • password: ' or ''='
  [Diagram: SOAP Request, SOAP Response – SQL Injected]

  17. 2. SQL Injection Attack: Countermeasures
  • Suppress stack traces within SOAP Faults
  • Filter response processing through the WS Firewall
  • Stealth Mode – consider suppressing SOAP Faults at runtime
  • Character Control
  • Limit parameters to alpha-numeric
  • Allow only RegEx [a-zA-Z0-9]*
  • Block characters & keywords
  • Disallow Characters RegEx: [\<\>\"\'\%\;\)\(\&\+]
  • Disallow Keywords RegEx: select, insert, drop, exec(\s|\+)+(s|x)p\w+
  • Restrict data and information leaks through tight response processing
  • Restrict SOAP Response Message Size
  • Restrict SOAP Response Message Elements
  • Block offending client IP addresses and users
  • Set up alerts for notifying administrators
  • Automatically THROTTLE OR BLOCK SOAP traffic from IP addresses and/or users
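The injection on slides 14 to 16 and the character-control filters on slide 17, as an added Python example that is not from the presentation or any Forum Systems product: the concatenated query mirrors the expression the fault on slide 15 reveals, the parameterised query is the application-side fix, and the three regexes are the slide-17 inbound filters applied to a SOAP parameter before it reaches the service. The sqlite3 in-memory table SalesReps stands in for POInfo.mdb and its column names are assumptions; the keyword alternation is the slide's comma-separated list joined with `|` and made case-insensitive.

```python
import re
import sqlite3

# Constructed stand-in for POInfo.mdb (table and column names are assumptions;
# only SalesRepID and password appear in the fault on slide 15).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE SalesReps (SalesRepID TEXT, password TEXT)")
CONN.execute("INSERT INTO SalesReps VALUES ('bob', 'bob')")


def verify_authentication_vulnerable(uid, password):
    """Builds the WHERE clause by string concatenation, the construction the
    slide-15 fault exposes. Returns True when any row matches."""
    sql = ("SELECT * FROM SalesReps WHERE SalesRepID = '" + uid
           + "' AND password = '" + password + "'")
    return CONN.execute(sql).fetchone() is not None


def verify_authentication_hardened(uid, password):
    """Parameterised query: the values are bound, never spliced into SQL."""
    sql = "SELECT * FROM SalesReps WHERE SalesRepID = ? AND password = ?"
    return CONN.execute(sql, (uid, password)).fetchone() is not None


# Slide-17 character control, as a WS firewall would apply it to each parameter.
ALLOWED = re.compile(r"[a-zA-Z0-9]*")                  # whitelist: alpha-numeric only
DISALLOWED_CHARS = re.compile(r"[\<\>\"\'\%\;\)\(\&\+]")
DISALLOWED_KEYWORDS = re.compile(
    r"select|insert|drop|exec(\s|\+)+(s|x)p\w+", re.IGNORECASE)


def ws_firewall_admits(value):
    """True only if the parameter passes all three slide-17 filters.
    The keyword filter still matters on its own: 'select' is alpha-numeric."""
    if ALLOWED.fullmatch(value) is None:
        return False
    if DISALLOWED_CHARS.search(value):
        return False
    if DISALLOWED_KEYWORDS.search(value):
        return False
    return True
```

The vulnerable function accepts the slide-16 input for both parameters because the trailing ''='' makes the predicate true for every row; the parameterised one compares the literal string and rejects it.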

  18. 3. Large Buffer DoS: StringService – Echo & Reverse Operations
  [Charts: Echo, Reverse]
  • Echo Request: s = random BUFFER (10KB – 100KB)
  • All responses are successful
  • Response time approximately linear, ranging from 3.2 ms to 48 ms
  • Chewing memory and CPU cycles
  • Reverse Request: s = random BUFFER (10KB – 100KB)
  • Only the first 4 requests succeed; all others TIMEOUT
  • Response time pegged at ~10,000 ms
  • Chewing CPU cycles heavily as well as memory
  Significant DoS exposure

  19. 3. Large Buffer DoS – Countermeasures
  • Define & enforce data type limits
  • Schema tightening through the WS Firewall
  • Restrict overall data size
  • Message size tightening through the WS Firewall
  • Block offending client IP addresses and users
  • Set up alerts for notifying administrators
  • Automatically THROTTLE OR BLOCK SOAP traffic from IP addresses and/or users

  20. 4. Parameter Tampering: MathService – Divide Operation
  • Divide Request: a = 1 to 10,000,000,000; b = 7
  • All but the last responses are SUCCESSFUL
  • Avg 1.87 ms
  • Overflow happened for value > 2,147,483,647
  • Response time for the overflow data point: 46.50 ms
  • Divide Request: a = RANDOM BUFFER 10K–100K; b = 7
  • All responses FAIL
  • Min 6.9 ms
  • Max 46.90 ms
  • Avg 23.42 ms
  ~2400% increase in response time for the overflow value
  DoS through Data Type Tampering

  21. 4. Parameter Tampering – Countermeasures
  • Control SOAP Responses – information leak
  • Filter response processing through the WS Firewall
  • Stealth Mode – consider suppressing SOAP Faults at runtime
  • Prevent invalid data from reaching target servers
  • Schema tightening through WS Firewalls
  • Block offending client IP addresses and users
  • Set up alerts for notifying administrators
  • Automatically THROTTLE OR BLOCK SOAP traffic from IP addresses and/or users
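Schema and message-size tightening from slides 19 and 21, as an added Python example that is not from the presentation or Forum Systems' product: an admission check a WS firewall could run on the Echo, Reverse and Divide requests before they reach the test services, rejecting oversized messages, over-long strings and values outside the int32 range that slide 20 shows overflowing. The policy values (4096-byte message cap, 256-character string cap), the http://tempuri.org/ operation namespace and the constructed requests are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"   # namespace seen in the page's SOAP responses
INT32_MIN, INT32_MAX = -2_147_483_648, 2_147_483_647   # overflow point on slide 20
# Assumed policy a WS firewall would enforce (limits chosen for this example):
POLICY = {
    "MAX_MESSAGE_BYTES": 4096,                            # message size tightening
    "Echo": {"s": ("string", 256)},                       # string length tightening
    "Reverse": {"s": ("string", 256)},
    "Divide": {"a": ("int", None), "b": ("int", None)},   # data type tightening
}


def admit(raw):
    """Return (True, 'ok') if the SOAP request (bytes) satisfies POLICY,
    else (False, reason) so the request never reaches the target server."""
    if len(raw) > POLICY["MAX_MESSAGE_BYTES"]:
        return False, "message size exceeds limit"
    try:
        body = ET.fromstring(raw).find("{%s}Body" % SOAP_NS)
    except ET.ParseError:
        return False, "malformed XML"
    if body is None or len(body) != 1:
        return False, "expected exactly one operation element"
    name = body[0].tag.split("}")[-1]            # strip the namespace
    rules = POLICY.get(name)
    if rules is None:
        return False, "operation %s not allowed" % name
    for param in body[0]:
        pname = param.tag.split("}")[-1]
        if pname not in rules:
            return False, "unexpected parameter %s" % pname
        kind, limit = rules[pname]
        text = param.text or ""
        if kind == "string" and len(text) > limit:
            return False, "%s exceeds %d characters" % (pname, limit)
        if kind == "int":
            try:
                value = int(text)
            except ValueError:
                return False, "%s is not an integer" % pname
            if not INT32_MIN <= value <= INT32_MAX:
                return False, "%s outside int32 range" % pname
    return True, "ok"


def soap(op, **params):
    """Constructed SOAP 1.1 request like those sent to the test services."""
    inner = "".join("<%s>%s</%s>" % (k, v, k) for k, v in params.items())
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body><%s xmlns="%s">%s</%s>'
            '</soap:Body></soap:Envelope>' % (SOAP_NS, op, SVC_NS, inner, op)).encode()
```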

  22. Best Practices for Countermeasures
  Information Control – Inbound
  • Tighten payloads
  • Tighten string lengths
  • Disallow SQL, viruses, malicious code
  Information Control – Outbound
  • Restrict SOAP Faults – stack traces are dangerous
  • Sensitive information – credit cards, SSNs
  Deploy a Web Services Firewall
  • Forum Systems XWall
  • NetContinuum
  • MSFT ISA 2004 with XWall
  • Network Engines
  • Oracle/Oblix

  23. Requirements for Countermeasures
  • Securing Web Services requires secure Web Service Firewalls
  • FIPS 140-2 Level II
  • Common Criteria EAL 4+
  • Flexible
  • Hardware and software for wide coverage
  • OEM-ed/integrated into other products
  • NetContinuum
  • MSFT ISA 2004 Firewall
  • Oblix/Oracle
  • Network Engines
  • Performance & Scalability
  • 64-bit platform
  • Multi-thousand TPS for security operations
  • Security pure-play – XWALL

  24. FS-Sentry/XWall – IBM TAM Integration
  • Integrated & certified with TAM 5.1
  • Integrated via WebSEAL Junction
  • Protects URIs
  • Native load-balancing
  • HTTP & HTTPS support for WebSEAL
  • HTTP – PD-H-SESSION-ID
  • HTTPS – PD-S-SESSION-ID
  • Sentry/XWALL can consume previously acquired WebSEAL sessions
  [Diagram: LDAP, TAM, Protected HTTP Resource, Protected HTTPS Resource, WebSEAL, Unprotected HTTP(S) Client, FS, IBM MQSeries]

  25. FS-Sentry/XWall – WebSEAL

  26. FS-Sentry/XWall – IBM TAM Integration

  27. Mamoon Yunus, CTO
  Tel: (781)-788-4205
  Email: myunus@forumsys.com
  • IBM TAM
  • IBM MQ Series
  • IBM DB2
  • AIX P5 eBlade
