Wednesday, June 29, 2005

JavaOne: Web Services Security Attacks in Action

Notes from JavaOne 2005...

Rich Salz, DataPower

  • Syntactic attack - a generic XML attack
  • Semantic attack - leveraging the sturcture and processing rules of SOAP, WS-* or the payload
XML attacks tend to be asymmetric (small request leads to lots of server-side processing).

Simple syntactic attacks: Simple overflows - huge XML (size, depth, width), huge element name, huge attribute name, big number of namespaces, huge number of attributes, huge text. Sending random input, not XML

DTD syntax attacks: XXE: XML external entity. Entity expansion can get big. Really big DTDs.

Simple semantic attacks: Really big schema, really big stylesheet, XSLT in general (xml-stylesheet PI, document() calls). Remember, XSLT is a programming language, so treat it as code, not data.

Semantic attack: discovery. Goal - expose only what's neccessary. SOAP says intermediary identifies itself, creating faults is like ICMP probing, coupled with HTTP headers can expose more about your infrastructure than you'd like. Service discovery might be an information leak.

Semantic attack: distributed ID monte, aka "brown bag attack". Policy says message body must be signed. Signature reference uses URI=#body to point to the body. Attacker moves body into a SOAP header, adds new SOAP body. Makes it possible to misinterpret what actually got signed.

Semantic attack: Crypto isn't cheap. Most WS-Security stacks will verify everything. Attacker inserts bogus signatures on valid data or valid signatures on bogus data.

Semantic attack: WS-addressing. Loosely coupled means there are gaps for an attacker to slip in. Weak spot - WSA endpoint references (arbitrary XML that client promotes into SOAP header). Three parties are now involved - server could provide callback data, WSA services could provide metadata, client might add data, now have to trust DNS even more. Raises susceptibility to data interception, replacement, override.

Defenses: Defense in depth - different languages, architectures, libraries; Require strongest feasible protection; Identify those sending you data ASAP; Consider XML-aware network devices.

Summary: Web services means folks send you data. XML can be complicated and resource-intensive. Multiple layers means multiple attack points. Multiple lines of defense. It's only a matter of time before attacks against web services start to emerge.

No comments: