Attacking Web Services Security

•BradHillbrad@isecpartners.comToorConSeattle‘07May12,2007AttackingWebServicesSecurityMessageOrientedMadness,XMLWormsandwhySSLstilldoesn’tsuck.AttackingWebServicesSecurityToorConSeattle‘07Welcome.Greatpartylastnight!Thanksforwakingupintimetoseemytalk.AttackingWebServicesSecurityToorConSeattle‘07WhoamI?SeniorSecurityConsultantwithiSECPartnersPreviouslyadeveloperandsecurityexpertinthefinancialservicesandhigh-techsectors.BasedhereinSeattleAttackingWebServicesSecurityToorConSeattle‘07Somebackground…AttackingWebServicesSecurityToorConSeattle‘07TwoyearsagoatBlackHat...ScottStender&AlexStamosofiSECpresent:“AttackingWebServices:TheNextGenerationofVulnerableEnterpriseApps”AttackingWebServicesSecurityToorConSeattle‘07AttacksOldandNewXML,SOAPandUDDIWhytheOWASPTop10stillmatterNewvariantslikeXML,DTDandXPathInjectionComplexityandDenialofServiceattacksagainstXMLapplicationsAttackingWebServicesSecurityToorConSeattle‘07WebServicescanbescaryDiscoverableComplexVulnerableAttackingWebServicesSecurityToorConSeattle‘07MessageReceivedHalfadozenpresentationsandatleastonebookbyothershavefollowed.(repeatingmostlythesamematerial)Scott&Alexwerecarefulnotto…Butfewresistthetemptationtoofferaneasysolution:AttackingWebServicesSecurityToorConSeattle‘07WS-Security(totherescue)IntegrityConfidentialitySecuritytokensOtherhigher-levelprotocolsfrequentlyconsideredtofallunderthisumbrellaaswell.AttackingWebServicesSecurityToorConSeattle‘07HTTPXML,SOAP,WSDL,Schema,WS-Addressing,etc.XMLDigitalSignaturesXMLEncryptionSAMLKerberosX.509SecurityTokenProfilesWS-TrustWS-FederationWS-SecureConversationWS-PolicyWS-SecurityPolicyWS-Security.NetTCPChannel,FastInfoSet,etc.WS-ActuallyGetSomeWorkDoneAttackingWebServicesSecurityToorConSeattle‘07SSLisEverybody’sWhippingBoyTooold,boringandstandardformarketerstosell.WS-Securityhasdozensofnewboxestocheck.Eventhesmartbloggersandpunditsarehatin’IanGrigg(financialcryptography.com)“ThemantraofyoushoulduseSSLisjustplainstupid.”GunnarPeterson(1raindrop.typepad.com)“SSLiswhatisusuallybandiedaboutasasecuritymodelbyRestafarians”Arthur(emergentchaos.com)“leastusefulsecuritytechnologysincetinfoilunderwear”Andthat’salljustinthefirstweekofMay,2007.AttackingWebServicesSecurityToorConSeattle‘07“ConnectionOriented”isOldandBusted“MessageOriented”istheNewHotnessAttackingWebServicesSecurityToorConSeattle‘07IRespectfullyDisagreeSSLprovideswhatisneededformostrealworldWebServicesdeployments.WS-Securityistoocomplex,tooerrorproneandhastoomuchattacksurface.Apleaforsecuritysanityandsimplicity.AttackingWebServicesSecurityToorConSeattle‘07SometerminologyWSSE==WS-SecurityWhenIsaySSL,ImeanSSLv3andTLS10yearsofhabit.EverybodyknowsSSL.TLSsoundslikeacableTVnetworkoradisease.AndImeanwithclientcertificateauth.AttackingWebServicesSecurityToorConSeattle‘07RealityofSecureWebServicesAlmostnobodyisdeployingthemtopublicaudiences.Almostnobodyisdeployingnon-WSSEWebServicestowidepublicaudiences.WebSSOsystemsarethepseudo-exceptionManypublicusersStillonlyahandfuloftrustedWSSE-awareendpointsAttackingWebServicesSecurityToorConSeattle‘07Wherearetheyreally?UsedinternallyforSOAenterprisemessagebuses.AndtoexposeafewB2Bendpointstoafewtrustedcustomers.Standardinterface,goesthroughfirewalls.B2BVPNsaretoomuchofahassle.AttackingWebServicesSecurityToorConSeattle‘07ThreatRealitiesBusinessesplacealotoftrustintheirpartners.ITriskmanagementisrolledupwithotherfraud,errorsandomissionsandmanagedwithcontracts,auditandlawyers.Stillneedtobuildrobustapplications,butattacksatthebusinesslogiclayer(SQLinjection,etc)arenotthebiggestconcern.AttackingWebServicesSecurityToorConSeattle‘07ExcludetheAnonymousAttackerThebiggestthreatforWebServiceendpointsexposedtothepublicInternetistheanonymousattacker.Thesecuritytechnologyyouwantshouldauthenticateyourgenuineusersandexcludeeveryoneelseasthoroughlyandefficientlyaspossible.AttackingWebServicesSecurityToorConSeattle‘07Whymessageorientedsecuritysucks.AttackingWebServicesSecurityToorConSeattle‘07Reason1:AttackSurfaceTomakeasecuritydecisionaboutamessage,youneedtohaveamessage!Gettingamessageisnotfree.GettingaWS-*messageissuperextranotfree.AttackingWebServicesSecurityToorConSeattle‘07HTTPXML,SOAP,WSDL,Schema,WS-Addressing,etc.XMLDigitalSignaturesXMLEncryptionSAMLKerberosX.509SecurityTokenProfilesWS-TrustWS-FederationWS-SecureConversationWS-PolicyWS-SecurityPolicyWS-Security.NetTCPChannel,FastInfoSet,etc.WS-ActuallyGetSomeWorkDoneSSLAttackingWebServicesSecurityToorConSeattle‘07SSLSSLAnonymousAttackSurfaceAttackingWebServicesSecurityToorConSeattle‘07HTTPXML,SOAP,WSDL,Schema,WS-Addressing,etc.XMLDigitalSignaturesXMLEncryptionSAMLKerberosX.509SecurityTokenProfilesWS-TrustWS-FederationWS-SecureConversationWS-PolicyWS-SecurityPolicyWS-Security.NetTCPChannel,FastInfoSet,etc.WS-SecurityAnonAttackSurfaceAttackingWebServicesSecurityToorConSeattle‘07HTTPXML,SOAP,WSDL,Schema,WS-Addressing,etc.XMLDigitalSignaturesXMLEncryptionSAMLKerberosX.509SecurityTokenProfilesWS-Security.NetTCPChannel,