[WEB SECURITY] Web Service Security

Mario Robles whitehatcr at gmail.com
Wed Nov 20 19:47:26 EST 2013


I've found that chaining SoapUI with burp suite as it's proxy helps a lot
during WS testing

IBM Appscan have a tool for testing WS as well

Cheers,

Mario

El 20/11/2013, a las 05:26 p.m., Pawel Krawczyk <pawel.krawczyk at hush.com>
escribió:

Fully subscribe to Brett’s comment.

Web services are very sensitive to a specific standard and implementation.
One family is SOAP, which is multilayer protocol so even a simple service
looks very complex. This is why there are no “point-and-click” SOAP
security scanners - each scanner is actually a client for specific service
and needs to be implemented from scratch. If you have WSDL, it’s quite
easy. You can code it in Java, .NET, Python or SoapUI. One of the
commercial scanners also has a built-in SOAP client, similar to SoapUI (I
don’t remember which - IBM AppScan or HP WebInspect).

At the end of the day you actually get a fuzzer and what you’re looking for
are all kind of standard issues - unhandled exceptions, error messages etc.
The good side is that SOAP programmes rarely sanitise their error messages
in a fully justified belief that no normal human will look at these
responses :)

It’s more challenging if the service uses advanced features such as digital
signature or encryption, because as far as I’ve seen this domain can be not
fully standardised. If you get there, you’ll practically need to
reimplement the service’s client. And you might find out that there’s no
good library for that in your favourite programming language, or there’s no
library apart from one delivered by a vendor. Welcome to the murky world of
proprietary business protocols… For Java there’s a book that helped me a
lot with understanding the SOAP world  - “Building web services with Java” (
http://amzn.to/1auRwqA)

A separate class of applications using web services are client-facing apps
with most of the presentation logic implemented in JavaScript (e.g.
AngularJS) and just pulling data from the server over AJAX or REST. I like
them because it’s easy to draw a trust boundary, the HTTP communications
are easy to read and the APIs are also rather simple and clear to
understand. Most of the manual testing tools such as BurpSuite will handle
them pretty well.

Typical issues you’ll find in headless web services alone will be related
to SQL, broken authentication and access controls. In case of modern AJAX
apps, you’ll actually need to look at two sides: one is the web service,
the other is the presentation layer. DOM-based XSS is prevalent here, but
if you properly tested the API, you can be pretty confident that you’ll not
get a data breach as all data goes through the API. Which is also a
wonderful situation from secure coding perspective - e.g. in Spring (Java)
the API definitions can be stored in single place, which makes code review
and possible fixes much easier.


On 20 Nov 2013, at 21:56, Brett Knuth <brett.knuth at healthdirect.org.au>
wrote:

For what it’s worth ……

We always take a risk based approach and map the possible threats to the
web app depending on its specific components
Build an attack tree or a threat table XLS, an example below
*Injection*
SQL Injection
Web logs/application logs
HTTP request (GET/POST request, source IP, UserAgent, referrer, date/time)



Once documented and risk assessed we then vulnerability and pen test,
remediating the most critical risk assessed

*Brett Knuth*
Security Manager

*P.* xxxxxxxxxxx  *M.* 0402 891 533 *F.* 02 9283 9180
*MAIL.* Suite 3, Level 19, 133 Castlereagh St Sydney NSW 2000
*E. *brett.knuth at healthdirect.org.au
<image002.jpg>

*Please consider the environment before printing this email*

Important notice: This message and any attachments are confidential and may
contain legally privileged or copyright material. Any confidentiality or
privilege is not intended to be waived or lost by mistaken delivery to you.
If you are not the intended recipient, any unauthorised use is strictly
prohibited. If you have received this email in error, please notify us and
destroy the original transmission and any copies. It is your responsibility
to check any attachments for viruses and defects before opening them or
sending them on.


*From:* websecurity
[mailto:websecurity-bounces at lists.webappsec.org<websecurity-bounces at lists.webappsec.org>
] *On Behalf Of *Seth Art
*Sent:* Thursday, 21 November 2013 6:44 AM
*To:* Info Sec
*Cc:* websecurity at lists.webappsec.org
*Subject:* Re: [WEB SECURITY] Web Service Security

Info Sec,

That is a hard question to answer.  There are different types of Web
Services, each type has multiple implimenations, and each implimetnation
allows for different configuration options.

The security testing is different depending on type, the implimentation,
and the configuration of each web service.

For a high level overview of Web Service Security, I have found the
following document helpful:
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Some tools that you can use to test web services are:

Any web proxy (Burp Suite, Fiddler, ZAP, etc) - For all web services
SoapUI - for SOAP based web services where you have access to the WSDL
Oyedata - For RESTful web services that use OData

Good luck.  Hopefully someone else on the list can provide more
information.

-Seth



On Tue, Nov 19, 2013 at 6:51 AM, Info Sec <infosecm at gmail.com> wrote:
Hi !,

I'm looking for resources help me to identify web service security issues,
and how to fix them.

I just found OWASP Web Service Security Cheat Sheet talking about this
matter.
I know that web service security issues is very similar to web
applications, but there is always something you unaware of.


OWASP Web Service Security Cheat Sheet:
https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet


Regards,



_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



-- 
Pawel Krawczyk
pawel.krawczyk at hush.com +44 7462 166716
CISSP, OWASP



_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20131120/9a5ef1dd/attachment-0003.html>


More information about the websecurity mailing list