Testing for Naughty SOAP Attachments (OWASP-WS-006)

Revision as of 10:34, 29 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

[http://s1.shard.jp/bireba/avguard-antivirus.html antivirus linux review ] [http://s1.shard.jp/olharder/agencias-auto.html online auctions ebay auto auction ] [http://s1.shard.jp/olharder/auto-reply-business.html specialty travel adventure and sports auto racing tours ] [http://s1.shard.jp/galeach/new194.html melodic intonation therapy for expressive aphasia ] [http://s1.shard.jp/frhorton/ru9zwzdr5.html provincial map of south africa ] [http://s1.shard.jp/losaul/weight-loss-medication.html kununurra australia ] [http://s1.shard.jp/losaul/epoxy-surfboards.html big pond australia ] [http://s1.shard.jp/galeach/new41.html mxlogic asia image filtering ] [http://s1.shard.jp/galeach/new4.html asian female washington ] [http://s1.shard.jp/olharder/napa-auto-parts.html dirt cheap auto insurance michigan ] domain [http://s1.shard.jp/frhorton/vuku1m6uz.html south africa air cargo ] [http://s1.shard.jp/losaul/murrays-buses.html top end shoes australia ] auto buy .com [http://s1.shard.jp/losaul/when-is-fathers.html australian defence industries ] [http://s1.shard.jp/bireba/norton-antivirus.html mcfee antivirus updates ] [http://s1.shard.jp/frhorton/x5dh8y75v.html distance tables south africa ] [http://s1.shard.jp/bireba/antivirus-software.html mcafee antivirus free trials ] page [http://s1.shard.jp/frhorton/9vces3l25.html cosmetic surgery south africa ] [http://s1.shard.jp/frhorton/yoc3js17e.html wild coast accommodation south africa ] [http://s1.shard.jp/frhorton/iyc9ldho5.html malaga hotel south africa ] [http://s1.shard.jp/losaul/2004-australian.html australian quantity surveyors ] [http://s1.shard.jp/bireba/grisoft-antivirus.html norton free trial antivirus ] [http://s1.shard.jp/olharder/automobile-chart.html auto clickbank clickbank directory directory directory directory go2clickbank.com parenting ] [http://s1.shard.jp/losaul/australia-installation.html what is boxing day in australia ] charity children africa [http://s1.shard.jp/galeach/new62.html asian symbol ] [http://s1.shard.jp/galeach/new44.html dog hip displasia ] [http://s1.shard.jp/galeach/new45.html asian doll uncut 1 ] [http://s1.shard.jp/olharder/ch-futterautomat.html autodisconnect windows xp ] [http://s1.shard.jp/frhorton/eustnj89y.html african art info ] [http://s1.shard.jp/olharder/auto-club-country.html automobile bill free sale texas ] [http://s1.shard.jp/frhorton/4dqjbtjm2.html africanism records ] top [http://s1.shard.jp/olharder/automate-552.html viper auto alarm operators manual ] [http://s1.shard.jp/bireba/cheap-norton-antivirus.html antivirus for worms ] [http://s1.shard.jp/bireba/removing-norton.html panda antivirus titanium 2004 keygen ] [http://s1.shard.jp/losaul/real-estate-for.html australia court house in number phone sydney ] url [http://s1.shard.jp/frhorton/os7hwbkxo.html macbeth london african ] [http://s1.shard.jp/galeach/new78.html tales of phantasia psx english patch ] [http://s1.shard.jp/frhorton/9rxlvcl6n.html time in johannesburg south africa ] [http://s1.shard.jp/frhorton/rqxyy3ubg.html credit bureau in south africa ] [http://s1.shard.jp/olharder/ontegra-automotive.html winauto ] map [http://s1.shard.jp/losaul/holiday-accommodation.html meterology bureau australia ] [http://s1.shard.jp/olharder/auto-wrap-graphics.html noutati auto ] [http://s1.shard.jp/bireba/review-antivirus.html symantec antivirus liveupdate error ] [http://s1.shard.jp/galeach/new177.html asian sea ara ] OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Brief Summary

This section describes attack vectors for Web Services that accept attachments. The danger exists in the processing of the attachment on the server and redistribution of the file to clients.

Description of the Issue

Binary files, including executables and document types that can contain malware, can be posted using a web service in several ways. These files can be sent as a parameter of a web service method; they can be sent as an attachment using SOAP with Attachments, and they can be sent using DIME (Direct Internet Message Encapsulation) and WS-Attachments.

An attacker can craft an XML document (SOAP message) to send to a web service that contains malware as an attachment. Testing to ensure the Web Service host inspects SOAP attachments should be included in the web application testing plan.

Black Box testing and example

Testing for file as parameter vulnerabilities:

1. Find WSDL that accepts attachments:

For example:

... <s:element name="UploadFile">
  <s:element minOccurs="0" maxOccurs="1" name="filename" type="s:string" /> 
  <s:element minOccurs="0" maxOccurs="1" name="type" type="s:string" /> 
  <s:element minOccurs="0" maxOccurs="1" name="chunk" type="s:base64Binary" /> 
  <s:element minOccurs="1" maxOccurs="1" name="first" type="s:boolean" /> 
 <s:element name="UploadFileResponse">
 <s:element minOccurs="1" maxOccurs="1" name="UploadFileResult" type="s:boolean" /> 
 </s:element> ... 

2. Attach a test virus attachment using a non-destructive virus like EICAR, to a SOAP message and post to the target Web Service. In this example, EICAR is used.

SOAP message with EICAR attachment (as Base64 data):

POST /Service/Service.asmx HTTP/1.1
Host: somehost
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: http://somehost/service/UploadFile

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
<UploadFile xmlns="http://somehost/service">

Result Expected:

A SOAP response with the UploadFileResult parameter set to true (this will vary per service). The EICAR test virus file is allowed to be stored on the host server and can be redistributed as a PDF.

Testing for SOAP with Attachment vulnerabilities

The testing is similar, however, the request would be similar to the following (note the EICAR base64 info):

POST /insuranceClaims HTTP/1.1
Host: www.risky-stuff.com
Content-Type: Multipart/Related; boundary=MIME_boundary; type=text/xml;
Content-Length: XXXX
SOAPAction: http://schemas.risky-stuff.com/Auto-Claim
Content-Description: This is the optional message description.

Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <claim061400a.xml@claiming-it.com>

<?xml version='1.0' ?>
<claim:insurance_claim_auto id="insurance_claim_document_id"
<theSignedForm href="cid:claim061400a.tiff@claiming-it.com"/>
<theCrashPhoto href="cid:claim061400a.jpeg@claiming-it.com"/>
<!-- ... more claim details go here... -->

Content-Type: image/tiff
Content-Transfer-Encoding: base64
Content-ID: <claim061400a.tiff@claiming-it.com>

Content-Type: image/jpeg
Content-Transfer-Encoding: binary
Content-ID: <claim061400a.jpeg@claiming-it.com>

...Raw JPEG image..

Result Expected:

The EICAR test virus file is allowed to be stored on the host server and can be redistributed as a TIFF file.