Difference between revisions of "Testing for WS Replay (OWASP-WS-007)"

From OWASP
Revision as of 23:42, 4 November 2006


Brief Summary

A replay attack is a "man-in-the-middle" type of attack in which a message is intercepted and later resent by an attacker to impersonate the original sender. For web services, as with other kinds of HTTP traffic, a sniffer such as Ethereal or AirSniff can capture a request posted to a web service, and with a tool like WebScarab a tester can resend that request to the target server. An attacker can resend the original message unchanged or modify it in order to compromise the host server.


Description of the Issue

This section describes how to test a web service for replay vulnerabilities. The threat of a replay attack is that the attacker can assume the identity of a valid user and carry out some nefarious act without detection.


Black Box testing and example

Testing for Replay Attack vulnerabilities:

1. Using Ethereal on a network, sniff traffic and filter for web service traffic.

<image> <ethereal packet example>

2. Using the packets captured by Ethereal, use WebScarab to initiate the replay attack by reposting the packet. It may be necessary to capture many packets over time to determine session ID patterns in order to assume a valid session ID for the replay attack.

<proof of impersonation>

Result Expected:

The tester can assume the identity of the attacker.

Gray Box testing and example

Testing for Replay Attack vulnerabilities

1. Does the web service employ some means of preventing the replay attack, such as pseudo-random session tokens, nonces with MAC addresses, or timestamping?

<code example>
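The following is an added illustration, not code from the OWASP guide or from WebScarab, of what the gray-box reviewer is looking for in step 1. It contrasts a naive service that accepts any request carrying a valid session token (so a captured request replays indefinitely) with a guarded one that requires a fresh timestamp, a single-use nonce and an HMAC over both plus the body. "MAC" is read here as message authentication code; the key, the clock, the session ID and the SOAP-like body are constructed values for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# --- Naive service: checks only that the session cookie is known. ---------
# A request captured on the wire can be reposted as often as the attacker
# likes, because nothing in the request distinguishes the first send from
# the replay. (Constructed session store for the demo.)
VALID_SESSIONS = {"sess-constructed-abc123"}


def naive_accepts(session_id, body):
    """Return True if the service would process this request."""
    return session_id in VALID_SESSIONS


# --- Guarded service: timestamp + nonce + HMAC -----------------------------
class ReplayGuard:
    """Server-side replay check for a signed web service message.

    Each request carries (timestamp, nonce, HMAC-SHA256 over
    timestamp|nonce|body). The server rejects a request whose MAC does
    not verify, whose timestamp is outside the freshness window, or whose
    nonce has already been seen inside that window.
    """

    def __init__(self, key, max_skew=300, now=time.time):
        self._key = key              # shared secret; constructed for the demo
        self._max_skew = max_skew    # seconds of clock skew tolerated
        self._now = now              # injectable clock for deterministic tests
        self._seen = {}              # nonce -> time at which it may be forgotten

    def sign(self, body, nonce, ts):
        msg = f"{ts}|{nonce}|".encode() + body
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _evict(self):
        now = self._now()
        for n in [n for n, exp in self._seen.items() if exp < now]:
            del self._seen[n]

    def verify(self, body, nonce, ts, mac):
        """Return (accepted, reason)."""
        self._evict()
        # 1. Authenticity first: an attacker who changes the body, nonce or
        #    timestamp cannot produce a matching MAC without the key.
        if not hmac.compare_digest(self.sign(body, nonce, ts), mac):
            return False, "bad_mac"
        # 2. Freshness: a captured request becomes useless once the window passes.
        if abs(self._now() - ts) > self._max_skew:
            return False, "stale_timestamp"
        # 3. Uniqueness: the same nonce inside the window is a replay.
        if nonce in self._seen:
            return False, "replayed_nonce"
        self._seen[nonce] = ts + self._max_skew
        return True, "ok"


def demo():
    """Run the two services against a captured request and its replays."""
    clock = [1_000_000]  # constructed fixed clock so the run is deterministic
    body = b"<transfer><to>acct-42</to><amount>100</amount></transfer>"

    # Naive service: the replayed request is accepted exactly like the first.
    first = naive_accepts("sess-constructed-abc123", body)
    replay = naive_accepts("sess-constructed-abc123", body)

    guard = ReplayGuard(b"constructed-demo-key", max_skew=300, now=lambda: clock[0])
    nonce = secrets.token_hex(16)
    ts = clock[0]
    mac = guard.sign(body, nonce, ts)

    outcomes = []
    outcomes.append(guard.verify(body, nonce, ts, mac)[1])          # ok
    outcomes.append(guard.verify(body, nonce, ts, mac)[1])          # replayed_nonce
    tampered = body.replace(b"100", b"9999")
    outcomes.append(guard.verify(tampered, nonce, ts, mac)[1])      # bad_mac
    clock[0] += 600                                                 # window has passed
    nonce2 = secrets.token_hex(16)
    mac2 = guard.sign(body, nonce2, ts)                             # old timestamp, fresh nonce
    outcomes.append(guard.verify(body, nonce2, ts, mac2)[1])        # stale_timestamp

    return {"naive_replay_accepted": first and replay, "guarded": outcomes}


if __name__ == "__main__":
    print(demo())
```

In a review, the tester confirms that the service's handler performs all three checks in this order and that the nonce store is shared across server instances; a nonce cache held per process lets a replay succeed against a different node behind the same load balancer.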

2. Can the site employ SSL? This will prevent unauthorized attempts to replay messages.

References

W3C Web Services Architecture (http://www.w3.org/TR/ws-arch/)

Tools

EICAR (http://www.eicar.org/anti_virus_test_file.htm)

WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)