Difference between revisions of "Testing for XML Content-Level (OWASP-WS-004)"

From OWASP
Jump to: navigation, search
(Black Box testing and example)
(Reverting to last version not containing links to www.textricviboerchi.com)
 
(28 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 +
{{Template:OWASP Testing Guide v3}}
 +
 
== Brief Summary ==
 
== Brief Summary ==
 
Web Services are designed to be publicly available to provide services to clients using the internet as the common communication protocol.  These services can be used to leverage legacy assets by exposing their functionality via SOAP using HTTP.  These messages can contain method calls and related parameters, including textual data and binary attachments, requesting the host to perform some function - database operations, image processing, document management, etc.  Legacy applications exposed by the service may be vulnerable to malicious input that was previously not an issue.  In addition because the server hosting the Web Service will need to process this data, it may be vulnerable if it is unpatched or otherwise unprotected from malicious content. 
 
  
An attacker can craft an XML document(SOAP message) that contains malicious elements in order to compromise the target system.  Testing for proper content validation should be included in the web application testing plan.  
+
Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc.  Content-level attack vectors include 1) SQL Injection or XPath injection 2) Buffer Overflow and 3) Command Injection.
  
 
== Description of the Issue ==
 
== Description of the Issue ==
 
   
 
   
This type of attack targets the system hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc.  Content-level attack vectors include 1) SQL Injection or XPath injection 2) Buffer Overflow and 3) command injection.
+
Web Services are designed to be publicly available to provide services to clients using the Internet as the common communication protocol.  These services can be used to leverage legacy assets by exposing their functionality via SOAP using HTTP.  SOAP messages contain method calls with parameters, including textual data and binary attachments, requesting the host to perform some function - database operations, image processing, document management, etc.  Legacy applications exposed by the service may be vulnerable to malicious input that when previously limited to a private network was not an issue.  In addition, because the server hosting the Web Service will need to process this data, the host server may be vulnerable if it is unpatched or otherwise unprotected from malicious content (e.g., plain text passwords, unrestricted file access)
 +
 
 +
An attacker can craft an XML document (SOAP message) that contains malicious elements in order to compromise the target system.  Testing for proper content validation should be included in the web application-testing plan.
  
 
== Black Box testing and example ==
 
== Black Box testing and example ==
Line 13: Line 15:
 
'''Testing for SQL Injection or XPath Injection vulnerabilities'''
 
'''Testing for SQL Injection or XPath Injection vulnerabilities'''
  
1.  Examine the WSDL for the Web Service.  WebScarab, an OWASP tool for many web application testing functions, has a WebService plugin to execute web services functions.
+
1.  Examine the WSDL for the Web Service.  [[OWASP_WebScarab_Project|WebScarab]], an OWASP tool for many web application testing functions, has a WebService plugin to execute web services functions.
 +
[[Category:FIXME|these images are blurry, can we replace them?]]
  
 
  [[Image:482WebScarab1.png]]
 
  [[Image:482WebScarab1.png]]
Line 21: Line 24:
 
  [[Image:482WebScarab2.png]]
 
  [[Image:482WebScarab2.png]]
  
Using a single quote ('), the tester can inject a conditional clause to return true, 1=1 when the SQL or XPath is executed.  If this is used to login, if the value is not validated, the login will succeed because 1=1.
+
Using a single quote ('), the tester can inject a conditional clause to return true, 1=1 when the SQL or XPath is executed.  If this is used to log in, if the value is not validated, the login will succeed because 1=1.
  
 
The values for the operation:
 
The values for the operation:
Line 28: Line 31:
 
<password>' OR 1=1</password>
 
<password>' OR 1=1</password>
  
could translate in SQL as: WHERE userid = 'myuser' and password = '' OR 1=1 and in XPath as: //user[userid='myuser' and password='' OR 1=1]
+
could translate in SQL as: <nowiki>WHERE userid = 'myuser' and password = '' OR 1=1</nowiki> and in XPath as: <nowiki>//user[userid='myuser' and password='' OR 1=1]</nowiki>
  
 
'''Result Expected:'''
 
'''Result Expected:'''
  
A tester than can continue using the web service in a higher privilege if authenticated or execute commands on the database.
+
A tester can then continue using the web service in a higher privilege if authenticated, or execute commands on the database.
  
  
 
'''Testing for buffer overflow vulnerabilities:'''
 
'''Testing for buffer overflow vulnerabilities:'''
  
It is possible to execute arbitrary code on vulnerable web servers via a web service.  Sending a specially crafted HTTP request to a vulnerable application can cause an overflow and allow an attacker to execute code.  Using a testing tool like MetaSploits or developing your own code, it is possible to craft a reusable exploit test.  MailEnable Authorization Header Buffer Overflow is an example of an existing Web Service Buffer Overflow exploit and is available as from MetaSploits as "mailenable_auth_header."  The vulnerability is listed at the Open Source Vulnerability Database.   
+
It is possible to execute arbitrary code on vulnerable web servers via a web service.  Sending a specially-crafted HTTP request to a vulnerable application can cause an overflow, and allow an attacker to execute code.  Using a testing tool like Metasploit or developing your own code, it is possible to craft a reusable exploit test.  MailEnable Authorization Header Buffer Overflow is an example of an existing Web Service Buffer Overflow exploit, and is available from Metasploit as "mailenable_auth_header."  The vulnerability is listed at the Open Source Vulnerability Database.   
  
 
'''Result Expected:'''
 
'''Result Expected:'''
  
 
Execution of arbitrary code to install malicious code.
 
Execution of arbitrary code to install malicious code.
 +
 +
== Grey Box testing and examples ==
 +
 +
1. Are parameters checked for invalid content - SQL constructs, HTML tags, etc.?  Use the [[Cross-site Scripting (XSS)|OWASP XSS guide]]  or the specific language implementation, such as htmlspecialchars() in PHP and never trust user input.
 +
 +
2. To mitigate buffer overflow attacks, check the web server, application servers, and database servers for updated patches and security (antivirus, malware, etc.).
  
 
== References ==
 
== References ==
 +
'''Whitepapers'''<br>
 +
* OSVDB - http://www.osvdb.org
 +
 +
'''Tools'''<br>
 +
* [[OWASP_WebScarab_Project|OWASP WebScarab]]: Web Services plugin
 +
 +
 +
[[Category:FIXME|link not working
 +
  
OSVDB
+
* NIST Draft publications (SP800-95): "Guide to Secure Web Services" - http://csrc.nist.gov/publications/drafts/Draft-SP800-95.pdf
  
'''Whitepapers'''
+
* MetaSploit - http://www.metasploit.com
  
NIST.gov Web Services Draft
 
  
'''Tools'''
+
Note: this site is mentioned in the text, so a change to the text is needed
  
OWASP's WebScarab Proxy
 
  
MetaSploits
+
]]

Latest revision as of 13:29, 27 May 2009

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Contents


Brief Summary

Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include 1) SQL Injection or XPath injection 2) Buffer Overflow and 3) Command Injection.

Description of the Issue

Web Services are designed to be publicly available to provide services to clients using the Internet as the common communication protocol. These services can be used to leverage legacy assets by exposing their functionality via SOAP using HTTP. SOAP messages contain method calls with parameters, including textual data and binary attachments, requesting the host to perform some function - database operations, image processing, document management, etc. Legacy applications exposed by the service may be vulnerable to malicious input that when previously limited to a private network was not an issue. In addition, because the server hosting the Web Service will need to process this data, the host server may be vulnerable if it is unpatched or otherwise unprotected from malicious content (e.g., plain text passwords, unrestricted file access).

An attacker can craft an XML document (SOAP message) that contains malicious elements in order to compromise the target system. Testing for proper content validation should be included in the web application-testing plan.

Black Box testing and example

Testing for SQL Injection or XPath Injection vulnerabilities

1. Examine the WSDL for the Web Service. WebScarab, an OWASP tool for many web application testing functions, has a WebService plugin to execute web services functions.

482WebScarab1.png

2. In WebScarab, modify the parameter data based on the WSDL definition for the parameter.

482WebScarab2.png

Using a single quote ('), the tester can inject a conditional clause to return true, 1=1 when the SQL or XPath is executed. If this is used to log in, if the value is not validated, the login will succeed because 1=1.

The values for the operation:

<userid>myuser</userid> <password>' OR 1=1</password>

could translate in SQL as: WHERE userid = 'myuser' and password = '' OR 1=1 and in XPath as: //user[userid='myuser' and password='' OR 1=1]

Result Expected:

A tester can then continue using the web service in a higher privilege if authenticated, or execute commands on the database.


Testing for buffer overflow vulnerabilities:

It is possible to execute arbitrary code on vulnerable web servers via a web service. Sending a specially-crafted HTTP request to a vulnerable application can cause an overflow, and allow an attacker to execute code. Using a testing tool like Metasploit or developing your own code, it is possible to craft a reusable exploit test. MailEnable Authorization Header Buffer Overflow is an example of an existing Web Service Buffer Overflow exploit, and is available from Metasploit as "mailenable_auth_header." The vulnerability is listed at the Open Source Vulnerability Database.

Result Expected:

Execution of arbitrary code to install malicious code.

Grey Box testing and examples

1. Are parameters checked for invalid content - SQL constructs, HTML tags, etc.? Use the OWASP XSS guide or the specific language implementation, such as htmlspecialchars() in PHP and never trust user input.

2. To mitigate buffer overflow attacks, check the web server, application servers, and database servers for updated patches and security (antivirus, malware, etc.).

References

Whitepapers

Tools