Web Services Security

Dark_Knight
Sr. Member
Posts: 294
Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Sep 01, 2009 7:00 pm

Web Services Security

Ok guys I need your help here. How would you go about securing and 'hacking' web services? What if the web services in question are exposed to the web and contain some important business logic?

Is it a good idea to place important business logic in a public facing web service? If no what would you recommend?

Looking forward to the responses.

Thanks,
DK
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
UNIX
Hero Member
Posts: 1244
Joined: Mon Apr 28, 2008 9:20 am

Post Wed Sep 02, 2009 1:03 am

Re: Web Services Security

Can you give more details about the web services which are running and the general setup?

I am not completely sure what you mean by business logic, but generally I'd say that no sensitive data, or generally any data which is not meant for the public, should be stored on a webserver, even if it is not directly accessible or visible.

If you have some time to spend I would recommend the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.
Besides the mentioned book, this whitepaper from NIST (National Institute of Standards and Technology) might interest you too.
Laz3r

Post Wed Sep 02, 2009 2:14 am

Re: Web Services Security

I'm far from knowledgeable on the subject, but I agree with awesec that a little more detail would be helpful. Web services can be a pretty muddy word.

I also agree that if the information isn't meant for the public, it shouldn't be on public-facing machines. Where to put this data would really depend on what it is and who needs to see it. There are definitely a few different options that would be tailored to the specific situation. Keeping sensitive data in the least number of hands possible is the best option.
Jhaddix
Sr. Member
Posts: 317
Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Sep 02, 2009 8:48 am

Re: Web Services Security

For a web app I usually start with DirBuster and Grendel-Scan, then follow up with manual testing...
Dark_Knight
Sr. Member
Posts: 294
Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Sep 02, 2009 7:37 pm

Re: Web Services Security

Thanks for all the responses. The idea is to have say several clients accessing a public facing web application hosted by a third party. The application will need to access resources locally. So the service there will connect to a local service exposing the methods required to access the data.

So the client would access the web application, which would then access a web service (on the third-party host), which would then access the local service. Almost like a web service chain. Get the idea?

What is wrong with that setup? How else would you go about it?

UNIX wrote:
If you have some time to spend I would recommend the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.
Besides the mentioned book, this whitepaper from NIST (National Institute of Standards and Technology) might interest you too.

Thanks for that NIST link. I also have the WebHacker's Handbook.

When I spoke about testing web services I was thinking more along the lines of using tools like the Netsquare wsChess suite etc.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
enzo
Newbie
Posts: 15
Joined: Mon Aug 31, 2009 8:10 am

Post Thu Sep 03, 2009 3:58 am

Re: Web Services Security

w3af - the Web Application Attack and Audit Framework. It takes a bit of fiddling to set up; refer to the user manual for the install instructions. Once you have it up and running you can just target the site and tell it to grep and mangle etc. Any holes, it'll find them and cough them up in a report. I tried it out and found it finds disclosed as well as undisclosed vulnerabilities. On one site I was asked to test I found that even though they were using VERISIGN certificates the site still coughed out credit card details. That made them go back to the drawing board.

It also comes with a Fuzzer which seems to be handy... :D

http://w3af.sourceforge.net/

w3af provides plugin writers with these features:

urllib2 wrapper
   In order to send requests to the remote server w3af uses urllib2. The xUrllib module of w3af is a wrapper of urllib2 to make the plugin writer's life easier; using this wrapper a plugin writer can forget about proxies, proxy auth, basic/digest auth, etc. This is the complete list of features provided by xUrllib:

        - Proxy
        - Proxy auth ( basic and digest )
        - Site auth ( basic and digest )
        - Gracefully handle timeouts
        - UserAgent faking
        - Add custom headers to requests
        - Cookie handling
        - Local cache for GET and HEAD requests
        - Local DNS cache, this will speed up scanning. Only one request is made to the DNS server
        - Keep-alive support for http and https connections
        - File upload using multipart POST requests
        - SSL certificate support

Output Management
   w3af provides plugin writers with an abstraction layer for data output using the Output Manager. The output manager can also be extended using plugins and can be used for writing results to a txt/html file or sending them over the network using scp; the options are endless. Available output plugins are:
        - Console
        - Text file

Web Service support
   w3af knows how to parse WSDL files, and audit web services. Plugin developers can write a simple plugin that will be able to find bugs in web services and also in common HTTP applications.

HTTP headers fuzzing
   w3af supports finding bugs in HTTP headers with great ease!

IPC
   IPC ( inter plugin communication :P) can easily be done using the knowledge base, another w3af feature that's really useful for plugin developers.

Session saving
   Framework parameters can be saved to a file using the sessionManager. After that, you can load the settings and start the same scan again without configuring all parameters.

Fuzzer
   Right now w3af has a really simple fuzzer, but we have plans to extend it. Fuzzers are great, we know it.

HTML / WML parsing
   w3af provides HTML / WML parsing features that are really easy to use.
Last edited by enzo on Thu Sep 03, 2009 4:09 am, edited 1 time in total.
Why geeks like computers: unzip, strip, touch, finger, grep, mount, fsck, more, yes, fsck, fsck, fsck, umount, sleep.
jakinne
Newbie
Posts: 13
Joined: Thu Aug 20, 2009 1:09 pm

Post Thu Sep 03, 2009 8:39 pm

Re: Web Services Security

If you require a trust relationship, you should look into WS-Security. Assuming you're using J2EE, there is IBM's implementation in WebSphere, and there is also Apache Rampart, the open source alternative.

If you're using php, here is a good article: http://wso2.org/library/2814.

There are also .net alternatives.

Sorry if I took this in the wrong direction... but if you're looking for message-level trust that will go beyond what SSL can provide, WS-Security is probably where you want to look.

Justin
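To make the "message-level trust beyond what SSL can provide" point concrete for the chain the original poster described (client, third-party web application, web service, local service), here is an added example that is not from this thread or from any WS-Security toolkit. It signs a SOAP-like Body together with a Timestamp using an HMAC, so the final receiver can verify integrity and freshness even though the third-party host terminates TLS and sees the message in the clear. Real WS-Security uses XML Signature with canonicalization and typically X.509 keys; the element names, the shared key, the sample body and the fixed clock below are all constructed for the demonstration.

```python
"""Simplified message-level integrity check in the spirit of WS-Security.

Added example: the sender signs the Body plus a Timestamp with an HMAC so the
final receiver can verify the message after it crosses an intermediary that
terminates TLS. Real WS-Security uses XML-DSig with canonicalization; element
names and keys here are constructed for the demo.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed shared secret between the first sender and the final receiver;
# in practice it is established out of band or replaced by a key pair.
SHARED_KEY = b"constructed-demo-key-replace-with-out-of-band-key"

# Constructed business-logic call of the kind the poster wants to protect.
SAMPLE_BODY = (
    "<Body><TransferFunds><Account>ACC-0001</Account>"
    "<Amount>100.00</Amount></TransferFunds></Body>"
)

_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _envelope(created, expires, digest, signature, body_xml):
    """Assemble the envelope; the Security header mimics wsse:Security."""
    return (
        "<Envelope><Header><Security>"
        f"<Timestamp><Created>{created}</Created><Expires>{expires}</Expires></Timestamp>"
        f"<Signature><DigestValue>{digest}</DigestValue>"
        f"<SignatureValue>{signature}</SignatureValue></Signature>"
        f"</Security></Header>{body_xml}</Envelope>"
    )


def _body_digest(envelope_xml):
    """Hash the Body as re-serialized from the parsed tree.

    Parsing and re-serializing on both ends stands in for XML canonicalization:
    sender and receiver hash identical bytes for an identical Body.
    """
    body = ET.fromstring(envelope_xml).find("Body")
    return hashlib.sha256(ET.tostring(body, encoding="unicode").encode()).hexdigest()


def _signed_info(created, expires, digest):
    # Binding the body digest to the timestamp prevents swapping either one alone.
    return f"{created}|{expires}|{digest}".encode()


def sign_message(body_xml, key, now=None, ttl_seconds=300):
    """Return a signed envelope valid for ttl_seconds from now."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(_TS_FMT)
    expires = (now + timedelta(seconds=ttl_seconds)).strftime(_TS_FMT)
    digest = _body_digest(_envelope(created, expires, "", "", body_xml))
    signature = hmac.new(key, _signed_info(created, expires, digest), hashlib.sha256).hexdigest()
    return _envelope(created, expires, digest, signature, body_xml)


def verify_message(envelope_xml, key, now=None):
    """Return (ok, reason); the receiver runs this before touching the Body."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope_xml)
    created = root.findtext("Header/Security/Timestamp/Created")
    expires = root.findtext("Header/Security/Timestamp/Expires")
    digest = root.findtext("Header/Security/Signature/DigestValue")
    signature = root.findtext("Header/Security/Signature/SignatureValue")
    if None in (created, expires, digest, signature):
        return False, "security header incomplete"
    if now > datetime.strptime(expires, _TS_FMT).replace(tzinfo=timezone.utc):
        return False, "timestamp expired"
    if not hmac.compare_digest(digest.encode(), _body_digest(envelope_xml).encode()):
        return False, "body digest mismatch"
    expected = hmac.new(key, _signed_info(created, expires, digest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return False, "signature invalid"
    return True, "ok"


def demo():
    """Four scenarios a receiver must distinguish; returns (ok, reason) for each."""
    now = datetime(2009, 9, 3, 20, 39, tzinfo=timezone.utc)  # constructed clock
    envelope = sign_message(SAMPLE_BODY, SHARED_KEY, now=now)
    # The intermediary rewrites the amount in transit; TLS alone would not catch this.
    tampered = envelope.replace("<Amount>100.00</Amount>", "<Amount>1.00</Amount>")
    return {
        "valid": verify_message(envelope, SHARED_KEY, now=now),
        "tampered": verify_message(tampered, SHARED_KEY, now=now),
        "replayed_late": verify_message(envelope, SHARED_KEY, now=now + timedelta(minutes=10)),
        "wrong_key": verify_message(envelope, b"not-the-shared-key", now=now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'accepted' if ok else 'rejected'}: {reason}")
```

The design point is that the verification key lives only at the two ends of the chain, so the third-party host can forward the message but cannot alter, forge or replay it undetected; the Timestamp check is what turns a captured valid message into a stale one.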
Dark_Knight
Sr. Member
Posts: 294
Joined: Mon Aug 11, 2008 7:03 pm

Post Thu Sep 03, 2009 8:56 pm

Re: Web Services Security

Thanks for the replies.

jakinne wrote:
If you require a trust relationship, you should look into WS-Security. Assuming you're using J2EE, there is IBM's implementation in WebSphere, and there is also Apache Rampart, the open source alternative.

If you're using php, here is a good article: http://wso2.org/library/2814.

There are also .net alternatives.

Sorry if I took this in the wrong direction... but if you're looking for message-level trust that will go beyond what SSL can provide, WS-Security is probably where you want to look.

Yep that's the direction I was thinking of. What are the .net alternatives?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
jakinne
Newbie
Posts: 13
Joined: Thu Aug 20, 2009 1:09 pm

Post Fri Sep 04, 2009 9:27 am

Re: Web Services Security

I'm not very familiar with the .net implementations of WS-Security, but here is a link to an article that discusses Microsoft's "web security enhancements" (WSE):

http://www.devx.com/security/Article/15634

Also, here is a link to OASIS' standards documents:

http://www.oasis-open.org/committees/tc ... abbrev=wss

Justin
