At DefCon 13, Alex Stamos of iSec Partners gave a very interesting talk entitled “Attacking Web Services”. In summary, there are currently three known web service attack techniques:
- Injecting XML into an input box, overwriting tags set earlier in the SOAP XML stream
- Injecting XPath search queries into an input box, thwarting the select Boolean logic
- Creating a valid but very deep and complex SOAP header, causing the web service to consume a large amount of system resources (a denial of service attack).
The XML and XPath injection techniques are very similar to common SQL injection techniques used to infiltrate web applications that build SQL queries directly from user input (see http://www.securiteam.com/securityreviews/5DP0N1P76E.html for a good review of SQL injection). The solution to XML and XPath injections is the same: remove or escape special characters (brackets and quotes) from user input before processing the data. While data cleaning issues have been known for a long time, new tutorials and examples still do not do them, leading to a whole new generation of programmers who write insecure code.
A simple technique to counteract a complex SOAP header DoS attack is to limit the maximum size of a web service request. The following Microsoft TechNet article describes how to limit request size in IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;310156&sd=tech. For limiting the request size in Apache see: http://perl.apache.org/docs/2.0/api/Apache2/SizeLimit.html.
The full presentation on “Attacking Web Services” is available at: http://www.isecpartners.com/documents/iSEC-Attacking-Web-Services.DefCon.pdf.
One response to “DefCon: Web Service Intrusion — Same Security Holes, New Technology”
Same Security Holes, New Technology
M’colleague at TCG, Robert Buccigrossi, has just posted a great review of a talk at DefCon 13 (a hackers conference held in Las Vegas) about using same-old same-old techniques to hack new technologies like Web Services. It’s astonishing that hacks