Security of Electronic Voting - Northern Kentucky University


Web Service Security

James Walden Northern Kentucky University

Web Services

Web services are designed to provide:

Interoperability: services can be built on any framework in any language.

Reuse: code can be re-used among different applications.

Services should be self-describing, discoverable, content-independent and stateless.

CSC 666: Secure Software Engineering

Web Service Technologies

1. HTTP
2. XML
3. XPath
4. SOAP
5. WSDL

eXtensible Markup Language

Extensible descriptive markup language framework, primarily used for data communication and storage.

Tree-based document structure using <> tags.

Began as a simplified subset of SGML.

Example document (markup not preserved in this transcript): a book record for Learn to Program by Chris Pine.

XML Tree Structure

Figure (tree view, markup not preserved in this transcript): a todo document whose tree contains title, item and priority elements with text such as "Monday's List", "Study for midterm", "SSE Class", "Bathe cat", "Tuesday's List", "Scripting Class" and a priority of 10.

Elements and Attributes

An element consists of tags and contents (example lost in transcript: an element whose content is "Learn to Program"). Begin and end tags are mandatory; an empty element may instead be written as a single self-closing tag ending in />.

Tags must be consistently nested.

Attributes: elements may have zero or more attributes, for example number="0976694042". Attribute values must always be quoted.

XML Entities

Entities are named data.

Default entities: &lt; &gt; &amp; &apos; &quot; (for the characters < > & ' ").

New entities can be defined in the DTD, and entity definitions can be recursive. (Example DTD not preserved in transcript; the document referred to the defined entity as &copyright-notice;.)

Numeric character references are not entities. &#decimal; or &#xhex; refers to a Unicode code point; for example &#169; refers to the copyright symbol ©.

XML Syntax Rules

1. There is one and only one root tag.

2. Begin tags must be matched by end tags.

3. XML tags must be properly nested.

4. XML tags are case sensitive.

5. All attribute values must be quoted.

6. Whitespace within tags is part of text.

7. Newlines are always stored as LF.

8. HTML-style comments: <!-- comment text -->

Correctness

Well-formed: conforms to the XML syntax rules. A conforming parser will not parse documents that are not well-formed.

Valid: conforms to the XML semantic rules given in a Document Type Definition (DTD) or an XML Schema. A validating parser will not parse invalid documents.

Malicious XML

Insert an additional element. The XML is still well formed; whether it is valid depends on the DTD, and the application will accept the document if it does not validate it.

Example (markup not preserved in transcript): an order for the book XML Security carrying two price values, 59.99 and 0.01, with the shipping address Nunn Drive, Highland Heights, KY.

Validation

Ensure that elements are present and are leaf nodes, using a DTD or an XML Schema. (The slide's DTD and Schema examples are not preserved in this transcript.)

Strict Validation

Schemas can also validate data using regexps. (Schema example not preserved in this transcript.)
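The following Java class is an added example, not code from the slides, covering both the Validation and Strict Validation points above: it validates the order document against a constructed XML Schema in which every element is a leaf occurring exactly once and the state element must match a regular expression, using the standard javax.xml.validation API. The schema, the class and method names, and the sample orders are assumptions; only the order's values (XML Security, 59.99, 0.01, Nunn Drive, Highland Heights, KY) come from the slides.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class OrderSchemaCheck {

    // Constructed schema (not from the slides). Every element is a leaf, each
    // occurs exactly once (minOccurs/maxOccurs default to 1), and the state
    // element must match the regular expression [A-Z]{2}.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">" +
        " <xs:element name=\"order\"><xs:complexType><xs:sequence>" +
        "  <xs:element name=\"title\" type=\"xs:string\"/>" +
        "  <xs:element name=\"price\" type=\"xs:decimal\"/>" +
        "  <xs:element name=\"address\"><xs:complexType><xs:sequence>" +
        "   <xs:element name=\"street\" type=\"xs:string\"/>" +
        "   <xs:element name=\"city\" type=\"xs:string\"/>" +
        "   <xs:element name=\"state\"><xs:simpleType>" +
        "    <xs:restriction base=\"xs:string\"><xs:pattern value=\"[A-Z]{2}\"/></xs:restriction>" +
        "   </xs:simpleType></xs:element>" +
        "  </xs:sequence></xs:complexType></xs:element>" +
        " </xs:sequence></xs:complexType></xs:element>" +
        "</xs:schema>";

    /** Returns null when the document is valid, otherwise the validator's error message. */
    static String validate(String xml) {
        try {
            SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            Schema schema = sf.newSchema(new StreamSource(new StringReader(ORDER_XSD)));
            Validator v = schema.newValidator();
            v.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException | IOException e) {
            return e.getMessage();
        }
    }

    /** Builds a constructed order document with the given price element(s) and state. */
    static String order(String priceElements, String state) {
        return "<order><title>XML Security</title>" + priceElements +
               "<address><street>Nunn Drive</street><city>Highland Heights</city>" +
               "<state>" + state + "</state></address></order>";
    }

    public static void main(String[] args) {
        // Legitimate order: valid, so validate() returns null.
        System.out.println(validate(order("<price>59.99</price>", "KY")));
        // Well-formed document with an inserted second price element: the
        // sequence allows exactly one price, so the validator rejects it.
        System.out.println(validate(order("<price>59.99</price><price>0.01</price>", "KY")));
        // Correct structure, but the state value fails the pattern facet.
        System.out.println(validate(order("<price>59.99</price>", "Kentucky")));
    }
}
```

The second and third calls return a SAXParseException message rather than null, which is the behaviour an order service should rely on: a document that is merely well-formed is not enough, and the strict pattern facet rejects data that a structural check alone would pass.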

Bypassing Validation

Include a DTD in the malicious XML file. (Example not preserved in transcript: the order for XML Security with prices 59.99 and 0.01 and the address Nunn Drive, Highland Heights, KY, preceded by an inline DTD.)

Alternately:

External Entity References

Use entity references to read files on the server filesystem. (Example DTD not preserved in transcript; the document referenced the external entity as &eer;.)
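The two previous slides both rely on the attacker supplying a DOCTYPE: an inline DTD to override the application's validation rules, or an entity declaration that points at a server file. The Java class below is an added example, not code from the slides, showing the parser configuration that closes both doors: the JAXP DocumentBuilderFactory is told to reject any DOCTYPE and, as defence in depth, not to load external entities or DTDs. The class name, the feature set and the three constructed input documents (including the placeholder file path) are assumptions; the entity name eer is the one on the slide.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    /** Builds a DocumentBuilder that refuses any DOCTYPE (inline DTD or entity declarations). */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject every DOCTYPE: an attacker-supplied DTD can then neither replace
        // the application's own nor declare entities, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must allow some DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: block all external DTD and schema fetches.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parses with the hardened builder; returns the root element name or the parser's error. */
    static String parse(String xml) {
        try {
            Document d = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return "parsed: " + d.getDocumentElement().getTagName();
        } catch (SAXException | ParserConfigurationException | IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Constructed inputs modelled on the slides: a plain order, an order carrying
    // its own DTD (the validation-bypass case) and an order declaring an external
    // entity that points at a server file (the external entity reference case).
    static final String PLAIN =
        "<order><title>XML Security</title><price>59.99</price></order>";
    static final String INLINE_DTD =
        "<!DOCTYPE order [<!ELEMENT order ANY>]>" +
        "<order><title>XML Security</title><price>59.99</price><price>0.01</price></order>";
    static final String EXTERNAL_ENTITY =
        "<!DOCTYPE order [<!ENTITY eer SYSTEM \"file:///placeholder/path/on/server\">]>" +
        "<order><title>&eer;</title></order>";

    public static void main(String[] args) {
        System.out.println(parse(PLAIN));
        System.out.println(parse(INLINE_DTD));
        System.out.println(parse(EXTERNAL_ENTITY));
    }
}
```

Only the plain order parses; the other two are rejected at the DOCTYPE before any entity is resolved, so the file reference is never followed. Validation against the application's own schema (as in the previous example) then happens on a document the attacker could not have redefined.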

XML Injection

Include an element in the shipping address.

User input for street is "Nunn Drive0.01 Nunn Drive" (the markup inside the input, which makes the 0.01 value an element of its own, is not preserved in this transcript).

Resulting document (markup not preserved in transcript): the XML Security order at 59.99 whose address now reads Nunn Drive0.01Nunn Drive, Highland Heights, KY.
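The Java class below is an added example, not code from the slides, contrasting the two ways an order service might build the document from the street input above: concatenating strings, which lets the input's markup become part of the document, and using the DOM API, which treats the input as character data and escapes it on output. Parsing each result back and counting price elements shows what the receiving service would see. The class and method names and the reconstructed injected input are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class OrderBuilder {

    // Constructed reconstruction of the slide's street input: it closes the
    // street element, inserts a price element and reopens street.
    static final String INJECTED_STREET =
        "Nunn Drive</street><price>0.01</price><street>Nunn Drive";

    /** Vulnerable: string concatenation places the raw input inside the markup. */
    static String buildByConcatenation(String street) {
        return "<order><title>XML Security</title><price>59.99</price>" +
               "<address><street>" + street + "</street>" +
               "<city>Highland Heights</city><state>KY</state></address></order>";
    }

    /** Safe: the DOM API stores the input as a text node; < and & are escaped when serialised. */
    static String buildWithDom(String street) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element order = doc.createElement("order");
        doc.appendChild(order);
        appendText(doc, order, "title", "XML Security");
        appendText(doc, order, "price", "59.99");
        Element address = doc.createElement("address");
        order.appendChild(address);
        appendText(doc, address, "street", street);
        appendText(doc, address, "city", "Highland Heights");
        appendText(doc, address, "state", "KY");

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    static void appendText(Document doc, Element parent, String name, String text) {
        Element e = doc.createElement(name);
        e.setTextContent(text);
        parent.appendChild(e);
    }

    /** Parses a document and counts its price elements, as the order service would see them. */
    static int countPrices(String xml) throws Exception {
        Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("price").getLength();
    }

    public static void main(String[] args) throws Exception {
        String unsafe = buildByConcatenation(INJECTED_STREET);
        String safe = buildWithDom(INJECTED_STREET);
        System.out.println(unsafe + "\nprice elements: " + countPrices(unsafe));
        System.out.println(safe + "\nprice elements: " + countPrices(safe));
    }
}
```

The concatenated document is well-formed and contains two price elements (59.99 and 0.01); the DOM-built one contains one, with the injected tags visible only as escaped text inside the street value. Building with an XML API, or escaping every untrusted value before concatenation, is the fix; schema validation that allows exactly one price is the second line of defence.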

XPath

Language for selecting nodes from XML. Combines directory-type paths with regexps. XPath 2.0 is the basis for XQuery, an SQL-like language.

Examples:
bo: children of bo node
/bo: root bo element
//bo: all bo elements
bo//title: all titles
//bo[price='39']: all bo nodes with a price of 39

Example document (markup not preserved in transcript): the XML Security order at 59.99, shipped to Nunn Drive, Highland Heights, KY.

XPath Searching

XPathFactory xfac = XPathFactory.newInstance();
XPath xp = xfac.newXPath();
InputSource input = new InputSource(xmlFile);
// Vulnerable: the user-supplied name and pass are concatenated into the query text.
String query = "//users/user[@name='" + name + "' and @pass='" + pass + "']";
return xp.evaluate(query, input);

XPath Injection

Set pass to ' or 'a' = 'a

//users/user[name='John' and pass='' or 'a' = 'a']

Returns all users.

Set name to ' or id=1 or ''='

//users/user[name='John' or id=1 or ''='' and pass='letmein']

Returns all users with id=1.

XQuery injection in the future: XQuery supports conditionals, loops and user-defined functions.

Mitigating XPath Injection

Use XPath bind variables, similar to SQL prepared-statement variables.

XPathFactory xfac = XPathFactory.newInstance();
XPath xp = xfac.newXPath();
InputSource input = new InputSource(xmlFile);
// Bind the user-supplied values through the JAXP XPathVariableResolver API
// (the slide's XPathBindVariables helper is not a JDK class); $NAME and $PASS
// are looked up by name, so the input never becomes part of the query text.
Map<String, Object> vars = new HashMap<>();
vars.put("NAME", name);
vars.put("PASS", pass);
xp.setXPathVariableResolver(q -> vars.get(q.getLocalPart()));
String query = "//users/user[@name=$NAME and @pass=$PASS]";
return xp.evaluate(query, input);
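A complete, runnable version of the comparison between the XPath Searching and Mitigating XPath Injection slides, as an added example that is not the slides' code: it evaluates the concatenated query and the bound-variable query against a constructed users document with @name and @pass attributes, feeding each the slide's pass payload. The class and method names and the two constructed user records are assumptions.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLogin {

    // Constructed user store in the shape the slides query (@name/@pass attributes).
    static final String USERS =
        "<users>" +
        "<user name=\"John\" pass=\"letmein\" id=\"1\"/>" +
        "<user name=\"Alice\" pass=\"s3cret\" id=\"2\"/>" +
        "</users>";

    /** Vulnerable: the concatenated query from the XPath Searching slide. Returns matching users. */
    static int loginConcat(String name, String pass) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String query = "//users/user[@name='" + name + "' and @pass='" + pass + "']";
        NodeList hits = (NodeList) xp.evaluate(query, new InputSource(new StringReader(USERS)),
                                               XPathConstants.NODESET);
        return hits.getLength();
    }

    /** Safe: $NAME and $PASS are supplied through an XPathVariableResolver. */
    static int loginBound(String name, String pass) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, Object> vars = new HashMap<>();
        vars.put("NAME", name);
        vars.put("PASS", pass);
        // The resolver hands back the bound value; the query text never changes.
        xp.setXPathVariableResolver(q -> vars.get(q.getLocalPart()));
        String query = "//users/user[@name=$NAME and @pass=$PASS]";
        NodeList hits = (NodeList) xp.evaluate(query, new InputSource(new StringReader(USERS)),
                                               XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws XPathExpressionException {
        String injected = "' or 'a'='a";   // the pass payload from the XPath Injection slide
        System.out.println("concatenated, injected pass: " + loginConcat("John", injected));
        System.out.println("bound, injected pass:        " + loginBound("John", injected));
        System.out.println("bound, correct pass:         " + loginBound("John", "letmein"));
    }
}
```

With the payload, the concatenated predicate becomes (@name='John' and @pass='') or 'a'='a', which is true for every user, so loginConcat returns 2; loginBound compares @pass with the literal string ' or 'a'='a and returns 0, and only the correct password returns 1.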

SOAP

Simple Object Access Protocol: an RPC protocol that encodes method calls in XML. Primarily uses HTTP as the transport protocol, to bypass firewalls and support proxies.

Vulnerabilities: XML injection; session management.

Services are identified and documented by WSDL.

SOAP Request

POST /order HTTP/1.1
Host: example.com
Content-Type: text/xml; charset="utf-8"
Content-Length: nnnn

(SOAP envelope not preserved in transcript; the body carried the values 978-0321424778 and 1.)

SOAP Response

HTTP/1.1 200 OK
Content-Type: text/xml; charset="utf-8"
Content-Length: nnnn

(SOAP envelope not preserved in transcript; the body carried the values 978-0321424778, 49.99 and 1.)

WSDL

Web Services Description Language

Service: contains a set of messages.

Message: an individual operation.

Port: address (URL) of the service.

Binding: port type, such as SOAP, and the SOAP binding type.

WSDL Enumeration

Obtain a list of services and messages. The WSDL file is typically published by default.

Finding WSDL files:
- Append ?WSDL or .WSDL to the service URL.
- Look up WSDL files on UDDI servers.
- Google hacking: filetype:wsdl inurl:wsdl

Mitigation:
- Avoid publishing the WSDL file.
- J2EE: remove wsdl.location from properties.
