12 Web Services
Introduction
12.4. Attacks
We will see how SOAP web services are built, how we can fingerprint them, and also how to find vulnerabilities in them and exploit them.
As you can imagine, the body of the request is in XML; thus, it can be used to send complex record and list structures.
    <?xml version="1.0"?>
    <methodCall>
      <methodName>My.Method</methodName>
      <params>
        <param>
          <value>www.google.com</value>
        </param>
      </params>
    </methodCall>
The payload format (XML-RPC, per the specification linked below) is XML and must contain <methodCall> with the <methodName> sub-item. Other required items can be found here:
http://xmlrpc.scripting.com/spec.html
Note that SOAP web services may also provide a Web Services
Definition Language (WSDL) declaration that specifies how they
may be used.
REST web services generally use JSON or XML, but any other
message transport format (such as plain-text) is possible.
https://www.ibm.com/developerworks/library/ws-restful/
Although 2.0 is the current version, many web services still use WSDL 1.1; therefore, in the next slides we will see both WSDL specifications.
https://www.w3.org/TR/wsdl/
https://www.w3.org/TR/wsdl20-primer/#basics
Web Application Penetration Testing 3.0 – Caendra Inc. © 2018
First of all, it is important to know that WSDL documents have abstract and concrete definitions:
• Abstract: describes what the service does, such as the operations provided and the input, output and fault messages used by each operation. The abstract description is made up of the following elements:
    <types>..</types>
    <message>..</message>
    <interface>..</interface>   (WSDL 2.0)
    <portType>..</portType>     (WSDL 1.1)
    <wsdl:portType name="HelloServicePortType">
      <wsdl:operation name="sayHello">
        <wsdl:input message="ns:sayHelloRequest"/>
        <wsdl:output message="ns:sayHelloResponse"/>
      </wsdl:operation>
    </wsdl:portType>

    <wsdl:message name="sayHelloRequest">
      <wsdl:part name="name" element="ns:sayHello"/>
    </wsdl:message>

    <xs:element name="sayHello">
      <xs:complexType>
        <xs:sequence>
          <xs:element name="name" type="xs:string"/>
          <xs:element name="surname" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
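To show how the three abstract parts above fit together (portType operation, message, schema element), here is an added example, not code from the course, that walks a WSDL 1.1 document and lists each operation with its input/output messages and the fields of the element its input message carries. The sample WSDL embeds the slide's sayHello fragments inside a constructed <wsdl:definitions> root; the namespace URN and the sayHelloResponse element are made up to make the document complete. WSDL 2.0 (<interface> instead of <portType>) is not handled.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XS_NS = "http://www.w3.org/2001/XMLSchema"
NS = {"wsdl": WSDL_NS, "xs": XS_NS}

# Constructed sample: the slide's portType, message and schema fragments
# assembled into one WSDL 1.1 document (the namespace URN is made up).
SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:ns="urn:example:hello"
                  targetNamespace="urn:example:hello">
  <wsdl:types>
    <xs:schema targetNamespace="urn:example:hello">
      <xs:element name="sayHello">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="name" type="xs:string"/>
            <xs:element name="surname" type="xs:string"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="sayHelloResponse" type="xs:string"/>
    </xs:schema>
  </wsdl:types>
  <wsdl:message name="sayHelloRequest">
    <wsdl:part name="name" element="ns:sayHello"/>
  </wsdl:message>
  <wsdl:message name="sayHelloResponse">
    <wsdl:part name="result" element="ns:sayHelloResponse"/>
  </wsdl:message>
  <wsdl:portType name="HelloServicePortType">
    <wsdl:operation name="sayHello">
      <wsdl:input message="ns:sayHelloRequest"/>
      <wsdl:output message="ns:sayHelloResponse"/>
    </wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>
"""


def _local(qname):
    """Drop the 'prefix:' of a QName such as 'ns:sayHelloRequest'."""
    return qname.split(":", 1)[-1]


def enumerate_wsdl(wsdl_text):
    """Map every portType operation to its input/output message names and
    the (field, type) pairs of the schema element its input carries."""
    root = ET.fromstring(wsdl_text)

    # 1. <types>: top-level schema element name -> [(child name, child type)]
    elements = {}
    for el in root.iterfind("wsdl:types/xs:schema/xs:element", NS):
        fields = [(c.get("name"), c.get("type"))
                  for c in el.iterfind("xs:complexType/xs:sequence/xs:element", NS)]
        elements[el.get("name")] = fields

    # 2. <message>: message name -> schema element referenced by its part
    messages = {}
    for msg in root.iterfind("wsdl:message", NS):
        part = msg.find("wsdl:part", NS)
        messages[msg.get("name")] = _local(part.get("element")) if part is not None else None

    # 3. <portType>/<operation>: join operation -> message -> schema element
    operations = {}
    for op in root.iterfind("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS)
        out = op.find("wsdl:output", NS)
        in_msg = _local(inp.get("message")) if inp is not None else None
        out_msg = _local(out.get("message")) if out is not None else None
        operations[op.get("name")] = {
            "input": in_msg,
            "output": out_msg,
            "input_fields": elements.get(messages.get(in_msg), []),
        }
    return operations


if __name__ == "__main__":
    for name, info in enumerate_wsdl(SAMPLE_WSDL).items():
        print("%s(%s) -> %s" % (
            name,
            ", ".join("%s: %s" % f for f in info["input_fields"]),
            info["output"]))
```

Run on the sample it prints `sayHello(name: xs:string, surname: xs:string) -> sayHelloResponse`, which is exactly the inventory a reviewer wants from a WSDL: which operations the service exposes and what each one accepts, before looking at what a binding or firewall actually lets through.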
https://www.wireshark.org/
In the response, we have the page showing the student information.
https://msdn.microsoft.com/en-us/library/ms996486.aspx#understand_topic5
https://www.ibm.com/developerworks/webservices/tutorials/ws-understand-web-services2/ws-understand-web-services2.html
https://docs.oracle.com/cd/E57990_01/pt853pbh2/eng/pt/tibr/concept_UnderstandingProvidingWSDLDocuments-076201.html#topofpage
When dealing with web service security, accessing the WSDL file is the first step; this gives us the full list of operations and types allowed by the server as well as the correct syntax to use, inputs, outputs and all the useful information we may need to run successful attacks.
In the next slides, we will see how attackers and penetration testers may be able to enumerate WSDL files.
https://msdn.microsoft.com/en-us/library/cy2a3ybs(v=vs.100).aspx
http://uddi.xml.org/
http://www.soapclient.com/uddisearch.html
Once we find WSDL files, we can start inspecting them and gather
valuable information about the web service. As you already know,
this allows us to gather information such as operations, data,
syntax and much more.
In the next attack, we will assume the attacker already has access
to the WSDL file of the target web service.
• The attacker has access to the WSDL file and knows all the services
(methods) offered by the server application.
• The attacker knows and can reach the end-point of the web service.
• Some web service methods are protected by a firewall and cannot
be invoked.
• The firewall filters the requests only by SOAP body.
• The server application relies on the SOAPAction header to detect
the operation type.
• The attacker has access to the WSDL file and knows two
interesting operations: getUserInfo and deleteAllStudents
• A firewall filters out requests coming from remote clients
invoking the operation deleteAllStudents. Local client
requests are allowed.
• The firewall uses only the SOAP body to filter requests.
• The server application relies on the SOAPAction header to
detect the operation type.
The firewall will not filter the request because the SOAP body is allowed: the body invokes the permitted getUserInfo operation, while the SOAPAction header names deleteAllStudents, which is what the server application uses to decide the operation type.
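The root cause in the scenario above is that two components parse the same request differently: the firewall decides on the SOAP body while the server dispatches on the SOAPAction header. The following added example (not the course's code) shows the server-side check that closes the gap: the operation element in soap:Body is authoritative, and a SOAPAction header that names any other operation causes the request to be rejected before dispatch. The operation names getUserInfo and deleteAllStudents come from the slides; the service namespace, the envelope builder and the assumption that SOAPAction is a URI ending in the operation name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:students"     # constructed service namespace
# Operations taken from the slides' scenario.
ALLOWED_OPERATIONS = {"getUserInfo", "deleteAllStudents"}


class SoapRequestError(Exception):
    """Raised for any request that must not reach an operation handler."""


def body_operation(envelope_xml):
    """Return the local name of the single operation element in soap:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None:
        raise SoapRequestError("missing soap:Body")
    children = list(body)
    if len(children) != 1:
        raise SoapRequestError("expected exactly one operation element in soap:Body")
    return children[0].tag.rsplit("}", 1)[-1]   # '{ns}op' -> 'op'


def header_operation(soap_action):
    """Reduce a SOAPAction value to an operation name, or None if absent/empty.
    Assumption for this example: the service encodes the action as a URI whose
    last segment is the operation name (e.g. "urn:example:students:getUserInfo"),
    optionally wrapped in double quotes as SOAP 1.1 clients send it."""
    if soap_action is None:
        return None
    value = soap_action.strip().strip('"').strip()
    if not value:
        return None
    return re.split(r"[:/#]", value)[-1]


def resolve_operation(headers, envelope_xml):
    """Pick the operation to dispatch. The Body is authoritative; SOAPAction
    may only agree with it. Any disagreement is rejected before dispatch."""
    op = body_operation(envelope_xml)
    if op not in ALLOWED_OPERATIONS:
        raise SoapRequestError("unknown operation %r" % op)
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    hdr = header_operation(lower.get("soapaction"))
    if hdr is not None and hdr != op:
        raise SoapRequestError("SOAPAction names %r but Body invokes %r" % (hdr, op))
    return op


def envelope(op, **fields):
    """Build a constructed SOAP 1.1 request invoking `op` with simple fields."""
    inner = "".join("<%s>%s</%s>" % (k, v, k) for k, v in fields.items())
    return ('<?xml version="1.0"?>'
            '<soap:Envelope xmlns:soap="%s" xmlns:m="%s">'
            '<soap:Body><m:%s>%s</m:%s></soap:Body></soap:Envelope>'
            % (SOAP_ENV, SERVICE_NS, op, inner, op))


def check_request(headers, envelope_xml):
    """Convenience wrapper: ('ok', operation) or ('rejected', reason)."""
    try:
        return "ok", resolve_operation(headers, envelope_xml)
    except SoapRequestError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    body = envelope("getUserInfo", userId="42")
    # Header and body agree: dispatched as getUserInfo.
    print(check_request({"SOAPAction": '"urn:example:students:getUserInfo"'}, body))
    # Header names a different operation than the body: rejected, nothing runs.
    print(check_request({"SOAPAction": "urn:example:students:deleteAllStudents"}, body))
    # No SOAPAction at all: the body alone decides.
    print(check_request({}, body))
```

The mismatching request is the one the slides describe, and with this check it never reaches a handler. The same rule should hold on the firewall side: a filter that inspects only the body (or only the header) will always disagree with a dispatcher that uses the other one, so both components must derive the operation from the same field, and a logged "SOAPAction names X but Body invokes Y" rejection is a useful detection signal in its own right.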
Most of the time, the client application will take care of this; however, in case you are issuing raw requests to the web services, let's see how things work.
SOAP
https://www.w3schools.com/xml/xml_soap.asp
WSDL
http://www.w3.org/TR/wsdl20-primer/
DISCO
https://msdn.microsoft.com/en-us/library/vstudio/cy2a3ybs(v=vs.100).aspx
UDDI
http://uddi.xml.org/
X-Path Injection
https://www.owasp.org/index.php/XPATH_Injection