Testing for Security Risks in a Web 2.0/SOA World
Billy Hoffman, Lead Security Researcher, HP

Overview
What is Web 2.0?
• Definitions
Web 2.0 Technologies
• RSS
• Web Services and SOA
• AJAX
How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices
Conclusion

What is Web 2.0?
Tim O'Reilly
• "Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform."
Wikipedia
• "Web 2.0 ... refers to a perceived second-generation of Web based communities and hosted services — such as social networking sites, wikis and folksonomies — that facilitate collaboration and sharing between users."

Web 2.0 Timeline
[timeline figure; no text recoverable]

My Definition
Web 1.0
• Incomplete pages were shameful
• "Please come back later when we're ready"
Web 2.0
• Incomplete pages are a feature!
• "Stick around and help us improve the site"

• Same vulnerabilities
• Additional input vectors
• More complexity

Overview
What is Web 2.0?
• Definitions
Web 2.0 Technologies
• RSS
• AJAX
• Web Services
How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices
Conclusion

Web Feeds (RSS & Atom)
Web Feed Reader
[figure: a feed reader displaying subscribed feeds]

Web Feed Technologies
"I love standards ... there are so many to choose from ..."
RSS 2.0
• Really Simple Syndication
RSS 0.91
• Rich Site Summary
RSS 0.9 and 1.0
• RDF Site Summary
Atom
• Atom Syndication Format (RFC 4287)

Web Feed Timeline
[timeline figure; no text recoverable]

Sample RSS Feed – New York Times
    <?xml version="1.0" encoding="UTF-8"?>
    <rss version="2.0">
    <channel>
      <title>NYT > Home Page</title>
      <link>http://www.nytimes.com/index.html?partner=rssnyt</link>
      <description>New York Times > Breaking News, World News &amp; Multimedia</description>
      <language>en-us</language>
      <copyright>Copyright 2007 The New York Times Company</copyright>
      <lastBuildDate>Tue, 1 May 2007 01:05:01 EDT</lastBuildDate>
      …
      <item>
        <title>Torre and Cashman Are Safe, for Now</title>
        <link>http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html?ex=1335672000&amp;en=d3e1e3550cf1a49c&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss</link>
        <description>The Yankees' owner said he supports the team's manager and general manager but that he is also impatient.</description>
        <author>TYLER KEPNER</author>
        <guid isPermaLink="false">http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html</guid>
        <pubDate>Tue, 01 May 2007 00:35:27 EDT</pubDate>
      </item>

Attack Scenarios
Malicious Operator
• The owner of the web feed intentionally injects malicious content into the feed
• Subscribers are affected when the content is downloaded/viewed
• Not a likely attack scenario, as the perpetrator could easily be identified
Compromised Host
• Attacker compromises a trusted host and is able to inject content into a heavily subscribed web feed
• The trusted host has already taken care of generating traffic for the attacker
Open Content
• Web site allows (un)trusted users to supply content
• Content is published and made available via a web feed
• An attacker could
  leverage this setup to inject malicious content into a web feed
• Mailing lists, forums, message boards and other open venues are often delivered as web feeds

Open Content Attack
[figure: attacker submits content to an open site, which republishes it to every feed subscriber]

Input Validation
• The vast majority of web application vulnerabilities result from improper input validation
• Attackers supply input for which no handling routine exists
• This can leave the system in an exploitable condition
Remember ...
• ... trust, but verify

Channel 14 News
Real time ticker
• Initial submission underwent human validation
• Subsequent submissions were permitted in real time

Solutions
Server Side
• White listing
  • Build regular expressions that define exactly what input is acceptable; reject everything else
• Black listing
  • Restrict HTML to an approved set of tags and strip the rest
  • Take extreme care to account for all possible encoding schemes (entity, URL, Unicode); a filter that misses one encoding is bypassed
• HTML encode user supplied content before it is placed in the feed
Client Side
• Receive content only from trusted sources
• Ensure that the RSS/Atom reader in use is not susceptible to feed injection (i.e. it does not render feed HTML unsanitized in a privileged context)

Web Services and SOA
Web Services Architecture
[figure: Service Provider, Discovery Agencies and Service Requestor; Publish / Find / Interact; SOAP, WSDL, UDDI, DISCO, etc.]

Inputs – WSDL
http://api.google.com/GoogleSearch.wsdl
    <message name="doGoogleSearch">
      <part name="key" type="xsd:string"/>
      <part name="q" type="xsd:string"/>
      <part name="start" type="xsd:int"/>
      <part name="maxResults" type="xsd:int"/>
      <part name="filter" type="xsd:boolean"/>
      <part name="restrict" type="xsd:string"/>
      <part name="safeSearch" type="xsd:boolean"/>
      <part name="lr" type="xsd:string"/>
      <part name="ie" type="xsd:string"/>
      <part name="oe" type="xsd:string"/>
    </message>
    ...
    <service name="GoogleSearchService">
      <port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
        <soap:address location="http://api.google.com/search/beta2"/>
      </port>
    </service>

Web Services Challenges
What don't web services change?
• Web services do not create new vulnerabilities
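Back to the web feed Solutions slide: the server-side options it lists (HTML-encode everything, or allow-list a few tags, and in either case account for encodings) as an added example, written for this page and not code from the original slides. The feed is constructed for the example (it is not the NYT feed above) and the site name is borrowed from the Channel 14 News ticker case; the allowed tag set and the "safe URL" rule are the assumptions a real deployment would tune.

```python
"""Sanitizing user-supplied content before it is published in a web feed.

Added example; not code from the original slides. The feed is constructed
for the example and the site name is borrowed from the slide's ticker case.
"""
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed RSS 2.0 feed: one benign item and one item an untrusted user
# injected through an "open content" submission form. Description text is
# entity-encoded HTML: a reader unescapes it and then renders it, so the
# sanitizer must look at the decoded HTML, not at the raw XML.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Channel 14 News ticker</title>
<link>http://news.example/</link>
<description>constructed sample feed</description>
<item>
<title>Bridge reopens</title>
<description>The &lt;b&gt;Main St&lt;/b&gt; bridge reopened today.</description>
</item>
<item>
<title>Breaking</title>
<description>&lt;scr&lt;script&gt;ipt&gt;alert(1)&lt;/script&gt;
&lt;img src=x onerror="alert(2)"&gt;
&lt;a href="&amp;#106;avascript:alert(3)"&gt;click&lt;/a&gt;</description>
</item>
</channel></rss>"""


def naive_blacklist(fragment):
    """Black listing done badly: strip <script> tags in a single pass.
    "<scr<script>ipt>" collapses to "<script>" after the strip."""
    return re.sub(r"</?script[^>]*>", "", fragment, flags=re.I)


def encode_everything(fragment):
    """Strategy 1: HTML-encode the whole description. Nothing is interpreted
    as markup, at the cost of losing the user's formatting."""
    return html.escape(fragment, quote=True)


# Strategy 2: allow-list. Parse the HTML, keep only known-harmless tags and
# attributes, rebuild the fragment; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)  # no javascript:, data:, vbscript:


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text content still reaches handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # HTMLParser has already decoded entities in the attribute value,
            # so "&#106;avascript:" is seen here as "javascript:", which is
            # exactly what the browser would see.
            if name == "href" and not SAFE_URL.match((value or "").strip()):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        return "".join(self.out)


def allow_list(fragment):
    p = AllowListSanitizer()
    p.feed(fragment)
    return p.result()


def sanitize_feed(feed_xml, strategy=allow_list):
    """Return {item title: sanitized description HTML} for every item."""
    root = ET.fromstring(feed_xml.encode("utf-8"))  # ET decodes &lt; -> < for us
    return {item.findtext("title", ""): strategy(item.findtext("description", ""))
            for item in root.iter("item")}
```

The allow-list output for the injected item keeps only the harmless text and an `<a>` element with its `javascript:` href removed; the encode-everything strategy keeps nothing renderable at all. Whichever is chosen must run on the decoded HTML and before the content is re-escaped into the XML, which is the "encoding schemes" point on the slide.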
What do web services change?
• Web applications may advertise their input vectors
  • WSDL files
• Web applications may advertise their existence
  • UDDI
  • DISCO
How do web services affect security?
• New input vectors
• Testing tools must understand web services protocols
  • SOAP

Web Services Attacks
Cross Site Request Forgery
• Abuse the trust established between a browser and server to force unwanted user actions
Cross Site Scripting
• Inject client side script into a web page
SQL Injection
• Ability to influence back end SQL queries
Session Hijacking
• Ability to predict/intercept session credentials
Etc.
• This list could go on forever
Verdict
• Web services can be exposed to the same vulnerabilities as web applications!

Myths of Web Service Security
"Web services involve machine to machine communication and would/could therefore never be targeted by an attacker"
• SOAP requests can easily be forged manually or using point and click freeware tools (e.g. Foundstone WSDigger)
• In some ways, web services are a goldmine for an attacker: they advertise their existence and reveal their expected inputs
"I can simply strip out this cool functionality and expose it using a web service without compromising security"
• Web application security may be left behind when specific pieces of business logic are exposed via a web service

Solutions
Overall
• Web services can and should be just as secure as any other web application, but they won't get there on their own
Testing
• Web services should go through the same secure coding practices as other applications
• Do not assume that web services will not be a target for attackers because they exist "behind the scenes"; this can make them an even more attractive target
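The first myth above (SOAP requests can be forged by hand, and the WSDL tells the attacker what inputs to forge) as an added example, written for this page rather than taken from the slides or from any web-service tool. The WSDL is reconstructed from the doGoogleSearch fragment on the earlier slide and trimmed to the elements used here; the probe strings and benign defaults are assumptions, and nothing is sent over the network: the function returns the request bodies a tester would post to the advertised endpoint.

```python
"""Forging SOAP requests from a WSDL, the way a tester (or attacker) does.

Added example; not code from the original slides or from any tool. The WSDL
is reconstructed from the doGoogleSearch fragment shown on the slide.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_BIND_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
ET.register_namespace("SOAP-ENV", SOAP_ENV_NS)
ET.register_namespace("xsi", XSI_NS)

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="GoogleSearch" targetNamespace="urn:GoogleSearch"
    xmlns:typens="urn:GoogleSearch"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/">
  <message name="doGoogleSearch">
    <part name="key" type="xsd:string"/>
    <part name="q" type="xsd:string"/>
    <part name="start" type="xsd:int"/>
    <part name="maxResults" type="xsd:int"/>
    <part name="filter" type="xsd:boolean"/>
    <part name="restrict" type="xsd:string"/>
    <part name="safeSearch" type="xsd:boolean"/>
    <part name="lr" type="xsd:string"/>
    <part name="ie" type="xsd:string"/>
    <part name="oe" type="xsd:string"/>
  </message>
  <service name="GoogleSearchService">
    <port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
      <soap:address location="http://api.google.com/search/beta2"/>
    </port>
  </service>
</definitions>"""

# One probe list per declared XSD type (assumed values): an injection string
# for strings, boundary/type-confusion values for ints and booleans.
PROBES = {
    "xsd:string": ["' OR '1'='1", "<script>alert(1)</script>", "A" * 4096],
    "xsd:int": ["-1", "2147483648", "1 OR 1=1"],
    "xsd:boolean": ["maybe", "1"],
}
BENIGN = {"xsd:string": "test", "xsd:int": "10", "xsd:boolean": "false"}


def parse_wsdl(wsdl_text):
    """Return ({message: [(part, xsd type), ...]}, endpoint URL, target namespace)."""
    root = ET.fromstring(wsdl_text.encode("utf-8"))
    messages = {
        m.get("name"): [(p.get("name"), p.get("type")) for p in m.findall("{%s}part" % WSDL_NS)]
        for m in root.findall("{%s}message" % WSDL_NS)
    }
    addr = root.find(".//{%s}address" % SOAP_BIND_NS)
    endpoint = addr.get("location") if addr is not None else None
    return messages, endpoint, root.get("targetNamespace")


def build_envelope(operation, target_ns, values):
    """SOAP 1.1 rpc/encoded request body; values is [(part, xsd type, text), ...].
    Building it with ElementTree XML-escapes the probe, so <script> travels as
    &lt;script&gt; and the server decodes it back to exactly what we sent."""
    ET.register_namespace("tns", target_ns)
    env = ET.Element("{%s}Envelope" % SOAP_ENV_NS)
    env.set("xmlns:xsd", XSD_NS)  # xsi:type values are xsd: QNames
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV_NS)
    call = ET.SubElement(body, "{%s}%s" % (target_ns, operation))
    for part, xsd_type, text in values:
        el = ET.SubElement(call, part)
        el.set("{%s}type" % XSI_NS, xsd_type)
        el.text = text
    return ET.tostring(env, encoding="utf-8")


def forge_requests(wsdl_text, operation):
    """One request per (part, probe): the probe in that part, benign values elsewhere."""
    messages, endpoint, target_ns = parse_wsdl(wsdl_text)
    parts = messages[operation]
    out = []
    for i, (part, xsd_type) in enumerate(parts):
        for probe in PROBES.get(xsd_type, ["probe"]):
            values = [(p, t, probe if j == i else BENIGN.get(t, "x"))
                      for j, (p, t) in enumerate(parts)]
            out.append({"endpoint": endpoint, "part": part, "probe": probe,
                        "body": build_envelope(operation, target_ns, values)})
    return out
```

Each returned body is what a tester would POST to the `soap:address` with a `SOAPAction` header; the point of the example is that the WSDL alone yields 28 distinct attack requests for one operation, with no client library and no guesswork about parameter names or types.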
Asynchronous JavaScript and XML (AJAX)
AJAX
[figure: Google Maps]
[figure: FireBug]

AJAX Defined
Asynchronous
• Requests are initiated in the background
JavaScript
• JavaScript instantiates the XMLHttpRequest object and generates the requests
And XML
• This is a misnomer, as AJAX frameworks commonly employ alternate data interchange formats
  • JSON – Atlas (ASP.NET AJAX)
  • Serialized Java objects (GWT-RPC) – Google Web Toolkit
  • HTML
  • XML

AJAX Implementations
Multiple frameworks
• Prototype (http://www.prototypejs.org/)
• Script.aculo.us
• Dojo (http://dojotoolkit.org/)
• ASP.NET AJAX (http://ajax.asp.net/)
• Etc.
Multiple browser objects
• Internet Explorer
  • IE6 – XMLHTTP ActiveX control
  • IE7 – native XMLHttpRequest script object
• Firefox
  • XMLHttpRequest object

AJAX Challenges
What doesn't AJAX change?
• AJAX does not create new vulnerabilities
What does AJAX change?
• Business logic is dispersed among multiple client side files/functions
• Requests are made in the background without user intervention, but are just as susceptible to attack
How does AJAX affect security?
• Increased surface area
• More business logic is exposed
• New input vectors are exposed
• Security tools must understand the XHR objects and their syntax in order to identify input vectors

Overview
What is Web 2.0?
• Definitions
Web 2.0 Technologies
• RSS
• AJAX
• Web Services
How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices
Conclusion

Input Vectors
[figure: input vectors, Web 1.0 vs Web 2.0]

Attack Vectors
Input vectors
• Input vectors = attack vectors
• When identifying input vectors, think broadly
Vulnerabilities
• The vast majority of vulnerabilities result when unexpected user supplied input is not properly sanitized
• ANYTHING sent from the client to the server is a potential attack vector
Input Validation
• Validate everything!
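The AJAX Challenges point that security tools must understand the XHR objects to identify input vectors, and the Attack Vectors point that anything the client sends is one, as an added example written for this page (not code from the slides or from any HP tool). The JavaScript it scans is constructed: a ticker page that talks to the server through raw XMLHttpRequest / ActiveX XMLHTTP calls and through a Prototype `Ajax.Request`; every URL and parameter name in it is invented. The scanner is regex-based to keep the idea visible; a production tool would use a real JavaScript parser.

```python
"""Finding AJAX input vectors in client-side JavaScript.

Added example; not code from the original slides or from any tool. The
JavaScript below is constructed for the example; its URLs and parameter
names are invented.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_JS = r"""
function getXhr() {
  if (window.XMLHttpRequest) { return new XMLHttpRequest(); }   // Firefox, IE7
  return new ActiveXObject("Microsoft.XMLHTTP");               // IE6
}
function loadTicker(last) {
  var x = getXhr();
  x.open("GET", "/ticker/items.php?since=" + last + "&fmt=json", true);
  x.send(null);
}
function postComment(text, storyId) {
  var x = getXhr();
  x.open("POST", "/ticker/comment.php", true);
  x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  x.send("story=" + storyId + "&text=" + encodeURIComponent(text));
}
function approve(itemId) {   // only reachable from the moderator view
  new Ajax.Request("/admin/approve.php", {
    method: "post",
    parameters: { id: itemId, approve: 1 }
  });
}
"""

STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")


def literals(expr):
    """Concatenate the string literals of a JS expression: "a" + x + "b" -> "ab".
    The variable parts are exactly the attacker-controlled positions."""
    return "".join(m.group(1) if m.group(1) is not None else m.group(2)
                   for m in STRING_LIT.finditer(expr))


def call_args(src, open_paren):
    """Split the argument list of the call whose '(' is at open_paren into
    top-level arguments; returns (args, index of the closing ')')."""
    depth, args, cur, quote, i = 0, [], [], None, open_paren + 1
    while i < len(src):
        c = src[i]
        if quote:
            cur.append(c)
            if c == "\\":
                cur.append(src[i + 1]); i += 2; continue
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c; cur.append(c)
        elif c in "([{":
            depth += 1; cur.append(c)
        elif c in ")]}":
            if depth == 0:
                args.append("".join(cur).strip()); return args, i
            depth -= 1; cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    raise ValueError("unbalanced call")


def query_params(qs):
    return [k for k, _ in parse_qsl(qs, keep_blank_values=True)]


def find_xhr_vectors(js):
    """Return [{"method", "url", "params"}] for every XHR endpoint in the script."""
    vectors = []
    # 1. Raw XMLHttpRequest / ActiveX XMLHTTP: x.open(method, url, ...) then x.send(body).
    #    (A real scanner must also rule out window.open() matches.)
    for m in re.finditer(r"\.open\s*\(", js):
        args, close = call_args(js, m.end() - 1)
        if len(args) < 2:
            continue
        url = urlsplit(literals(args[1]))
        params = query_params(url.query)
        send = re.search(r"\.send\s*\(", js[close:])
        if send:
            body_args, _ = call_args(js, close + send.end() - 1)
            if body_args and body_args[0] not in ("null", ""):
                params += query_params(literals(body_args[0]))
        vectors.append({"method": literals(args[0]).upper(), "url": url.path, "params": params})
    # 2. Prototype: new Ajax.Request(url, {method: ..., parameters: {...}})
    for m in re.finditer(r"new\s+Ajax\.Request\s*\(", js):
        args, _ = call_args(js, m.end() - 1)
        url = urlsplit(literals(args[0]))
        opts = args[1] if len(args) > 1 else ""
        mm = re.search(r"method\s*:\s*['\"](\w+)['\"]", opts)
        pm = re.search(r"parameters\s*:\s*\{([^}]*)\}", opts)
        params = query_params(url.query) + (re.findall(r"(\w+)\s*:", pm.group(1)) if pm else [])
        vectors.append({"method": mm.group(1).upper() if mm else "POST",  # Prototype default
                        "url": url.path, "params": params})
    return vectors
```

Run on the constructed script, the scanner reports three endpoints and seven parameters, including `/admin/approve.php`, which no link on the page points at and which a crawler that only follows anchors and forms would never test.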
Overview
What is Web 2.0?
• Definitions
Web 2.0 Technologies
• RSS
• AJAX
• Web Services
How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices
Conclusion

Thoughts
Will Web 2.0 usher in the apocalypse?
• No, the sky isn't falling either
• Web 2.0 technologies offer to expand the web with intuitive, content rich applications, but as with any new technology they bring new security challenges
What is the greatest security challenge posed by Web 2.0?
• It isn't new classes of web application vulnerabilities. For the most part the types of vulnerabilities have remained unchanged, while attackers now have new ways to exploit them.
• The greatest security challenge is the same as with any new technology: adopt Web 2.0 technologies to solve a business need, not because they look cool. When we rush to adopt a new technology for the wrong reasons, we typically leave security behind.

Solutions – HP ASC
Security Throughout the SDLC
[figure: Enterprise Application Security Assurance Plan across Requirements, Design, Build, Test and Production; Source Code Validation, QA/Integration Testing and Production Assessment (DevInspect, QAInspect, WebInspect); Enterprise Security Assurance & Reporting via the Assessment Management Platform (AMP)]

Questions
Billy Hoffman, Lead Security Researcher, HP
bhoffman@hp.com