RL2104

Testing for Security Risks in a Web 2.0/SOA World
Billy Hoffman, Lead Security Researcher, HP
Overview
What is Web 2.0?
• Definitions
Web 2.0 Technologies
• RSS
• Web Services and SOA
• AJAX
How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices
Conclusion
What is Web 2.0?
Tim O’Reilly
• Web 2.0 is the business revolution in the computer
industry caused by the move to the internet as
platform, and an attempt to understand the rules for
success on that new platform.
Wikipedia
• Web 2.0...refers to a perceived second-generation of
Web based communities and hosted services — such as
social networking sites, wikis and folksonomies — that
facilitate collaboration and sharing between users.
Web 2.0 Timeline
My Definition
Web 1.0
• Incomplete pages were shameful
• “Please come back later when we’re ready”
Web 2.0
• Incomplete pages are a feature!
• “Stick around and help us improve the site”
Same Vulnerabilities
Additional Input Vectors
More Complexity
Overview
What is Web 2.0?
• Definitions
Web 2.0 Technologies
• RSS
• AJAX
• Web Services
How Web 2.0 Changes the Threat Landscape
• Attack Vectors
• Secure Coding Practices
Conclusion
Web Feeds (RSS & Atom)
Web Feed Reader
Web Feed Technologies
“I love standards…there are so many to choose from…”
RSS 2.0
• Really Simple Syndication
RSS 0.91 and 1.0
• Rich Site Summary
RSS 0.9
• RDF Site Summary
Atom
• Atom Syndication Format (RFC 4287)
Web Feed Timeline
Sample RSS Feed – New York Times
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>NYT > Home Page</title>
<link>http://www.nytimes.com/index.html?partner=rssnyt</link>
<description>New York Times > Breaking News, World News & Multimedia</description>
<language>en-us</language>
<copyright>Copyright 2007 The New York Times Company</copyright>
<lastBuildDate>Tue, 1 May 2007 01:05:01 EDT</lastBuildDate>
…
<item>
<title>Torre and Cashman Are Safe, for Now</title>
<link>http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html?ex=1335672000&en=d3e1e3550cf1a49c&ei=5088&partner=rssnyt&emc=rss</link>
<description>The Yankees' owner said he supports the team's manager and general manager but that he is also impatient.</description>
<author>TYLER KEPNER</author>
<guid isPermaLink="false">http://www.nytimes.com/2007/05/01/sports/baseball/01yankees.html</guid>
<pubDate>Tue, 01 May 2007 00:35:27 EDT</pubDate>
</item>
Attack Scenarios
Malicious Operator
• Owner of web feed intentionally injects malicious content into web feed
• Subscribers would be affected when the content was downloaded/viewed
• Not a likely attack scenario as the perpetrator could easily be identified
Compromised Host
• Attacker compromises trusted host and is able to inject content into heavily subscribed web feed
• Trusted host has already taken care of generating traffic for the attacker
Open Content
• Web site allows (un)trusted users to supply content
• Content is published and made available via a web feed
• An attacker could leverage this setup to inject malicious content into a web feed
• Mailing lists, forums, message boards and other open venues are often delivered as web feeds
Open Content Attack
Input Validation
• Virtually all vulnerabilities result from improper input validation
• Attackers supply input for which error handling routines do not exist
• This can leave a system in an exploitable condition
Remember…
• …trust, but verify
Channel 14 News
Real time ticker
• Initial submission underwent human validation
• Subsequent submissions permitted in real time
Solutions
Server Side
• White listing
  • Build regular expressions to define appropriate input
• Black listing
  • Restrict HTML to appropriate tags only
  • Take extreme care to take all possible encoding schemes into account
• HTML encode user supplied content
Client Side
• Receive content only from trusted sources
• Ensure that the RSS/Atom reader being used is not susceptible to feed injection
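The server-side measures above, worked through in Python as an added example (not code from the slides): user-supplied content is decoded, filtered against a tag allow-list with attributes dropped, HTML-encoded on output, and then XML-escaped into an RSS item. The allowed tag set and link schemes are illustrative assumptions.

```python
import html
from html.parser import HTMLParser
from xml.sax.saxutils import escape

# Allow-list (white list) of harmless formatting tags; everything else becomes inert text.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
ALLOWED_LINK_SCHEMES = ("http://", "https://")   # assumption: only web links are wanted

class FeedSanitizer(HTMLParser):
    """Rebuild user-supplied HTML keeping only allow-listed tags (attributes
    dropped) and HTML-encoding anything else so it cannot act as markup."""
    def __init__(self):
        # convert_charrefs=True decodes &lt; &#60; etc. first, so encoded markup
        # is filtered on its decoded form and re-encoded on output.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")                   # on*/style attributes dropped
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(ALLOWED_LINK_SCHEMES):
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
            else:
                self.out.append("<a>")                    # non-http scheme neutralised
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS or tag == "a":
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize_html(user_html):
    p = FeedSanitizer()
    p.feed(user_html)
    p.close()
    return "".join(p.out)

def rss_item(title, link, user_html):
    """Build an RSS <item>; the description is sanitized HTML, then XML-escaped
    so the feed stays well-formed and readers see markup only as entities."""
    return ("<item><title>{}</title><link>{}</link><description>{}</description></item>"
            .format(escape(title), escape(link), escape(sanitize_html(user_html))))
```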
Web Services and SOA
Web Services Architecture
Service Provider, Discovery Agencies and Service Requestor (diagram): the provider publishes to the discovery agencies, the requestor finds the service through them, and requestor and provider then interact.
Protocols and formats:
- SOAP
- WSDL
- UDDI
- DISCO
- Etc.
Inputs - WSDL
http://api.google.com/GoogleSearch.wsdl
<message name="doGoogleSearch">
<part name="key" type="xsd:string"/>
<part name="q" type="xsd:string"/>
<part name="start" type="xsd:int"/>
<part name="maxResults" type="xsd:int"/>
<part name="filter" type="xsd:boolean"/>
<part name="restrict" type="xsd:string"/>
<part name="safeSearch" type="xsd:boolean"/>
<part name="lr" type="xsd:string"/>
<part name="ie" type="xsd:string"/>
<part name="oe" type="xsd:string"/>
</message>
...
<service name="GoogleSearchService">
<port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
<soap:address location="http://api.google.com/search/beta2"/>
</port>
</service>
Web Services Challenges
What don’t web services change?
• Web services do not create new vulnerabilities
What do web services change?
• Web applications may advertise input vectors
  • WSDL files
• Web applications may advertise their existence
  • UDDI
  • DISCO
How do web services affect security?
• New input vectors
• Testing tools must understand web services protocols
  • SOAP
Web Services Attacks
Cross Site Request Forgery
• Abuse the trust established between a browser and server to force unwanted user actions
Cross Site Scripting
• Inject client side script into a web page
SQL Injection
• Ability to influence back end SQL Queries
Session Hijacking
• Ability to predict/intercept session credentials
Etc.
• This list could go on forever
Verdict
• Web Services can be exposed to the same vulnerabilities as web applications!
Myths of Web Service Security
Web services involve machine to machine communication and would/could therefore never be targeted by an attacker
• SOAP requests can easily be forged manually or using point and click freeware tools (e.g. Foundstone WSDigger)
• In some ways, web services are a goldmine for an attacker as they advertise their existence and reveal expected inputs
I can simply strip out this cool functionality and expose it using a web service without compromising security
• Web application security may be left behind when specific pieces of business logic are exposed via a web service
Solution
Web services can and should be just as secure as any other web application but they won’t get there on their own
• Web services should go through the same secure coding practices as other applications
• Do not assume that web services will not be a target for attackers as they exist “behind the scenes”. This can make them an even more attractive target.

Asynchronous JavaScript and XML (AJAX)
AJAX
Google Maps
FireBug
AJAX Defined
Asynchronous
• Requests are initiated in the background
JavaScript
• JavaScript instantiates the XmlHttpRequest object and generates the requests
And XML
• This is a misnomer as AJAX frameworks commonly employ alternate data interchange formats
  • JSON - Atlas
  • Serialized Java - Google Web Toolkit
  • HTML
  • XML
AJAX Implementations
Multiple frameworks
• Prototype (http://www.prototypejs.org/)
• Script.aculo.us
• Dojo (http://dojotoolkit.org/)
• ASP.Net AJAX (http://ajax.asp.net/)
• Etc.
Multiple browser objects
• Internet Explorer
  • IE6 - XMLHTTP ActiveX control
  • IE7 – XMLHTTP native script object
• Firefox
  • XMLHttpRequest object
AJAX Challenges
What doesn’t AJAX change?
• AJAX does not create new vulnerabilities
What does AJAX change?
• Business logic is dispersed among multiple client side files/functions
• Requests are made in the background without user intervention but are just as susceptible to attack
How does AJAX affect security?
• Increased surface area
  • More business logic is exposed
  • New input vectors are exposed
• Security tools must understand the XHR objects and their syntax in order to identify input vectors
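Since AJAX scatters the input vectors across client-side files, an assessment has to recover them from the JavaScript itself. As an added example (not from the slides), the heuristic below scans constructed JavaScript snippets for XMLHttpRequest open() calls and JSON.stringify bodies and produces an inventory of endpoints and parameter names to validate and test; the file names and endpoints are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed client-side JavaScript standing in for the scattered files an AJAX app ships.
JS_SOURCES = {
    "search.js": """
      var xhr = new XMLHttpRequest();
      xhr.open("GET", "/ajax/search?q=" + encodeURIComponent(term), true);
      xhr.send(null);""",
    "profile.js": """
      req.open("POST", "/ajax/profile/update", true);
      req.setRequestHeader("Content-Type", "application/json");
      req.send(JSON.stringify({displayName: name, bio: bio}));""",
}

# Heuristic patterns: XHR open(method, url-literal) calls and object-literal JSON bodies.
OPEN_RE = re.compile(r'\.open\(\s*"(GET|POST|PUT|DELETE)"\s*,\s*"([^"]+)"')
JSON_BODY_RE = re.compile(r'JSON\.stringify\(\s*\{([^}]*)\}')

def xhr_input_vectors(sources):
    """Return (file, method, path, [parameter names]) for each XHR call found.
    Query keys come from the URL literal; body keys from JSON.stringify({...})
    in the same file are attributed to its non-GET calls (a coarse heuristic)."""
    vectors = []
    for fname, js in sources.items():
        body_keys = [kv.split(":")[0].strip() for m in JSON_BODY_RE.finditer(js)
                     for kv in m.group(1).split(",") if kv.strip()]
        for m in OPEN_RE.finditer(js):
            method, url = m.groups()
            parts = urlsplit(url)
            params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
            if method != "GET":
                params += body_keys
            vectors.append((fname, method, parts.path, params))
    return vectors
```

Parameters built up by string concatenation at runtime are not captured by this pattern, which is exactly why the slides call for tools that understand the XHR objects rather than grepping alone.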
Input Vectors (diagram comparing Web 1.0 and Web 2.0 input vectors)
Attack Vectors
Input vectors
• Input vectors = attack vectors
• When identifying input vectors – think broadly
Vulnerabilities
• Vast majority of vulnerabilities result when unexpected user supplied input is not properly sanitized
• ANYTHING sent from the client to the server is a potential attack vector
Input Validation
• Validate everything!
Thoughts
Will Web 2.0 usher in the apocalypse?
• No, the sky isn’t falling either
• Web 2.0 technologies offer to expand the web with intuitive, content rich applications, but as with any new technology, they bring new security challenges
What is the greatest security challenge posed by Web 2.0?
• It isn’t new classes of web application vulnerabilities. For the most part, the types of vulnerabilities have remained unchanged while attackers now have new ways to exploit them.
• The greatest security challenge is the same as it is with any new technology. Adopt Web 2.0 technologies to solve a business need, not because it looks cool. When we rush to adopt a new technology for the wrong reasons, we typically leave security behind.
Solutions – HP ASC
Security Throughout the SDLC (Enterprise Application Security Assurance)
Phases: Plan, Requirements, Design, Build, Test, Production
• Source Code Validation – DevInspect
• QA/Integration Testing – QAInspect
• Production Assessment – WebInspect
• Enterprise Security Assurance & Reporting – Assessment Management Platform (AMP)
Questions
Billy Hoffman, Lead Security Researcher, HP
bhoffman@hp.com