OWASP - User contributions [en]

User:Thomas Vissers

2013-06-04T16:20:10Z

Thomas Vissers:

*Master of Applied Engineering in ICT & Electronics (2013 - Artesis University College, Antwerpen, Belgium)
*Cloud Security Research Intern (2013 - Anna University, Chennai, India)
**DDoS Defense system for Web Services in a Cloud Environment
*Project leader of [https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project OWASP WS Amplification DoS Project].

'''Contact:''' Thomas.Vissers@owasp.org

User:Thomas Vissers

2013-06-04T16:18:44Z

Thomas Vissers:

OWASP WS Amplification DoS Project

2013-06-04T16:15:55Z

Thomas Vissers:

=Main=
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a [http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack DNS Amplification or Reflective attack].
It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this [http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf paper]
The aim of the project is to investigate web service frameworks and develop tools to test this vulnerability and determine the threat magnitude on a global scale.

Ideas, development and all other contributions are more than welcome. This page will be updated with the current progress and to-do's. Feel free to contact the project leader for any questions.

=Attack scenario=
In the image below, the possible attack scenario is depicted. Very similar to the DNS amplification attack, the attacker commands a botnet to access a third party, here, a webservice. The request to the webservice contains a WS-Addressing header that specifies the victim's address as the ReplyTo or FaultTo address. The webservice replies to this address with a message that is potentially larger in size than the original request, effectively amplifying the attack.
[[File:WSAMP_attack_scenario.png|800]]

=Vulnerability investigation=
To determine the magnitude of this vulnerability, the project works on two paths:
*Development of a tool that can test public webservices and determine their number and amplification factor
*Look into the different webservice frameworks (Axis, CXF, .NET, ...) and find out their WS-Addressing behaviour.

==Tool to determine threat magnitude==
The tool contains 3 parts:

*Webservice crawler (WSA_spoof.py)
**Finds webservices and their corresponding WSDLs
*Webservice client generator (WSA_spoof.py)
**Generates a client from the WSDL and sends an empty request with a WS-Addressing header, with a ReplyTo that points to the Google App
*Public reply logger (GoogleApp_code.py - Google App)
**Public reachable web application that listens to incoming requests and logs them.

In the image below, the last two parts are displayed. Development of these has started as a draft [https://github.com/VSSRS/WS-Amplification here].

[[File:WSAMP_tool.png|800]]

===Main TO-DO list===
*In order to properly research this threat, we need to crawl or find public accessible webservices. The former big UDDI registers have all been shut down.
**Currently, a 'simple' Google search is used to track down public webservices.
*Further develop the tool.
**A draft of the spoofing and Google App is made in Python. Can be found [https://github.com/VSSRS/WS-Amplification here].

==WS-Addressing default behaviours==
In order to get a grasp of the magnitude of this threat, it is also necessary to be aware of the default behaviour and settings in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable it without the user specifying the need for it. Potentially creating a lot of web services that are unnecessarily prone to abuse.
====Axis2====
Axis2 enables WS-Addressing by default, as stated [http://axis.apache.org/axis2/java/core/modules/addressing/ here]
====CXF====
CXF supports WS-Addressing, but [http://cxf.apache.org/docs/ws-addressing.html explicit configuration] is required to enable it.
====JAX-WS & Metro====
Metro is based on the JAX-WS API. The [https://metro.java.net/1.4/docs/wsaddressing.html documentation] says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header. "
====.NET Framework====
.NET/WCF supports WS-Addressing, but the default behaviour on a RepyTo field is unclear.

===Main TO-DO list===
*More information about .NET/WCF is needed.
*Specifically test a Metro webservice with a random wsa:Action header.

=Project About=
{{:Projects/OWASP_WS_Amplification_DoS_Project}}

[[Category:OWASP Project]]

File:WSAMP tool.png

2013-06-04T15:39:54Z

Thomas Vissers:

File:WSAMP attack scenario.png

2013-06-04T15:37:27Z

Thomas Vissers:

OWASP WS Amplification DoS Project

2013-06-02T14:34:55Z

Thomas Vissers:

OWASP WS Amplification DoS Project

2013-06-02T14:33:05Z

Thomas Vissers:

OWASP WS Amplification DoS Project

2013-06-02T14:30:44Z

Thomas Vissers:

=Main=
Project Leader’s content goes here
==WS-Addressing default behaviour==
In order to get a grasp of the magnitude of this threat, it is necessary to be aware of the default configurations in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable it without the user specifying the need for it. Potentially creating a lot of web services that are unnecessarily prone to abuse.
===Axis2===
Axis2 enables WS-Addressing by default, as stated [http://axis.apache.org/axis2/java/core/modules/addressing/ here]
===CXF===
CXF supports WS-Addressing, but [http://cxf.apache.org/docs/ws-addressing.html explicit configuration] is required to enable it.
===JAX-WS & Metro===
Metro is based on the JAX-WS API. The [https://metro.java.net/1.4/docs/wsaddressing.html documentation] says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header. "
===.NET Framework===
.NET/WCF supports WS-Addressing, but the default behaviour on a RepyTo field is unclear. More information is welcome!
=Project About=
{{:Projects/OWASP_WS_Amplification_DoS_Project}}

[[Category:OWASP Project]]

User:Thomas Vissers

2013-05-23T15:14:44Z

Thomas Vissers:

Projects/OWASP WS Amplification DoS Project

2013-05-23T15:09:55Z

Thomas Vissers:

{{Template:Project About
| project_name =OWASP WS Amplification DoS Project
| project_home_page =OWASP WS Amplification DoS Project
| project_description =The project aims to explore the threat of an Amplification DoS attack that utilises webservices.
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a [http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack DNS Amplification or Reflective attack].
It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this [http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf paper]
The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale.
If necessary, a publication involving awareness and countermeasures will follow.

| project_license =Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
| leader_name1 =Thomas Vissers
| leader_email1 =Thomas.Vissers@owasp.org
| leader_username1 = Thomas Vissers
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_ws_amplification_dos_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_WS_Amplification_DoS_Project/Roadmap
}}

Projects/OWASP WS Amplification DoS Project/Roadmap

2013-05-23T15:08:08Z

Thomas Vissers:

'''PHASE 1:'''
*'''A''' - Setting up a tool that can detect this vulnerability
**Finding a way to crawl the net looking for open webservices and test them with the above tool
*'''B''' - Looking into the different WS implementations and finding out their default WS-Addressing behaviour
** .NET, Axis, Axis2, CXF,...

'''PHASE 2:'''
*'''A''' - Analyse the results and determine the global threat magnitude
** Average amplification factor, number of vulnerable open webservices,...
*'''B''' - Determine what adjustments and countermeasures must be taken in order to mitigate the threat
**In the frameworks, external tool?,...

'''PHASE 3:'''
*Bundle all the results and possible countermeasures into a document/article to create awareness

Projects/OWASP WS Amplification DoS Project/Roadmap

2013-05-23T15:07:45Z

Thomas Vissers:

'''PHASE 1:'''
*A - Setting up a tool that can detect this vulnerability
**Finding a way to crawl the net looking for open webservices and test them with the above tool
*B - Looking into the different WS implementations and finding out their default WS-Addressing behaviour
** .NET, Axis, Axis2, CXF,...

'''PHASE 2:'''
*A - Analyse the results and determine the global threat magnitude
** Average amplification factor, number of vulnerable open webservices,...
*B - Determine what adjustments and countermeasures must be taken in order to mitigate the threat
**In the frameworks, external tool?,...

'''PHASE 3:'''
*Bundle all the results and possible countermeasures into a document/article to create awareness

Projects/OWASP WS Amplification DoS Project/Roadmap

2013-05-23T15:07:07Z

Thomas Vissers:

PHASE 1:
*A - Setting up a tool that can detect this vulnerability
**Finding a way to crawl the net looking for open webservices and test them with the above tool
*B - Looking into the different WS implementations and finding out their default WS-Addressing behaviour
** .NET, Axis, Axis2, CXF,...

PHASE 2:
*A - Analyse the results and determine the global threat magnitude
** Average amplification factor, number of vulnerable open webservices,...
*B - Determine what adjustments and countermeasures must be taken in order to mitigate the threat
**In the frameworks, external tool?,...

PHASE 3:
*Bundle all the results and possible countermeasures into a document/article to create awareness

Projects/OWASP WS Amplification DoS Project/Roadmap

2013-05-23T15:06:39Z

Thomas Vissers:

*PHASE 1:
**A - Setting up a tool that can detect this vulnerability
***Finding a way to crawl the net looking for open webservices and test them with the above tool
**B - Looking into the different WS implementations and finding out their default WS-Addressing behaviour
*** .NET, Axis, Axis2, CXF,...

*PHASE 2:
**A - Analyse the results and determine the global threat magnitude
*** Average amplification factor, number of vulnerable open webservices,...
**B - Determine what adjustments and countermeasures must be taken in order to mitigate the threat
***In the frameworks, external tool?,...

*PHASE 3:
**Bundle all the results and possible countermeasures into a document/article to create awareness

Projects/OWASP WS Amplification DoS Project

2013-05-23T15:02:36Z

Thomas Vissers:

{{Template:Project About
| project_name =OWASP WS Amplification DoS Project
| project_home_page =OWASP WS Amplification DoS Project
| project_description =The project aims to explore the threat of an Amplification DoS attack that utilises webservices.
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a [http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack DNS Amplification or Reflective attack].
It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this [http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf paper]
The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale.
If necessary, a publication involving awareness and countermeasures will follow.

| project_license =Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
| leader_name1 =Thomas Vissers
| leader_email1 =Thomas.Vissers@owasp.org
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_ws_amplification_dos_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_WS_Amplification_DoS_Project/Roadmap
}}