Testing for Naughty SOAP Attachments (OWASP-WS-006)

From OWASP
Revision as of 01:41, 5 November 2006

Brief Summary

Binary files, including executables and document types that can contain malware, can be posted to a web service in several ways. They can be sent as a parameter of a web service method (typically an element typed xsd:base64Binary); they can be sent as a MIME attachment using SOAP with Attachments (SwA); and they can be sent using DIME (Direct Internet Message Encapsulation) and WS-Attachments.

An attacker can craft an XML document (a SOAP message) that carries malware as an attachment or as a binary parameter and send it to the web service. Testing that the Web Service host inspects SOAP attachments and binary parameters before storing or processing them should be included in the web application testing plan.


Description of the Issue

This section describes attack vectors for Web Services that accept attachments. The danger lies in the server processing the attachment (for example executing, rendering or indexing it) and in the server storing and redistributing the file to other clients, which turns the web service into a malware distribution channel.


Black Box testing and example

Testing for naughty SOAP attachment vulnerabilities:

1. Find a WSDL operation that accepts attachments. In the WSDL, look for parameters typed base64Binary (or hexBinary), and for operations documented as taking SOAP with Attachments or DIME parts:

For example:

...


<s:element name="UploadFile">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="filename" type="s:string" />
      <s:element minOccurs="0" maxOccurs="1" name="type" type="s:string" />
      <s:element minOccurs="0" maxOccurs="1" name="chunk" type="s:base64Binary" />
      <s:element minOccurs="1" maxOccurs="1" name="first" type="s:boolean" />
    </s:sequence>
  </s:complexType>
</s:element>
<s:element name="UploadFileResponse">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="UploadFileResult" type="s:boolean" />
    </s:sequence>
  </s:complexType>
</s:element>

...


2. Attach a test virus file, using a non-destructive test virus such as EICAR, to a SOAP message and post it to the target Web Service. In this example, the EICAR test string is used (it is possible to use the

SOAP message with the EICAR test file carried in the base64Binary chunk parameter (as Base64 data):

POST /Service/Service.asmx HTTP/1.1
Host: somehost
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: http://somehost/service/UploadFile

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <UploadFile xmlns="http://somehost/service">
      <filename>eicar</filename>
      <type>pdf</type>
      <chunk>WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=</chunk>
      <first>true</first>
    </UploadFile>
  </soap:Body>
</soap:Envelope>

The chunk element is typed base64Binary, so it carries the Base64 encoding of the 68-byte EICAR string (X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*) rather than the raw text. A filter that only pattern-matches the raw SOAP body will not see the EICAR signature; the parameter has to be decoded before it is scanned.

Result Expected: A SOAP response with the UploadFileResult element set to true (the exact response varies per service) shows that the EICAR test file was accepted and stored on the host server, from where it can be redistributed to clients under a PDF file name. A service that inspects its attachments should instead return a SOAP Fault or a false result and should not persist the file; if the host runs anti-virus software, also check whether the stored file was quarantined after the fact, since that still leaves a window in which it could be served.
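The two steps above, carried through as one script. This is an added example and not OWASP's own tooling: it parses a constructed WSDL fragment (modelled on the UploadFile schema in step 1) for parameters typed base64Binary, builds the step-2 request with the EICAR string correctly Base64-encoded into the chunk parameter, and then shows the point a tester should verify on the defending side: the EICAR signature is not visible on the wire and only appears once the parameter is decoded. The function names, the sample WSDL and the sample response are assumptions made for this example; the host, path and SOAPAction values are the page's.

```python
"""Naughty SOAP attachment test helper (added example, not OWASP code)."""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

XSD = "http://www.w3.org/2001/XMLSchema"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# The EICAR test string: harmless, but recognised by anti-virus engines.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed WSDL fragment mirroring the UploadFile schema from step 1,
# plus one operation with no binary parameter (sample input, not a real service).
SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:s="http://www.w3.org/2001/XMLSchema"
                  targetNamespace="http://somehost/service">
 <wsdl:types>
  <s:schema targetNamespace="http://somehost/service">
   <s:element name="UploadFile">
    <s:complexType><s:sequence>
     <s:element minOccurs="0" maxOccurs="1" name="filename" type="s:string"/>
     <s:element minOccurs="0" maxOccurs="1" name="type" type="s:string"/>
     <s:element minOccurs="0" maxOccurs="1" name="chunk" type="s:base64Binary"/>
     <s:element minOccurs="1" maxOccurs="1" name="first" type="s:boolean"/>
    </s:sequence></s:complexType>
   </s:element>
   <s:element name="GetStatus">
    <s:complexType><s:sequence>
     <s:element minOccurs="1" maxOccurs="1" name="id" type="s:int"/>
    </s:sequence></s:complexType>
   </s:element>
  </s:schema>
 </wsdl:types>
</wsdl:definitions>"""


def find_binary_params(wsdl_xml):
    """Step 1: map each top-level schema element (operation request) to the
    names of its child elements typed base64Binary, whatever the prefix."""
    root = ET.fromstring(wsdl_xml)
    hits = {}
    for schema in root.iter(f"{{{XSD}}}schema"):
        for op in schema.findall(f"{{{XSD}}}element"):
            names = [e.get("name") for e in op.iter(f"{{{XSD}}}element")
                     if e is not op
                     and e.get("type", "").split(":")[-1] == "base64Binary"]
            if names:
                hits[op.get("name")] = names
    return hits


def build_eicar_envelope(operation, ns, filename="eicar", ftype="pdf"):
    """Step 2: SOAP 1.1 envelope carrying EICAR in the base64Binary 'chunk'.
    base64Binary holds Base64 text, so the raw EICAR string is encoded."""
    chunk = base64.b64encode(EICAR.encode("ascii")).decode("ascii")
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
        f'<{operation} xmlns={quoteattr(ns)}>'
        f'<filename>{escape(filename)}</filename><type>{escape(ftype)}</type>'
        f'<chunk>{chunk}</chunk><first>true</first>'
        f'</{operation}></soap:Body></soap:Envelope>'
    )


def build_http_request(host, path, soap_action, envelope):
    """Raw HTTP/1.1 request in the shape of the page's example, with a real
    Content-Length (ready to send over a socket or paste into a proxy)."""
    body = envelope.encode("utf-8")
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: text/xml; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\nSOAPAction: \"{soap_action}\"\r\n\r\n")
    return head.encode("ascii") + body


def decode_chunks(envelope_xml):
    """Defender-side check: decode every 'chunk' in the body. A gateway that
    pattern-matches the wire bytes never sees the signature; scanning must
    run on the decoded bytes before the file is stored."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    return [base64.b64decode(e.text or "", validate=True)
            for e in body.iter() if e.tag.split("}")[-1] == "chunk"]


def upload_accepted(response_xml):
    """Result check: True when the response's UploadFileResult is 'true'."""
    root = ET.fromstring(response_xml)
    for e in root.iter():
        if e.tag.split("}")[-1] == "UploadFileResult":
            return (e.text or "").strip().lower() == "true"
    return False


if __name__ == "__main__":
    print("operations taking binary:", find_binary_params(SAMPLE_WSDL))
    env = build_eicar_envelope("UploadFile", "http://somehost/service")
    print(build_http_request("somehost", "/Service/Service.asmx",
                             "http://somehost/service/UploadFile", env).decode())
    print("EICAR visible on the wire:", EICAR in env)
    print("EICAR after decoding:", decode_chunks(env)[0].decode() == EICAR)
```

Run it as-is to see the request; to use it against a target, send the bytes from build_http_request over a socket or through an intercepting proxy and feed the response body to upload_accepted. A true result with the file still present on the host is the finding described above.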


Gray Box testing and example

Testing for naughty SOAP attachment vulnerabilities:

...

Result Expected:

...


