Testing for Naughty SOAP Attachments (OWASP-WS-006)
Revision as of 02:18, 31 May 2009
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP is currently working on the OWASP Testing Guide v4; you can browse the Guide here.
Brief Summary
This section describes attack vectors for Web Services that accept attachments. The risk lies in the server's processing of the attachment and in its redistribution of the file to clients.
Description of the Issue
Binary files, including executables and document types that can contain malware, can be posted to a web service in several ways: as a parameter of a web service method, as an attachment using SOAP with Attachments, or using DIME (Direct Internet Message Encapsulation) and WS-Attachments.
An attacker can craft a SOAP message (an XML document) that carries malware as an attachment and send it to a web service. Testing that the Web Service host inspects SOAP attachments should be included in the web application testing plan.
Black Box testing and example
Testing for file as parameter vulnerabilities:
1. Find a WSDL that accepts attachments:
For example:
...
<s:element name="UploadFile">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="filename" type="s:string" />
      <s:element minOccurs="0" maxOccurs="1" name="type" type="s:string" />
      <s:element minOccurs="0" maxOccurs="1" name="chunk" type="s:base64Binary" />
      <s:element minOccurs="1" maxOccurs="1" name="first" type="s:boolean" />
    </s:sequence>
  </s:complexType>
</s:element>
<s:element name="UploadFileResponse">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="UploadFileResult" type="s:boolean" />
    </s:sequence>
  </s:complexType>
</s:element>
...
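Step 1 is easier to do mechanically than by eye once a WSDL runs to hundreds of elements. The script below is an added example and is not part of the Testing Guide: it walks the schema section of a WSDL and lists every field typed base64Binary or hexBinary, which is where a file can enter the service and therefore where server-side inspection has to happen. The SAMPLE_WSDL wrapper around the page's UploadFile schema is constructed for this example (the wsdl: namespace is the WSDL 1.1 one); find_binary_inputs is the example's own name.

```python
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"
# Built-in XML Schema types that carry arbitrary bytes: an element of one of these
# types is a place where a file can enter the service.
BINARY_TYPES = {"base64Binary", "hexBinary"}


def find_binary_inputs(wsdl_xml):
    """Return (message element, field, declared type) for every field of a top-level
    schema element whose type is a binary XSD type, walking nested complexType content."""
    root = ET.fromstring(wsdl_xml)  # use defusedxml.ElementTree for WSDL you did not write
    hits = []
    for schema in root.iter(f"{{{XSD_NS}}}schema"):
        for top in schema.findall(f"{{{XSD_NS}}}element"):
            for field in top.iter(f"{{{XSD_NS}}}element"):
                if field is top:
                    continue
                declared = field.get("type", "")
                if declared.split(":")[-1] in BINARY_TYPES:
                    hits.append((top.get("name"), field.get("name"), declared))
    return hits


# Constructed WSDL fragment wrapping the page's UploadFile schema (not a real service).
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:s="{XSD_NS}">
  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://somehost/service">
      <s:element name="UploadFile"><s:complexType><s:sequence>
        <s:element minOccurs="0" maxOccurs="1" name="filename" type="s:string" />
        <s:element minOccurs="0" maxOccurs="1" name="type" type="s:string" />
        <s:element minOccurs="0" maxOccurs="1" name="chunk" type="s:base64Binary" />
        <s:element minOccurs="1" maxOccurs="1" name="first" type="s:boolean" />
      </s:sequence></s:complexType></s:element>
      <s:element name="UploadFileResponse"><s:complexType><s:sequence>
        <s:element minOccurs="1" maxOccurs="1" name="UploadFileResult" type="s:boolean" />
      </s:sequence></s:complexType></s:element>
    </s:schema>
  </wsdl:types>
</wsdl:definitions>"""

if __name__ == "__main__":
    for message, field, declared in find_binary_inputs(SAMPLE_WSDL):
        print(f"{message}.{field} accepts binary data ({declared})")
```

Run against the sample it reports UploadFile.chunk; run against a real WSDL it gives the list of operations that both the test plan and the server-side inspection policy need to cover.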
2. Attach a test virus file, using a non-destructive test file such as EICAR, to a SOAP message and post it to the target Web Service. In this example, EICAR is used.
SOAP message with EICAR attachment (as Base64 data):
POST /Service/Service.asmx HTTP/1.1
Host: somehost
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: http://somehost/service/UploadFile

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <UploadFile xmlns="http://somehost/service">
      <filename>eicar.pdf</filename>
      <type>pdf</type>
      <chunk>X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*</chunk>
      <first>true</first>
    </UploadFile>
  </soap:Body>
</soap:Envelope>
Result Expected:
A SOAP response with the UploadFileResult parameter set to true (this will vary per service). The EICAR test virus file is allowed to be stored on the host server and can be redistributed as a PDF.
Testing for SOAP with Attachment vulnerabilities
The test is the same, but the request uses SOAP with Attachments (Multipart/Related) and looks similar to the following (note the EICAR string in the base64-encoded attachment part):
POST /insuranceClaims HTTP/1.1
Host: www.risky-stuff.com
Content-Type: Multipart/Related; boundary=MIME_boundary; type=text/xml; start="<[email protected]>"
Content-Length: XXXX
SOAPAction: http://schemas.risky-stuff.com/Auto-Claim
Content-Description: This is the optional message description.

--MIME_boundary
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <[email protected]>

<?xml version='1.0' ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <claim:insurance_claim_auto id="insurance_claim_document_id" xmlns:claim="http://schemas.risky-stuff.com/Auto-Claim">
      <theSignedForm href="cid:[email protected]"/>
      <theCrashPhoto href="cid:[email protected]"/>
      <!-- ... more claim details go here... -->
    </claim:insurance_claim_auto>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

--MIME_boundary
Content-Type: image/tiff
Content-Transfer-Encoding: base64
Content-ID: <[email protected]>

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

--MIME_boundary
Content-Type: image/jpeg
Content-Transfer-Encoding: binary
Content-ID: <[email protected]>

...Raw JPEG image..
--MIME_boundary--
Result Expected:
The EICAR test virus file is allowed to be stored on the host server and can be redistributed as a TIFF file.
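Both listings in this section describe the request; what the tester is looking for on the server side is the inspection the guide says should be there. The code below is an added example for both the "file as parameter" case and the SOAP with Attachments case, and is not OWASP's or any vendor's code: it parses the two request shapes, resolves the cid: references of the multipart form, and rejects the upload when the declared type is not on an allow-list, the file's leading bytes do not match that type, or the EICAR signature appears. The namespaces come from the page's listings; the allow-list of types, the example.invalid Content-IDs, the sample bodies and all function names are constructed for the example. The page's first listing shows the EICAR string inside <chunk> unencoded although the element is typed base64Binary; the decoder here rejects such a chunk instead of guessing at it.

```python
import base64
import email
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://somehost/service"                      # namespace of the page's UploadFile request
CLAIM_NS = "http://schemas.risky-stuff.com/Auto-Claim"  # namespace of the page's claim request
# The EICAR test string the page posts; real scanners flag it as malware.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Leading bytes expected for each allowed type (assumption: the service allows only these).
MAGIC = {"pdf": (b"%PDF-",), "jpeg": (b"\xff\xd8\xff",), "tiff": (b"II*\x00", b"MM\x00*")}


def check_bytes(declared, data):
    """Shared check: declared type ('pdf', 'image/tiff', ...) must be on the allow-list and
    match the magic bytes, and no known-bad signature may appear. Empty list = storable."""
    kind = declared.lower().rsplit("/", 1)[-1]
    reasons = []
    if kind not in MAGIC:
        reasons.append(f"type {declared!r} not in allow-list")
    elif not data.startswith(MAGIC[kind]):
        reasons.append(f"content does not look like {kind}")
    if EICAR.encode() in data:
        reasons.append("EICAR test signature found")
    return reasons


def inspect_upload_parameter(soap_xml):
    """Case 1 (file as parameter): the file arrives base64-encoded in UploadFile/chunk."""
    root = ET.fromstring(soap_xml)  # use defusedxml.ElementTree for untrusted input
    upload = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}UploadFile")
    if upload is None:
        return False, ["no UploadFile element in SOAP body"]
    fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in upload}
    try:
        data = base64.b64decode(fields.get("chunk", ""), validate=True)
    except ValueError:  # the page's listing carries EICAR unencoded: reject rather than guess
        return False, ["chunk is not valid base64"]
    reasons = check_bytes(fields.get("type", ""), data)
    return not reasons, reasons


def inspect_multipart(raw):
    """Case 2 (SOAP with Attachments): the Multipart/Related body after the HTTP request line.
    Each attachment must be referenced by a cid: href in the SOAP part and pass check_bytes."""
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        return False, ["not a Multipart/Related message"]
    parts = {p.get("Content-ID", "").strip("<>"): p for p in msg.get_payload()}
    root_cid = (msg.get_param("start") or "").strip("<>")
    if root_cid not in parts:
        return False, ["start part (SOAP envelope) missing"]
    soap = ET.fromstring(parts[root_cid].get_payload(decode=True))
    referenced = {el.get("href")[4:] for el in soap.iter()
                  if (el.get("href") or "").startswith("cid:")}
    reasons = [f"href cid:{cid} has no matching part" for cid in referenced - set(parts)]
    for cid, part in parts.items():
        if cid == root_cid:
            continue
        if cid not in referenced:
            reasons.append(f"part {cid} not referenced by SOAP body")
        data = part.get_payload(decode=True) or b""
        reasons += [f"{cid}: {r}" for r in check_bytes(part.get_content_type(), data)]
    return not reasons, reasons


def build_upload_request(filename, ftype, payload):
    """Constructed UploadFile request in the shape of the page's first listing."""
    return (f'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="{SOAP_NS}">'
            f'<soap:Body><UploadFile xmlns="{SVC_NS}"><filename>{filename}</filename><type>{ftype}'
            f'</type><chunk>{base64.b64encode(payload).decode()}</chunk><first>true</first>'
            '</UploadFile></soap:Body></soap:Envelope>').encode()


def build_multipart(root_cid, soap_xml, attachments):
    """Constructed Multipart/Related body in the shape of the page's second listing
    (SOAP part first; every attachment base64-encoded, unlike the page's binary JPEG part)."""
    b = "MIME_boundary"
    lines = [f'Content-Type: Multipart/Related; boundary={b}; type=text/xml; start="<{root_cid}>"',
             "", f"--{b}", "Content-Type: text/xml; charset=UTF-8",
             "Content-Transfer-Encoding: 8bit", f"Content-ID: <{root_cid}>", "", soap_xml]
    for cid, ctype, payload in attachments:
        lines += [f"--{b}", f"Content-Type: {ctype}", "Content-Transfer-Encoding: base64",
                  f"Content-ID: <{cid}>", "", base64.b64encode(payload).decode()]
    return "\r\n".join(lines + [f"--{b}--", ""]).encode()


# Constructed sample messages (not captured traffic); example.invalid is a placeholder host.
CLAIM_SOAP = (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
              f'<claim:insurance_claim_auto xmlns:claim="{CLAIM_NS}">'
              '<theSignedForm href="cid:form.tiff@example.invalid"/>'
              '<theCrashPhoto href="cid:photo.jpeg@example.invalid"/>'
              '</claim:insurance_claim_auto></SOAP-ENV:Body></SOAP-ENV:Envelope>')
JPEG, TIFF = b"\xff\xd8\xff\xe0" + b"\x00" * 16, b"II*\x00" + b"\x00" * 16
EICAR_UPLOAD = build_upload_request("eicar.pdf", "pdf", EICAR.encode())
CLEAN_UPLOAD = build_upload_request("report.pdf", "pdf", b"%PDF-1.4\n1 0 obj << >> endobj\n")
EICAR_CLAIM = build_multipart("soap@example.invalid", CLAIM_SOAP, [
    ("form.tiff@example.invalid", "image/tiff", EICAR.encode()),
    ("photo.jpeg@example.invalid", "image/jpeg", JPEG)])
CLEAN_CLAIM = build_multipart("soap@example.invalid", CLAIM_SOAP, [
    ("form.tiff@example.invalid", "image/tiff", TIFF),
    ("photo.jpeg@example.invalid", "image/jpeg", JPEG)])
```

inspect_upload_parameter(EICAR_UPLOAD) and inspect_multipart(EICAR_CLAIM) both return a rejection naming the type mismatch and the EICAR signature, while the CLEAN_* messages are accepted. A real service would hand the decoded bytes to an antivirus engine rather than match one signature; the structural checks (type allow-list, magic bytes, every attachment referenced from the envelope) are what stop a file from being stored as "eicar.pdf" or redistributed as a TIFF.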
References
- Xml.com - http://www.xml.com/pub/a/2003/02/26/binaryxml.html
- W3C: "Soap with Attachments" - http://www.w3.org/TR/SOAP-attachments
Tools