Testing for XML Content-Level (OWASP-WS-004)
Web Services are designed to be publicly available to provide services to clients using the internet as the common communication protocol. These services can be used to leverage legacy assets by exposing their functionality via SOAP using HTTP. SOAP messages contain method calls with parameters, including textual data and binary attachments, requesting the host to perform some function - database operations, image processing, document management, etc. Legacy applications exposed by the service may be vulnerable to malicious input that when previously limited to a private network was not an issue. In addition, because the server hosting the Web Service will need to process this data, the host server may be vulnerable if it is unpatched or otherwise unprotected from malicious content (e.g. plain text passwords, unrestricted file access, etc.).
An attacker can craft an XML document(SOAP message) that contains malicious elements in order to compromise the target system. Testing for proper content validation should be included in the web application testing plan.
Description of the Issue
This type of attack targets the system hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include 1) SQL Injection or XPath injection 2) Buffer Overflow and 3) command injection.
Black Box testing and example
Testing for SQL Injection or XPath Injection vulnerabilities
1. Examine the WSDL for the Web Service. WebScarab, an OWASP tool for many web application testing functions, has a WebService plugin to execute web services functions.
2. In WebScarab, modify the parameter data based on the WSDL definition for the parameter.
Using a single quote ('), the tester can inject a conditional clause to return true, 1=1 when the SQL or XPath is executed. If this is used to login, if the value is not validated, the login will succeed because 1=1.
The values for the operation:
<userid>myuser</userid> <password>' OR 1=1</password>
could translate in SQL as: WHERE userid = 'myuser' and password = OR 1=1 and in XPath as: //user[userid='myuser' and password= OR 1=1]
A tester than can continue using the web service in a higher privilege if authenticated or execute commands on the database.
Testing for buffer overflow vulnerabilities:
It is possible to execute arbitrary code on vulnerable web servers via a web service. Sending a specially crafted HTTP request to a vulnerable application can cause an overflow and allow an attacker to execute code. Using a testing tool like MetaSploits or developing your own code, it is possible to craft a reusable exploit test. MailEnable Authorization Header Buffer Overflow is an example of an existing Web Service Buffer Overflow exploit and is available as from MetaSploits as "mailenable_auth_header." The vulnerability is listed at the Open Source Vulnerability Database.
Execution of arbitrary code to install malicious code.
Grey Box testing and examples
1. Are parameters checked for invalid content - SQL constructs, HTML tags, etc.? Use the OWASP XSS guide (http://www.owasp.org/index.php/XSS) or the specific language implementation, such as htmlspecialchars() in PHP and never trust user input.
2. To mitigate buffer overflow attacks, check the web server, application servers, database servers for updated patches and security (antivirus, malware, etc.).
NIST.gov Web Services Draft
OWASP's WebScarab Proxy