
Testing for XML Content-Level (OWASP-WS-004)

From OWASP
Revision as of 08:55, 27 May 2009 by Deleted user (talk | contribs)

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP is currently working on the OWASP Testing Guide v4; you can browse the Guide here.

Brief Summary

Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include 1) SQL injection or XPath injection, 2) buffer overflow, and 3) command injection.

Description of the Issue

Web Services are designed to be publicly available, providing services to clients over the Internet as the common communication medium. These services can be used to leverage legacy assets by exposing their functionality via SOAP over HTTP. SOAP messages contain method calls with parameters, including textual data and binary attachments, requesting that the host perform some function: database operations, image processing, document management, etc. Legacy applications exposed by the service may be vulnerable to malicious input that was not an issue while access was limited to a private network. In addition, because the server hosting the Web Service must process this data, the host server may be vulnerable if it is unpatched or otherwise unprotected from malicious content (e.g., plain text passwords, unrestricted file access).

An attacker can craft an XML document (SOAP message) that contains malicious elements in order to compromise the target system. Testing for proper content validation should be included in the web application testing plan.

Black Box testing and example

Testing for SQL Injection or XPath Injection vulnerabilities

1. Examine the WSDL for the Web Service. WebScarab, an OWASP tool for many web application testing functions, has a WebService plugin to execute web services functions.

[Image: 482WebScarab1.png]

2. In WebScarab, modify the parameter data based on the WSDL definition for the parameter.

[Image: 482WebScarab2.png]

Using a single quote ('), the tester can inject a conditional clause, 1=1, that evaluates to true when the SQL or XPath query is executed. If the operation is used to log in and the value is not validated, the login will succeed because 1=1 is always true.

The values for the operation:

<userid>myuser</userid> <password>' OR 1=1</password>

could translate in SQL as:

WHERE userid = 'myuser' and password = '' OR 1=1

and in XPath as:

//user[userid='myuser' and password='' OR 1=1]

Result Expected:

A tester can then continue using the web service with higher privileges if authenticated, or execute commands on the database.
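The login test case above, worked through end to end as an added example (this is not code from the OWASP page or from WebScarab). It parses a SOAP message carrying the page's <userid> and <password> values with the standard library, then hands them to two implementations of the same login: one that concatenates the values into the WHERE clause (the flaw the test looks for) and one that binds them as query parameters, alongside the allowlist validation that Grey Box check 1 below asks for. One caveat the page's SQL translation glosses over: the concatenated statement keeps the closing quote after the injected value, so with this exact payload the database rejects the statement; the observable evidence of the injection is then the database error surfacing in the SOAP Fault rather than a successful login. The service namespace urn:example:login, the users table, the allowlist pattern and the SOAP envelope are all constructed for this example.

```python
"""Added example, not code from the OWASP page or from WebScarab.

Reproduces the SQL injection login test case with the standard library only.
The service namespace, users table and SOAP envelope are constructed here."""
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:login"   # hypothetical service namespace, constructed

# Constructed SOAP request carrying the parameter values from the test case.
SOAP_REQUEST = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <login xmlns="{SVC_NS}">
      <userid>myuser</userid>
      <password>' OR 1=1</password>
    </login>
  </soap:Body>
</soap:Envelope>"""


def parse_login(soap_xml):
    """Extract (userid, password) from the login operation in the SOAP Body."""
    root = ET.fromstring(soap_xml)
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}login")
    return (op.findtext(f"{{{SVC_NS}}}userid", default=""),
            op.findtext(f"{{{SVC_NS}}}password", default=""))


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('myuser', 'constructed-secret')")
    return conn


def login_vulnerable(conn, userid, password):
    """Build the WHERE clause by string concatenation (the flaw under test).

    The single quote in the password closes the literal early, so the rest of
    the value is parsed as SQL. With the page's payload the statement ends in
    an unbalanced quote and the database rejects it; a service that copies
    that error into its SOAP Fault tells the tester the value reached the SQL
    parser. Returns ("ok", matched) or ("error", message).
    """
    sql = ("SELECT userid FROM users WHERE userid = '" + userid +
           "' AND password = '" + password + "'")
    try:
        return ("ok", conn.execute(sql).fetchone() is not None)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def login_parameterized(conn, userid, password):
    """Bind the values as parameters: the driver never lets them reach the
    SQL parser, so the quote and the OR 1=1 are compared as plain text."""
    sql = "SELECT userid FROM users WHERE userid = ? AND password = ?"
    return conn.execute(sql, (userid, password)).fetchone() is not None


USERID_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")   # constructed allowlist


def validate_userid(userid):
    """Grey Box check 1: reject anything outside a strict allowlist before the
    value reaches the back end; quotes, angle brackets and SQL punctuation fail."""
    return USERID_RE.fullmatch(userid) is not None


def run_test_case(soap_xml):
    """Drive the page's test case: parse the message, then try both logins."""
    userid, password = parse_login(soap_xml)
    conn = make_db()
    return {
        "userid_valid": validate_userid(userid),
        "password_valid": validate_userid(password),
        "vulnerable": login_vulnerable(conn, userid, password),
        "parameterized": login_parameterized(conn, userid, password),
    }


if __name__ == "__main__":
    for name, outcome in run_test_case(SOAP_REQUEST).items():
        print(f"{name}: {outcome}")
```

Run as a script, the vulnerable path reports the database's syntax error for the injected value, the parameterized path simply returns False, and the allowlist rejects the password value before either query would run.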


Testing for buffer overflow vulnerabilities:

It is possible to execute arbitrary code on vulnerable web servers via a web service. Sending a specially crafted HTTP request to a vulnerable application can cause an overflow and allow an attacker to execute code. Using a testing tool like Metasploit, or developing your own code, it is possible to craft a reusable exploit test. The MailEnable Authorization Header Buffer Overflow is an example of an existing Web Service buffer overflow exploit, and is available from Metasploit as "mailenable_auth_header." The vulnerability is listed at the Open Source Vulnerability Database.

Result Expected:

Execution of arbitrary code to install malicious code.

Grey Box testing and examples

1. Are parameters checked for invalid content (SQL constructs, HTML tags, etc.)? Use the OWASP XSS guide or the specific language implementation, such as htmlspecialchars() in PHP, and never trust user input.

2. To mitigate buffer overflow attacks, check that the web servers, application servers, and database servers have current patches and security software (antivirus, anti-malware, etc.).

References

Whitepapers

Tools