Web Admin Blog Real Web Admins. Real World Experience.


Techniques in Attacking and Defending XML/Web Services

This presentation was by Jason Macy and Mamoon Yunus of Crosscheck Networks - Forum Systems.  It wins the award (the one I just made up) for being the most vendor-oriented presentation at the conference.  Not that it wasn't an interesting presentation, but their solution to defend against most of the attacks was "Use an XML Gateway" (guess what Forum Systems sells?) and the attacks were all presented using the CrossCheck SOAPSonar tool.  I realize that being a vendor they probably have more knowledge than most in the field, but being an Open Source conference, you'd think they would have demonstrated using a free/open tool (SOAPUI?) and talked more about non-hardware solutions to fix the issues.  My notes from the session are below:


  1. Introduction to XML/Web Services Threats
  2. Techniques for Defending XML Threats
  3. XML Attack Examples and Classification
  4. Review sample attacks

Introduction to XML Threats

  • Explicit Attacks
    • Forced Disruption
    • Information Theft
    • Vendor Discovery
  • Implicit Vulnerability
    • Perimeter Breach (embeeded virus, malware)
    • Infrastructure Malfunction (parser and data processing failures)

New Attack Vectors

  • Protocol Firewalls are blind to XML
  • Malware and virus delivered via SOAP attachments
  • WSDL exposes schema and message structure
  • Injection attacks exposed via XML parameters
  • Data replay attacks

Security Testing - Base Requirements

  • Security Framework
    • Sign, ENcrypt, Decrypt, SSL
  • Identity Framework
    • Basic auth, SSL auth, WS-Security token auth
  • Parameter Injection
    • Database or file driven
    • Permutations for security, identity, and SOAP/XML
  • Concurrent Client Simultaneous Loading
    • Denial of Service Testing
  • SOAP with Attachments
    • Malware and Virus testing
  • Dynamic XSD Mutation
    • Derive SOAP vulnerability profile from WSDL schema

Application Security Metrics from the Organization on Down to the Vulnerabilities

This presentation was by Chris Wysopal, the CTO of Veracode.  My notes are below:

"To measure is to know." - James Clerk Maxwell

"Measurement motivates." - John Kenneth Galbraith

Metrics do Matter

  1. Metrics quantify the otherwise unquantifiable
  2. Metrics can show trends and trends matter more than measurements do
  3. Metrics can show if we are doing a good job or bad job
  4. Metrics can show if you have no idea where you are
  5. Metrics establish where "You are here" really is
  6. Metrics build bridges to managers
  7. Metrics allow cross sectional comparisons
  8. Metrics set targets
  9. Metrics benchmark yourself against the opposition
  10. Metrics create curiosity

Metrics Don't Matter (Mike Rothman)

  • It is too easy to count things for no purpose other than to count them
  • You cannot measure security so stop
  • This following is all that matters and you can't map security metrics to them:
    • Maintenance of availability
    • Preservation of wealth
    • Limitation on corporate liability
    • Compliance
    • Shepherding the corporate brand
  • Cost of measurement not worth the benefit

Bad metrics are worse than no metrics

Security Metrics Can Drive Executive Decision Making

  • How secure am I?
  • Am I better off than this time last year?
  • Am I spending the right about of money?
  • How do I compare to my peers?
  • What risk transfer options to I have?

Goals of Application Security Metrics

  • Provide quantifiable information to support enterprise risk management and risk-based decision making
  • Articulate progress towards goals and objectives
  • Provides a repeatable, quantifiable way to assess, compare, and track improvements in assurance
  • Focus activities on risk mitigation in order of priority and exploitability
  • Facilitate adoption and improvement of secure software design and development processes
  • Provide and objective means of comparing and benchmarking projects, divisions, organizations, and vendor products

Anatomy of an Attack: From Incident to Expedient Resolution

For the first session of the morning on the last day of the TRISC 2009 Conference, I decided to attend the "Anatomy of an Attack: From Incident to Expedient Resolution" talk by Chris Smithee, a Systems Engineer at Lancope.  He talked about the different types of attacks that you see on your network and how using FLOW data can be used to monitor and eliminate some of these types of threats.  My notes from the session are below:


w3af: A framework to own the Web – OWASP AppSec NYC 2008

This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader.  w3af is an Open Source project (GPLv2).  A script that evolved into a serious project.  A vulnerability scanner.  An exploitation tool.  Found that the commercial tools were too pricey so developed a tool to make his job easier.

Finds almost all web application vulnerabilities.  Cross platform (written in python).  Uses tactical exploitation techniques to discover new URLs and vulnerabilities.  GTK and Console user interface.  Web service support.  Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more.  WML Support (WAP).  Really easy to extend.  Synergy among plugins.  Ability to find vulerabilities in query string, post data, URL filename, headers, file content (when uploading with forms) and web services.  130 plugins and growing.  Manual analysis web applications.

w3af is divided into two main parts, the core and the plugins.  The core coordinates the process and provides features that plugins consume.  Plugins share information with each other using a knowledge base.  Design patterns and objects everywhere!  8 different types of plugins exist:

  • Discovery Plugins: Find new URLs and create the corresponding fuzzable requests (webSpider, urlFuzzer, googleSpider, pykto)
  • Discover plugins are run in a loop, the output of one discovery plugin is sent as input to the next plugin.  This process continues until all plugins fail to find a new fuzzable request.
  • Other discovery plugins try to fingerprint remote httpd, allowed HTTP methods, verify if the remote site has an HTTP load balancers.
  • Audit Plugins: They take the output of discovery plugins and find vulnerabilities like [blind] SQL injection, XSS, buffer overflows
  • Grep Plugins: These plugins grep every HTTP request and response to try to find information.  Examples are findComments, passwordProfiling, privateIP, directoryIndexing, getMails, and lang.
  • Attack Plugins: These plugins read the vuln objects from the KB and try to exploit.
  • Output Plugins: They write messages to the console, html or text file.
  • Mangle Plugins: They modify requests and responses based on regexs
  • Evasion Plugins: They modify the requests to try to evade IDS detection
  • Bruteforce Plugins: They try to bruteforce logins

The presenter then demonstrated the w3af utility.  Very clean looking GUI similar to many of the linux GUI's available.  Good use of tabs to separate various outputs.  I haven't used it, but it looks fairly intuitive.  It has the ability to create exploit shells (OS, SQL, etc) just like I've seen with uber-expensive products like CoreImpact.  Ability to use python statements in HTTP requests to iterate through different pages. Some really useful graphing.

  • archiveDotOrg plugin: Searches archive.org for older versions of the site, links that were linked somewhere in the past and now are kept in the dark.  Old and unmaintained sections are prone to vulnerabilities
  • Use of PHP easter eggs to fingerprint the remote PHP version.  Old and almost forgotten technique.  Accurate fingerprinting.  Almost nobody disables the eggs (expose_php=off)
  • Good samaritan module: A faster way to exploit blind SQL injections!  A funny way to exploit blind SQL injections!  "Guiding the blind man"
  • Virtual Daemon: Ever dreamed about using metasploit payloads to exploit web applications?  Now you can do it!  Coded a metasploit plugin that connects to a virtual daemon and sends the payload.  The virtual daemon is run by a w3af attack plugin and receives the payload and creates a tiny ELF/PE executable.
  • w3afAgent: A reverse "VPN" that allows you to continue intruding into the target network.  Send the w3afAgent client to the target host using a transfer handler (wget, tftp, echo).  The cient connects back to w3af where the w3afAgent server runs a SOCKS daemon. (Just like CoreImpact!!!  Freakin' sweet!)  UDP traffic doesn't work, but could.  Raw sockets, and sniffing won't work.
  • Web 2.0 Support.  w3af can analyze pages that make heavy use of JavaScript.  THe manual solution available to achieve this task is the spiderMan plugin.  Local proxy daemon.  Analyzes requests and creates fuzzable requests.  The user needs to navigate the JavaScript sections of the site.  Supports JSON.


  • Some level of javascript support (mozrepl)
  • More stable core
  • Less false positives/negatives
  • More attack plugins
  • Better GTK user interface
  • Better management report generation
  • Long descriptions for vulnerabilities using OWASP attack information from the wiki.

Site: http://w3af.sf.net