Penetration Testing Tool for Web Services Security

XML-based SOAP Web Services are a widely used technology that allows users to execute remote operations and transport arbitrary data. It is currently adopted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, and military services. The wide adoption of this technology has resulted in the emergence of numerous, mostly complex, extension specifications. Naturally, this has been followed by a rise in the number of Web Services attacks. They range from specific Denial of Service attacks to attacks breaking the interfaces of cloud providers [1], [2] or the confidentiality of encrypted messages [3]. When implementing common web applications, developers evaluate the security of their systems by applying different penetration testing tools. However, in contrast to well-known attacks such as SQL injection or Cross Site Scripting, there exist no penetration testing tools for Web Services specific attacks. This was the motivation for developing the first automated penetration testing tool for Web Services, called WS-Attacker. In this paper we give an overview of our design decisions and provide an evaluation of four Web Services frameworks and their resistance against WS-Addressing spoofing and SOAPAction spoofing attacks.
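The two attacks named above are, in short, a mismatch between the operation named in the SOAPAction (or wsa:Action) header and the operation carried in the SOAP Body, and a wsa:ReplyTo/wsa:FaultTo address that points the service at an arbitrary endpoint. Below is an added defender-side example, not code from the paper or from WS-Attacker, showing the request-level consistency checks a service can apply before dispatching; the envelopes, the allowlist and the host names are constructed for illustration.

```python
"""Consistency checks a SOAP endpoint can apply before dispatching a request.

SOAPAction spoofing: the header names one operation while soap:Body carries
another; a framework that dispatches on the header executes the wrong one.
WS-Addressing spoofing: wsa:ReplyTo / wsa:FaultTo point the service at an
arbitrary URL, turning it into a client of that URL. (Added example code.)
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"
# Constructed allowlist: hosts the service may deliver responses to.
TRUSTED_REPLY_HOSTS = {"client.example.org"}


def body_operation(envelope: str) -> str:
    """Return the local name of the first element inside soap:Body."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing or empty soap:Body")
    return body[0].tag.rsplit("}", 1)[-1]  # strip the namespace prefix


def check_soapaction(envelope: str, soapaction: str) -> bool:
    """True only if the SOAPAction header names the operation in the Body.

    Quotes and any URI prefix are stripped: "urn:svc:getBalance" -> getBalance.
    An empty SOAPAction deliberately fails the check rather than being trusted.
    """
    action = soapaction.strip().strip('"')
    action = action.rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    return action == body_operation(envelope)


def check_reply_to(envelope: str) -> bool:
    """True only if every wsa:ReplyTo/FaultTo address is on the allowlist."""
    root = ET.fromstring(envelope)
    for name in ("ReplyTo", "FaultTo"):
        for epr in root.iter(f"{{{WSA}}}{name}"):
            addr = epr.findtext(f"{{{WSA}}}Address", "")
            if addr == WSA + "/anonymous":  # reply on the same connection
                continue
            if urlparse(addr).hostname not in TRUSTED_REPLY_HOSTS:
                return False
    return True
```

A gateway or framework filter would reject the request (and log the header/body pair) whenever either check returns False.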

[1] Christopher Allen et al. The TLS Protocol Version 1.0, 1999, RFC.

[2] Donald E. Eastlake et al. XML-Signature Syntax and Processing, 2001, RFC.

[3] Jeff Hodges et al. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0, 2001.

[4] Giovanni Della-Libera et al. Web Services Security Policy Language (WS-SecurityPolicy), 2002.

[5] Jean Jacques Moreau et al. SOAP Version 1.2 Part 1: Messaging Framework, 2003.

[6] Mark O'Neill et al. Web Services Security, 2003.

[7] D. Eastlake et al. XML Encryption Syntax and Processing, 2003.

[8] Phillip Hallam-Baker et al. Web Services Security: SOAP Message Security, 2003.

[9] Tim Moses et al. eXtensible Access Control Markup Language (XACML) Version 1, 2003.

[10] Donald F. Ferguson et al. Web Services Addressing (WS-Addressing), 2004.

[11] Andreas Matheus et al. How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML), 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[12] Michael McIntosh et al. XML Signature Element Wrapping Attacks and Countermeasures, 2005, SWS '05.

[13] Roberto Chinnici et al. Web Services Description Language (WSDL) Version 2.0 Part 1: Core Language, 2007.

[14] Nils Gruschka et al. Vulnerable Cloud: SOAP Message Security Validation Revisited, 2009, 2009 IEEE International Conference on Web Services.

[15] Nils Gruschka et al. A Survey of Attacks on Web Services, 2009, Computer Science - Research and Development.

[16] Eben Hewitt. Java SOA Cookbook, 2009.

[17] Jörg Schwenk et al. All Your Clouds Are Belong to Us: Security Analysis of Cloud Management Interfaces, 2011, CCSW '11.

[18] Tibor Jager et al. How to Break XML Encryption, 2011, CCS '11.

[19] Jörg Schwenk et al. On Breaking SAML: Be Whoever You Want to Be, 2012, USENIX Security Symposium.

[20] Jörg Schwenk et al. Technical Analysis of Countermeasures against Attack on XML Encryption -- or -- Just Another Motivation for Authenticated Encryption, 2012, 2012 IEEE Eighth World Congress on Services.

[21] C. M. Sperberg-McQueen et al. W3C XML Schema Definition Language (XSD) 1.1 Part 1: Structures, 2012.