Check the following areas of web services from a security point of view:
· Input validation
· Authentication
· Authorization
· Information Disclosure
· Auditing & Logging
· Unnecessary protocol
· Communication Channels
1. Inadequate Input Validation in IBUYSPY web services
--------------------------------------------------------
None of the inputs accepted by any of the web methods are validated before being passed to the business methods.
Although there is currently no well-known vulnerability that can be exploited through them, input validation is required as per policy.
Example:
IBUYSPY\App_Code\OrderCancel.cs(58):
[WebMethod]
public IBUYSPY.Utility ProcessCancel(string orderId, string[] itemId, string itemStatusReasonCode)
{
    const string LOGSOURCE = " IBUYSPY.Utility.ProcessCancel";
    IBUYSPY.Utility omResult = new Utility.Result();
    CancelOrder order = new CancelOrder();
    try
    {
        // orderId, itemId and itemStatusReasonCode reach the business method unchecked
        int retVal = order.ProcessCancel(orderId, itemId, itemStatusReasonCode);
        // ... (excerpt truncated)

IBUYSPY\App_Code\PaymentWebService.cs(41):
public IBUYSPY.Utility ProcessCharge(string serviceRequestNumber)
{
    try
    {
        IBUYSPY.PaymentService PaymentService = new Payment.PaymentService();
        // serviceRequestNumber is passed straight through without validation
        IBUYSPY.Result Result = PaymentService.ProcessCharge("", serviceRequestNumber);
        // ... (excerpt truncated)
==================
Recommendations
==================
Perform input validations for all user inputs.
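One way to put allow-list validation in front of the ProcessCancel business call from the excerpt above (added example, not IBUYSPY code; the CancelOrder class is assumed to exist as in the excerpt, and the identifier formats and limits are hypothetical and must be replaced with the real ones):

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Added example: every parameter is checked for length and shape before the
// business layer sees it. The regular expressions below are placeholders for
// the real order, item and reason-code formats.
public class OrderCancelService : WebService
{
    private static readonly Regex OrderIdFormat = new Regex(@"^[A-Z0-9]{8,20}$", RegexOptions.Compiled);
    private static readonly Regex ItemIdFormat = new Regex(@"^[0-9]{1,10}$", RegexOptions.Compiled);
    private static readonly Regex ReasonCodeFormat = new Regex(@"^[A-Z]{2,4}$", RegexOptions.Compiled);
    private const int MaxItemsPerCancel = 50;

    [WebMethod]
    public int ProcessCancel(string orderId, string[] itemId, string itemStatusReasonCode)
    {
        ValidateCancelRequest(orderId, itemId, itemStatusReasonCode);
        CancelOrder order = new CancelOrder();   // business class from the original excerpt
        return order.ProcessCancel(orderId, itemId, itemStatusReasonCode);
    }

    // Rejects anything outside the expected shape. Length limits are checked
    // before the regular expression runs so oversized input is cheap to drop.
    internal static void ValidateCancelRequest(string orderId, string[] itemId, string itemStatusReasonCode)
    {
        if (orderId == null || orderId.Length > 20 || !OrderIdFormat.IsMatch(orderId))
            throw Reject("orderId");
        if (itemId == null || itemId.Length == 0 || itemId.Length > MaxItemsPerCancel)
            throw Reject("itemId");
        foreach (string id in itemId)
            if (id == null || id.Length > 10 || !ItemIdFormat.IsMatch(id))
                throw Reject("itemId");
        if (itemStatusReasonCode == null || itemStatusReasonCode.Length > 4
            || !ReasonCodeFormat.IsMatch(itemStatusReasonCode))
            throw Reject("itemStatusReasonCode");
    }

    // A client fault with a fixed message: the caller learns which parameter
    // was refused, not anything about the back end.
    private static SoapException Reject(string parameterName)
    {
        return new SoapException("Invalid value for parameter '" + parameterName + "'.",
                                 SoapException.ClientFaultCode);
    }
}
```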
2. Hard-coded default namespace http://www.tempuri.org should not be used
-------------------------------------------------------------------------------
Hard-coded default namespace http://www.tempuri.org should not be used. The logic in this code allows for the possibility that this default namespace could be returned in two places.
==================
Recommendations
==================
Each XML Web Service needs a unique namespace in order for client applications to distinguish it from other services on the Web. By default, ASP.NET Web Services use http://tempuri.org/ for this purpose. While this is suitable for XML Web Services under development, published services should use a unique, permanent namespace.
Your XML Web Service should be identified by a namespace that you control. For example, you can use your company's Internet domain name as part of the namespace. Although many namespaces look like URLs, they need not point to actual resources on the Web.
3. Web services configured to communicate over a cleartext HTTP channel
--------------------------------------------------------------------------------------------
IBUYSPY.asmx is configured to communicate over a cleartext HTTP channel, which leads to data integrity and confidentiality issues (the data is HBI, High Business Impact).
Files: app.config, web.config, master.config
==================
Recommendations
==================
Configure IBUYSPY.asmx to communicate only over https.
4. Consuming Web Services using Basic Authentication
-------------------------------------------------------------------------------------------------------------
This application consumes web services using Basic authentication, for which a domain account is hard-coded in the code. Also, since the web service is not behind SSL, the credentials are subject to network eavesdropping.
Code Excerpts:
--------------------------
service.Credentials = new System.Net.NetworkCredential (UserName, Password, Domain);
File: IBUYSPY\Callout\GetSystemUserInfo.cs
===============
Recommendation:
===============
-- Use Digest or NTLM authentication instead of Basic.
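How the proxy in IBUYSPY\Callout\GetSystemUserInfo.cs could be set up so that it authenticates with NTLM under the identity of the calling process, over HTTPS only, instead of sending a hard-coded domain account with Basic authentication (added example, not IBUYSPY code; the proxy class name and URL are placeholders):

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Added example: factory for a generated web service proxy. "GetSystemUserInfoProxy"
// in the usage line is a placeholder for the real generated proxy class.
public static class CalloutClientFactory
{
    public static T Create<T>(string serviceUrl) where T : SoapHttpClientProtocol, new()
    {
        Uri uri = new Uri(serviceUrl);
        // Credentials of any scheme must only ever travel over TLS.
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Web service URL must use https: " + serviceUrl);

        T proxy = new T();
        proxy.Url = serviceUrl;

        // A CredentialCache restricts which challenges the proxy will answer. With only
        // NTLM registered it sends nothing if the server offers Basic, and the identity
        // comes from the process account rather than a password in source code.
        CredentialCache cache = new CredentialCache();
        cache.Add(uri, "NTLM", CredentialCache.DefaultNetworkCredentials);
        proxy.Credentials = cache;
        proxy.PreAuthenticate = false;   // never send credentials before a challenge
        return proxy;
    }
}

// Usage (placeholder names):
// GetSystemUserInfoProxy svc =
//     CalloutClientFactory.Create<GetSystemUserInfoProxy>("https://callout.example/GetSystemUserInfo.asmx");
```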
5. Information disclosure through web-service files
------------------------------------------------------------------------------------------------------------------
The web service is configured to allow the Documentation protocol, which, when enabled, provides the WSDL documentation with all the information necessary to communicate with the web service.
WSDL documentation reveals descriptive information about web services. Descriptive information such as that produced by appending ?WSDL to a web service file (.asmx) may be considered an information leakage security risk when the web service is intended for private consumption only.
==================
Recommendations
==================
- Authorize access to WSDL files using NTFS permissions.
- Remove WSDL files from Web server.
- Disable the documentation protocols to prevent the dynamic generation of WSDL.
Disable non-required protocols, such as Documentation, in the appropriate ASP.NET configuration file to prevent attackers from easily obtaining the syntax required for interacting with the target web service. Ensure the fix is implemented in production.
The following example shows the webServices configuration element added to a Web.config file to disable the automatic generation of browser-friendly documentation:
6. Unsafe methods exposed as WebMethods / web services:
---------------------------------------------------------------------------------------------------------------------------------------
The web methods give callers elevated privileges because the web services run under a fixed identity without any impersonation, and that identity is also a member of the Power Users group on the server.
Using these methods, any user can download any file to which he does not otherwise have access, and can execute any SP query and get access to data.
The following methods are unsafe:
GetFile (allows users unauthorized access to any file that can be accessed by the service account, which belongs to the Power Users group)
GetListContent, GetPromoListContent, GetListItemCount, ModifiyListItem, DeleteListItem, Eventlog
==================
Recommendations
==================
Remove the vulnerable methods, or
restrict them with proper authorization and input validation controls.
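What "restrict them with proper authorization and input validation" looks like for GetFile: the caller must hold a role, and the requested name is resolved to a canonical path that has to stay inside one download directory (added example, not IBUYSPY code; the directory, role name and extension list are placeholders):

```csharp
using System;
using System.IO;
using System.Web.Services;
using System.Web.Services.Protocols;

// Added example: GetFile confined to one directory and one caller role.
public class FileService : WebService
{
    private const string AllowedRoot = @"D:\IBUYSPY\Downloads";   // placeholder
    private const string RequiredRole = "IBUYSPY_FileReaders";    // placeholder
    private static readonly string[] AllowedExtensions = { ".pdf", ".csv" };
    private const long MaxFileBytes = 10 * 1024 * 1024;

    [WebMethod]
    public byte[] GetFile(string fileName)
    {
        // Authorization first: the service account can read far more than any
        // single caller should be able to retrieve through this method.
        if (!User.Identity.IsAuthenticated || !User.IsInRole(RequiredRole))
            throw new SoapException("Access denied.", SoapException.ClientFaultCode);
        string fullPath = ResolveAllowedPath(AllowedRoot, fileName);
        if (fullPath == null)
            throw new SoapException("Invalid file name.", SoapException.ClientFaultCode);
        FileInfo info = new FileInfo(fullPath);
        if (!info.Exists || info.Length > MaxFileBytes)
            throw new SoapException("File not available.", SoapException.ClientFaultCode);
        return File.ReadAllBytes(fullPath);
    }

    // Returns the canonical path of fileName inside root, or null when the name
    // is not a plain file name, has a disallowed extension, or its canonical
    // form escapes the root directory (parent references, drive or UNC prefixes).
    internal static string ResolveAllowedPath(string root, string fileName)
    {
        if (string.IsNullOrEmpty(fileName) || fileName.Length > 100) return null;
        if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (fileName != Path.GetFileName(fileName)) return null;   // no directory parts
        string ext = Path.GetExtension(fileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0) return null;
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(rootFull, fileName));
        return candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }
}
```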
7. Configuration Error on Brock - Default IUSR account used for web services
------------------------------------------------------------------------------
The default IUSR account (IUSR_BROCK) is used for the web services on Brock.
Rename the default IUSR account or use another account for the local web service.
8. Design Recommendation
----------------------------------------
Bicep.asmx and BV.asmx should not be hosted in the trusted domain and must be hosted in the throw-away domain. These two web services are at the core of the functionality: they interact with the back-end system and, when given page data, return the translated pages. A malicious user can send requests to the SOAP APIs and cause the translation to occur in the domain. The translation does need to occur, and the pages need to be loaded using the process driven by Translate.js; however, it is possible to start a translation and then request the page ID from the SOAP API.
There is no known way to create SOAP requests from an external domain. However, since we have already recommended segregating the trusted and untrusted data handlers, it is recommended to move these web services to the throw-away domain as well.
NOTE: It is also recommended to set the physical path as a static server-side parameter instead of evaluating it at run time, as there might be future exploits against the use of the HttpContext object.
Global.ascx
Line 12:
Statics.PhysicalServerPath = Context.Request.PhysicalApplicationPath;
==================
Recommendations
==================
This value is used to dynamically load the binaries using kernel32.dll's LoadLibrary native function.
9. Web service configured to use multiple communication protocols (i.e. HttpGet and HttpPost)
---------------------------------------------------------------------------------------------------
The web service permits HTTP-GET, HTTP-POST and SOAP requests. If the web service uses SOAP messages, disable HTTP-GET and HTTP-POST at machine level (machine.config). To minimize the attack surface of the web service, disable those request methods not used by the web service.
==================
Recommendations
==================
Disable HTTP-GET and HTTP-POST if not required by the web service.
This can be achieved by disabling them in machine.config.
In machine.config, the following is present by default:
To disable HttpGet and HttpPost in machine.config, comment out the HttpPost and HttpGet lines.
NOTE: If either of these communication protocols needs to be enabled for other web services, it is possible to add them back per web service in each web service's web.config file by creating a
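The webServices configuration element that implements both recommendations, the one in finding 5 (disable Documentation) and the one here (disable HttpGet and HttpPost), shown as an application-level Web.config (added example, not the project's own configuration file):

```xml
<!-- Added example. Placed in a service's Web.config it affects that service only;
     the same <remove> elements in machine.config apply to every service on the
     server. Protocol names are the ones ASP.NET registers in machine.config. -->
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <remove name="Documentation" />   <!-- finding 5: no ?WSDL / browser test page -->
        <remove name="HttpGet" />         <!-- finding 9: SOAP callers do not need GET -->
        <remove name="HttpPost" />        <!-- finding 9: ... or form POST -->
        <!-- HttpSoap stays enabled as inherited from machine.config.
             To re-enable one protocol for a single service after removing it
             machine-wide, that service's own Web.config uses <add name="HttpPost" />. -->
      </protocols>
    </webServices>
  </system.web>
</configuration>
```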
10. Web services send sensitive error messages to client
------------------------------------------------------------
This is a pervasive issue with the application. The web services do not send generic messages to the thick client. This fix requires code-level changes within the server component.
The recommended solution, which preserves both data confidentiality and troubleshooting capabilities, is to store detailed application exceptions locally on the server while providing the user with a generalized error message.
11. Verbose Error Messages in IBUYSPY web services
-------------------------------------------------
The following web services will be called by different clients for charging/refund etc.
In ALL the web methods, exception handling is implemented this way:
[WebMethod]
public IBUYSPY.Result ProcessChargeTransaction(string orderId, string serviceRequestNumber)
{
    try
    {
        IBUYSPY.PaymentService PaymentService = new IBUYSPY.PaymentService();
        IBUYSPY.Result omResult = PaymentService.ProcessCharge(orderId, serviceRequestNumber);
        return omResult;
    }
    catch (SoapException ex)
    {
        // rethrown unchanged: the original fault, including its detail, goes back to the caller
        throw ex;
    }
    catch (Exception ex)
    {
        // rethrown unchanged: ASP.NET turns it into a SOAP fault carrying the exception
        // message (and, depending on customErrors, the stack trace)
        throw ex;
    }
}
This will result in verbose error messages being returned to the end user whenever an exception occurs.
==================
Recommendations
==================
Unless required by business, throw exceptions that include generic error messages.
12. Insufficient logging controls in IBUYSPY webservices
-------------------------------------------------------
The following web services will be called by different clients for charging/refund etc.
From a logging perspective it is important to know exactly which client asked for the transaction for an order.
==================
Recommendations
==================
a) Authenticate the caller. Authorize to make sure the caller is allowed to call the service.
Once action is taken, log the caller's identity against the action taken. This is important for scenarios where the caller may later repudiate calling the service and taking the action.
b) Multi-tiered applications MUST track and push, from beginning to end, all information necessary to audit transactions. This MUST occur from the original connection to the system, through authentication and/or impersonation, to the end of the interaction.
Verified. The serial number of the client certificate used to authorize the caller has been logged as part of the call.
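The ProcessChargeTransaction method from finding 11 rewritten to meet findings 10, 11 and 12 together: the full exception and the caller's identity (principal, source address, client certificate serial number) are logged on the server, and the client receives only a fixed SOAP fault (added example, not IBUYSPY code; IBUYSPY.PaymentService, IBUYSPY.Result and ProcessCharge are assumed to exist as in the excerpt, and the event source name is a placeholder that has to be registered on the server):

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

// Added example. The event source is a placeholder; EventLog.WriteEntry requires
// it to be registered on the server before the first call.
public class PaymentWebService : WebService
{
    private const string EventSource = "IBUYSPY.Payment";   // placeholder

    [WebMethod]
    public IBUYSPY.Result ProcessChargeTransaction(string orderId, string serviceRequestNumber)
    {
        string caller = DescribeCaller();
        try
        {
            IBUYSPY.PaymentService paymentService = new IBUYSPY.PaymentService();
            IBUYSPY.Result result = paymentService.ProcessCharge(orderId, serviceRequestNumber);
            // Audit trail: which caller charged which order, written on success too.
            EventLog.WriteEntry(EventSource, string.Format("ProcessCharge order={0} request={1} caller={2}",
                orderId, serviceRequestNumber, caller), EventLogEntryType.Information);
            return result;
        }
        catch (Exception ex)
        {
            // Full detail (type, message, stack trace, inner exceptions) stays on the server ...
            EventLog.WriteEntry(EventSource, string.Format("ProcessCharge failed order={0} caller={1}{2}{3}",
                orderId, caller, Environment.NewLine, ex), EventLogEntryType.Error);
            // ... and the client only gets a fixed message with a server fault code.
            throw new SoapException("The payment request could not be processed. Contact support.",
                                    SoapException.ServerFaultCode);
        }
    }

    // Identity recorded for non-repudiation: the authenticated principal, the
    // source address and the serial number of the client certificate, if any.
    private string DescribeCaller()
    {
        string name = (User != null && User.Identity.IsAuthenticated) ? User.Identity.Name : "anonymous";
        HttpClientCertificate cert = Context.Request.ClientCertificate;
        string certSerial = cert.IsPresent ? cert.SerialNumber : "none";
        return string.Format("{0} ip={1} certSerial={2}", name, Context.Request.UserHostAddress, certSerial);
    }
}
```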