WSDL Scanning

From VulneraPedia


This is an Attack. To view all of them, please see the Attack Category page.



CAPEC Identifier

95


Description

Summary

This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out as preparation for more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the service's ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the web service and cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.

Attack Execution Flow

1. The first step is exploratory: the attacker scans for WSDL documents. The WSDL document, written in XML, is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional breakdown, entry points, message types, etc.). This is very useful information for the attacker.
2. The second step an attacker would undertake is to analyse the WSDL files and try to find potential weaknesses by sending messages matching the patterns described in the WSDL file. The attacker could run through all of the operations with different message request patterns until a breach is identified.
3. Once an attacker finds a potential weakness, they can craft malicious content to be sent to the system. For instance, the attacker may submit special characters and observe how the system reacts to an invalid request. The message sent by the attacker may not be validated against the XML schema and may cause unexpected behavior.

Attack Prerequisites

  • A client program connecting to a web service can read the WSDL to determine what functions are available on the server.
  • The target host exposes vulnerable functions within its WSDL interface.

Purposes

  • Reconnaissance


Severity

High

Likelihood of Exploit

High

Methods of Attack

  • Analysis
  • API Abuse

Examples

Description

A WSDL interface may expose a function vulnerable to SQL Injection.

Description

The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.

Because WSDL generation often is automated, enterprising hackers can use WSDL to gain insight into both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.

Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent hacker with time and a library of words and phrases can cycle through common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.

Source: "Seven Steps to XML Mastery, Step 7: Ensure XML Security", Frank Coyle. See reference section.


Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

This attack can be as simple as reading the WSDL and starting to send invalid requests.

Skill or Knowledge Level: Medium

This attack can be used as the basis for more sophisticated attacks (SQL injection, etc.).


Probing Techniques

Description

An attacker can request the WSDL file from the target host by sending a SOAP message.

Description

There are free vulnerability testing tools, such as WSDigger, that perform WSDL scanning: Foundstone's free web services security tool performs WSDL scanning, SQL injection and XSS attacks on web services.


Solutions and Mitigations

It is important to protect the WSDL file or restrict access to it.

Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). Make sure that none of them is vulnerable to injection.

Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.

Pay attention to the function naming convention within the WSDL interface. Easily guessed function names may be an entry point for attack.

Validate the received messages against the WSDL schema. On its own this is an incomplete solution.
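The review steps above (inventory what the generated WSDL actually publishes, compare it with what was intended, and look for guessable state-changing names) can be automated. The following is an added example, not code from the original page or from any tool it mentions; the WSDL document, the service name and the allowlist of intended operations are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed sample: the kind of WSDL a generator such as Java2WSDL might emit
# for a stock-quote service, including methods that were never meant to be public.
SAMPLE_WSDL = """<definitions name="StockService" xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="urn:example:stock">
  <portType name="StockPort">
    <operation name="requestStockQuote">
      <input message="tns:QuoteRequest"/>
      <output message="tns:QuoteResponse"/>
    </operation>
    <operation name="executeStockTrade">
      <input message="tns:TradeRequest"/>
      <output message="tns:TradeResponse"/>
    </operation>
    <operation name="setAdminFlag">
      <input message="tns:FlagRequest"/>
    </operation>
  </portType>
</definitions>
"""

# Verb prefixes from the naming-convention discussion above; operations whose names
# start with these change state and deserve a second look before being published.
STATE_CHANGING_PREFIXES = ("set", "update", "modify", "execute", "delete", "admin")


def list_operations(wsdl_xml: str) -> list[str]:
    """Return every operation name declared in the WSDL's portType elements."""
    root = ET.fromstring(wsdl_xml)
    ops = []
    for port_type in root.iter(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            ops.append(op.get("name"))
    return ops


def audit_operations(wsdl_xml: str, intended: set[str]) -> dict[str, list[str]]:
    """Flag operations not on the allowlist and operations with state-changing names."""
    exposed = list_operations(wsdl_xml)
    return {
        "unintended": [o for o in exposed if o not in intended],
        "state_changing": [o for o in exposed
                           if o.lower().startswith(STATE_CHANGING_PREFIXES)],
    }


if __name__ == "__main__":
    # Only requestStockQuote was meant to be public; the other two are findings.
    print(audit_operations(SAMPLE_WSDL, {"requestStockQuote"}))
```

Run this against the real generated WSDL before deployment; every name in "unintended" is a candidate for removal from the interface, and every name in "state_changing" should be checked for authorization and input validation.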


Attack Motivation - Consequences

  • Information Leakage

Related Security Principles

  • Defense in Depth
  • Never Assuming that Your Secrets Are Safe
  • Securing the Weakest Link

CIA Impact

Confidentiality Impact: Medium
Integrity Impact: Medium
Availability Impact: High

Technical Context

Architectural Paradigms: SOA
Frameworks: All
Platforms: All
Languages: All

Related Attack Patterns

ID  | Name                          | Description
210 | Category:Abuse of Functionality |

Related Vulnerabilities

CWE-ID | Weakness Name                                      | Weakness Relationship Type
538    | Category:File and Directory Information Exposure   | Targeted

References

CWE - Input Validation

"Anatomy of a Web Services Attack", ForumSystems - http://forumsystems.com/papers/Anatomy_of_Attack_wp.pdf

"Seven Steps to XML Mastery, Step 7: Ensure XML Security", Frank Coyle - http://www.awprofessional.com/articles/article.asp?p=601349&seqNum=5&rl=1
