Pentesting Web Services

Recently, I have been doing a few presentations with Will Vandevanter (@willis__) talking about Hacking SAP BusinessObjects. As a reference to anyone who hasn’t seen the presentation I thought it would be useful to do a few follow-up blog posts to clarify a few topics in greater detail.

The essence of the presentation was focused on pentesting SAP’s Service Oriented Architecture (SOA). There are two common ways to do SOA (SOAP and REST). The method used by SAP BusinessObjects is SOAP. For anyone that isn’t familiar with SOAP, just think of XML messages on top of HTTP. Below is a simple ruby client that makes a SOAP request to the web service. There are a few things which make this sample very useful to anyone that is performing a penetration test. The first is the request / response are stored in txt files. This is useful to logging and manual review of details. The second, is that the request is made using a local proxy on 8080/tcp (BurpSuite, WebScarab etc.).

By using a proxy the pentester can have fine grained control of the request. Even though BurpSuite doesn’t have built-in web services support, pentesters can still use the proxy to intercept requests since it’s just HTTP. The way this works is to intercept a SOAP request then utilize the intruder to fuzz any perimeters in the the web service. Pentesters also use BurpSuite (or w/e proxy) to perform replay requests and perform PRNG testing (similar to session id testing)

Sample Ruby SOAP client

Let me know what you think. What methods are you using to pentest web services? What tools do you use ? Comments welcome!

Hack the Planet!

-Jabra

Advertisement

Burpsuite::Parser Example Script

For those know don’t already know… Portswigger released XML support for Burpsuite last week! Once I heard about this, I started working on a Perl XML parsing module. After the long weekend I have a version that is ready to be considered alpha quality. I plan to release the beta version on October 15th at during my presentation at OWASP NYC. Here is an example script demonstrating how easy it is to use Burpsuite::Parser:
#!/usr/bin/perl -w
use strict;
use Burpsuite::Parser;
my $bparser = new Burpsuite::Parser;
my $file;
if ( $ARGV[0] ) {
    $file = $ARGV[0];
}
else {
    print "usage: $0 [file.xml]\n";
    exit;
}
my $parser = $bparser->parse_file("$file");
foreach my $h ( $parser->get_all_issues() ) {
    print "Type: " . $h->type . "\n";
    print "Serial: " . $h->serial_number . "\n";
    print "Severity: " . $h->severity . "\n";
    print "Host: " . $h->host . "\n";
    print "Name: " . $h->name . "\n";
    print "Location: " . $h->location . "\n";
    print "Path: " . $h->path . "\n";
    print "Issue Background: " . $h->issue_background . "\n";
    print "Remediation Background: " . $h->remediation_background . "\n";
    print "Issue Detail: " . $h->issue_detail . "\n";
}

DM me on twitter(jabra), if you would like to help test the module.

Regards,
Jabra

September: Patch Tuesday

I’m looking forward to Patch Tuesday tomorrow. Microsoft released the breakdown and here is what they have coming out tomorrow: 5 critical remote code execution advisories! Heh, really! The day after a long weekend… Ouch! This is great for Hackers and bad for sys-admins.

Tuesday is gonna be a fun day!

Regards,
Jabra

Eco-friendly is NOT equal to security

It is a well known statement that, compliance is not equal to security. This is due to the divergence between the goals of security and those of being compliant. Being compliant to many companies means, doing just enough to check a box and not have the auditor fail the organization. On the other side is security. Security is a process. It is the process of protecting the organization from threats both internal and external through many different means. Security is only proven over time. Being “good enough”, is not good enough. In reality, you may be “good enough” to not be the attack of today, but that has nothing to do with the threats of tomorrow. For sure, 0day exploits can happen to any organization, the difference is how well can you handle it. Are there sufficient controls in place to limit your risk? Is a incident response team ready to be deployed if there is an incident? etc…

Okay, moving on…

Now-a-days, many companies are pushing with “Green” efforts and becoming environmentally friendly. This is means doing anything and everything possible to help the environment. For years the common method to do this was: to use the eco-friendly lights, take public transportation to work and recycle. In the corporate world, usually the lights are chosen/replaced by the building maintenance department. As for the handling public transportation, some organizations assist their employees with allowing them to expense monthly passes. The use of large recycling bins, makes things easy for companies as well. However, there must be a process to handle sensitive documents. If employees were to recycle sensitive information, than an attacker would have an easy job stealing the data! Separating documents from actual trash means there is no need for the attacker to get into the dumpster and get all dirty anymore.All that is needed is to grab a bag of recycling and it is likely the bag would contain some sensitive documents. Sensitive data should never make it to the recycling bin in the first place. Documents should be shredded before they are recycled and the employees of the organization should be trained to handle the data properly. Obviously, any training that would occur would be error-prone. Therefore, the best way to handle recycling is to shred the documents before recycling them. That way, eco-friendly is equal to security + the cost of the shredding/recycling service.

-Jabra