Séminaire Web Services
3 likes1,273 views
The document discusses web services, their definitions, architecture, and the crucial role of security. It highlights various protocols, such as SOAP, SAML, and WSDL, and outlines potential security risks and types of attacks, including XML injection and denial of service. Additionally, it emphasizes the importance of message integrity, confidentiality, and standards like WS-Security to protect web services from malicious threats.
![ATTAQUE XML : ENTITY EXPANSION
<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
]>
<foo>&m;</foo>](https://image.slidesharecdn.com/1-sminaireoct2011webservices-111207073840-phpapp02/85/Seminaire-Web-Services-36-320.jpg)
![INJETION Xpath
• Authentification basée sur l’expression:
//user[name='$login' and pass='$pass']/account/text()
• Injection
$login = whatever' or '1'='1' or 'a'='b
$pass = whatever
• Exploitation de la précédence de l’opérateur AND
• L’expression devient
//user[name='whatever' or '1'='1' or 'a'='b' and pass=‘whatever']/account/text()
= TRUE
TRUE OR FALSE](https://image.slidesharecdn.com/1-sminaireoct2011webservices-111207073840-phpapp02/85/Seminaire-Web-Services-41-320.jpg)
Séminaire Web Services
- 1. LES WEB SERVICES ET LEUR SECURITÉ
- 2. SÉMINAIRE SECURITÉ LES WEB SERVICES ET LEUR SECURITÉ
- 3. QUE SONT LES WEB SERVICES ?
- 6. DÉFINITION - WEB SERVICES • •
- 7. DÉFINITION - WEB SERVICES • • • •
- 9. WEB SERVICES Web Services Registry Web Service Web Services Provider Client
- 10. WEB SERVICES
- 11. WEB SERVICES
- 12. COMPOSANTS •Extensible Markup Language XML •A uniform data representation and exchange mechanism. •Universal Description, Discovery, and Integration UDDI •A mechanism to register and locate WS based application. •Web Services Description Language WSDL •A standard meta language to described the services offered. SOAP •Simple Object Access Protocol •A standard way for communication. SAML •XML-based open standard for exchanging authentication and authorization data between security domains
- 13. XML
- 14. XML VS HTML <html> <body> <h2>John Doe</h2 <p>2 Backroads Lane<br> New York<br> 045935435<br> john.doe@gmail.com<br> </p> </body> </html>
- 15. XML VS HTML <?xml version=1.0?> <contact> <name>John Doe</name> <address>2 Backroads Lane</address> <country>New York</country> <phone>045935435</phone> <email>john.doe@gmail.com</email> </contact>
- 16. WSDL
- 17. WEB SERVICE DESCRIPTION LANGUAGE • • •
- 18. WEB SERVICE DESCRIPTION LANGUAGE <message name="GetStockPriceRequest"> <part name="stock" type="xs:string"/> </message> <message name="GetStockPriceResponse"> <part name="value" type="xs:string"/> </message> <portType name=“StocksRates"> <operation name=“GetStockPrice"> <input message=“GetStockPriceRequest"/> <output message=“GetStockPriceResponse"/> </operation> </portType>
- 19. SOAP
- 20. SIMPLE OBJECT ACCESS PROTOCOL • • • •
- 21. SIMPLE OBJECT ACCESS PROTOCOL <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap= "http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetAirportInformation> <AirportIdentifier>N99</AirportIdentifier> </GetAirportInformation> </soap:Body> </soap:Envelope>
- 22. SIMPLE OBJECT ACCESS PROTOCOL <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap= "http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetAirportInformationResponse> <GetAirportInformationResult> <Name>Brandywine Airport</Name> <Location>West Chester, PA</Location> <Length unit="feet">3347</Length> </GetAirportInformationResult> </GetAirportInformationResponse> </soap:Body> </soap:Envelope>
- 23. SAML
- 24. SECURITY ASSERTION MARKUP LANGUAGE (SAML)
- 25. SAML
- 26. COMMENT SÉCURISER LES WEB SERVICES ?
- 27. POURQUOI SÉCURISER CES FLUX ?
- 28. LES RISQUES
- 29. ATTEINTE À LA RÉPUTATION • • • • •
- 30. FUITE D’INFORMATION • • • • • •
- 31. DENI DE SERVICE • • •
- 32. NON RESPECT DES SLAs • • • • • •
- 33. FAIL !!!
- 35. LES TYPES D’ATTAQUE XML-Based • Utilise les faiblesses du langage XML (ex: entity expansion) Bugs in back- • Beaucoup de technologies utilisées impliquent un risque de bug élevé. end systems Code • Les attaques XML injection sont simples à entreprendre. Ce sont les attaques les plus répandues. Injection Denial of • Flux important de messages, envoi de centaines d’éléments encryptés peuvent mettre à mal un système complet et Service affecter les SLAs. Man in the • Les messages peuvent être interceptés. Ceci pose des soucis de routage des messages et également d’intégrité. Middle
- 36. ATTAQUE XML : ENTITY EXPANSION <!DOCTYPE foo [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > <!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > <!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > <!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > <!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > <!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > <!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > <!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > <!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]> <foo>&m;</foo>
- 37. ATTAQUE XML : XML ATTRIBUTE BLOWUP <?xml version="1.0"?> <foo a1="" a2="" ... a10000="" />
- 38. DENI DE SERVICE Directement sur le Service SOAP <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <tem:Login> <tem:loginID> John Doe<a1>….</a1> </tem:loginID> <tem:password> muahahah </tem:password> </tem:Login> </soapenv:Body> </soapenv:Envelope> Via le Portail HTML Frontal Web WS de gestion des comptes Login: John Doe <a1>…</a1> Password: ********
- 39. ATTAQUE XML : XML INJETION <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>joepublic</uname> <pwd>r3g</pwd> <uid>10<uid/> <mail>joepublic@example1.com</mail> </user> <user> <uname>janedoe</uname> <pwd>an0n</pwd> <uid>500<uid/> <mail>janedoe@example2.com</mail> </user> </users> Username: alice Password: iluvbob E-mail: alice@example3.com</mail></user><user><uname>Hacker</uname> <pwd>l33tist</pwd><uid>0</uid><mail>hacker@exmaple_evil.net</mail>
- 40. ATTAQUE XML : XML INJETION <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>joepublic</uname> <pwd>r3g</pwd> <uid>10<uid/> <mail>joepublic@example1.com</mail> </user> …… <user> <uname>Alice</uname> <pwd>iluvbob</pwd> <uid>501<uid/> <mail>alice@example3.com</mail> </user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid> <mail>hacker@example_evil.net</mail> </user> </users>
- 41. INJETION Xpath • Authentification basée sur l’expression: //user[name='$login' and pass='$pass']/account/text() • Injection $login = whatever' or '1'='1' or 'a'='b $pass = whatever • Exploitation de la précédence de l’opérateur AND • L’expression devient //user[name='whatever' or '1'='1' or 'a'='b' and pass=‘whatever']/account/text() = TRUE TRUE OR FALSE
- 42. WEB SERVICES COMMENT SÉCURISER CES FLUX ?
- 43. LES QUESTIONS À SE POSER • • • • • •
- 44. COMMENT SE PROTÉGER ? Message integrity (signature) • Ensure message integrity. Support for XML Signature. Message confidentiality (encryption) • Ensure end-to-end data privacy. Support for both SSL and XML. Encryption are essential. Authentication (SAML) • Verifying the identity of the requestor. Access Control (SAML) • Ensuring that the requestor has appropriate access to the resource. Schema Validation (WSDL) • Ensuring intergrity of the structure and content of the message. Security Standards (WS-Security) • Supporting standards based security functions such as WS-Security. Malicious attack protection (Black List) • Supporting protection against the lastest Web Services and XML-Based attacks.
- 45. WS-SECURITY WS-Trust WS-Federation LibertyAlliance Trust relationships XKMS SAML WS-Policy SOAP WS-Security WS-Reliability Access XACML SAML XML Encryption Implémentations les plus XML courantes XML Signature HTTP HTTP Auth Sécurité habituelle des applications Web TCP SSL / TLS IP IPSec
- 46. WS-SECURITY <?xml version="1.0" encoding="UTF-8" ?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <soap:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <ds:Signature> <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue> ... </ds:Signature> </wsse:Security> </soap:Header> <soap:Body id="MsgBody"> ... </soap:Body> </soap:Envelope>
- 47. WEB SERVICES UNE SOLUTION : LE PAREFEU APPLICATIF
- 48. FIREWALL APPLICATIF VS FIREWALL XML PARE-FEU APPLICATIF Détection PARE-FEU XML d’attaques Détection propres aux d’attaques Détection applications communes : d’attaques propres aux SQL injection, services web XSS, etc. (WSDL, …)
- 51. WEB APPLICATION FIREWALL Legitimate Traffic Malicious Application Activity Internet Application Floods Network Attacks & Floods Not allowed Services
- 56. BEE-WARE V5 • • • •
- 57. MANAGEMENT CENTRALISÉ • • • • ʼ • •
- 58. TRAITEMENT DES FLUX PAR WORKFLOW • • • •
- 59. FIREWALL APPLICATIF • • •
- 60. FIREWALL APPLICATIF (SUITE) • • • •
- 61. PRINCIPE DU REVERSE PROXY DANS i-Suite
- 62. LA TECHNOLOGIE MISE À PART
- 63. i-Suite XML FIREWALL MODULE
- 64. i-Suite XML FIREWALL MODULE
- 65. XML FIREWALL MODULE SPÉCIFICATIONS
- 68. LE MARCHÉ – ACTEURS PRINCIPAUX ET CHALLENGERS
- 69. DÉMO DE MANIPULATION D’UN FLUX XML
- 70. DÉMO DE MANIPULATION D’UN FLUX XML
- 72. SOAP MESSAGE SIGNATURE + HEADER INSERTION
- 75. SOAP MESSAGE SIGNATURE VALIDATION
- 76. VALIDATION DU SHÉMA WSDL <?xml version="1.0" encoding="utf-8"?> <nomComplet>Prenom Nom</nomComplet> <?xml version="1.0" encoding="ISO-8859-1"?> <nomComplet>Prenom <b> Nom </b></nomComplet>
- 77. DLP MISSION IMPOSSIBLE ?
- 79. CONTEXTE • •
- 80. L’INFRASTRUCTURE
- 81. CINÉMATIQUE
- 82. REQUÊTES • • •
- 83. DÉMO SÉCURITÉ DES WEBSERVICES
- 84. CONCLUSION • • •
- 85. QUESTIONS ?
Editor's Notes
- #6: Avantages SOA :
- #10: L’architecture des Web Services est basée sur l’intéraction de trois rôles:Service providerService registryService requestorCes rôles produisent les actions suivantes :Publish operationsFind operationBind operations.
- #13: UDDI: Si l’@ du service change pas de souci si on s’appuie sur un annuaire (analogie avec le resto)