This attack targets the WSDL interface made available by a web service.
The attacker may scan the WSDL interface to reveal sensitive information
about invocation patterns, underlying technology implementations and
associated vulnerabilities. This type of probing is carried out to perform
more serious attacks (e.g. parameter tampering, malicious content injection,
command injection, etc.). WSDL files provide detailed information about the
service's ports and bindings available to consumers. For instance, the
attacker can submit special characters or malicious content to the Web
service and can cause a denial of service condition or illegal access to
database records. In addition, the attacker may try to guess other private
methods by using the information provided in the WSDL files.
Attack Execution Flow
The first step is exploratory: the attacker
scans for WSDL documents. The WSDL document, written
in XML, is like a handbook on how to communicate with
the web services provided by the target host. It
provides an open view of the application (function
details, purpose, functional break down, entry
points, message types, etc.). This is very useful
information for the attacker.
The second step that an attacker would undertake is
to analyse the WSDL files and try to find potential
weaknesses by sending messages matching the pattern
described in the WSDL file. The attacker could run
through all of the operations with different message
request patterns until a breach is
identified.
Once an attacker finds a potential weakness, they
can craft malicious content to be sent to the
system. For instance, the attacker may try to submit
special characters and observe how the system reacts
to an invalid request. The message sent by the
attacker may not be validated against the XML schema
and can cause unexpected behavior.
Attack Prerequisites
A client program connecting to a web service can read the WSDL to
determine what functions are available on the server.
The target host exposes vulnerable functions within its WSDL
interface.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Analysis
API Abuse
Examples-Instances
Description
A WSDL interface may expose a function vulnerable to SQL
Injection.
Description
The Web Services Description Language (WSDL) allows a web service to
advertise its capabilities by describing operations and parameters
needed to access the service. As discussed in step 5 of this series,
WSDL is often generated automatically, using utilities such as
Java2WSDL, which takes a class or interface and builds a WSDL file in
which interface methods are exposed as web services.
Because WSDL generation often is automated, enterprising hackers can
use WSDL to gain insight into both public and private services. For
example, an organization converting legacy application functionality to
a web services framework may inadvertently pass interfaces not intended
for public consumption to a WSDL generation tool. The result will be
SOAP interfaces that give access to private methods.
Another, more subtle WSDL attack occurs when an enterprising attacker
uses naming conventions to guess the names of unpublished methods that
may be available on the server. For example, a service that offers a
stock quote and trading service may publish query methods such as
requestStockQuote in its WSDL. However, similar unpublished methods may
be available on the server but not listed in the WSDL, such as
executeStockQuote. A persistent hacker with time and a library of words
and phrases can cycle through common naming conventions (get, set, update,
modify, and so on) to discover unpublished application programming
interfaces that open doors into private data and functionality.
Source : "Seven Steps to XML Mastery, Step 7: Ensure XML Security",
Frank Coyle. See reference section.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
This attack can be as simple as reading the WSDL and sending
invalid requests.
Skill or Knowledge Level: Medium
This attack can be used to perform more sophisticated attacks (SQL
injection, etc.).
Probing Techniques
An attacker can request the WSDL file from the target host by sending a
SOAP message.
There are free vulnerability testing tools, such as WSDigger, that perform
WSDL scanning; Foundstone's free Web services security tool performs WSDL
scanning, SQL injection and XSS attacks on Web services.
Solutions and Mitigations
It is important to protect the WSDL file or provide limited access to
it.
Review the functions exposed by the WSDL interface (especially if you have
used a tool to generate it). Make sure that none of them is vulnerable to
injection.
Ensure the WSDL does not expose functions and APIs that were not intended
to be exposed.
Pay attention to the function naming convention (within the WSDL
interface). Easy-to-guess function names may be an entry point for
attack.
Validate the received messages against the WSDL schema. On its own this is
an incomplete solution.
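The following script is an added example, not part of this CAPEC entry or of any tool it names. It shows the defender-side review the mitigations above call for, and the naming-convention concern raised in the stock quote example: it inventories every operation a WSDL 1.1 document declares, flags operation names whose verb prefix suggests a state-changing or privileged action so they can be reviewed before the interface is published, and checks an incoming SOAP request against the operations and message parts the WSDL actually declares, rejecting requests for undeclared (guessed) operations. The WSDL, the service name, the operation names and the sample requests are all constructed for this example; the REVIEW_PREFIXES list is an assumption seeded from the verbs the page mentions.

```python
# Added example (not from the CAPEC entry): inventory WSDL operations, flag
# names that deserve review, and check a SOAP request against the WSDL.
# The WSDL below and the two SOAP requests are constructed for this example.
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed WSDL 1.1 document for a hypothetical stock service. It exposes a
# harmless query operation and an internal method a generator let through.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="StockService"
    targetNamespace="http://example.com/stock"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://example.com/stock"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="requestStockQuoteRequest">
    <part name="symbol" type="xsd:string"/>
  </message>
  <message name="updateAccountBalanceRequest">
    <part name="accountId" type="xsd:string"/>
    <part name="amount" type="xsd:decimal"/>
  </message>
  <portType name="StockPortType">
    <operation name="requestStockQuote">
      <input message="tns:requestStockQuoteRequest"/>
    </operation>
    <operation name="updateAccountBalance">
      <input message="tns:updateAccountBalanceRequest"/>
    </operation>
  </portType>
</definitions>
"""

# Constructed request for a declared operation with the declared single part.
SAMPLE_REQUEST_OK = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:tns="http://example.com/stock"><soapenv:Body>'
    '<tns:requestStockQuote><symbol>ACME</symbol></tns:requestStockQuote>'
    '</soapenv:Body></soapenv:Envelope>'
)

# Constructed request for an operation that is NOT declared in the WSDL (the
# kind of name a naming-convention guess would produce).
SAMPLE_REQUEST_UNDECLARED = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:tns="http://example.com/stock"><soapenv:Body>'
    '<tns:executeStockQuote><symbol>ACME</symbol></tns:executeStockQuote>'
    '</soapenv:Body></soapenv:Envelope>'
)

# Assumed review list: verb prefixes that usually mean a write or privileged
# action. Operations starting with these are flagged for manual review.
REVIEW_PREFIXES = ("set", "update", "modify", "delete", "execute", "admin")


def list_operations(wsdl_xml):
    """Return {operation_name: [input part names]} for every portType operation."""
    root = ET.fromstring(wsdl_xml)
    # Map each <message> name to the names of its <part> children.
    messages = {}
    for msg in root.findall(f"{{{WSDL_NS}}}message"):
        parts = [p.get("name") for p in msg.findall(f"{{{WSDL_NS}}}part")]
        messages[msg.get("name")] = parts
    ops = {}
    for port_type in root.findall(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            inp = op.find(f"{{{WSDL_NS}}}input")
            msg_ref = inp.get("message", "") if inp is not None else ""
            # Drop the "tns:" prefix to look the message up by local name.
            msg_name = msg_ref.split(":", 1)[-1]
            ops[op.get("name")] = messages.get(msg_name, [])
    return ops


def flag_for_review(operations):
    """Return the operation names whose prefix suggests a state-changing action."""
    return sorted(name for name in operations
                  if name.lower().startswith(REVIEW_PREFIXES))


def check_request(wsdl_xml, soap_xml):
    """Check a SOAP request against the WSDL; returns (accepted, reason)."""
    operations = list_operations(wsdl_xml)
    try:
        envelope = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    body = envelope.find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None or len(body) != 1:
        return False, "expected exactly one operation element in Body"
    op_el = body[0]
    op_name = op_el.tag.split("}", 1)[-1]  # strip the namespace URI
    if op_name not in operations:
        return False, f"operation {op_name!r} is not declared in the WSDL"
    got = sorted(child.tag.split("}", 1)[-1] for child in op_el)
    expected = sorted(operations[op_name])
    if got != expected:
        return False, f"parts {got} do not match declared parts {expected}"
    return True, "ok"


if __name__ == "__main__":
    ops = list_operations(SAMPLE_WSDL)
    print("exposed operations:", ops)
    print("flag for review:", flag_for_review(ops))
    print(check_request(SAMPLE_WSDL, SAMPLE_REQUEST_OK))
    print(check_request(SAMPLE_WSDL, SAMPLE_REQUEST_UNDECLARED))
```

The part check compares only element names, which is the structural half of "validate against the WSDL schema"; type checking of part values needs a real XSD validator, which is one reason the entry calls schema validation an incomplete solution on its own. Running flag_for_review over a generated WSDL before it is published is a cheap way to catch an internal method (here the constructed updateAccountBalance) that a generator exposed by mistake.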
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.