XML Intrusion Prevention - PowerPoint PPT Presentation

1 / 45

About This Presentation

Title:

XML Intrusion Prevention

Description:

XIP - The theory and practice of protecting against XML Content Attacks ... Misapplication of XML Security such as XML Digital Signatures and XML Encryption ... – PowerPoint PPT presentation

Number of Views:92

Avg rating:3.0/5.0

Slides: 46

Provided by: Sarv3

Category:

more less

Transcript and Presenter's Notes

Title: XML Intrusion Prevention

1
XML Intrusion Prevention

Blake DournaeeSenior Security ArchitectSarvega,
Inc. blake_at_sarvega.com
April 2005

2
Agenda

Level Setting
Lingo, Requirements, Categories, Definitions
General Threat Model
Structural Threats
Problem Examples
Typical Countermeasures
Semantic Threats
Problem Examples
Typical Countermeasures
SOAP and the Universal Tunnel
Summary / QA

3
XIP XML Intrusion Prevention

XIP - The theory and practice of protecting
against XML Content Attacks
XML Message Sent to an application to put the
system in a state beneficial to the attacker
Deliberate Attacks (Active Attacker)
Inadvertent Attacks (Software Bug)
XML Web Service Architectural Assumption
Different than Web Application Security
XML/HTTP or SOAP/HTTP
Similar attack types (SQL Injection, Buffer
Overflow)
Different Architecture
App-to-App interaction using XML messages wrapped
in SOAP envelopes

4
The Threats Lingo

Coercive Parsing
Content Tampering
Parameter Tampering
SQL/XQuery Injection
XML Virus
X-Malware
Code Injection
Malicious Morphing

Oversize Payloads
Replay Attacks
External Entity Attacks
Buffer Overflow
XDOS
Recursive Payloads
Routing Detour
WSDL Scanning
Schema Poisoning

5
XML Web Services Architecture
DB
DMZ
Application Infrastructure
Web Service (Partner)
Internet
HTTP
HTTP
SSL/ TLS
Web Server
G/W Router
External Firewall
Content Switch
Internal Firewall
LAN Switches
SSL/ TLS
Application Servers
Web Service Client
SOAP Payloads can carry arbitrary XML and flow
freely over port 80
6
XML Threat Model
Application
XML Payload
HTTP
TCP
7
XIP Device Requirements

XIP Device The firewall or IDS system
responsible for XIP.
Two Requirements
Resiliency An XIP device should never crash or
cause a denial-of-service condition when
processing bad XML data.
Content Scrutiny An XIP device should never pass
on XML content that will blow out a downstream
entity or cause it to perform unauthorized
functions
Theme Protect itself and protect its application
domain

8
XIP Device
DB
DMZ
Application Infrastructure
Web Service (Partner)
Internet
HTTP
HTTP
SSL/ TLS
Web Server
G/W Router
External Firewall
Content Switch
Internal Firewall
LAN Switches
SSL/ TLS
Application Servers
Web Service Client
XIP Device
9
XML Threat Model
Application
XML Payload
Encoding ThreatsStructural ThreatsGrammar
Validation ThreatsSemantic ThreatsExternal
Entity ThreatsXML Security ThreatsAlgorithmic
Threats
HTTP
TCP
10
XML Threat Details

Encoding Threats
Threats related to naïve or broken XML parsers
not designed to handle encodings correctly
Failure to maintain encoding information for an
XML document
Structural Threats
Threats related to the structure of the XML
document, such as oversized payloads and
components
Grammar Validation Threats
Threats related to schema validation or
equivalent
Semantic Threats
Code Injection, SQL injection any threat that
manipulates the representation of the XML
document to change the semantics
External Entity Threats
Manipulation of the XML processor de-reference
external URIs
XML Security Threats
Misapplication of XML Security such as XML
Digital Signatures and XML Encryption
Algorithmic Threats
DoS Attacks that take advantage of the underlying
XML processor implementations (such as a hash
table attack)

11
Structural Threats
... it is important to realize that any lock can
be picked with a big enough hammer. - Sun
System Network Admin manual
12
Structural Threat Huge Document

ltEnvelopegt
ltHeadergt
ltwsseSecuritygt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltSignaturegtlt/Signaturegt
lt/wsseSecuritygt
lt/Headergt
ltBodygt
ltGetStockQuotegt ltTickergtCSCOlt/Tickergt
ltGetStockQuotegt
lt/Bodygt
lt/Envelopegt

13
Structural Threat Weird Structure

ltEnvelopegt
ltHeadergt
ltwsseSecuritygt
ltAttack a11 a21 a31 a41 a51
a61
ltAttackgt
ltAttackgt
ltAttackgt
ltAttackgt....
ltSignaturegtlt/Signaturegt
lt/wsseSecuritygt
lt/Headergt
ltBodygt
ltGetStockQuotegt ltTickergtCSCOlt/Tickergt
ltGetStockQuotegt
lt/Bodygt
lt/Envelopegt

14
Structural Threat Huge Binary Blobs

ltEnvelopegt
ltHeadergt
ltwsseSecuritygt
ltAttackgthbCBDZXJ0aWZpY2F0aW9uIEF1dGhv
xMDMxODU4MzRaMFwxCzAJBgNVBAYT
1cml0eSwgSW5jLjErMCkGA1UECxMi
1dGhvcml0eTCBmzANBgkqhkiG9w0B
sbsZwmdu41QUDaSiCnHJ/ljO7Kwp.
ltSignaturegtlt/Signaturegt
lt/wsseSecuritygt
lt/Headergt
ltBodygt
ltGetStockQuotegt ltTickergtCSCOlt/Tickergt
ltGetStockQuotegt
lt/Bodygt
lt/Envelopegt

15
Structural Threats Why?

Why should a large or oversize payload cause a
problem?
Why havent we seen these types of threats with
regular network traffic?
Answer The attacker is relying on inefficient
XML parsing models
DOM Based Parsing

16
Parsing SOAP Document Example

ltSEnvelope xmlnsS"http//www.w3.org/2001/12/soa
p-envelope"gt
ltSBody Id"MsgBody"gtltfnOrder
xmlnsfn"http//www.foo.com/fakens"gt
ltItemgtPool Tablelt/Itemgt
ltQuantitygt1lt/Quantitygt
ltAccountNumbergt123456789lt/AccountNumbergt
ltPricegt800.00lt/Pricegt
lt/fnOrdergt
lt/SBodygt
lt/SEnvelopegt

17
DOM Example
Document
ltEnvelopegt
ltBodygt
ltTextgt
ltTextgt
ltOrdergt
ltTextgt
ltTextgt
ltTextgt
ltItemgt
ltQuantgt
ltTextgt
ltAcct Numgt
ltPricegt
ltTextgt
ltTextgt
ltTextgt
ltTextgt
ltTextgt
ltTextgt
ltTextgt
All are subtypes of Node
18
DOM Parsing Memory Requirements
19
SAX Specific Exploits

What about stream-based parsing?
In general, less vulnerable
Usage dependent
Context-free filtering
Overlapped parsing and consumption
Stream replay and storage

20
Context-Free Filtering

Single element search
Event Callbacks Required
startDocument() / endDocument()
startElement() / endElement()
All other data is filtered and lost

XML
E1,E2,E3,,En
Trash
?
Application
21
Overlapped Parsing and Consumption

Ordered Processing
Read XML in chunks and then process
Simple content models with repetition
Very little content caching

XML
E1,E2,E3,,En
Trash
Application
22
Stream Replay and Storage

Context-sensitive SAX parsing
Caching (replay) of complete documents or
subdocuments
Can approach DOM-like memory usage

XML
E1,E2,E3,E4,E5,E6,E7,,En
Trash
Application
In-memory
23
XML Parsing Conclusions

DOM parsing is a memory hog
SAX parsing can be a memory hog
Usage dependent

24
Typical Countermeasures

W3C Schema Validation
Standardized grammar validation
Validate the document against a schema to ensure
that it matches

25
Schema Validation Problems

Parsing Precondition
Paradox You have to parse before you validate
Extensible Standard Schemas
Schema is not by design a security feature

26
Parsing Precondition

Logical split between parsing and validation
Naïve implementations parse first and then
validate second, when it is too late
Smarter implementations can begin schema
validation while parsing, but cant finish until
parsing finishes
Sequence of elements a, b, c I need to parse
to the end to see if the element c is present.
Pathological nodes are always parsed before
validated
Schema validation comes too late
Special checks outside of schema validation
(limit enforcement) are required

27
XML Schema Extensibility

Value in general, extensible content models
Not practical to be so restrictive
ltxsany processContentslax"
maxOccurs"unbounded"/gt
Weakest Link Property
An attacker only needs to find one extensibility
point
Explicit schema hardening breaks standards
Hardened schemas are vulnerable if not protected
by a digital signature or trusted source

28
OASIS WS-Security Schema Example

ltxsdcomplexType name"SecurityHeaderType"gt
ltxsdsequencegt
ltxsdany processContents"lax" minOccurs"0
maxOccurs"unbounded"gt
ltxsdannotationgt
ltxsddocumentationgtThe use of "any" is to allow
extensibility and different forms of security
data.lt/xsddocumentationgt
lt/xsdannotationgt
lt/xsdanygt
lt/xsdsequencegt
ltxsdanyAttribute namespace"other
processContents"lax" /gt
lt/xsdcomplexTypegt

29
Schema Validation Inadequate

Schema valid ltwsseSecuritygt element
ltwsseSecurity xmlnswssehttp//www.docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity-s
ecext-1.0.xsd
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
ltAttackgtDoSlt/Attackgt
lt/wsseSecuritygt

30
Structural Threat Prevention Requirements

Wire speed Limit Enforcement for XML Parsing
Oversize payloads
Oversized element names, attribute names and
processing instruction target names.
Limiting the maximum number of attributes per
element.
Limiting the depth (nesting) of elements.
Limits on the size of the processing
instructions, comments, single CDATA items, and
attribute values
Wire speed Schema Validation for hardened schemas
Wire speed XPath Filtering
Used to filter XML based on known traffic

31
Semantic Threats
32
SQL Injection Example

Assume that a query is being run as follows
query "select count() from users where
userName " userName ' and userPass "
password "
Boolean short-circuiting techniques
select count() from users where userName'john'
and userPass'' or 11 --'

33
SQL Injection

Web Applications are highly susceptible
Weak typing of Web-based languages
Ease of use vs. Security
Ad-hoc coercion of data-types
SOAP-based applications are less susceptible
Easier to enforce stronger typing with SOAP
SOAP faults may return extra information
ltfaultstringgt element returns stack traces

34
SOAP SQL Injection Example
ltsoapEnvelope xmlnssoap gt ltsoapBodygt
ltfnPerformFunction xmlnsfn gt
ltfnuidgt8123lt/fnuidgt ltfnpasswordgt
or 11 or password lt/fnpasswordgt
lt/fnPerformFunctiongt lt/soapBodygt lt/soapEnvelo
pegt

Strong typing mitigates the attack on the uid
parameter

35
SOAP Array Attack
ltsoapEnvelope xmlnssoap gt ltsoapBodygt
ltfnPerformFunction xmlnsfn xmlnsns gt
ltDataSet xsitype"nsArray"
nsarrayType"xsdstring100000"gt ltitem
xsitype"xsdstring"gtData1lt/itemgt ltitem
xsitype"xsdstring"gtData2lt/itemgt ltitem
xsitype"xsdstring"gtData3lt/itemgt
lt/DataSetgt lt/fnPerformFunctiongt
lt/soapBodygt lt/soapEnvelopegt

DoS Condition with memory pre-allocation

36
Typical Countermeasures

W3C Schema Validation
Standardized Grammar validation
Schema ltpatterngt Facet / Regular Expressions
Stronger Schema datatypes
Application Checks
Strong typing and input validation can prevent
SQL injection style attacks

37
Schema Validation Problems

Manual Schema Modification
Stronger typing must be manually added to schemas
Breaks standards
Highly Tedious
Incomplete Protection
Regex Capabilities inadequate

38
ltPatterngt Facet Example

ltxssimpleType name"zipcode"gt
ltxsrestriction base"xsstring"gt
ltxspattern value"0-95(-0-94)?"/gt
lt/xsrestrictiongt
lt/xssimpleTypegt
You must specify the entire value space
Logical negation of an expression not possible
Cant say Dont allow any documents with
SELECT, WHERE, OR, 11 within element X.

39
Semantic Threat Prevention Requirements

Wire speed word filter
Case blind or case sensitive
Regex filter
Scanning for double dash, single quote, hash
SOAP Attachment Scanning
Case blind or case sensitive
Wire speed Schema Validation for hardened schemas

40
XML Web Services The Universal Tunnel
41
De-Perimiterization

XML Web Services are more than just a different
class of network traffic
XML Web Services represents a crucial paradigm
shift of the network perimeter.
XML Web Services provide a universal tunnel

42
Network Targets
Circa 1995
Circa 2005

VPN (IPSec/SSL)
SCP
SSH
RDP
SRTP
IMAPS
SMTP
HTTPS
SOAP/XML

SLIP/PPP
FTP
Telnet
Gopher
IMAP
POP
rlogin
HTTP
SMTP

43
Universal Tunnel Problems

I need to get this file to you and cant wait
for the network guys to open up FTP, just
download my WSDL and build a client for it
In principle, secure versions of existing
protocols can be re-implemented quite easily over
XML Web Services
XML Web Services platforms provide quick and easy
deployment of services
Future prediction Open Source XML Web Services
implementing existing network protocols
FTP/Telnet/SSH/SCP/RDP/IMAP

44
Security Cycle
1995 Proliferation of Internet-based Protocols
Deployed protocols are porus and provide
multi-vector attack opportunities
2005 Proliferation of Secure Replacements
XMLWeb Services developed
XML Web Services and the universal tunnel
45
Summary