[OWASP-Chapters] RE: [OWASP-Ireland] Web services - DV Auth or Auth DV???
Tony Palmer
tony.palmer at vordel.com
Wed Jun 8 10:38:28 EDT 2005
Eoin et al.
Thanks for the mention. At Vordel we would recommend that bad
messages should be blocked as soon as possible and with the minimum
amount of CPU cycles / network usage. And of course logged.
We note that when authentication is performed first, the likelihood that
a message will fail content validation is drastically reduced. Clients
that authenticate successfully should not be intentionally sending bad
XML. (Otherwise you are doing business with shady people and you will
not be around for long anyway.) For XML and Web Services most traffic
is machine to machine; authentication or content validation errors are
usually due to misconfiguration and easily rectified.
Now this becomes moot if a valid login is obtained illegally. In the
event of an attack you would expect to see multiple errors such as
Authorization failures, Content Validation etc. Eoin is correct in that
Vordel can be configured to alert such anomalous behaviour to a firewall
and block subsequent attacks at the network level.
To prevent the attacker gaining a valid login by sniffing, we recommend
the use of SSL. If you restrict certain services to a subset of your
customer base, then IP filtering at the application (XML Firewall) layer
can prevent users accessing services from unknown locations, even if
they obtain a valid login. We see this quite frequently: whilst the XML
firewall is publicly addressable, individual services are dedicated to a
small number of high-usage clients, e.g. banks connecting to a Telco.
Now there is the issue that John seems to have happened upon, which is
worthy of a mention. His system gives different errors depending on the
security check that fails. Vordel acknowledges that whilst custom error
responses are handy when developing a system, they have no place in
secure production systems. Vordel recommends that a standard error
response is sent, such as 'Request Denied'. You should never give an
attacker hints.
Once XML systems are up and running *any* security processing errors are
a noteworthy event worth checking out.
Have a read of our CTO's article
http://www.looselycoupled.com/opinion/2004/oneill-trust-infr1213.html
Regards,
Tony
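The ordering the thread settles on (cheap sanity checks, then authentication from out-of-band HTTP headers, then schema-style content validation, with one uniform 'Request Denied' to the caller and the real reason only in the log, plus a per-client failure count that can be handed to a firewall) can be shown in one small request pipeline. The following is an added illustration written for this page; it is not Vordel's, Allianz's or any list member's code. The credential store, the `X-User`/`X-Password` header names, the `transfer` service, its allowed client address, the `Transfer`/`Amount` message shape, the 64 KiB size ceiling and the three-failure threshold are all assumptions made for the example, and the blanket rejection of any DTD or entity declaration is a deliberately conservative stand-in for a fuller XML hardening policy.

```python
"""Auth-before-validation pipeline for a SOAP-over-HTTPS endpoint (added example)."""
import hashlib
import hmac
import logging
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field

log = logging.getLogger("xmlgw")

MAX_BODY_BYTES = 64 * 1024        # step 1: size ceiling applied before any parsing (assumed)
DENIED = (403, "Request Denied")  # the single answer every failure gets
BLOCK_AFTER = 3                   # failures from one client before flagging it (assumed)
SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"


def _pw_hash(user: str, password: str) -> str:
    # Hypothetical credential hashing for the demo; a real store would use a
    # slow, salted KDF. The comparison logic below is the point here.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


# Hypothetical credential store and per-service client allow-list.
CREDS = {"bank01": _pw_hash("bank01", "correct horse battery staple")}
DUMMY_HASH = _pw_hash("nobody", "nobody")   # keeps unknown-user timing similar
SERVICE_ALLOWED_IPS = {"transfer": {"203.0.113.10"}}


@dataclass
class Gateway:
    failures: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    def _deny(self, client_ip: str, reason: str):
        # The specific reason is logged for the operator, never sent back.
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= BLOCK_AFTER:
            self.blocked.add(client_ip)   # hand-off point for a firewall rule
        log.warning("denied %s: %s", client_ip, reason)
        return DENIED

    def handle(self, client_ip: str, service: str, headers: dict, body: bytes):
        if client_ip in self.blocked:
            return self._deny(client_ip, "client already blocked")

        # 1. Sanity checks that cost almost nothing.
        if len(body) > MAX_BODY_BYTES:
            return self._deny(client_ip, "oversize body")
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            return self._deny(client_ip, "DTD/entity declaration in payload")

        # 2. Authenticate from out-of-band HTTP headers, before touching the XML.
        user = headers.get("X-User")
        password = headers.get("X-Password")
        if not user or password is None:
            return self._deny(client_ip, "missing credentials")
        stored = CREDS.get(user, DUMMY_HASH)
        if user not in CREDS or not hmac.compare_digest(stored, _pw_hash(user, password)):
            return self._deny(client_ip, "unknown user or bad password")
        allowed = SERVICE_ALLOWED_IPS.get(service)
        if allowed is not None and client_ip not in allowed:
            return self._deny(client_ip, "valid login from unexpected address")

        # 3. Only now pay for parsing and content validation.
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            return self._deny(client_ip, f"malformed XML: {exc}")
        soap_body = root.find(SOAP_ENV + "Body")
        if root.tag != SOAP_ENV + "Envelope" or soap_body is None:
            return self._deny(client_ip, "not a SOAP envelope")
        if len(soap_body) != 1 or soap_body[0].tag != "Transfer":
            return self._deny(client_ip, "unexpected operation")
        amount = soap_body[0].findtext("Amount")
        if amount is None or not amount.isdigit():
            return self._deny(client_ip, "Amount missing or non-numeric")

        self.failures[client_ip] = 0
        return (200, f"OK amount={amount}")


# Constructed sample request and headers (not captured traffic).
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><Transfer><Amount>250</Amount></Transfer></soap:Body>
</soap:Envelope>"""
GOOD_HEADERS = {"X-User": "bank01", "X-Password": "correct horse battery staple"}

if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("203.0.113.10", "transfer", GOOD_HEADERS, GOOD_REQUEST))
    print(gw.handle("203.0.113.10", "transfer", GOOD_HEADERS, b"<broken"))
```

A wrong password, a malformed envelope and a correct login from an address the service does not expect all produce the same `(403, "Request Denied")`; only the gateway's log distinguishes them, and the `blocked` set is where an integration with a network firewall would pick up repeat offenders.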
-----Original Message-----
From: owasp-ireland-admin at lists.sourceforge.net
[mailto:owasp-ireland-admin at lists.sourceforge.net] On Behalf Of
Eoin.Keary at allianz.ie
Sent: 08 June 2005 10:38
To: marmelstein at eircom.net
Cc: owasp-chapters at lists.sourceforge.net;
owasp-ireland at lists.sourceforge.net;
owasp-ireland-admin at lists.sourceforge.net
Subject: Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???
Hi John,
I was chatting to Dr Tony Palmer of Vordel about this last week.
The first point, from the point of view of not spending any extra CPU
time on unauthenticated requests, is to authenticate first.
One solution is not to have the UserId and password "in band", inside
the SOAP message, so we auth then DV. Use out-of-band credentials (in the
HTTP request as opposed to the XML message).
Using a SAX parser instead of a DOM to do initial parsing would also
help performance.
Some of the Vordel suite of solutions can actually talk to the firewall
to block suspected rogue requests.
An XML schema on both sides of the transaction is also a good idea if
possible, but it can't be guaranteed that the requesting entity shall
use the schema to validate their request, and it cannot be relied on in its
entirety.
Anyway, we (Ireland OWASP) hope to have Dr Palmer (or one of his
colleagues) give us a presentation on Web services security at the next
OWASP meeting.
Eoin
Eoin Keary
Contractor
Allianz Ireland
IT Security (Tech Admin)
Security Projects Division
Dir: + 353-1-613-3490
Mob: + 353-87-904-1922
Mailto:eoin.keary at allianz.ie
Ph 01 6133490
From: "John Marmelstein" <marmelstein at eircom.net>
Sent by: owasp-ireland-admin at lists.sourceforge.net
Date: 06/08/2005 08:06 AM
Please respond to: <marmelstein at eircom.net>
To: owasp-ireland at lists.sourceforge.net, owasp-chapters at lists.sourceforge.net
Subject: Re: [OWASP-Ireland] Web services - DV Auth or Auth DV???
Hello All,
(first posting from a 'top ten' adopter)
I suggest that authentication is the one to do first. But, there are
arguments on both sides. The advantage of authentication is that it can
reduce the risk of malicious data attack. An attacker may send a payload
aimed at doing damage during the XML parsing or data-validation utility
(DV). I know that the DV is made with the intention of being resistant
to this, but complex messages might be hard to validate safely. This is
in contrast to messages received from HTML forms, which can be safely
validated if they are all text strings.
Going further, there's a case for splitting the validation process.
First, a 'sanity check' on the message. Then, authenticate. Finally,
proper validation. For example;
1- Check that it is valid XML or SOAP. Maybe some broadly
application-specific stuff, such as checking that the message only has
text elements, no non-parsed 'CDATA' bits. Or, that it is smaller than a
certain size.
2- Authenticate username/password
3- Application-specific data validation.
This may sound over-elaborate, but I don't think it's too bad. A typical
environment might have a dedicated web server (Apache, perhaps) in front
of an Application Server (WebLogic, perhaps). 'Step 1' above could
be efficiently done in Apache, and a category of bad messages
blocked within the DMZ. The same basic sanity check should work for many
or all applications. Then again, this step can also be done by many
firewall products, so may not be worth getting into.
bye,
John M
__________________
John Marmelstein
www.StrongPoint.ie
>"Eoin Keary" <eoinkeary at hotmail.com> wrote:
> Hi,
> Just thought I'd throw this out to see opinions:
>
> A webservice:
> Uses HTTPS. The Payload (SOAP) is in the HTTP Header.
> The password and UserId are also in the HTTP header as header
parameters.
> (We can see the obvious issues here already?!#!?)
>
> So,
> The service needs a requester to be authenticated.
> So sending a SOAP request (over HTTPS) to this service gives us "Access
> Denied" as I put in an incorrect password...ok so far
> Sending a modified request which the XML schema does not like (malformed
> request for example) gives us a Data validation error....So DV is done
> before authentication.
>
> Which should come first in the case of webservices...?
> DV or Auth.
> If DV is first we may be able to do a DoS by sending 1000's of requests,
> each one needing to be DV'ed. (Webservices are prone to DoS attacks).
> By doing Auth first, we need to DV the userId and password, authenticate
> and then continue with the DV, which is complex....
>
> Anyone have any ideas which should be first, the "chicken or the egg"?
> I have my own opinions but what do you good people think?
_______________________________________________
OWASP-Ireland mailing list
OWASP-Ireland at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-ireland