wsChess Toolkit

Book - Hacking Web Services

2006-08-18T10:37:00.000-07:00

Web Services are an integral part of next generation Web applications. The development and use of these services is growing at an incredible rate, and so too are the security issues surrounding them. Hacking Web Services is a practical guide for understanding Web services security and assessment methodologies. Written for intermediate-to-advanced security professionals and developers, the book provides an in-depth look at new concepts and tools used for Web services security. Beginning with a brief introduction to Web services technologies, the book discusses Web services assessment methodology, WSDL -- an XML format describing Web services as a set of endpoints operating on SOAP messages containing information -- and the need for secure coding. Various development issues and open source technologies used to secure and harden applications offering Web services are also covered. Throughout the book, detailed case studies, real-life demonstrations, and a variety of tips and techniques are used to teach developers how to write tools for Web services. If you are responsible for securing your company's Web services, this is a must read resource!

More information

Releasing 1.5

2006-01-28T01:05:00.000-08:00

Following changes are included.

+ Few bugs are solved
+ wspawn is now querying Xmethods. UBRs are closed for Microsoft, IBM etc.
+ wsknight has analysis engine in place. You can supply regex patterns and wsaudit will detect them. It will change color of text. Sample rule file is included.

Domain footprinting is branched out into MSNPawn

2006-01-11T05:38:00.000-08:00

It is in the form of new tool called MSNPawn.

MSNPawn has been designed and developed on the .Net framework and must be installed on the system. The following utilities have been bundled with MSNPawn.

MSNHostFP - Supply an IP Address or IP Address range to fetch all possible virtual hosts or application running on each IP addresses.

MSNDomainFP - Supply a domain name to fetch the top 50 child domains, considering the supplied domain name as parent.

MSNCrossDomainFP - Supply an application domain to fetch the top 50 domains pointing to this particular domain on the Internet.

MSNCrawler - Supply a domain or application name to fetch all possible links crawled by the search engine.

MSNFetch - Supply a domain and rules file. The tool will run each rule in the file against the domain specified and fetch the first five results of the resultant query. This can help in assessing an application.

Search.MSN - Provides place to run your search against MSN and gather all URLs.

Whitepaper is included for better understanding for all these tools.

[Download]

[Download paper]

Releasing beta 1.4

2005-08-07T23:14:00.000-07:00

Some bugs are rectified in this build. These bugs were in following areas
1. wsKnight - SOAP action tag in header and host
2. WSsearch - Parsing error
3. Domain footprinting is removed from wspawn and planning to build a seperate tool.

Thanks for reporting bugs. Few more stuff to be added in next build.

Releasing beta 1.3

2005-06-06T02:29:00.000-07:00

wsKnight is updated with 4 new audit/attack vectors. This will help in auditing or testing web services.

1. Bruteforcing - One can specify user/pass fields and map it to files. This will launch bruteforcing combinations on the wire.
2. Buffer overflow - Specify parameter and buffer size.
3. LDAP and XPath injection - This is very simple just a different category.

Stay tune more to go.

Cheers!

ASP.NET web services advisory

2005-05-24T23:09:00.000-07:00

wschess helped in finding this bug in ASP.NET. Recent finding on ASP.NET is posted on security tracker.
Read Here

Releasing beta 1.2

2005-05-17T05:37:00.000-07:00

Changes are as follows

1. Doamin footprinting is added to wspawn. Methodlogy is discussed in paper [Read]
2. wspawn threading is much more controlled now with option to stop.
3. wspawn's command line is also posted which can run under linux with mono.

Planning to add few more audit/attack modules for xpath,xss,ldap etc in wsknight in next release.

[External] Beta 1.1

2005-04-26T03:17:00.000-07:00

Following changes are made
1. Threaded engine in place
2. GUI thread is different from core
3. SSL support is added
4. Messaging improved

That is it! stay tuned for next.

[Internal] Beta 1.1 released

2005-04-18T09:52:00.000-07:00

Threaded engine in place with separate UI thread. Possible to do several activities at the same time. Key SSL support is added for all tools and possible to assess any SSL enabled application.

wsChess 1.0 (beta/prototype) - Web Services Assessment and Defense toolkit

2005-04-09T03:42:00.000-07:00

A set of tools written C# for the .Net platform. This is a prototype, released as beta with limited support at this point. It has the following tools:

wsPawn - Web services footprinting, discovery and search tools. If you are looking for registered web services and their access points, this tool will help you in retrieving information from public UDDI.

wsKnight - Web services profiling, proxy and audit tool. This tool helps in profiling web services from its WSDL. It also allows you to invoke methods and intercept them before they go on the wire to the target, so that you can manipulate the SOAP envelope if needed. The autoaudit feature allows you to inject characters and attack strings for assessment work.

wsRook - This is a very simple technology demonstration for developers. This is a regular expression-based defense for web services input content. This is a hook in HTTP pipe using the HttpModule interface.

Whitepapers are included for better understanding for all these tools.

Read & Download

[Internal] wsRook & wsAudit

2005-04-02T09:49:00.000-08:00

With GUI wsAudit is released for internal use. wsRook - a small prototype created.

Paper for wsRook methodology - IHttpModule

2005-03-30T09:47:00.000-08:00

Web applications are vulnerable to many attacks, mainly due to poor input validation at the source code level. Firewalls can block access to ports but once a web application goes live and TCP ports 80 and 443 are accessible, the web application can be an easy prey for attackers. HTTP traffic is legitimate traffic for web applications; all the more reason to include application-level content-filtering over unencrypted and encrypted communication channels. Application-level content filtering is possible to some extent but may not work over HTTPS (port 443). The only way to provide a strong defense is by applying powerful content-filtering at the application-level for both TCP port 80 and TCP port 443.

The .Net framework with ASP.NET provides the IHttpModule interface access to HTTP pipes - the lowest of programming layers - before an incoming HTTP request hits the web application. This can provide defense at the gates. In this paper, we look at how one can build this sort of defense in all three aspects - coding, deployment and configuration.
Read Here

[Internal] wsProxy tool released

2005-03-20T05:41:00.000-08:00

wsProxy is TCP intercepter for SOAP envelope - prototype released.

wsEnum methodology

2005-03-18T09:44:00.000-08:00

Web services assessment can begin with a corporate name or some other such bit of information. This simple hint offers a wealth of information that needs to be unearthed. Focus first on locating single or multiple access points for a particular corporate. The methodology, which includes web services footprinting, discovery and search, is described in another paper (http://packetstormsecurity.org/papers/web/Defense_using_mod_security.pdf). Once an access point for a web service is uncovered, the next obvious step is to extract information from it.

Web services are deployed to invoke remote calls over HTTP/HTTPS. To make calls such as these, requires that information about the calls be shared with the end client. In the past, during the days of CORBA, developers used to share IDL (Interface Definition Language) files providing the required information over the network. Now, in the days of web services this has changed to WSDL (Web Services Definition Language). WSDL is a major source for information and can help in the enumeration process. We shall go over the enumeration process in subsequent sections.
Read Here

wsEnum tool

2005-01-04T09:43:00.000-08:00

wsEnum comand line version released. This tool parses WSDL file and profile web services.

[Internal] wsPawn release

2004-12-20T19:55:00.000-08:00

wsPawn ported on .Net framework with command line utility. Ristricted release with footprinting and discovery features only. Google search is not part of it.

Paper on methodology for wsPawn

2004-11-25T07:54:00.000-08:00

Web Services is growing at a rapid rate and bringing into focus, new security issues in the web security landscape. How do we start assessing web services deployed at any corporate location? That is the fundamental question and once again it all starts with information gathering. UDDI, WSDL and SOAP are three cornerstones of this technology and they can be powerful tools for information gathering. Universal Business Registry (UBR) can help in footprinting using UDDI. UBR and technology fingerprinting can be used to perform discovery of web services. The scope in this paper is limited to only the first phase, namely the Web Services Information Gathering Phase. The entire methodology for web services information gathering is covered in this paper. The next two phases of the Assessment methodology are enumeration and defining attack vectors, both extensive topics too. These will be taken up in later papers.
Infosecwriters (Read Here)

wsFootprinting in Java...

2004-11-18T03:52:00.000-08:00

Prototype of wsPawn was released and demo at HITB 2004. This is a technology and method demonstration.

wsChess Methodology defined

2004-10-15T03:43:00.000-07:00

HITB (Hack In The Box) 2004 Presentation by shreeraj Shah: "Web Services - Attacks and Defense Strategies, Methods and Tools". The web service is the new security Lego Land. The main building blocks are UDDI, SOAP and WSDL. This presentation will briefly touch upon each of these aspects.

Read Here