Web services are used by many applications and are essential to the infrastructure of the modern Internet. Among other things, they enable applications to connect to social networks and to offer their own services to third parties. In recent years, however, web services have become the target of serious attacks that exploit implementation flaws. These attacks take advantage of the complexity of the XML standards and allow attackers to read sensitive data from external servers or to decrypt confidential data.
This training introduces web service technologies and presents, by example, numerous techniques used to attack SOAP-based web services. Afterward, the participants have the opportunity to execute various attacks themselves in a virtual machine prepared by us. First, the attacks are executed manually (for example, with SoapUI) in order to get a feeling for the underlying vulnerabilities. We then introduce our penetration testing tool WS-Attacker, which can be used to test for many of these attacks automatically. The virtual machine is usable offline and can be used by participants for further internal education after the course has ended.
Due to the importance of integrating web services into your enterprise ecosystem, it is essential to understand and address the problems of these technologies. The training will address the following questions, among others:
- How do I use an XML parser correctly?
- How do I check an XML document's signature correctly?
- Which risks need to be considered when using WS-* extensions?
- Is encrypting my messages with TLS sufficient?
- How can I protect my systems against attackers?
Topics:
- XML and SOAP-based Web Services
  - XML Schema and WS-Policy
  - WS-Addressing and WS-Addressing Spoofing
- XML Parsing (DOM vs. SAX)
  - XML-specific Denial-of-Service Attacks
- XML Security and WS-Security
  - Differences to SSL/TLS
- XML Signature
  - ID- and XPath-based XML Signatures
  - XML Signature Wrapping Attacks
- XML Encryption
  - Attacks on Symmetric Encryption
  - Attacks on Asymmetric Encryption
- Penetration Testing with WS-Attacker
- Outlook: SAML-based Single Sign-On
- REST-based Web Services
  - Attacks and Best Practices
Requirements: This training is designed primarily for two target audiences:
- Developers who use XML and web services in practice.
- Penetration testers and security researchers who want to learn how to evaluate the security of such systems.