Professional Documents
Culture Documents
Brian Holyfield
Gotham Digital Science
http://www.gdssecurity.com
labs@gdssecurity.com
AppSec DC
November 12, 2009
Session Objectives
Introduction to WCF
Tools & Techniques for Pen-testing WCF Services
Session Outline
WCF Overview
Silverlight WCF Web Services
WCF and WS-Security
Duplex Services
OWASP 2
WTF is WCF?
OWASP
What’s new with WCF?
OWASP
Security Properties of ServiceHostBase
OWASP 5
ABCs of WCF Endpoints
OWASP
WCF Addresses
[transport]://[machine or domain][:optional
port]/[optional uri]
OWASP
WCF Bindings
OWASP
WCF Bindings
OWASP
WCF Contracts
OWASP
WCF Contracts: Opt-In Approach
OWASP
Attacking WCF Services
OWASP 12
Example 1: Silverlight Client Service
OWASP
HTTP/S Proxies and MC-NBFS
OWASP 14
Fiddler: Binary XML Inspector
OWASP 15
MSBin1 Burp Proxy Plug-In
OWASP 16
MSBin1 Burp Proxy Plug-In
Attacker
OWASP 17
MSBin1 Burp Proxy Plug-In
OWASP 18
Obtaining MetaData from a WCF Endpoint
HTTP-GET
Same as legacy ASMX
Retrieved by appending “?wsdl” to the address
OWASP 19
MetaData Helper Page
OWASP 20
Obtaining MetaData from a WCF Endpoint
[snip]
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
[…]
<!-- To avoid disclosing metadata information, set the value
below to false and remove the metadata endpoint above before
deployment -->
<serviceMetadata httpGetEnabled="true"/>
[snip]
OWASP
Basic MEX Request Structure
POST /MyService.svc/mex HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Host: wcf.example.com
Content-Length: 565
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-
envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action>
http://schemas.xmlsoap.org/ws/2004/09/transfer/Get
</a:Action>
<a:To>
http://wcf.example.com/MyService.svc/mex
</a:To>
</s:Header>
<s:Body/>
</s:Envelope>
OWASP 22
Manual Testing Utilities
WcfTestClient
Ships with Visual Studio 2008+
Automatically Parses WSDL or MEX
http://weblogs.asp.net/blogs/guillermo/Code/WcfTestClient.zip
WCF Storm
Supports most WCF bindings, including MC-NBFS over HTTP
Free Lite Version available
http://www.wcfstorm.com/wcf/download-wcfstorm-lite.aspx
OWASP 23
Obtaining MetaData from a Silverlight XAP
OWASP
Example 2: Secure WCF Bindings
OWASP 25
Determining WCF Security Settings
OWASP 26
WCF Message Security
OWASP
WS-S Anonymous Message Encryption
OWASP 28
Writing a Custom WCF Test Client
OWASP 29
Writing a Custom WCF Test Client
OWASP 30
Writing a Custom WCF Test Client
OWASP 31
Writing a Custom WCF Test Client
<behaviors>
<endpointBehaviors>
<behavior name="NoCertValidation">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"
revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
OWASP 32
WS-S Username Credentials
OWASP 33
WS-S Username Credentials
but NOT:
<serviceMetadata httpsGetEnabled="true"/>
OWASP 34
Example 3: WCF Duplex Services
OWASP
WSDualHttpBinding
OWASP 36
Abusing WSDualHttpBinding
OWASP 37
Brian Holyfield
Gotham Digital Science
http://www.gdssecurity.com
labs@gdssecurity.com
OWASP