.NET Forum / ASP.NET / Web Services / July 2005

Bypass WSE security using a HttpWebRequest?

Andy Stephens - 06 Jul 2005 10:22 GMT
Hi

We are in the process of implementing some WSE-enabled webservices for the
first time, and are now in the process of testing. It works fine using .Net
client code that has been "WSE'd" (i.e. Visual Studio generates the "Wse"
suffixed web service proxies), and we can see from various logs that WSE is
processing the requests on the server.

I wanted to simulate a replay attack, so I copied a previously-received soap
envelope from the "InputTrace.webInfo" log file on the server, and wrote a
simple client app that sends this to the WS using a HttpRequest (see code
below). I expected WSE to reject it, but this approach seems to completely
bypass WSE, and the webmethod executes successfully as though WSE isn't
there. Even putting gibberish into the soap envelope (e.g. the nonce or
password digest), or even removing whole sections (such as the UsernameToken),
doesn't affect it.

I am also a little surprised that I am able to use my browser to test the
webmethod (i.e. via the Invoke button), again acting as if WSE isn't there.
Am I missing something stupid? Surely this can't be a (rather large) security
hole in WSE?

    using System;
    using System.IO;
    using System.Net;
    using System.Xml;

    // Envelope copied verbatim from the server's InputTrace.webInfo log,
    // including the original Timestamp, Nonce and PasswordDigest values
    // (note that wsu:Expires is already in the past at the time of posting).
    string xml = @"<?xml version=""1.0"" encoding=""utf-8"" ?>";
    xml += @"<soap:Envelope xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""";
    xml += @" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance""";
    xml += @" xmlns:xsd=""http://www.w3.org/2001/XMLSchema""";
    xml += @" xmlns:wsa=""http://schemas.xmlsoap.org/ws/2004/03/addressing""";
    xml += @" xmlns:wsse=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd""";
    xml += @" xmlns:wsu=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"">";
    xml += @"<soap:Header>";
    xml += @"<wsa:Action>http://www.xxx.co.uk/HwroeServiceInterfaceIntranet/GetPdaDatabaseVersion</wsa:Action>";
    xml += @"<wsa:MessageID>uuid:98d778d5-1970-45fa-a493-2172ef56abe1</wsa:MessageID>";
    xml += @"<wsa:ReplyTo>";
    xml += @"<wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>";
    xml += @"</wsa:ReplyTo>";
    xml += @"<wsa:To>http://localhost/HwroeServiceInterfaceIntranet/PdaServices.asmx</wsa:To>";
    xml += @"<wsse:Security soap:mustUnderstand=""1"">";
    xml += @"<wsu:Timestamp wsu:Id=""Timestamp-6fba8b3e-10d4-481d-9b26-84ab46a3adf4"">";
    xml += @"<wsu:Created>2005-07-05T14:00:00Z</wsu:Created>";
    xml += @"<wsu:Expires>2005-07-05T14:05:00Z</wsu:Expires>";
    xml += @"</wsu:Timestamp>";
    xml += @"<wsse:UsernameToken xmlns:wsu=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"" wsu:Id=""SecurityToken-5998b927-31a7-4778-91ed-4058ae944f1e"">";
    xml += @"<wsse:Username>CL701P</wsse:Username>";
    xml += @"<wsse:Password Type=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"">j8ohdLGEMoaT9ue/LoDxbsPYq6Y=</wsse:Password>";
    xml += @"<wsse:Nonce>sfXD8hxSBJWYADDJW5avxw==</wsse:Nonce>";
    xml += @"<wsu:Created>2005-07-05T15:27:11Z</wsu:Created>";
    xml += @"</wsse:UsernameToken>";
    xml += @"</wsse:Security>";
    xml += @"</soap:Header>";
    xml += @"<soap:Body>";
    xml += @"<GetPdaDatabaseVersion xmlns=""http://www.xxx.co.uk/HwroeServiceInterfaceIntranet/"" />";
    xml += @"</soap:Body>";
    xml += @"</soap:Envelope>";

    XmlDocument doc = new XmlDocument();
    doc.LoadXml(xml);

    // Plain HTTP POST straight to the .asmx URL with the method name appended
    // and an empty SOAPAction header; no WSE proxy is involved on the client.
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(
        "http://localhost/hwroeserviceinterfaceintranet/pdaservices.asmx/GetPdaDatabaseVersion");
    req.Headers.Add("SOAPAction", "\"\"");
    req.ContentType = "text/xml;charset=\"utf-8\"";
    req.Accept = "text/xml";
    req.Method = "POST";

    Stream stm = req.GetRequestStream();
    doc.Save(stm);
    stm.Close();

    WebResponse resp = req.GetResponse();
    stm = resp.GetResponseStream();
    StreamReader r = new StreamReader(stm);
    string s = r.ReadToEnd();
    // (s now contains the response from the successfully executed webmethod)

Many thanks

Andrew Stephens
.Net Consultant

"What are you going to do? Set the dogs on me? Or the bees? Or the dogs with
bees in their mouths and every time they bark they shoot bees?"
Sidd - 06 Jul 2005 16:56 GMT
Hi Andy,

    Do you have any form of protection requirements at the WSE service, in
the form of policy or something? By default, when you install WSE, you get
the ability to secure messages; however, if you don't specify the request to
be signed or encrypted, or at the service for all incoming requests to be
signed or encrypted, then one can easily send simple non-secure ASMX
messages. You can see the WSE Documentation on how to use policy to secure
messages.

    Also, with regards to the Invoke button. This is a test page that you
see when you browse a .asmx web service through a browser. The Invoke button
automatically shows up only on the local machine. If you try to access this
from a remote machine, you will not get this Invoke button (unless you
explicitly enable the HttpPost protocol in the web.config or machine.config
of the server). Also, if you really wanted to block this Invoke button on the
test page from executing your web method, you can do the following at the
start of your web method:

if (RequestSoapContext.Current == null)
   throw new ApplicationException("Only SOAP requests are allowed");

Let me know if this makes sense.

Thanks,

Sidd [MSFT]

Andy Stephens - 07 Jul 2005 09:32 GMT
Hi Sidd, thanks for the reply.

Yes, we are using a policyCache.config file (see below). We have implemented
our own UsernameTokenManager; the overridden AuthenticateToken() method
authenticates the username and password against a database, creates an
IPrincipal and populates it with roles, then assigns this to the token's
Principal. The policy file uses a role-based <Claims> section.

I came across the code snippet that checks for and rejects non-SOAP requests
yesterday, but it is quite worrying that if a developer forgets to add this,
anyone can call WSE webservices using a HttpWebRequest, and completely bypass
WSE as if it wasn't there at all!

Policy file:

<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#ValidateUsernameToken" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>

  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:Policy wsu:Id="ValidateUsernameToken">
      <SecurityToken wsp:Usage="wsp:Required"
        xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext" >
        <TokenType>
          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
        </TokenType>
        <Claims xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
          <wse:Role value="Admin" />
        </Claims>
      </SecurityToken>
    </wsp:Policy>
  </policies>
</policyDocument>

Andrew Stephens
.Net Consultant

"What are you going to do? Set the dogs on me? Or the bees? Or the dogs with
bees in their mouths and every time they bark they shoot bees?"
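As an added example (not code from this thread, from Microsoft, or from the HwroeServiceInterfaceIntranet project) that ties Sidd's RequestSoapContext check to the database-backed UsernameTokenManager and the role-based policy Andy describes: the web method first refuses anything that never went through the WSE 2.0 pipeline, then requires an authenticated UsernameToken whose principal holds the required role, so a forgotten check in one place is not the only line of defence. The class names DbUsernameTokenManager and PdaServices, the credential values, and the return value are assumptions; the manager is assumed to be registered in web.config as the securityTokenManager for wsse:UsernameToken (configuration not shown), and the policy from the post above still applies on top of this.

```csharp
using System;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security.Tokens;

// Hypothetical manager standing in for Andy's database-backed one. WSE calls
// AuthenticateToken, recomputes the PasswordDigest from the returned password
// plus the message's Nonce and Created, and faults the request on mismatch.
public class DbUsernameTokenManager : UsernameTokenManager
{
    protected override string AuthenticateToken(UsernameToken token)
    {
        // Constructed sample credential; a real manager queries the database.
        if (token.Username != "CL701P")
            throw new SoapException("Unknown user", SoapException.ClientFaultCode);
        // Role-bearing principal that the web method's role check consults.
        token.Principal = new GenericPrincipal(
            new GenericIdentity(token.Username), new string[] { "Admin" });
        return "constructed-password-for-CL701P";
    }
}

public class PdaServices : WebService
{
    [WebMethod]
    public string GetPdaDatabaseVersion()
    {
        RequireSoapRole("Admin");
        return "1.0"; // placeholder result
    }

    // Rejects any request that did not pass through the WSE pipeline (no
    // SoapContext: the test page's Invoke button or a raw POST to
    // .asmx/Method), then requires a UsernameToken whose principal has the role.
    private static void RequireSoapRole(string role)
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
            throw new ApplicationException("Only SOAP requests are allowed");
        foreach (SecurityToken t in ctx.Security.Tokens)
        {
            UsernameToken ut = t as UsernameToken;
            if (ut != null && ut.Principal != null && ut.Principal.IsInRole(role))
                return;
        }
        throw new SoapException("Access denied", SoapException.ClientFaultCode);
    }
}
```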
