Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Slide 1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
Web Services Security (SOAP vs REST)
Sylvain MARET
Principal Consultant / MARET Consulting / @smaret
OpenID Switzerland & OWASP Switzerland
05/06.11.2012, Version 1.1 @smaret
Slide 2
Agenda
• What is a Web Service?
• SOAP
• REST
• Threat Modeling / ACME SA
• Risk reduction
• Conclusion
• Questions
Slide 3
Bio
• 18 years of experience in ICT Security
• Principal Consultant at MARET Consulting
• Expert & Lecturer at University of Applied Sciences (Yverdon)
• Swiss French Area delegate at OpenID Switzerland
• Co-founder Application Security Forum #ASFWS
• OWASP Member
• Author of the blog: la Citadelle Electronique
• http://ch.linkedin.com/in/smaret or @smaret
• http://www.slideshare.net/smaret
• Chosen field – AppSec / Digital Identity Security / Cyber Defense
Slide 4
Agenda
Slide 5
Web Service?
(diagram: a Consumer and a Provider exchanging XML, JSON, etc.)
Slide 6
A bit of history
• 1990: DCE/RPC – Distributed Computing Environment
• 1992: CORBA – Common Object Request Broker Architecture
• 1990-1993: Microsoft's DCOM – Distributed Component Object Model
• 1995: RMI – the Java world
• Leading to a standardisation (still in progress) of protocols, tools, languages and interfaces:
– SOAP
– REST
– Etc.
(diagram label: Web Service)
Slide 7
Typical Web Services environment
(figure) Source: Mastering Web Services Security / www.wiley.com
Slide 8
Agenda
Slide 9
SOAP: demystifying the technologies
• Languages
– XML
– WSDL: service descriptor
– UDDI: service directory
– XPath
• Protocols
– Transport: HTTP, HTTPS, SMTP, FTP, SMS, TFTP, SSH, etc. (TCP or UDP)
– Message: SOAP envelope
• Security
– WS-Security (signature & encryption)
• Other elements
– AuthN: SAML, X509, username & password, Kerberos, HTTP Digest, etc.
Slide 10
SOAP envelope
(figure)
- SOAP: Simple Object Access Protocol – enables sending XML messages
Source: Wikipedia
Slide 11
(figure: a SOAP request and the matching SOAP response)
Slide 12
UDDI
• Universal Description Discovery and Integration, also known by the acronym UDDI, is an XML-based directory of services, intended specifically for web services.
Slide 13
WSDL
• WSDL is an XML grammar for describing a web service.
• WSDL describes:
– the message format required to communicate with the service
– the methods the client can invoke
– the location of the service
– the communication protocol (SOAP RPC or message-oriented SOAP)
http://fr.wikipedia.org/wiki/Web_Services_Description_Language
Slide 14
WSDL
(figure) http://predic8.com/wsdl-reading.htm
Slide 15
WSDL: example
(figure)
Slide 16
SOAP: demystifying the protocols (layer stack)
Discovery: UDDI
Description: WSDL
Message: SOAP / XML
Protocol: HTTP, HTTPS, FTP, SFTP, SMS, SMTP (TCP or UDP)
Transport: IP
Slide 17
Agenda
Slide 18
REST: demystifying the technologies
• Languages
– XML
– JSON
– XHTML, HTML, PDF... as data formats
• Protocols
– HTTP(S), addressed through a URL
– Communication method (GET, POST, PUT, DELETE)
• Security
– Transport security (SSL/TLS)
– Message security: HMAC / Doseta / JWS, etc. (like XML Signature)
• Other elements
– OAuth, API keys, etc.
Slide 19
REST representation (JSON example)
(figure)
Slide 20
REST methods
(figure)
Slide 21
REST: demystifying the protocols (layer stack)
Discovery: ???
Description: WADL, Swagger ***
Message: XML, JSON, etc.
Protocol: HTTP, HTTPS
Transport: TCP/IP
*** Cutting-edge!
Slide 22
Example
(figure)
Slide 23
Example Twitter (OAuth)
(figure)
Slide 24
(figure only)
Slide 25
SOAP vs REST
(figure)
Slide 26
Agenda
Slide 27
(figure: data flow diagram) http://fr.wikipedia.org/wiki/Diagramme_de_flux_de_donn%C3%A9es
Slide 28
(figure only)
Slide 29
STRIDE model
https://www.owasp.org/index.php/Application_Threat_Modeling
Slide 30
Threats - Acme SA DFD
• Threat 1 – Message interception (Information disclosure)
– Message modification (Tampering)
– Identity spoofing (Spoofing)
• Threat 2 – Attack on the application
• BoF
• Injection
• DoS & DDoS
• Etc.
Slide 31
Agenda
Slide 32
ACME SA: risk reduction?
• Transport encryption
• AuthN
• SSL Mutual AuthN / X509
• WAF / XML Gateway
• Message integrity and confidentiality
• Secure Coding
Slide 33
Transport encryption
SOAP / XML: HTTPS, SSL/TLS tunnel, SSH, IPSEC, etc.
REST: HTTPS
Slide 34
AuthN
SOAP / XML: HTTP Basic, Digest, HTTP Header, Mutual SSL, IP trust, WS-Security username/password, WS SAML authentication token, XML Signature, Kerberos, etc.
REST: HTTP Basic, Digest, HTTP Header, Mutual SSL, IP trust, OAuth, API keys, JSON Web Token (JWT)
Slide 35
SSL Mutual AuthN / X509 / PKI
SOAP / XML: SSL/TLS Mutual AuthN**
REST: SSL/TLS Mutual AuthN**
** Man in the middle not possible… (as far as I know)
Slide 36
WAF / XML Gateway (perimeter protection)
SOAP / XML: Reverse proxy, HTTP request inspection, SSL/TLS termination, black list, white list, WSDL validation, signature & verification, encryption & decryption, SAML
REST: Reverse proxy, HTTP request inspection, SSL/TLS termination, black list, white list
Slide 37
Message integrity and confidentiality
SOAP / XML: XML Signature, XML Encryption
REST:
• (e.g. HMAC, Doseta)
• JSON Web Signature (JWS) – Draft v7
• JSON Web Encryption
** No encryption, as far as I know
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-07
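The REST message-security bullets of the deck (slide 18's "HMAC / JWS" and the JWS draft cited on slide 37) describe signing the JSON message itself rather than relying on TLS alone. The Python below is an added example, not code from the talk nor from the JOSE draft: it implements HMAC-SHA256 (HS256) over the JWS compact serialization, `base64url(header).base64url(payload).base64url(signature)`, for a constructed REST order payload, and shows the verifier pinning the algorithm instead of trusting the token's own `alg` header. The shared key, the payload and the function names are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret: in practice provisioned out of band to consumer and provider.
SHARED_KEY = b"constructed-shared-secret-for-the-example"


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Consumer side: produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8")))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def jws_verify(token: str, key: bytes) -> Optional[dict]:
    """Provider side: return the payload only if the HS256 tag verifies, otherwise None.

    The verifier fixes the algorithm itself; it never lets the header choose it, so a
    token that claims "none" or any other alg is rejected before the tag is even checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:        # bad base64 (binascii.Error), bad UTF-8 and bad JSON all land here
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    order = {"order_id": 42, "amount": 100, "currency": "CHF"}   # constructed REST payload
    token = jws_sign(order, SHARED_KEY)
    print(token)
    print(jws_verify(token, SHARED_KEY))     # the order dict
    print(jws_verify(token, b"wrong-key"))   # None
```

HS256 gives integrity and origin authentication between the two parties that share the key, which is exactly the "like XML Signature" role slide 18 assigns to HMAC/JWS; it does not give non-repudiation (either holder of the key can produce a valid tag) and it does not hide the payload, which is the JSON Web Encryption column of slide 37.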
Slide 38
Example XML Signature (SOAP)
(figure)
Slide 39
Example JSON "Signature"
(figure)
Slide 40
Code security
SOAP / XML and REST (the same list applies to both):
- Data input validation
- Data output encoding
- Pseudorandom data generation, high entropy
- Strong / reliable data encryption algorithms
- Data leakage prevention
- Robust error & exception handling
- Anti-automation and expiration measures
OWASP Application Security Verification Standard (ASVS): https://www.owasp.org/index.php/ASVS
WASC web application weaknesses: http://projects.webappsec.org/w/page/13246978/Threat%20Classification
Slide 41
Agenda
Slide 42
Conclusion
• SOAP:
– Implement the security-related WS-* standards?
– Put application-level filtering in place (WAF, XML GW)
– Complex to implement (PKI, secure coding, cryptography, etc.)
– Architecture with strong security constraints
• REST:
– Put application-level filtering in place (WAF, XML GW)
– Fast and easy implementation; the current trend
– Cloud, intranet, social login architectures, etc.
– Emerging standards (JSON Web Algorithms)
• Eagerly awaiting the security standards for REST???
– Pragmatic approach: perimeter protection, encryption and secure coding???
Slide 43
Perimeter approach vs WS-Security?
(figure)
Slide 44
Questions?
Slide 45
Thanks / Thank you!
Contact:
@smaret
http://www.maret-consulting.ch
Slides: http://slideshare.net/ASF-WS/
Slide 46
Backup Slides
By Sylvain Maret
Slide 47
(figure only)
Slide 48
SoapBox
(figure)
Slide 49
HTTP capture
(figure)
Slide 50
Signing the message
(figure)
Slide 51
Signing the message
(figure)