Test environment


Building a test environment for penetration tests with WS-Attacker

Introduction

WS-Attacks.org provides information about a large number of web service specific attacks. In addition to the presented information you might want to execute the attacks yourself in order to fully understand how they work (and why they work). In this guide we will show you how to build your own test environment allowing you to attack sample web services using “WS-Attacker”.

WS-Attacker is a tool for automatic penetration tests of web services. It is built as a modular framework which can be extended with attack plugins. It comes with multiple plugins representing different attack types. For example, WS-Attacker can be used to test if a web service is vulnerable to XML Signature Wrapping, SOAPAction Spoofing and different Denial-of-Service attacks.

First we will tell you which software is required in order to follow the later steps of this guide, then we will show you how to install/set up four widely used web service frameworks and how to build and deploy some sample services for these frameworks. These sample web services are located at this Github repository: SOAP Test Web Services. In the last step we will explain how to build WS-Attacker from source and give you links to tutorials that explain how to use WS-Attacker.

Requirements

In this guide we will use Windows Server 2012 R2 as the operating system because one of the web service frameworks used in later steps is part of the Windows-exclusive .NET Framework. We recommend building your test environment on a Windows operating system as well if you want to test web services built with the .NET Framework. Nevertheless, a test environment can be built on a Linux machine if you want to focus on the other three frameworks, which are all based on Java. If you want to use a Linux machine you need to modify the file paths and find out how to set environment variables yourself. In both cases we recommend using a virtual machine as the base for your test environment.


First we need to “install” some software that is needed in later steps of this guide:

Note: We assume Java SDK (8 or newer) and the .NET Framework (4.6.2 or newer) are already installed on your system.

  1. Apache Ant: Download the latest binary release from here and extract the contents of the zip file to “C:\Ant”.
  2. Apache Maven: Download the latest binary release from here and extract the contents of the zip file to “C:\Maven”.
  3. Apache Tomcat: Download the latest stable binary “Core” release zip from here and extract the contents of the zip file to “C:\Tomcat”. Note: At the time this guide was written the latest stable release was 8.5.x. There will be stable releases of version 9.0 in the future.
  4. Create new environment variables pointing to the installation folders and modify the environment variable “PATH”. This can be done via the command line or via a GUI:
    1. Command line: Open a command line with administrator rights and execute the following commands:
      • setx -m ANT_HOME "C:\Ant"
      • setx -m M2_HOME "C:\Maven"
      • setx -m JAVA_HOME "C:\Program Files\Java\jdk1.8.0_101" Note: You need to modify this value according to the correct path of your JDK installation!
      • setx -m CATALINA_HOME "C:\Tomcat"
      • setx -m PATH "%M2_HOME%\bin;%JAVA_HOME%\bin;%ANT_HOME%\bin;%PATH%"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “ANT_HOME” and the value “C:\Ant”. Create another variable with the name “M2_HOME” and the value “C:\Maven”. Create another variable with the name “JAVA_HOME” and the value “C:\Program Files\Java\jdk1.8.0_101”. Note: You need to modify this value according to the correct path of your JDK installation! Create another variable with the name “CATALINA_HOME” and the value “C:\Tomcat”. Select the variable “PATH” (sometimes named “Path”) from the “System variables” list and click on “Edit…”, then add “%M2_HOME%\bin;%JAVA_HOME%\bin;%ANT_HOME%\bin;” at the beginning of the present value. Make sure that there are not two semicolons next to each other. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
  5. In both cases you need to reboot your system in order to activate the created environment variables.

Installation of the web service frameworks

In the following chapter we will describe how to install the three Java-based web service frameworks “Apache Axis2”, “Apache CXF” and “Metro”. As mentioned before, the fourth web service framework used in this guide is part of the .NET Framework, which should already be installed. The web services used later in this guide are built for the 4.6.2 version of the .NET Framework. Make sure you have installed this (or a newer) version.

If you only want to test web services with one or two of the frameworks you can easily skip the frameworks you don't want to use. In case you want to conduct penetration tests of web services built with the .NET Framework only, you can skip this whole chapter.

Apache Axis2

  1. Download the latest binary release from here and extract the contents of the zip file to “C:\Frameworks\Axis2”.
  2. Set an environment variable pointing to the installation folder. This can be done via the command line or via a GUI: (In both cases you need to reboot your system in order to make the changes take effect.)
    1. Command line: Open a command line with administrator rights and execute the following command:
      • setx -m AXIS2_HOME "C:\Frameworks\Axis2"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “AXIS2_HOME” and the value “C:\Frameworks\Axis2”. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
  3. Download the latest binary release of “Apache Rampart” from the project's website and extract the contents of the zip file to any folder (for example “C:\Rampart”).
  4. Copy the two *.mar files from the folder “modules” to “C:\Frameworks\Axis2\repository\modules”. Copy the *.jar files from the folder “lib” to “C:\Frameworks\Axis2\lib”.

Apache CXF

  1. Download the latest binary release from here and extract the contents of the zip file to “C:\Frameworks\CXF”.
  2. Set an environment variable pointing to the installation folder and modify the variables “PATH” and “CLASSPATH”. This can be done via the command line or via a GUI: (In both cases you need to reboot your system in order to make the changes take effect.)
    1. Command line: Open a command line with administrator rights and execute the following commands:
      • setx -m CXF_HOME "C:\Frameworks\CXF"
      • setx -m PATH "%CXF_HOME%\bin;%PATH%"
      • setx -m CLASSPATH ".;%CXF_HOME%\lib\cxf-manifest.jar;.\build\classes;%CLASSPATH%"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “CXF_HOME” and the value “C:\Frameworks\CXF”. Select the variable “PATH” (sometimes named “Path”) from the “System variables” list and click on “Edit…”, then add “%CXF_HOME%\bin;” at the beginning of the present value. Select the variable “CLASSPATH” from the “System variables” list and click on “Edit…”, then add “.;%CXF_HOME%\lib\cxf-manifest.jar;.\build\classes;” at the beginning of the present value. If the variable “CLASSPATH” is not present in the list, create it. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.

Metro

  1. Download the latest release from here and extract the contents of the zip file to “C:\Frameworks\Metro”.
  2. Copy the four files “webservices-rt.jar”, “webservices-tools.jar”, “webservices-extra.jar” and “webservices-extra-api.jar” from “C:\Frameworks\Metro\lib” to the Tomcat lib folder (“C:\Tomcat\lib”).
  3. Copy the “webservices-api.jar” file from “C:\Frameworks\Metro\lib” to “C:\Tomcat\endorsed”. If the folder “endorsed” does not exist, create it.
  4. Set an environment variable pointing to the installation folder. This can be done via the command line or via a GUI: (In both cases you need to reboot your system in order to make the changes take effect.)
    1. Command line: Open a command line with administrator rights and execute the following command:
      • setx -m METRO_HOME "C:\Frameworks\Metro"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “METRO_HOME” and the value “C:\Frameworks\Metro”. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.


If you have not done this before, reboot your system in order to activate the created environment variables.

Building and deploying sample web services

After the web service frameworks and all other required programs are installed it is time to build some test web services that can be attacked with WS-Attacker.

Note: Most of the web service frameworks come with sample web services. Nevertheless, we will use our own small test services because some attacks that can be executed with WS-Attacker are not applicable to the existing sample web services.

The test web services we will build use different WS-Security configurations. There are 8 different configurations, however some web services can't be built with all frameworks:

  1. "1": This web service doesn't use any features to secure the messages. It provides two different functions to make it possible to execute the "SOAPAction Spoofing" attack. It also is the base for all other web services.
  2. "Enc": This web service is based on the first one and makes use of encryption. The first child element of the SOAP-Body is encrypted.
  3. "Sign": This web service adds a signature to the first web service. The signed element is the SOAP-Body.
  4. "TS": This web service makes use of timestamps to "prevent" replay attacks. Note: The timestamps are not signed so that they can be easily manipulated.
  5. "Enc+Sign": This web service is the combination of the web services 2 and 3. First the first child element of the SOAP-Body is encrypted, then the SOAP-Body is signed.
  6. "Enc+TS": This web service is the combination of the web services 2 and 4. The first child element of the SOAP-Body is encrypted and a timestamp is added to the message. Note: The timestamps are not signed so that they can be easily manipulated.
  7. "TS+Sign": This web service is the combination of the web services 3 and 4. First a timestamp is added to the message, then the SOAP-Body and the timestamp are signed.
  8. "Enc+TS+Sign": This web service is the combination of the web services 2, 3 and 4. The first child element of the SOAP-Body is encrypted and a timestamp is added to the message. Afterwards the SOAP-Body and the timestamp are signed.

All web services make use of the SOAPAction parameter and have WS-Addressing support.


Due to the fact that Axis2, CXF and Metro are all based on Java it is possible to reuse parts of a service built for one of the frameworks for the other frameworks. The web services which use the .NET Framework are written in C# (or Visual Basic) and therefore need to be developed independently.

First we download public-/private-key pairs which are needed to communicate with some web services. Then we will download the source code of a few CXF, Axis2, Metro and WCF web services and compile them. Afterwards we will deploy/start the web services.

Again, if you don't want to use all frameworks you can skip the sections about the frameworks you don't want.

Public-/private-key pairs

Before we start to build sample web services with the four web service frameworks we need to download a public-/private-key pair for both the service and the client. We will use the same key pairs for all the sample services of all frameworks.

Head over to the “Release” section of the Github Repository and download the “certificates-3.0.0.zip” file. Extract the contents of this file to “C:\Keystores”.

The .jks files are “Java Keystores” which are needed if you want to send messages to the web services manually using “SoapUI”. The two .p12 files are certificates which need to be imported into the Windows certificate store to be accessible for the WCF web services. In order to import the certificates into the Windows certificate store you need to double click them and follow the instructions. Make sure to choose the “Store Location” “Local Machine” and the “Certificate store” “Personal”. Both the .jks and the .p12 files are secured by passwords. You can find the required passwords in the “passwords.txt” file which is also included in the “certificates-1.0.0.zip” file.


If you don't want to compile the web services yourself, you can skip the next sections. You can download binary versions of the web services in the “Release” section of the Github Repository. Extract the downloaded zip files to “C:\Webservices”. The web services of the Axis2, CXF and Metro framework are packed in .war archives. You can deploy these .war files by following the instructions in section “Starting the web services”. The web services of the WCF framework are served with one console application which can be started by simply executing the “WCF.exe” file.

Downloading the source code

Head over to the Github Repository and download the source code of the web services as a zip file. Extract the contents of the downloaded zip file to “C:\Webservices”.

Building the web services

To build the downloaded web services you need to open a command line.


Apache CXF: Navigate to the folder of the web services (“C:\Webservices\CXF”) and execute the command: mvn clean install

This will create a “target” folder and a “CXF.war” file within this folder.


Metro: Navigate to the folder of the first Metro web service (“C:\Webservices\Metro\Metro-1”) and build it by executing the following command: ant clean server

Ant will build the web service, create a “war” file and copy that “war” file automatically to Tomcat's “webapps” folder.

Repeat these steps for all 8 Metro web services.


Apache Axis2: Navigate to the folder of the first Axis2 web service (“C:\Webservices\Axis2\Axis2-1”) and build it by executing the following command: ant

Ant will build the web service, create an “aar” file and copy that “aar” file automatically to the “repository” folder of the Axis2 framework.

Repeat these steps for all 7 Axis2 web services.

Afterwards navigate to “C:\Frameworks\Axis2\webapp” and execute the following command: ant create.war

This will pack the Axis2 framework and all web services that were built before into a “war” file.


WCF: In order to build the WCF web services you need to download and install “Visual Studio”. Open Visual Studio and click on “File”, “Open”, “Project/Solution…”. Navigate to the folder “C:\Webservices\WCF” and select the “WCF1.sln” file.

Afterwards click on “Build” and select “Build Solution”.

Starting the web services

The web services of the CXF, Metro and Axis2 framework can be deployed with Apache Tomcat:

  • Apache CXF: Copy the “CXF.war” file from “C:\Webservices\CXF\target” to “C:\Tomcat\webapps”.
  • Metro: As mentioned before the war files are automatically copied to “C:\Tomcat\webapps” during the build process.
  • Apache Axis2: Copy the “axis2.war” file from “C:\Frameworks\Axis2\dist” to “C:\Tomcat\webapps”.

If you downloaded the binary versions of the web services from the release section of the Github Repository you need to copy all .war files from the “C:\Webservices” folder to the “C:\Tomcat\webapps” folder in order to deploy the Axis2, CXF and Metro web services with Tomcat.


Start Tomcat by opening a command line and executing the following command: (including the quotation marks)

"%CATALINA_HOME%\bin\startup.bat"

The Tomcat server might need a couple of minutes to finish the first startup process. If an alert from the Windows firewall pops up, allow it.

Afterwards you can check if the services are deployed correctly by opening a web browser and entering one of the following URLs:

http://localhost:8080/CXF/1/?wsdl

http://localhost:8080/metro-1/?wsdl

http://localhost:8080/axis2/services/axis2-1?wsdl


WCF: The compiled WCF web services are served with a console application. This console application is in the folder “C:\Webservices\WCF\WCF1\bin\Debug”. Start the web services by executing the “WCF.exe”. You will need administrator rights.

If you downloaded the binary versions of the WCF web services from the release section of the Github Repository the “WCF.exe” file should be in the “C:\Webservices\WCF” folder.

Invoking the web services

If everything works correctly the web services are available on the following addresses: (Depending on your Tomcat configuration the used port for Axis2, CXF and Metro might be different.)

(x = 1, enc, ts, sign, encts, encsign, tssign, enctssign)

Axis2: http://localhost:8080/axis2/services/axis2-x?wsdl

CXF: http://localhost:8080/CXF/x/?wsdl

Metro: http://localhost:8080/metro-x/?wsdl

WCF:

Testing a sample service with WS-Attacker

After we installed the web service frameworks and built sample web services for them, the last thing we need to do before the tests can start is to build the tool WS-Attacker from source:

  1. First we need to download the WS-Attacker source code from the Github repository: WS-Attacker source code
  2. Extract the contents of the zip file to any folder, for example “C:\WS-Attacker”.
  3. Open a command line window and navigate to “C:\WS-Attacker”. Build WS-Attacker by executing the following command: mvn clean package -DskipTests
  4. Run WS-Attacker by executing the following commands:
    • cd runnable
    • java -jar WS-Attacker-1.8-SNAPSHOT.jar

If you don't want to build WS-Attacker yourself, you can download the binaries of an older version from here. In this older version there are some attack plugins missing (XML Encryption Attack, DoS Compression Attack).

Now that we have set up sample web services and built WS-Attacker, we are finally ready to execute a couple of attacks against the web services.

There are already two good tutorials that explain how to use WS-Attacker, both written by developers of WS-Attacker.

The first one written by Christian Mainka explains how to configure and use the XML Signature Wrapping Plugin in order to test if a web service is vulnerable to this type of attack.

The second one written by Juraj Somorovsky explains the XML Encryption attack plugin and shows how to attack a web service that uses XML Encryption.

In addition to these two tutorials there also exists a documentation of an older version of WS-Attacker which explains the use of some of the plugins: WS-Attacker Documentation

In order to start a penetration test with WS-Attacker you need a sample request for the web service you want to test. If you want to test a WCF web service, you can obtain a request by capturing the network traffic (for example using Wireshark with Npcap to sniff on the local interface of a Windows machine) while executing the client for the web service. The WCF clients can be started by executing the .exe file in the corresponding folder. For example, the client for the WCF-TSSign web service can be started by executing the “ClientTSSign.exe” from the “C:\Webservices\WCF\Client-TSSign\bin\Debug” folder. If you downloaded the binary version instead of building the web services yourself, the “ClientTSSign.exe” will be located in the “C:\Webservices\WCF” folder.

If you want to test an Axis2, CXF or Metro web service, you can obtain a request by using “SoapUI”. Preconfigured SoapUI projects can be found in the folder “C:\Webservices\SoapUI Projects” if you downloaded the source code of the web services. Otherwise you can download the SoapUI projects from the “Release” section of the Github Repository.

Start SoapUI, click “File”, select “Import Project” and select the project file for the web service you want to test.

Note: SoapUI comes with an old and buggy version of the “Apache XML Security for Java” library. If you want to test a web service that uses encryption you need to replace this library. Download the newer version of the library from here, extract the zip file and copy the “xmlsec-1.5.8.jar” file to the SoapUI lib folder (“C:\Program Files\SmartBear\SoapUI-5.2.1\lib”). Delete the existing “xmlsec-1.4.5.jar”.

Note: You should restart Tomcat/the console application after you tested one web service, before you start to test another one.

If you want to execute Denial of Service attacks against the sample web services, you have to keep in mind that the payload can't be placed everywhere WS-Attacker tries to place it. For example, placing the payload inside of a signed element results in an invalid signature and the web service will reject the message. You can find xml files containing messages with the allowed injection places for some of the web services in the Github Repository of the sample web services. If you downloaded the source code and built the web services yourself, you can find the xml files in “C:\Webservices\DoS Testmessages”.
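
The difference between configurations such as “TS” and “TS+Sign”, and the reason a payload inside a signed element makes the service reject the message, both come down to which elements the signature references. The following Python code is an added example, not part of WS-Attacker or the sample web services; it reports whether the SOAP-Body and the WS-Security timestamp of a message are referenced by a ds:Signature. The sample messages and the IDs “Body-1” and “TS-1” are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = WSS + "secext-1.0.xsd", WSS + "utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def element_id(elem):
    """Return the wsu:Id (or unqualified Id) attribute of an element, if any."""
    return elem.get(f"{{{WSU}}}Id") or elem.get("Id")


def signature_coverage(soap_xml):
    """Report whether Body and Timestamp are referenced by a ds:Signature.

    Structural check only: no signature value is verified. Meant for messages
    captured in your own lab; ElementTree is not hardened against hostile XML.
    """
    root = ET.fromstring(soap_xml)
    soap = root.tag[1:].split("}")[0]
    if soap not in SOAP_NS or root.tag != f"{{{soap}}}Envelope":
        raise ValueError("not a SOAP envelope")
    # IDs named by same-document ds:Reference URIs ("#id").
    referenced = {ref.get("URI")[1:] for ref in root.iter(f"{{{DS}}}Reference")
                  if ref.get("URI", "").startswith("#")}
    # An ID used more than once is ambiguous: the signature may cover a different
    # element than the one the service processes, so it never counts as signed.
    counts = Counter(i for i in map(element_id, root.iter()) if i)
    report = {"duplicate_ids": sorted(i for i, n in counts.items() if n > 1)}
    # Resolve targets by position (where the service reads them), not by ID.
    targets = {
        "Body": root.find(f"{{{soap}}}Body"),
        "Timestamp": root.find(
            f"{{{soap}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp"),
    }
    for name, elem in targets.items():
        if elem is None:
            report[name] = "absent"
        else:
            eid = element_id(elem)
            signed = eid in referenced and counts[eid] == 1
            report[name] = "signed" if signed else "unsigned"
    return report


def sample_message(signed_ids, with_timestamp=True):
    """Build a constructed test message; IDs and payload are made up."""
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in signed_ids)
    sig = (f"<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>"
           if refs else "")
    ts = ('<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2016-01-01T00:00:00Z'
          "</wsu:Created></wsu:Timestamp>") if with_timestamp else ""
    return (f'<s:Envelope xmlns:s="{SOAP_NS[0]}" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:ds="{DS}"><s:Header><wsse:Security>{ts}{sig}'
            f'</wsse:Security></s:Header><s:Body wsu:Id="Body-1"><op/></s:Body>'
            "</s:Envelope>")


if __name__ == "__main__":
    for label, ids, ts in [("TS", [], True), ("Sign", ["Body-1"], False),
                           ("TS+Sign", ["Body-1", "TS-1"], True)]:
        print(label, signature_coverage(sample_message(ids, ts)))
```

Anything inside an element reported as “signed” cannot be changed without invalidating the signature, while an “unsigned” timestamp can be altered without the service noticing.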