Test environment: Difference between revisions

From WS-Attacks
(This guide is under construction.)
 
(Added Introduction, Requirements and Installation of the web service frameworks)
Line 1: Line 1:
This guide is under construction.
'''Building a test environment for penetration tests with WS-Attacker'''
 
== Introduction ==
WS-Attacks.org provides information about a large number of web service specific attacks. In addition to the presented information you might want to execute the attacks yourself in order to fully understand how they work ''(and why they work)''. In this guide we will show you how to build your own test environment allowing you to attack sample web services using “WS-Attacker”.
 
[https://github.com/RUB-NDS/WS-Attacker/ WS-Attacker] is a tool for automatic penetration tests of web services. It is built as a modular framework which can be extended with attack plugins. It comes with multiple plugins representing different attack types. For example, WS-Attacker can be used to test if a web service is vulnerable to [http://ws-attacks.org/XML_Signature_Wrapping XML Signature Wrapping], [http://ws-attacks.org/SOAPAction_Spoofing SOAPAction Spoofing] and different Denial-of-Service attacks.
 
First we will tell you which software is required in order to follow the later steps of this guide, then we will show you how to install/set up four widely used web service frameworks and how to build and deploy some sample services for these frameworks. These sample web services are located at this Github repository: [https://github.com/RUB-NDS/SOAP-Test-Webservices SOAP Test Web Services] In the last step we will explain how to build WS-Attacker from source and give you links to tutorials that explain how to use WS-Attacker.
 
== Requirements ==
In this guide we will use Windows Server 2012 R2 as the operation system because one of the web service frameworks used in later steps is part of the Windows-exclusive .NET Framework. We recommend to build your test environment based on a Windows operation System as well if you want to test web services built with the .NET Framework. Nevertheless, a test environment can be built on a Linux machine if you want to focus on the other three frameworks, which are all based on Java. If you want to use a Linux machine you need to modify the file paths and find out how to set environment variables yourself. In both cases we recommend to use a virtual machine as the base for your test environment.
 
 
First we need to “install” some software that is needed in later steps of this guide:
 
''Note: We assume [http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html Java SDK] (8 or newer) and the [https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/ .NET Framework] (4.6.2 or newer) are already installed on your system.''
# Apache '''Ant''': Download the latest binary release from [http://ant.apache.org/bindownload.cgi here] and extract the contents of the zip file to “C:\Ant”.
# Apache '''Maven''': Download the latest binary release from [https://maven.apache.org/download.cgi here] and extract the contents of the zip file to “C:\Maven”.
# Apache '''Tomcat''': Download the latest stable binary “Core” release zip from [http://tomcat.apache.org/download-80.cgi here] and extract the contents of the zip file to “C:\Tomcat”. ''Note: At the time this guide was written the latest stable release was 8.5.x. There will be stable releases of version 9.0 in the future.''
# Create new environment variables pointing to the installation folders and modify the environment variable “PATH”. This can be done via the <u>command line</u> or via a <u>GUI</u>:
## <u>Command line</u>: Open a command line with administrator rights and execute the following commands:
##* setx -m ANT_HOME "C:\Ant"
##* setx -m M2_HOME "C:\Maven"
##* setx -m JAVA_HOME "C:\Program Files\Java\jdk1.8.0_101" ''Note: You need to modify this value according to the correct path of your JDK installation!''
##* setx -m CATALINA_HOME "C:\Tomcat"
##* setx -m PATH "%M2_HOME%\bin; %JAVA_HOME%\bin;%ANT_HOME%\bin;%PATH%"
## <u>GUI</u>: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “ANT_HOME” and the value “C:\Ant”. Create another variable with the name “M2_HOME” and the value “C:\Maven”. Create another variable with the name “JAVA_HOME” and the value “C:\Program Files\Java\jdk1.8.0_101”. ''Note: You need to modify this value according to the correct path of your JDK installation!'' Create another variable with the name “CATALINA_HOME” and the value “C:\Tomcat”. Select the variable “PATH” ''(sometimes named ''“Path”'')'' from the “System variables” list and click on “Edit…”, then add “%M2_HOME%\bin; %JAVA_HOME%\bin;%ANT_HOME%\bin;” at the beginning of the present value. Make sure that there are not two semicolons next to each other. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
# In both cases you need to reboot your system in order to activate the created environment variables.
 
== Installation of the web service frameworks ==
In the following chapter we will describe how to install the three Java-based web service frameworks “[http://ws-attacks.org/index.php?title=Test_environment#Apache_Axis2 Apache Axis2]”, “[http://ws-attacks.org/index.php?title=Test_environment#Apache_CXF Apache CXF]” and “[http://ws-attacks.org/index.php?title=Test_environment#Metro Metro]”. As mentioned before the fourth web service framework used in this guide is part of the .NET Framework which should already be installed. The later used web services are built for the [https://www.microsoft.com/en-us/download/confirmation.aspx?id=53321 4.6.2 version] of the .NET Framework. Make sure you have installed this (or a newer) version.
 
If you only want to test web services with one or two of the frameworks you can easily skip the frameworks you don´t want to use. In case you want to conduct penetration tests of web services built with the .NET Framework only, you can skip this whole chapter.
 
=== Apache Axis2 ===
# Download the latest binary release from [http://axis.apache.org/axis2/java/core/download.html here] and extract the contents of the zip file to “C:\Frameworks\Axis2”.
# Set an environment variable pointing to the installation folder. This can be done via the <u>command line</u> or via a <u>GUI</u>: ''(In both cases you need to reboot your system in order to make the changes take effect.)''
## <u>Command line</u>: Open a command line with administrator rights and execute the following command:
##* setx -m AXIS2_HOME "C:\Frameworks\Axis2"
## <u>GUI</u>: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “AXIS2_HOME” and the value “C:\Frameworks\Axis2”. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
# Download the latest binary release of “Apache Rampart” from the [https://axis.apache.org/axis2/java/rampart/download.html project`s website] and extract the contents of the zip file to any folder. ''(for example C:\Rampart)''
# Copy the two <nowiki>*.mar</nowiki> files from the folder “modules” to “C:\Frameworks\Axis2\repository\modules”. Copy the <nowiki>*.jar</nowiki> files from the folder “lib” to “C:\Frameworks\Axis2\lib”.
 
=== Apache CXF ===
# Download the latest binary release from [http://cxf.apache.org/download.html here] and extract the contents of the zip file to “C:\Frameworks\CXF”.
# Set an environment variable pointing to the installation folder and modify the variables “PATH” and “CLASSPATH”. This can be done via the <u>command line</u> or via a <u>GUI</u>: ''(In both cases you need to reboot your system in order to make the changes take effect.)''
## <u>Command line</u>: Open a command line with administrator rights and execute the following commands:
##* setx -m CXF_HOME "C:\Frameworks\CXF"
##* setx -m PATH "%CXF_HOME%\bin;%PATH%"
##* setx -m CLASSPATH ".;%CXF_HOME%\lib\cxf-manifest.jar;.\build\classes;%CLASSPATH%"
## <u>GUI</u>: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “CXF_HOME” and the value “C:\Frameworks\CXF”. Select the variable “PATH” ''(sometimes named ''“Path”'')'' from the “System variables” list and click on “Edit…”, then add “"%CXF_HOME%\bin;” at the beginning of the present value. Select the variable “CLASSPATH” from the “System variables” list and click on “Edit…”, then add “.;%CXF_HOME%\lib\cxf-manifest.jar;.\build\classes;” at the beginning of the present value. If the variable “CLASSPATH” is not present in the list, create it. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
 
=== Metro ===
# Download the latest release from [https://metro.java.net/latest/download.html here] and extract the contents of the zip file to “C:\Frameworks\Metro”.
# Copy the four files “webservices-rt.jar”, “webservices-tools.jar”, “webservices-extra.jar” and “webservices-extra-api.jar” from “C:\Frameworks\Metro\lib” to the Tomcat lib folder (“C:\Tomcat\lib”).
# Copy the “webservices-api.jar” file from “C:\Frameworks\Metro\lib” to “C:\Tomcat\endorsed”. If the folder “endorsed” does not exist, create it.
# Set an environment variable pointing to the installation folder. This can be done via the <u>command line</u> or via a <u>GUI</u>: ''(In both cases you need to reboot your system in order to make the changes take effect.)''
## <u>Command line</u>: Open a command line with administrator rights and execute the following command:
##* setx -m METRO_HOME "C:\Frameworks\Metro"
## <u>GUI</u>: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “METRO_HOME” and the value “C:\Frameworks\Metro”. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
 
 
If you have not done this before, reboot your system in order to activate the created environment variables.
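Review bot: The two setx -m PATH lines (Requirements step 4 and the Apache CXF step) end in %PATH%, so they write the whole PATH of the current command prompt back as the system PATH. In a command prompt that value is the system and user entries combined, and setx truncates stored values longer than 1024 characters. Suggest pointing readers to the GUI route for PATH, or stating the length limit next to the command. In the same Requirements line, %M2_HOME%, %JAVA_HOME% and %ANT_HOME% are not yet defined in the window that has just run setx, because setx only affects new sessions. Smaller points: the PATH value has a space after the first semicolon (%M2_HOME%\bin; %JAVA_HOME%\bin), the CXF GUI step asks the reader to add "%CXF_HOME%\bin; with a stray leading quote, and the Apache download steps do not ask the reader to verify the checksums or signatures published with the releases.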

Revision as of 12:58, 7 October 2016

Building a test environment for penetration tests with WS-Attacker

Introduction

WS-Attacks.org provides information about a large number of web service specific attacks. In addition to the presented information you might want to execute the attacks yourself in order to fully understand how they work (and why they work). In this guide we will show you how to build your own test environment allowing you to attack sample web services using “WS-Attacker”.

WS-Attacker is a tool for automatic penetration tests of web services. It is built as a modular framework which can be extended with attack plugins. It comes with multiple plugins representing different attack types. For example, WS-Attacker can be used to test if a web service is vulnerable to XML Signature Wrapping, SOAPAction Spoofing and different Denial-of-Service attacks.

First we will tell you which software is required in order to follow the later steps of this guide, then we will show you how to install and set up four widely used web service frameworks and how to build and deploy some sample services for these frameworks. These sample web services are located in this GitHub repository: SOAP Test Web Services. In the last step we will explain how to build WS-Attacker from source and give you links to tutorials that explain how to use WS-Attacker.

Requirements

In this guide we will use Windows Server 2012 R2 as the operating system because one of the web service frameworks used in later steps is part of the Windows-exclusive .NET Framework. We recommend building your test environment on a Windows operating system as well if you want to test web services built with the .NET Framework. Nevertheless, a test environment can be built on a Linux machine if you want to focus on the other three frameworks, which are all based on Java. If you want to use a Linux machine you need to modify the file paths and find out how to set environment variables yourself. In both cases we recommend using a virtual machine as the base for your test environment.


First we need to “install” some software that is needed in later steps of this guide:

Note: We assume Java SDK (8 or newer) and the .NET Framework (4.6.2 or newer) are already installed on your system.

  1. Apache Ant: Download the latest binary release from here and extract the contents of the zip file to “C:\Ant”.
  2. Apache Maven: Download the latest binary release from here and extract the contents of the zip file to “C:\Maven”.
  3. Apache Tomcat: Download the latest stable binary “Core” release zip from here and extract the contents of the zip file to “C:\Tomcat”. Note: At the time this guide was written the latest stable release was 8.5.x. There will be stable releases of version 9.0 in the future.
  4. Create new environment variables pointing to the installation folders and modify the environment variable “PATH”. This can be done via the command line or via a GUI:
    1. Command line: Open a command line with administrator rights and execute the following commands:
      • setx -m ANT_HOME "C:\Ant"
      • setx -m M2_HOME "C:\Maven"
      • setx -m JAVA_HOME "C:\Program Files\Java\jdk1.8.0_101" Note: You need to modify this value according to the correct path of your JDK installation!
      • setx -m CATALINA_HOME "C:\Tomcat"
      • setx -m PATH "%M2_HOME%\bin; %JAVA_HOME%\bin;%ANT_HOME%\bin;%PATH%"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “ANT_HOME” and the value “C:\Ant”. Create another variable with the name “M2_HOME” and the value “C:\Maven”. Create another variable with the name “JAVA_HOME” and the value “C:\Program Files\Java\jdk1.8.0_101”. Note: You need to modify this value according to the correct path of your JDK installation! Create another variable with the name “CATALINA_HOME” and the value “C:\Tomcat”. Select the variable “PATH” (sometimes named “Path”) from the “System variables” list and click on “Edit…”, then add “%M2_HOME%\bin; %JAVA_HOME%\bin;%ANT_HOME%\bin;” at the beginning of the present value. Make sure that there are not two semicolons next to each other. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
  5. In both cases you need to reboot your system in order to activate the created environment variables.

Installation of the web service frameworks

In the following chapter we will describe how to install the three Java-based web service frameworks “Apache Axis2”, “Apache CXF” and “Metro”. As mentioned before, the fourth web service framework used in this guide is part of the .NET Framework, which should already be installed. The web services used later are built for the 4.6.2 version of the .NET Framework. Make sure you have installed this (or a newer) version.

If you only want to test web services with one or two of the frameworks, you can skip the frameworks you don't want to use. If you want to conduct penetration tests only of web services built with the .NET Framework, you can skip this whole chapter.

Apache Axis2

  1. Download the latest binary release from here and extract the contents of the zip file to “C:\Frameworks\Axis2”.
  2. Set an environment variable pointing to the installation folder. This can be done via the command line or via a GUI: (In both cases you need to reboot your system in order to make the changes take effect.)
    1. Command line: Open a command line with administrator rights and execute the following command:
      • setx -m AXIS2_HOME "C:\Frameworks\Axis2"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “AXIS2_HOME” and the value “C:\Frameworks\Axis2”. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.
  3. Download the latest binary release of “Apache Rampart” from the project's website and extract the contents of the zip file to any folder (for example C:\Rampart).
  4. Copy the two *.mar files from the folder “modules” to “C:\Frameworks\Axis2\repository\modules”. Copy the *.jar files from the folder “lib” to “C:\Frameworks\Axis2\lib”.

Apache CXF

  1. Download the latest binary release from here and extract the contents of the zip file to “C:\Frameworks\CXF”.
  2. Set an environment variable pointing to the installation folder and modify the variables “PATH” and “CLASSPATH”. This can be done via the command line or via a GUI: (In both cases you need to reboot your system in order to make the changes take effect.)
    1. Command line: Open a command line with administrator rights and execute the following commands:
      • setx -m CXF_HOME "C:\Frameworks\CXF"
      • setx -m PATH "%CXF_HOME%\bin;%PATH%"
      • setx -m CLASSPATH ".;%CXF_HOME%\lib\cxf-manifest.jar;.\build\classes;%CLASSPATH%"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “CXF_HOME” and the value “C:\Frameworks\CXF”. Select the variable “PATH” (sometimes named “Path”) from the “System variables” list and click on “Edit…”, then add “%CXF_HOME%\bin;” at the beginning of the present value. Select the variable “CLASSPATH” from the “System variables” list and click on “Edit…”, then add “.;%CXF_HOME%\lib\cxf-manifest.jar;.\build\classes;” at the beginning of the present value. If the variable “CLASSPATH” is not present in the list, create it. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.

Metro

  1. Download the latest release from here and extract the contents of the zip file to “C:\Frameworks\Metro”.
  2. Copy the four files “webservices-rt.jar”, “webservices-tools.jar”, “webservices-extra.jar” and “webservices-extra-api.jar” from “C:\Frameworks\Metro\lib” to the Tomcat lib folder (“C:\Tomcat\lib”).
  3. Copy the “webservices-api.jar” file from “C:\Frameworks\Metro\lib” to “C:\Tomcat\endorsed”. If the folder “endorsed” does not exist, create it.
  4. Set an environment variable pointing to the installation folder. This can be done via the command line or via a GUI: (In both cases you need to reboot your system in order to make the changes take effect.)
    1. Command line: Open a command line with administrator rights and execute the following command:
      • setx -m METRO_HOME "C:\Frameworks\Metro"
    2. GUI: Press the Windows Button and search for “Edit the system environment variables”. Click on “Environment Variables…”. Click “New…” to create a new environment variable. Enter the name “METRO_HOME” and the value “C:\Frameworks\Metro”. Click “OK” to close the “Environment Variables” window and “OK” again to close the “System Properties” window.


If you have not already done so, reboot your system in order to activate the created environment variables.
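
The PowerShell script below checks the environment variables and file copies from the Requirements, Apache Axis2, Apache CXF and Metro steps. It is an added example, not part of the original guide or of WS-Attacker; it assumes the folder and file names used in the guide, the helper name Get-MachineVar is made up for this example, and the Rampart files are not checked.

```powershell
# Added example (not from the guide). Run in a new PowerShell window after the reboot.
$problems = New-Object System.Collections.Generic.List[string]
function Get-MachineVar([string]$Name) {   # hypothetical helper: reads a system variable
    [Environment]::GetEnvironmentVariable($Name, 'Machine')
}

# 1. Each *_HOME variable must be a system variable naming an existing folder.
$homeVars = 'ANT_HOME', 'M2_HOME', 'JAVA_HOME', 'CATALINA_HOME',
            'AXIS2_HOME', 'CXF_HOME', 'METRO_HOME'
foreach ($name in $homeVars) {
    $dir = Get-MachineVar $name
    if ([string]::IsNullOrWhiteSpace($dir)) {
        $problems.Add("$name is not set as a system variable")
    } elseif (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        $problems.Add("$name points to a missing folder: $dir")
    }
}

# 2. System PATH: no two semicolons in a row, no padded or quoted entries,
#    no unresolved %NAME% reference, and all four bin folders present.
$path = [string](Get-MachineVar 'Path')
if ($path -match ';\s*;') { $problems.Add('PATH has two semicolons in a row') }
$entries = @($path -split ';' | Where-Object { $_.Trim() -ne '' })
foreach ($entry in $entries) {
    if ($entry -ne $entry.Trim() -or $entry.Contains('"')) {
        $problems.Add("PATH entry has surrounding spaces or quotes: [$entry]")
    }
    if ($entry -match '%[^%;]+%') {
        $problems.Add("PATH entry has an unresolved reference: $entry")
    }
}
$clean = @($entries | ForEach-Object { $_.Trim().Trim('"').TrimEnd('\') })
foreach ($name in 'M2_HOME', 'JAVA_HOME', 'ANT_HOME', 'CXF_HOME') {
    $dir = Get-MachineVar $name
    if ($dir -and ($clean -notcontains (Join-Path $dir.TrimEnd('\') 'bin'))) {
        $problems.Add("PATH has no entry for $name\bin")
    }
}

# 3. CLASSPATH must name a cxf-manifest.jar that exists on disk.
$jar = [string](Get-MachineVar 'CLASSPATH') -split ';' |
    Where-Object { $_ -like '*cxf-manifest.jar' } | Select-Object -First 1
if (-not $jar) {
    $problems.Add('CLASSPATH has no cxf-manifest.jar entry')
} elseif (-not (Test-Path -LiteralPath $jar.Trim())) {
    $problems.Add("CLASSPATH points to a missing file: $jar")
}

# 4. Metro jars copied into Tomcat (file names from the Metro steps).
$tomcat = Get-MachineVar 'CATALINA_HOME'
$jars = 'lib\webservices-rt.jar', 'lib\webservices-tools.jar',
        'lib\webservices-extra.jar', 'lib\webservices-extra-api.jar',
        'endorsed\webservices-api.jar'
foreach ($rel in $jars) {
    if ($tomcat -and -not (Test-Path -LiteralPath (Join-Path $tomcat $rel))) {
        $problems.Add("Missing in Tomcat: $rel")
    }
}
if ($problems.Count) { $problems | ForEach-Object { "PROBLEM: $_" } } else { 'Setup looks complete.' }
```

Frameworks you chose to skip will be reported as missing; those lines can be ignored.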