Starling stars FlowEye intrusion-Explanation of WebService application Vulnerabilities

Source: Internet
Author: User


WebService is a branch of Web application technology that can carry out anything from simple requests to complex business processing. Once deployed, other WebService applications can discover and call the services an application exposes. WebService technology lets applications running on different machines exchange data or integrate with each other without additional, specialized third-party software or hardware, which is why many distributed, modular applications and service-oriented application integrations adopt it.

However, the openness and cross-platform convenience that WebService technology provides also create security risks for users. When an intruder successfully breaks into an application by exploiting a WebService vulnerability, traditional security protection methods have little effect. Starling's FlowEye product is a leading product in the intrusion analysis field and is very intuitive and effective at discovering such intrusions. In the following example, FlowEye found that hackers used a WebService interface to obtain data illegally from a user's network. It is imperative to pay attention to WebService interface security.

On March 7, 2016, an alarm event was generated in the Starling FlowEye system deployed on the user's network. On the overall alarm page, an isolated alarm message attracted special attention. According to the alarm information, an IP address from Urumqi, Xinjiang Uygur Autonomous Region (43.224.52.23) had made illegal accesses to port 7013 of the Intranet IP address XX.XXX.XX.134, and the traffic reached 3.394 MB. See Figure 1:

Figure 1

This alarm immediately attracted the attention of the security administrator. The security administrator then examined the alarm information and found that, during the period from 10:09:19 to 10:10:25, the remote IP address had made four accesses to the Intranet server, as shown in Figure 2:

Figure 2

The administrator then looked at the details of each access:

1st access:

The hacker called a WebService method, searchversionForPlat, at the internal address http://XXX.XXX.XX.XXX:7013/handtask/services/DocsInfoService. The request content is:

The server finally returned access success and carried the following download link in the returned string: http://XXX.XXX.XX.235:7013/handtask/apk/zsyw66.apk, as shown in Figure 3:

Figure 3

2nd access:

The hacker directly accessed http://XXX.XXX.XX.XXX:7013/handtask/apk/zsyw66.apk, but the access was forcibly interrupted by the system, as shown in Figure 4.

Figure 4

3rd access:

Apparently the hacker did not give up, and continued to try to access http://XXX.XXX.XX.XXX:7013/handtask/apk/zsyw66.apk. This access generated m of traffic, and the APK was downloaded by the hacker.

4th access:

This time the hacker called another method at another internal address. The system returned access success together with a string of encrypted information, as shown in Figure 5:

Figure 5

At this point the administrator had all the details of the incident, which can be reconstructed in full as follows:

To facilitate the daily work of O&M personnel, the user had developed a set of handheld apps, and the IP address XX.XXX.XX.134 was the server of the handheld APP system. According to the company's management requirements, a terminal must be authenticated before the handheld APP client can be installed and used on it. However, for some reason, two WebService interfaces were available to the handheld APP client, one unencrypted and the other encrypted. The hacker used the unencrypted WebService interface to obtain the installation package of the APP client without APP server authentication, and then, by comparing the information returned by the encrypted WebService interface with the information returned by the unencrypted interface, obtained the key of the encrypted interface.

The security administrator thus detected not only a WebService application interface vulnerability in the handheld APP system, but also a security vulnerability in the APP system's client authentication.
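As an added illustration (not FlowEye's logic or the user's code), the correlation below reconstructs the incident timeline from constructed flow records: it groups accesses per (external source, internal server) pair on the WebService port, and raises an alert when a call to a /services/ method is followed by a successful /apk/ download and the session's traffic crosses a size threshold. The Intranet range, port 7013 and the log format are assumptions for the example.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

INTRANET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
SERVICE_PORT = 7013                            # WebService port named in the write-up

# Constructed flow/HTTP records modelled on the four accesses in the write-up
# (documentation-range source IP, illustrative byte counts; not FlowEye output).
FLOW_LOG = """\
2016-03-07 10:09:19 203.0.113.23 10.0.0.134 7013 POST http://10.0.0.134:7013/handtask/services/DocsInfoService 200 2100
2016-03-07 10:09:40 203.0.113.23 10.0.0.134 7013 GET http://10.0.0.134:7013/handtask/apk/zsyw66.apk RST 8800
2016-03-07 10:09:58 203.0.113.23 10.0.0.134 7013 GET http://10.0.0.134:7013/handtask/apk/zsyw66.apk 200 3381300
2016-03-07 10:10:25 203.0.113.23 10.0.0.134 7013 POST http://10.0.0.134:7013/handtask/services/DocsInfoService 200 1800
2016-03-07 10:11:02 10.0.0.77 10.0.0.134 7013 POST http://10.0.0.134:7013/handtask/services/DocsInfoService 200 2000
"""


def parse_flows(text):
    """Parse one whitespace-separated record per line into dicts."""
    records = []
    for line in text.splitlines():
        day, clock, src, dst, port, method, url, status, nbytes = line.split()
        records.append({"time": datetime.fromisoformat(f"{day} {clock}"), "src": src,
                        "dst": dst, "port": int(port), "method": method,
                        "path": urlsplit(url).path, "status": status, "bytes": int(nbytes)})
    return records


def external_webservice_alerts(records, threshold_bytes=1_000_000):
    """Alert on external sources that call an internal /services/ method and then
    successfully fetch an artifact under /apk/ over the same WebService port."""
    sessions = {}
    for r in records:
        if ipaddress.ip_address(r["src"]) in INTRANET or r["port"] != SERVICE_PORT:
            continue  # internal callers and other ports are out of scope here
        sessions.setdefault((r["src"], r["dst"]), []).append(r)
    alerts = []
    for (src, dst), flows in sessions.items():
        service_calls = [f for f in flows if "/services/" in f["path"]]
        downloads = [f for f in flows if "/apk/" in f["path"] and f["status"] == "200"]
        total = sum(f["bytes"] for f in flows)
        if service_calls and downloads and total >= threshold_bytes:
            alerts.append({"src": src, "dst": dst, "accesses": len(flows),
                           "first": flows[0]["time"].strftime("%H:%M:%S"),
                           "last": flows[-1]["time"].strftime("%H:%M:%S"),
                           "total_mb": round(total / 1_000_000, 3),
                           "artifact": downloads[0]["path"]})
    return alerts
```

The interrupted second access (status RST) still counts toward the session's access count and bytes, but only the completed download satisfies the alert condition.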

Conclusion:

The Starling FlowEye system monitors for illegal communication. It helps users detect intrusions in real time, quickly locate the IP addresses of Intranet hosts that have been infiltrated, analyze the specific course of an intrusion, and identify the risk points of the business system. FlowEye is a very effective security product in the field of intrusion analysis.
