Protect XML Web services from hackers [Part I]

web|xml| attacks protect XML Web services from hacker attacks [Part I] [] second part]
Matt Powell
Microsoft Corporation
September 5, 2001 Brief Introduction
In the process of talking to developers about the future of XML Web services, we learned that one of their biggest concerns was that the fear of weaknesses in the software might make the service vulnerable to malicious users. This can be said to be both bad news and good news. It is bad news because attacks can lead to limited availability of services, private data leaks and, worse, control of the computer into the hands of these malicious users. It's good news because you can get some real protection to reduce the risk of these attacks. We will describe the types of attacks that have occurred and how you can protect your efforts in the areas of deployment, design, and development. The first column in this topic will focus on the issues that should be considered during deployment, and the next column will cover design and development issues that need to be noticed when developing XML Web services. type of attack
To find out where the risk is and how to avoid it, the first step should be to understand the type of attack that the service might suffer. Once you understand the types of problems you may encounter, you can take appropriate steps to mitigate the risks associated with these problems.
Attacks can usually be grouped into three broad categories:

• Deceive
• Exploit errors
• Denial of Service

Deceive

On a system that requires authentication, one of the most common hacker attacks is to work out a user's authentication certificate, log in to that user, and then access the user's information. This is bad, but the risk is greater if the compromised certificate belongs to a system administrator or someone else with higher privileges. Because, in this case, the attack may not be limited to disclosing the data of a single user, but also the possibility of leaking all user data.
Hackers may use several methods to determine a user's password. For example, try words that make sense to the user, such as the user's name, his or her pet's name, or his or her birthday. More persistent hackers will even try every word in the dictionary (dictionary attack). Other ways to obtain certificate information include: Capturing network packets and reading the information in the sent data; by DNS spoofing, inserting a malicious computer as an intermediary between the client and the server; pretending to be a system administrator, requiring the user to give his or her certificate on the basis of troubleshooting; or to record a logon handshake with the server , and then repeat the process to try to authenticate.
You can mitigate most of the risks posed by spoofing by taking measures such as enforcing a stronger password and using secure authentication mechanisms.

Exploit errors

One of the key factors determining system vulnerabilities is the quality of code running on that system. System errors are not limited to causing a particular thread to appear unexpectedly. Hackers can exploit these vulnerabilities to execute their own code on the system, access resources with higher privileges, or exploit resource vulnerabilities (caused by errors) that could potentially cause the system to slow down or become unavailable. One of the best-known examples of this attack is the Red Code worm, which exploits the error in the Index Server ISAPI extension, executes the code it chooses on the infected system, and then continues to look for other vulnerable computers.
Another common attack is the error of using the validity assumptions of the input data. For example, an XML Web Service expects a user name to enter as a parameter. If you assume that a user name contains only an ASCII string, and therefore puts it directly into your SQL query, you may have a serious weakness in your service. For example, suppose you have a SQL query in your code, as follows:

SQLQuery = "SELECT * from Users WHERE (username= '" & Usernameinput & ")

If the Usernameinput parameter contains exactly the contents shown below

Bob ') or not (username= ' 0

Then your service may return all records, not just a specific user's record.

Denial of Service

The purpose of a denial of service attack is not to break into a site, or to change its data, but to make the site unable to serve legitimate requests. The Red code worm not only infects computers, it then looks for and infects other computers, and it sends a large number of packets to the official White House Web site by infected computers. Because thousands of of computers are infected, the number of requests to the White House Web site is extremely high. Because the red Code worm causes requests from a large number of computers, it is considered a "distributed denial of service attack". With so many computers involved, this attack is extremely difficult to limit.
A denial of service request can take many forms, because pseudo requests can be sent over multiple levels to attack your system. For example, your site might allow users to PING your IP address so that ICMP messages are sent to your server and then returned. This is an effective way to troubleshoot connection failures. However, if hundreds of computers send thousands of packets to your server at the same time, you will find that your computer is busy processing PING requests and cannot get CPU time to handle other normal requests.
A slightly higher level is the SYN attack, which requires the writing of a low-level network program that looks like the first packet (SYN packet) in the TCP connection handshake. This attack is more damaging than a ping request attack because you can ignore it if necessary for a ping request, but for a SYN attack, whenever an application listens on a TCP port (such as a WEB server), you will need to spend resources whenever you receive a seemingly valid connection request.
The highest level of denial of service attacks can render a form of sending multiple, essentially valid SOAP requests to the XML Web service, which causes the database to begin the lookup operation. The database lookup may take a long time. Therefore, if thousands of such requests are sent to the server every second, the WEB server and back-end database server that receives the request becomes very busy. Also, this will make your service unable to process other requests in a timely manner.
If you have code that contains errors on your computer, it is easier to deny a service attack. For example, if a Web service is put into use, there is an error: when a particular type of error occurs, a message box is displayed that the hacker can use to send a relatively small number of requests to your computer so that the message box is displayed. This locks all thread processing requests and therefore effectively prevents others from accessing your service. Deployment Issues
So far, we've covered several different types of attacks, so what can we do about these hateful attacks? There is good news that you can take a number of ways to protect your services, and that these protections are mostly simple. Let's first take a look at the types of protection that you can implement simply by controlling the configuration methods of the WEB server and back-end servers.
Many important safeguards should be taken to ensure that your WEB server is not compromised by attacks, including some well-known measures, such as ensuring that you have the latest security updates. The most important steps in self-protection measures are listed below. Many of these steps are not specifically targeted at managed Web services, but are applicable to all Web server managed content.

Installing security Updates

First, make sure you have the latest updates to avoid attacks by the red Code worm. You can find a description of the installation update and a link to the download patch in installing the patch that stops the Code Red worm (English).
Repairs to the Red Code worm and other fixes are eventually included in Microsoft®windows®2000 's next service pack and are resolved in MICROSOFT®WINDOWS®XP.
The bigger question, of course, is how to avoid other potential weaknesses and protect yourself from future problems that may arise. For information about Microsoft product security issues, you can subscribe to the Microsoft Security Notification list. For any new issues that arise, subscribers will be notified by e-mail. For instructions on how to subscribe, see the Product Security Notification Web page.

Restricting visitors to a WEB server

If you are concerned about an attack, especially if your XML Web service contains private information, you should limit the legitimate user's access to your site. This can be accomplished in a number of ways, but the following are several ways to prevent hackers from accessing your XML Web service.

1. Authenticate users by using HTTP authentication, and then qualify which resources they can access. How to configure authentication: Right-click the Web site, virtual directory, or individual file in Internet Services Manager, select Properties from the pop-up menu, go to the Directory Security tab, and click the Edit button under Anonymous access and authentication control.
2. Qualify the IP address that can access your WEB server. If you have some legitimate users who can use your site, you can only allow those users to access your Web site at a specific IP address. You can also qualify certain IP address ranges with access rights or deny access to an IP address or range of IP addresses. You can even qualify a domain name, but it may take a long time to find a domain name on an IP address that is connected to your computer. To modify the IP address restrictions: Go to the Directory Security tab mentioned in step 1, and click the Edit button under IP address and domain name restrictions. Figure 1 shows the IP address and Domain Name Restrictions dialog box, which restricts access to three specific IP addresses.

Figure 1: Setting the Web site's IP address restrictions

1. Requires a Secure Sockets Layer (SSL) connection with the client certificate. This may be the safest way to authenticate users who are accessing your site. The SSL restrictions are also set under secure communications on the Directory Security tab.

Configure the router to allow only access that meets the requirements

The router is your firewall. It can block a large number of illegal requests sent to your computer. Most popular routers can restrict access to specific TCP ports, so you can only allow incoming requests from port 80 (the default HTTP port). This prevents anyone outside the firewall from attempting to connect to any other service on your computer. Be careful when you open ports for other services. You can easily open a port from a Terminal Services client to connect to your WEB server for remote administration. But then, anyone can try to connect to your computer through a Terminal Server connection. Even if a hacker doesn't know a valid username and password, you can still run out of resources on your computer by creating multiple sessions that display only the login screen at the same time.
Routers are also an important tool to use when filtering out illegal packets that might run out of your computer's resources. For a clearly problematic packet, simply discard it (most routers will automatically perform this function). However, many routers now have the ability to detect, for example, TCP SYN packets, which lie that they are sent from an IP address, but this is not the case. By enabling this protection, you can avoid the SYN attacks mentioned earlier in denial of service attacks.
Also, keep in mind that firewall restrictions only affect traffic at the firewall. This seems obvious, but suppose you purchased a T1 line from your Internet service provider (ISP) and placed a router with a secure configuration on the end of your T1 line. If the ISP is unable to enable illegal SYN request detection on their routers, then their routers may be subject to a SYN attack, potentially denying services on the other end of your T1 line, and the end result is effectively cutting access to your site.
Consider a more complex environment where multiple routers are placed at both ends of a particular connection, and because each router is vulnerable to attack, it may affect the service of legitimate users of your site. To list the routers that the packets will pass to your server, use TRACERT. EXE utility.

Configure TCP/IP filtering to limit the ports that accept connections

If you do not have a router as a firewall, or if you cannot manage your own router for any reason, you can effectively make your own computer a firewall by restricting the type of incoming connections that your computer will receive. In Windows 2000, click the Start button, select Settings, select Network and dial-up connections, right-click the network card that is connected to the Internet, and then select Properties. Select Internet Protocol (TCP/IP), click the Properties button, click the Advanced button, and go to the Options tab. Select TCP/IP filtering, and then click the Properties button. A dialog box appears as shown in Figure 2. You can restrict the ports in the dialog box that will accept the connection. In the example shown in Figure 2, the limit is allowed for HTTP and HTTPS connections only on ports 80 and 443.

Figure 2: Configuring TCP/IP Filtering

Remove unnecessary services and software

The more software you run on your computer, the more likely you are to be attacked, especially when you are running a service as a user with a higher privilege. If your computer is running Web services specifically and the Web service is independent of other services, you should disable some other services on your computer, including the FTP service, the SMTP service, and Windows services such as Terminal Services clients.
You should also limit the number of software that can be run or accessed over the Internet information Server. Make sure that only the virtual sites and directories you need are configured. First, you should remove the administration Web site. Second, you should also delete the IISSamples virtual directory. Similarly, if your computer is running a WEB service specifically, you should delete any other virtual directories.
Even for virtual directories that already have some software installed, it's important to figure out which software is available for access to your Web site. In Internet Services Manager, right-clicking a site or virtual directory, selecting Properties from the menu that appears, selecting the Virtual Directory tab, and then clicking the Configure button will appear with the Application Mappings tab, which lists the different ISAPI extensions or CGI All extensions associated with the application. If you are not using these extensions, remove them from the list ... The IDQ file has an error in the Index Server extension itself, and the red code worm exploits this error. If you are making this change at the virtual site level, you do not need to do this for each virtual directory that you create.

Using the Microsoft Internet information Server Security Checklist

Microsoft has created a security checklist for Internet information Server 4.0, which mentions additional security issues, in addition to all the security issues I have mentioned in this article. Use this checklist to ensure that you have at least considered all the security options. Although you may not be running Internet Information Server 4.0 (version 5.0 is a release with Windows 20,001), most of the steps in this article still apply, and for future Internet information serv Er version, also still applicable. You can find this checklist from the Microsoft Internet information Server 4.0 Security Checklist (English). Summary
Depending on your computer and network configuration, there are a variety of protection measures that you should take to protect your WEB server from hackers. In the next column, we'll examine the issues that developers and designers need to be aware of when creating their XML Web service, and continue to explore ways to protect your XML Web service from hacker attacks.


At Your Service
Matt Powellis a member of the MSDN architectural Samples team, who helped develop the latest SOAP Toolkit 1.0. Matt's other achievements include co-author of the book "Running Microsoft Internet Information Server" published by Microsoft Press and a large number of articles for various magazines. He has a happy family, is his daily attachment to the place.