<soapenv:Body>
  <pci:getCreditCard soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <id xsi:type="xsd:string">1 or 1=1</id>
  </pci:getCreditCard>
</soapenv:Body>
Yes, the same old 1 or 1=1, exactly as in the old HTML/ASP days. The pci namespace points to the webgoat.owasp.org test application, which is open to such a direct approach. You might think that your application is far better protected than the OWASP WebGoat application (which is, in fact, deliberately insecure). We hope so, but let's not jump to conclusions right away. All we know from the preceding code is that the SOAP message can carry the SQL injection directly. There are three classes of SQL injection: Inband, Out-of-band, and Inferential. The difference is how you get the response (if you ever get it). If the result comes back in the response itself, that's Inband, and in the SOA world it's the most common. What if you disable the error handler, block all responses, return nothing, and redirect everything to a 404 page? Are you safe then? Sorry, fellow architect, the answer is no. Jumping ahead, an Inferential (Blind) SQL injection is the hardest technique to pull off, but it still does the trick. The following is a simplified modification of the previous code example:
<id xsi:type="xsd:string">id=1; if not(select system_user)<>'sa' waitfor delay '0:0:10'</id>
So, what we are actually asking is what privileges your service account has on the underlying database. If it is the MS SQL system administrator (sa), please return your "unbreakable" 404 page after a 10-second delay; otherwise return it immediately. One way or another, we will get the answer; it just takes a little longer.
All these attacks are so common and effective that there are plenty of tools supporting most of the attack types. First, to find the victim (an entity service, potentially backed by a DB), the public Seekda web service search engine or WSindex can be used. For official UDDI crawling of public services, http://www.soapclient.com/uddisearch.html is useful. To probe and test the targeted service, SoapUI is amazingly good (you can try it against WebGoat first). However, if someone wants command-line tools to fire constructed SOAP messages with injections, then SOAPClient4XG (Java), cURL, and SOAP::Lite