Introduction to Web Services Security (SOAP vs REST)

Sylvain MARET, Principal Consultant / MARET Consulting, OpenID Switzerland & OWASP Switzerland
Application Security Forum - Western Switzerland 2012
7-8 November 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch

08.11.2012, Version 1.1 @smaret

Agenda
- What is a Web Service?
- SOAP
- REST
- Threat Modeling / ACME SA
- Risk reduction
- Conclusion
- Questions

Bio
- 18 years of experience in ICT security
- Principal Consultant at MARET Consulting
- Expert at the Engineering School of Yverdon
- Delegate for French-speaking Switzerland at OpenID Switzerland
- Co-founder of the Geneva Application Security Forum
- OWASP member
- Author of the blog "la Citadelle Electronique"
- http://ch.linkedin.com/in/smaret or @smaret
- http://www.slideshare.net/smaret

Chosen field
AppSec & Digital Identity Security


Web Service: the basics

Web Service?

Consumer <-- XML, JSON, etc. --> Provider

A bit of history
- 1990: DCE/RPC (Distributed Computing Environment)
- 1992: CORBA (Common Object Request Broker Architecture)
- 1990-1993: Microsoft's DCOM (Distributed Component Object Model)
- 1995: RMI (Java world)

Leading to a standardisation (still in progress) of protocols, tools, languages and interfaces:
- SOAP
- REST
- etc.

Web Service


SOAP vs REST?

SOAP: the ingredients

SOAP: demystifying the technologies

Languages
- XML
- WSDL: service descriptor
- UDDI: service directory

Protocols
- Transport: HTTP, HTTPS, SMTP, FTP, SMS, TFTP, SSH, etc. (TCP or UDP)
- Message: SOAP envelope

Security
- WS-Security (message signature & encryption)

Other elements
- AuthN: SAML, X.509, username & password, Kerberos, HTTP Digest, etc.

SOAP envelope
- SOAP: Simple Object Access Protocol
- Carries XML messages
- Agnostic of the transport: HTTP, HTTPS, FTP, etc.

Source: Wikipedia

SOAP request

SOAP response
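As an added worked example (not from the original slides): a Python helper for the exchange shown above. It builds a SOAP 1.1 request for a hypothetical ACME SA GetOrder operation in the constructed namespace urn:acme:orders, and parses the provider's response the way a hardened consumer or XML gateway should: size cap, no DTD or entity declarations (the XXE and entity-expansion vectors), exactly one payload element, and SOAP Faults turned into exceptions. The sample responses are constructed.

```python
"""Build a SOAP 1.1 request and parse the response defensively.

Added example; the service, namespace and messages are constructed for
illustration and are not part of the original slides.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ACME_NS = "urn:acme:orders"  # constructed namespace of the hypothetical ACME SA service
ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("acme", ACME_NS)


class SoapFault(Exception):
    def __init__(self, code, reason):
        super().__init__(f"{code}: {reason}")
        self.code, self.reason = code, reason


def build_request(operation, params, ns=ACME_NS):
    """Serialise soap:Envelope / soap:Body / ns:operation / one child per parameter.

    Values go through ElementTree, so a '<' in a parameter is emitted as '&lt;':
    the caller cannot inject markup into the envelope.
    """
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{ns}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text, max_bytes=64 * 1024):
    """Return the single result element from the Body, or raise.

    Checks a gateway would also apply: a size cap, and no DTD at all
    (external entities -> XXE, internal entities -> billion-laughs expansion).
    The substring test is deliberately crude and fails closed: a legitimate
    SOAP message never needs a DOCTYPE.
    """
    if len(xml_text) > max_bytes:
        raise ValueError("message too large")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("missing soap:Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:  # SOAP 1.1 fault children are unqualified elements
        raise SoapFault(fault.findtext("faultcode", ""), fault.findtext("faultstring", ""))
    children = list(body)
    if len(children) != 1:
        raise ValueError("expected exactly one element in soap:Body")
    return children[0]


def response_values(xml_text):
    """{local name: text} for the children of the result element."""
    return {c.tag.rpartition("}")[2]: (c.text or "") for c in parse_response(xml_text)}


# Constructed sample messages (what the provider might answer).
SAMPLE_OK = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOrderResponse xmlns="urn:acme:orders">
      <orderId>42</orderId><status>SHIPPED</status>
    </GetOrderResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault>
    <faultcode>soap:Client</faultcode><faultstring>Invalid orderId</faultstring>
  </soap:Fault></soap:Body>
</soap:Envelope>"""

SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><Ping>&xxe;</Ping></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_request("GetOrder", {"orderId": "42<evil/>"}))
    print(response_values(SAMPLE_OK))
```

Python's ElementTree does not resolve external entities on its own, but refusing any DOCTYPE up front is the portable rule (other parsers do resolve them), and it also shuts the internal-entity "billion laughs" expansion before the parser sees it.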

UDDI
Universal Description, Discovery and Integration (UDDI) is an XML-based service directory intended in particular for Web Services.

WSDL
WSDL is an XML grammar for describing a Web Service. A WSDL document describes:
- the message format required to communicate with the service
- the methods (operations) the client can invoke
- the location (endpoint address) of the service
- the communication protocol (SOAP RPC or document/message-oriented SOAP)
http://fr.wikipedia.org/wiki/Web_Services_Description_Language

WSDL
http://predic8.com/wsdl-reading.htm

WSDL: example
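Added example (not from the slides): parsing a constructed WSDL 1.1 for a hypothetical ACME SA order service to list endpoints, operations, input parameters and SOAPAction values, which is the first thing a reviewer or pentester does with a WSDL, plus two quick triage findings (cleartext endpoint; state-changing operations spotted by a naming heuristic).

```python
"""Enumerate what a WSDL 1.1 document exposes: endpoints, operations, SOAPAction.

Added example. The WSDL below is constructed for a hypothetical ACME SA
order service; it is not a document from the original slides.
"""
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSDL_SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="OrderService" targetNamespace="urn:acme:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:acme:orders" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:string"/></message>
  <message name="GetOrderResponse"><part name="status" type="xsd:string"/></message>
  <message name="DeleteOrderRequest"><part name="orderId" type="xsd:string"/></message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/><output message="tns:GetOrderResponse"/>
    </operation>
    <operation name="DeleteOrder"><input message="tns:DeleteOrderRequest"/></operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:acme:orders/GetOrder"/></operation>
    <operation name="DeleteOrder"><soap:operation soapAction="urn:acme:orders/DeleteOrder"/></operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="http://orders.acme.example/ws"/>
    </port>
  </service>
</definitions>"""


def enumerate_wsdl(wsdl_text):
    """Return {'endpoints': [...], 'operations': {name: {'params', 'one_way', 'soapAction'}}}."""
    if "<!DOCTYPE" in wsdl_text:  # a WSDL fetched from a target is untrusted input too
        raise ValueError("DTD not accepted")
    root = ET.fromstring(wsdl_text)
    messages = {
        m.get("name"): [p.get("name") for p in m.findall(f"{{{WSDL}}}part")]
        for m in root.findall(f"{{{WSDL}}}message")
    }
    ops = {}
    for port_type in root.findall(f"{{{WSDL}}}portType"):
        for op in port_type.findall(f"{{{WSDL}}}operation"):
            inp = op.find(f"{{{WSDL}}}input")
            msg = inp.get("message").rpartition(":")[2] if inp is not None else None
            ops[op.get("name")] = {
                "params": messages.get(msg, []),
                "one_way": op.find(f"{{{WSDL}}}output") is None,
                "soapAction": None,
            }
    for binding in root.findall(f"{{{WSDL}}}binding"):
        for op in binding.findall(f"{{{WSDL}}}operation"):
            soap_op = op.find(f"{{{WSDL_SOAP}}}operation")
            if op.get("name") in ops and soap_op is not None:
                ops[op.get("name")]["soapAction"] = soap_op.get("soapAction")
    endpoints = [a.get("location") for a in root.iter(f"{{{WSDL_SOAP}}}address")]
    return {"endpoints": endpoints, "operations": ops}


def review(summary):
    """Triage findings before any testing: cleartext endpoints and state-changing operations.

    The operation check is a naming heuristic only; read the portType to confirm.
    """
    findings = []
    for url in summary["endpoints"]:
        if url.lower().startswith("http://"):
            findings.append(f"cleartext endpoint: {url}")
    for name in summary["operations"]:
        if name.lower().startswith(("delete", "update", "set", "create")):
            findings.append(f"state-changing operation exposed: {name}")
    return findings


if __name__ == "__main__":
    summary = enumerate_wsdl(SAMPLE_WSDL)
    for name, info in summary["operations"].items():
        print(name, info)
    print(review(summary))
```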

SOAP: demystifying the protocols

Discovery: UDDI
Description: WSDL
Message: SOAP / XML
Protocol: HTTP, HTTPS, FTP, SFTP, SMS, SMTP (TCP or UDP)
Transport: IP


REST: the ingredients

REST: demystifying the technologies

Languages
- XML, JSON, XHTML, HTML, PDF... as data formats

Protocols
- HTTP(S)
- Resources addressed by URL
- Communication methods (verbs): GET, POST, PUT, DELETE

Security
- Transport security (SSL/TLS)
- Message security: HMAC & Doseta (comparable to XML Signature)

Other elements
- OAuth, API keys

REST representation (JSON example)

REST methods

REST: demystifying the protocols

Discovery: ??? (no standard equivalent of UDDI)
Description: WADL, Swagger ***
Message: XML, JSON, etc.
Protocol: HTTP, HTTPS
Transport: TCP/IP

*** Ahead of their time but little used

SOAP vs REST

Threat Modeling / ACME SA

Data flow diagram (DFD)
http://fr.wikipedia.org/wiki/Diagramme_de_flux_de_donn%C3%A9es

STRIDE model
https://www.owasp.org/index.php/Application_Threat_Modeling

Threats according to the ACME SA DFD

Threat 1
- Interception of messages (Information disclosure)
- Modification of messages (Tampering)
- Identity theft (Spoofing)

Threat 2: attack on the application
- Buffer overflow (BoF)
- Injection
- DoS & DDoS
- etc.


ACME SA: risk reduction?

- Transport encryption
- AuthN
- SSL mutual AuthN / X.509
- WAF / XML Gateway
- Message integrity and confidentiality
- Secure coding

Transport encryption
SOAP / XML: HTTPS, SSL/TLS tunnel, SSH, IPsec, etc.
REST: HTTPS

AuthN
SOAP / XML: HTTP Basic, Digest, HTTP header; mutual SSL; IP trust; WS-Security UsernameToken; WS-Security SAML authentication token; XML Signature; Kerberos; etc.
REST: HTTP Basic, Digest, HTTP header; mutual SSL; IP trust; OAuth; API keys

SSL mutual AuthN / X.509 / PKI

SOAP / XML: SSL/TLS mutual AuthN**
REST: SSL/TLS mutual AuthN**

** Man in the middle not possible, as far as I know, provided each side verifies the other's certificate against the trusted PKI
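Added configuration example with Python's standard ssl module (not from the slides): the provider context that requires a client certificate, the consumer context that verifies the provider, and the weak configuration that makes the man in the middle possible again. File paths are placeholders for the PKI material; loading is skipped when they are None so the contexts can be inspected without certificate files.

```python
"""TLS contexts for a Web Service endpoint: mutual authentication done right, and the anti-pattern.

Added example using the standard ssl module. Paths are constructed placeholders.
"""
import ssl

# Constructed placeholders; point them at the real PKI files in deployment.
SERVER_CERT = None   # e.g. "/etc/acme/ws/server.pem"
SERVER_KEY = None    # e.g. "/etc/acme/ws/server.key"
CLIENT_CA = None     # CA that issues the consumers' client certificates


def make_server_context(certfile=SERVER_CERT, keyfile=SERVER_KEY, cafile=CLIENT_CA):
    """Provider side: TLS >= 1.2, and the consumer MUST present a certificate chaining to CLIENT_CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION      # no TLS compression (CRIME-style leaks)
    ctx.verify_mode = ssl.CERT_REQUIRED       # mutual AuthN: no client certificate, no session
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_client_context(cafile=None, certfile=None, keyfile=None):
    """Consumer side: verify the provider's chain and hostname, present our own certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the client certificate for mutual AuthN
    return ctx


def make_weak_client_context():
    """The anti-pattern: verification off, so any man-in-the-middle certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx, server_side):
    """Return the list of weaknesses found in a context (an empty list passes)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not server_side and not ctx.check_hostname:
        problems.append("hostname not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS < 1.2 allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("TLS compression enabled")
    return problems


if __name__ == "__main__":
    print("server:", audit(make_server_context(), server_side=True))
    print("client:", audit(make_client_context(), server_side=False))
    print("weak client:", audit(make_weak_client_context(), server_side=False))
```

The server context with CERT_REQUIRED rejects the handshake itself when no client certificate chains to CLIENT_CA, so the application code never sees an unauthenticated consumer; the weak client context is what most "certificate verify failed" workarounds silently turn into.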

WAF / XML Gateway (perimeter protection)

SOAP / XML: reverse proxy; HTTP request control; SSL/TLS termination; black list; white list; WSDL (schema) validation of messages; signature & verification; encryption & decryption; SAML
REST: reverse proxy; HTTP request control; SSL/TLS termination; black list; white list

Message integrity and confidentiality

SOAP / XML: XML Signature, XML Encryption
REST: JSON signature (e.g. HMAC, Doseta)**

** No message-level encryption standard for JSON, to my knowledge
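Added example serving both the "message security: HMAC" entry under the REST ingredients and the message-integrity slide above (not from the slides): HMAC-SHA256 request signing for a hypothetical ACME SA REST resource. The signature binds method, path, timestamp, nonce and a hash of the body; the provider enforces a clock window, rejects replayed nonces and compares in constant time. Credentials, key id and the /orders resource are constructed.

```python
"""Integrity and authentication of a REST request with an HMAC over a canonical string.

Added example; API key, secret and the /orders resource are constructed for a
hypothetical ACME SA REST service. The scheme (key id + timestamp + nonce +
HMAC-SHA256 over method, path, time, nonce and body hash) is a common pattern,
not a standard from the slides.
"""
import hashlib
import hmac
import json
import secrets
import time

CLOCK_SKEW = 300  # seconds a request timestamp may drift from the verifier's clock
# Constructed credentials; a real provider keeps one secret per consumer in a vault.
KEYS = {"acme-client-7": b"constructed-shared-secret-change-me"}
_seen_nonces = {}  # nonce -> expiry; shared storage (e.g. a cache) in a real deployment


def canonical_string(method, path, timestamp, nonce, body):
    """Everything the signature must bind; the body is hashed so large payloads sign cheaply."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(method, path, body, key_id, secret, now=None, nonce=None):
    """Consumer side: return the headers to attach to the HTTP request."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, ts, nonce, body).encode(), hashlib.sha256)
    return {"X-Api-Key": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, keys=KEYS, now=None, seen=_seen_nonces):
    """Provider side: (accepted, reason). Fails closed on anything missing or malformed."""
    now = int(time.time() if now is None else now)
    try:
        key_id, nonce, sig = headers["X-Api-Key"], headers["X-Nonce"], headers["X-Signature"]
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    secret = keys.get(key_id)
    if secret is None:
        return False, "unknown key"
    if abs(now - ts) > CLOCK_SKEW:
        return False, "timestamp outside window"
    for n, expiry in list(seen.items()):  # forget nonces the time window already rejects
        if expiry < now:
            del seen[n]
    if nonce in seen:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body).encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), sig):  # constant-time comparison
        return False, "bad signature"
    seen[nonce] = ts + CLOCK_SKEW  # remember only nonces of accepted requests
    return True, "ok"


if __name__ == "__main__":
    body = json.dumps({"orderId": 42, "status": "CANCELLED"}).encode()
    hdrs = sign_request("PUT", "/orders/42", body, "acme-client-7", KEYS["acme-client-7"])
    print(verify_request("PUT", "/orders/42", body, hdrs))  # (True, 'ok')
    print(verify_request("PUT", "/orders/42", body, hdrs))  # (False, 'replayed nonce')
```

Changing the verb (PUT to DELETE), the path or one byte of the JSON body invalidates the signature, which is the tampering threat from the DFD; the nonce store covers replay, which plain TLS does not prevent once a request has been captured at the application layer. Confidentiality still has to come from the transport (HTTPS), as the slide says.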

Code security (same list for SOAP / XML and REST)
- Data input validation
- Data output encoding
- Pseudorandom data generation, high entropy
- Strong / reliable data encryption algorithms
- Data leakage prevention
- Robust error & exception handling
- Anti-automation and expiration measures

OWASP Application Security Verification Standard (ASVS): https://www.owasp.org/index.php/ASVS
WASC web application weaknesses: http://projects.webappsec.org/w/page/13246978/Threat%20Classification

REST & OAuth


Conclusion
SOAP:
- Implement the security-related WS-* standards
- Put application-level filtering in place (WAF, XML GW)
- Complex to implement (PKI, secure coding, cryptography, etc.)
- Architecture under strong security constraints

REST:
- Put application-level filtering in place (WAF, XML GW)
- Fast and easy to implement: the current trend
- Suited to cloud, intranet, social login, etc. architectures

Security standards for REST are still eagerly awaited?
Pragmatic approach: perimeter protection, encryption and secure coding?

To go further.

Questions?

Thank you!

Contact:
sma@maret-consulting.ch @smaret http://www.maret-consulting.ch
Slides: http://slideshare.net/ASF-WS/