Attacking Web Services: The Next Generation of Vulnerable Apps

Presented at DEF CON 13 (2005), July 30, 2005, 11 a.m. (110 minutes).

Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack.  In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications. The speakers will also demonstrate some of the first publicly available tools for finding and penetrating web service enabled systems.

Presenters:

  • Alex Stamos - Founding Partner, Information Security Partners
    Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security organization, with several years experience in security and information technology.  Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught many classes in network and application security. Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake.  Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server. He was also one of @stake's West Coast trainers, educating select technical audiences in advanced network and application attacks. Before @stake, Alex had operational security responsibility over 50 Fortune-500 web applications. He has also worked at a DoE National Laboratory.He holds a BSEE from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.
  • Scott Stender
    Scott Stender is a founding partner of iSEC Partners, LLC, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft, where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications.  In this role, Scott drew on his technical expertise in platform internals, server infrastructure, and application security, combined with his understanding of effective software development processes to concurrently improve the reliability, performance, and security of a product running on millions of computers worldwide. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies.  Most recently, Scott was published in the January-February 2005 issue of IEEE Security & Privacy, where he co-authored a paper entitled "Software Penetration Testing". He holds a BS in Computer Engineering from the University of Notre Dame.

Links:

Similar Presentations: