Diploma Thesis - Mirko Richter - Facts

Content

General
Most important factors for Security
What endangers security?
Who attacks?
Denial of Service
Defective Parameters
Dictionary Attack
SQL Attack
Directory traversal Attack
URL string Attack

General

Most important factors for Security

Article found	Fact
Sicherheit [Eckert]	Ergebnisse einer Studie/Umfrage in 2002, 483 KMUs (Frauenhofer Institut für sichere Telekooperation) 88% - Sicherung des Netzwerkes 84% - Sicherheitsbewusstsein 82% - Zugriffsüberwachung 70% - Überwachung der Richtlinien 48% - Sicherheit ist Chefsache 48% - Sicherheitsbeauftragter 47% - Verschlüsselungsstrategie 39% - Browser-Konfiguration 36% - Finanzielle Ressourcen

What endangers security?

Article found	Fact
Sicherheit [Eckert]	Ergebnisse einer Studie/Umfrage in 2002, 483 KMUs (Frauenhofer Institut für sichere Telekooperation) 57% - Computer Viren 57% - Datenverlust 57% - Trojanische Pferde 48% - Unberechtigter Zugang 48% - Datendiebstahl 47% - Verlust der Systemintegrität 43% - Manipulation von Systemen 42% - Manipulation von Software 42% - Betrug 34% - Denial od Service-Attacken 23% - Verbreitung illegaler Inhalte

Article found

Fact

Sicherheit [Eckert]

Ergebnisse einer Studie/Umfrage in 2002, 483 KMUs (Frauenhofer Institut für sichere Telekooperation)

57% - Computer Viren
57% - Datenverlust
57% - Trojanische Pferde
48% - Unberechtigter Zugang
48% - Datendiebstahl
47% - Verlust der Systemintegrität
43% - Manipulation von Systemen
42% - Manipulation von Software
42% - Betrug
34% - Denial od Service-Attacken
23% - Verbreitung illegaler Inhalte

Who attacks?

Article found	Fact
Sicherheit [Eckert]	über 50% aller Angriffe durch Mitarbeiter sehr häufig: durch Nachlässigkeit, Unwissenheit der Benutzerund der Administratoren Hacker: versierter Spezialist Ziel: Lücken auffinden, warnen, selten Missbrauchsabsicht Cracker: versierter Spezialist i.d.R. mit Missbrauchsabsicht Ziel: Angriffe auf schlecht geschützte kleine Unternehmen,veraltete Systeme, Regierungsstellen Skript Kiddie: nutzt fertigte Exploits, wenige Kenntnisse, viel Zeitgroße Gefahr! Sehr großes Potential an Angreifern!

Article found

Fact

Sicherheit [Eckert]

über 50% aller Angriffe durch Mitarbeiter
sehr häufig: durch Nachlässigkeit, Unwissenheit der Benutzerund der Administratoren
Hacker: versierter Spezialist

Ziel: Lücken auffinden, warnen, selten Missbrauchsabsicht
Cracker: versierter Spezialist i.d.R. mit Missbrauchsabsicht

Ziel: Angriffe auf schlecht geschützte kleine Unternehmen,veraltete Systeme, Regierungsstellen
Skript Kiddie: nutzt fertigte Exploits, wenige Kenntnisse, viel Zeitgroße Gefahr! Sehr großes Potential an Angreifern!

Denial of Service

Article found	Fact
XML / SOAP Web Services Security [Mü02]	Abhängig von der Art des Web Services Daten sammeln XML-Nachrichten auswerten Mustererkennung

Defective Parameters

Article found Fact

Article found	Fact
XML / SOAP Web Services Security [Mü02]	ältere Systeme rechnen eventuell nicht mit falsch formatierten Eingaben Parameter angeben, die die Maximallänge überschreiten Wildcards oder Escape-Zeichen einbauen Werte und Attribute mittels XML Schemas prüfen
Web Service Security [On02]	Web Services present a new avenue of attack into the enterprise. Even so, some of the tactics are familiar: feeding unexpected data to an application in order to confuse it, or disable it. packet. Web Services present details of their interface in WSDL files, which effectively say, "Here are the details of the data that I expect." This invites a hacker to send it inappropriate data in order to see what happens. A WSDL file may contain the following line: `<xsd:element name="tickerSymbol" type="string"/>` This indicates that one of the parameters expected by the Web Service is a string, called "tickerSymbol." The options for a speculative attack on this Web Service would include sending it a number instead of a string, or sending it a very large string designed to overload the Web Service. It is important, therefore, that "sanity checks" are performed on incoming data directed to Web Services. This may take the form of checking SOAP parameters against an XML Schema. However, XML Schema validation is processor-intensive. In addition, certain portions of a SOAP message may be volatile, meaning that they change while in transit between the SOAP requester and the Web Service. Volatile portions of a SOAP message include the header, which may contain routing information that changes as the message is routed. Therefore, it is more appropriate to use XPath to narrow down the data validation to nonvolatile portions of the SOAP message.

XML / SOAP Web Services Security [Mü02]

ältere Systeme rechnen eventuell nicht mit falsch formatierten Eingaben
Parameter angeben, die die Maximallänge überschreiten
Wildcards oder Escape-Zeichen einbauen
Werte und Attribute mittels XML Schemas prüfen

Web Service Security [On02]

Web Services present a new avenue of attack into the enterprise. Even so, some of the tactics are familiar: feeding unexpected data to an application in order to confuse it, or disable it.

packet. Web Services present details of their interface in WSDL files, which effectively say, "Here are the details of the data that I expect." This invites a hacker to send it inappropriate data in order to see what happens. A WSDL file may contain the following line:

<xsd:element name="tickerSymbol" type="string"/>

This indicates that one of the parameters expected by the Web Service is a string, called "tickerSymbol." The options for a speculative attack on this Web Service would include sending it a number instead of a string, or sending it a very large string designed to overload the Web Service. It is important, therefore, that "sanity checks" are performed on incoming data directed to Web Services. This may take the form of checking SOAP parameters against an XML Schema. However, XML Schema validation is processor-intensive. In addition, certain portions of a SOAP message may be volatile, meaning that they change while in transit between the SOAP requester and the Web Service. Volatile portions of a SOAP message include the header, which may contain routing information that changes as the message is routed. Therefore, it is more appropriate to use XPath to narrow down the data validation to nonvolatile portions of the SOAP message.

Dictionary Attack

Article found	Fact
XML / SOAP Web Services Security [Mü02]	Verwendung von starken Passwörtern häufiges Wechseln

SQL Attack

Article found	Fact
Web Service Security [On02]	Inserting SQL statements into Web forms in order to force a database to return inappropriate data, or to produce an error that reveals database access information. For Web Services, this category of attack translates to manipulating data in a SOAP message to include SQL statements that will be interpreted by a back-end database.

Directory traversal Attack

Article found	Fact
Web Service Security [On02]	Attempts to bypass hyperlinks by attempting to directly access resources. For example: If a URL is http://www.example.com/documents/sales.htm, what happens if http://www.example.com/documents/ is requested? Does a directory called /test/ exist? For Web Services, this category of attack translates to attempting to detect other SOAP services which are not explicitly offered.

URL string Attack

Article found	Fact
Web Service Security [On02]	Manipulating CGI name/value pairs in the URL string; for example, changing "maxResults=10" to "maxResults=1000" to return more information from a database. For Web Services, this translates to circumventing the rules on SOAP parameters (for example, if a search SOAP service takes an integer between 1 and 10 as a SOAP parameter, what if the number 1000 is submitted?).

Project Documentation

Security Vulnerability Facts