WCF and Information Disclosure Threats
Anil John writes about Information Disclosure Threats and Web Services. In his article he delves into the details of how potential attackers use to prepare their attacks and how some common web service practices ‘support’ these threats.
Anil speaks of “pre-operational surveillance”, which is classified as “Information Disclosure Threats” in the IT world. He examines two possible threats in detail:
- SOAP Fault Error Messages
- WSDL Scanning/Foot-Printing/Enumeration
On SOAP Fault Error Messages he says that
… the favorite tactic of attackers is to try to deliberately cause an exception or fault in a web service in the hope that sensitive information such as connection strings, stack traces and other information may end up in the SOAP fault.
Anil provides two countermeasures, first he refers to “the 'Exception Shielding Pattern' as noted in the Patterns & Practices Book 'Web Service Security' [Free PDF Version]” and in the ‘WCF Security Guide’ [Free PDF Version]. He points out that alternatively you can “use a hardware device like a XML Security Gateway”, and says that he has “direct experience with Layer 7 as well as Cisco/Reactivity Gateways and happen to know that they support this functionality”.
Steve Loughran, formerly of the Apache Axis team, comments that
Apache Axis defaults to not sending full stack traces over the wire […]. You don't need to by extra XML security hardware just to lock down the basics of an endpoint.
He also refers to the Axis security guide.
Regarding the second threat, Metadata publishing, Anil states:
The type of information found in a WSDL, and which can be obtained simply by appending a ?WSDL to the end of a service endpoint URL, can be an extremely useful source of info for an attacker seeking to exploit a weakness in a service, and as such should not be provided or simply turned off.
If metadata publishing is turned off, how do clients know how to address/invoke web services? According to Anil a possible solution is to incorporate an “Enterprise Registry/Repository that has the appropriate Access Control Mechanisms on it” and refrain from “automatic generation of WSDL” by “following a contract-first approach”.
- enforcing SSL,
- exposing a Metadata Exchange (MEX) endpoint by developing a custom binding that implements IMetadataExchange and incorporates the full WCF security feature set (the standard mex* bindings don’t support security), or
- allowing consumers “to retrieve metadata from a WCF service […] via WMI”.
Roy Rapoport Aug 28, 2014