Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Tuesday, June 24 • 09:00 - 13:00
Training room 6 - Security of XML-based Web Services and Single Sign-On


Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with soapUI) in order to get a feeling for how they work. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed.

Contents

The course will cover the following topics. In each topic, attendees will get the opportunity to carry out practical exercises using soapUI, WS-Attacker, or other applications:

• XML and SOAP-based Web Services
  • XML Schema and WS-Policy
  • WS-Addressing and WS-Addressing Spoofing
  • XML Parsing (DOM vs SAX)
  • XML-specific Denial-of-Service Attacks
  • XML Security and WS-Security
    ◦ Why not SSL/TLS?
  • XML Signature
    ◦ ID-based and XPath-based XML Signatures
    ◦ XML Signature Wrapping Attacks
  • XML Encryption
    ◦ Attacks on symmetric encryption
    ◦ Attacks on asymmetric encryption
  • WS-Attacker
  • SAML-based Single Sign-On
    ◦ Attacks

Requirements

  • A laptop with a recent version of VirtualBox (the virtual machine will be provided). VMware and other virtualization software should also work but cannot be supported.

Speakers

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker, and has published several papers on XML security related topics at scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based...

Juraj Somorovsky

Security Consultant, Hackmanit GmbH
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis “On the Insecurity of XML Security” he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He has presented his work at many scientific and industry conferences, including USENIX Security and OWASP Germany. Currently...


Tuesday June 24, 2014 09:00 - 13:00
LAB028