Attacking WCF Web Services, presented at OWASP AppSec 2009

by Brian Holyfield

Tags: Security, Web, Others, Application Security


Summary: Let's face it, hacking a web service generally isn't rocket science. But what if the web service requires your message to be sent in a binary format instead of text XML? What if the web service requires message-level encryption but you don't have a key? These are just a few of the scenarios you are likely to encounter when attacking a web service built on Windows Communication Foundation (WCF), the new standard communications framework for .NET web services. WCF gives developers new transport and message-formatting options such as the net.tcp transport, binary message encoding, WS-Security and Message Transmission Optimization Mechanism (MTOM). These options render most common web service assessment utilities useless; given an understanding of how they work, however, the services behind them remain susceptible to the same familiar attacks. Through a series of live demonstrations, the presentation will show how to identify WCF web services on the wire, the communication protocols and message-formatting options WCF supports, and how to attack WCF web services using familiar black-box vectors.
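The two practical obstacles the abstract names, spotting a WCF service on the wire and reading a message that arrives as binary rather than XML, can both be handled with a small amount of code. The example below is added here and is not material from the talk or from Microsoft: it classifies an HTTP Content-Type into the encoding WCF's HTTP bindings announce (application/soap+msbin1 for binary message encoding, multipart/related with an application/xop+xml root part for MTOM, text/xml or application/soap+xml for text) and decodes the common records of the .NET Binary XML format (MC-NBFX) back into XML text so the message can be read and tampered with. The function names, the eight-entry subset of the static dictionary and the sample request bytes are constructed for the example; the sample is not captured traffic.

```python
"""Added example, not from the talk: identify a WCF encoding and decode MC-NBFX to XML."""
import struct
from xml.sax.saxutils import escape

# Leading entries of the MC-NBFX static dictionary (index -> string). A static
# string is referenced by key = index*2; odd keys index the per-session strings
# that MC-NBFSE streams carry in-band, passed to the decoder as `session`.
STATIC_DICT = {0: "mustUnderstand", 1: "Envelope", 2: "http://www.w3.org/2003/05/soap-envelope",
               3: "http://www.w3.org/2005/08/addressing", 4: "Header", 5: "Action", 6: "To", 7: "Body"}
FIXED_TEXT = {0x80: "0", 0x82: "1", 0x84: "false", 0x86: "true", 0xA8: ""}
INT_TEXT = {0x88: "<b", 0x8A: "<h", 0x8C: "<i", 0x8E: "<q", 0xB2: "<Q"}
CHARS_TEXT = {0x98: "<B", 0x9A: "<H", 0x9C: "<I"}    # length prefix, then UTF-8

def encoding_from_content_type(value):
    """Which WCF message encoding an HTTP Content-Type header announces."""
    v = value.lower()
    if "application/soap+msbin1" in v: return "binary"   # BinaryMessageEncoding
    if "multipart/related" in v and "application/xop+xml" in v: return "mtom"
    if "text/xml" in v or "application/soap+xml" in v: return "text"
    return "unknown"

def _mb31(buf, pos):
    """MultiByteInt31: 7 bits per byte, low group first, high bit = more follows."""
    val = shift = 0
    while True:
        b = buf[pos]; pos += 1; val |= (b & 0x7F) << shift; shift += 7
        if not b & 0x80: return val, pos

def _string(buf, pos):                  # String: MultiByteInt31 length, then UTF-8
    n, pos = _mb31(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n

def _dict_string(buf, pos, session):    # DictionaryString: MultiByteInt31 key
    key, pos = _mb31(buf, pos)
    return (session[key >> 1] if key & 1 else STATIC_DICT[key >> 1]), pos

def _text(buf, pos, session):
    """One Text record -> (value, pos, ends_element); odd codes also close the element."""
    rec = buf[pos]; pos += 1; base = rec & 0xFE
    if base in FIXED_TEXT:
        v = FIXED_TEXT[base]
    elif base in INT_TEXT or base in CHARS_TEXT:
        fmt = INT_TEXT.get(base) or CHARS_TEXT[base]
        num = struct.unpack_from(fmt, buf, pos)[0]; pos += struct.calcsize(fmt)
        if base in INT_TEXT: v = str(num)
        else: v = buf[pos:pos + num].decode("utf-8"); pos += num
    elif base == 0xAA:                                    # DictionaryText
        v, pos = _dict_string(buf, pos, session)
    else:
        raise ValueError("unsupported Text record 0x%02X" % rec)
    return v, pos, bool(rec & 1)

def decode_nbfx(buf, session=()):
    """Walk the record stream and return the equivalent XML text."""
    out, stack, pos, open_tag = [], [], 0, False
    while pos < len(buf):
        rec = buf[pos]
        if open_tag and not 0x04 <= rec <= 0x3F:          # anything but an attribute ends the start tag
            out.append(">"); open_tag = False
        if rec == 0x01:                                   # EndElement
            pos += 1; out.append("</%s>" % stack.pop())
        elif 0x40 <= rec <= 0x77:                         # Element records
            pos += 1; p = ""
            if rec in (0x41, 0x43): p, pos = _string(buf, pos)              # Element/DictionaryElement: explicit prefix
            elif 0x44 <= rec <= 0x5D: p = chr(97 + rec - 0x44)              # PrefixDictionaryElementA-Z
            elif rec >= 0x5E: p = chr(97 + rec - 0x5E)                      # PrefixElementA-Z
            use_dict = rec in (0x42, 0x43) or 0x44 <= rec <= 0x5D
            n, pos = _dict_string(buf, pos, session) if use_dict else _string(buf, pos)
            name = p + ":" + n if p else n
            out.append("<" + name); stack.append(name); open_tag = True
        elif 0x04 <= rec <= 0x3F:                         # Attribute records
            pos += 1; p = ""
            if rec in (0x08, 0x09, 0x0A, 0x0B):                             # xmlns declarations
                if rec in (0x09, 0x0B): p, pos = _string(buf, pos)
                v, pos = _string(buf, pos) if rec in (0x08, 0x09) else _dict_string(buf, pos, session)
                name = "xmlns:" + p if p else "xmlns"
            else:
                if rec in (0x05, 0x07): p, pos = _string(buf, pos)          # Attribute/DictionaryAttribute: explicit prefix
                elif 0x0C <= rec <= 0x25: p = chr(97 + rec - 0x0C)          # PrefixDictionaryAttributeA-Z
                elif rec >= 0x26: p = chr(97 + rec - 0x26)                  # PrefixAttributeA-Z
                use_dict = rec in (0x06, 0x07) or 0x0C <= rec <= 0x25
                n, pos = _dict_string(buf, pos, session) if use_dict else _string(buf, pos)
                name = p + ":" + n if p else n
                v, pos, _ = _text(buf, pos, session)
            out.append(' %s="%s"' % (name, escape(v, {'"': "&quot;"})))
        elif rec >= 0x80:                                 # Text records
            v, pos, ends = _text(buf, pos, session)
            out.append(escape(v))
            if ends: out.append("</%s>" % stack.pop())
        else:
            raise ValueError("unsupported record 0x%02X at offset %d" % (rec, pos))
    return "".join(out)

# Constructed sample (not captured traffic): a SOAP 1.2 request as WCF's binary
# encoder emits it when only static-dictionary strings are involved.
SAMPLE = (b"\x56\x02"                                    # PrefixDictionaryElementS: <s:Envelope
          b"\x0B\x01s\x04" b"\x0B\x01a\x06"              # DictionaryXmlnsAttribute: xmlns:s, xmlns:a
          b"\x56\x08" b"\x44\x0A"                        # <s:Header><a:Action
          b"\x1E\x00\x82"                                # PrefixDictionaryAttributeS: s:mustUnderstand=OneText
          b"\x99\x26http://tempuri.org/IService/GetBalance"    # Chars8TextWithEndElement
          b"\x01" b"\x56\x0E"                            # </s:Header><s:Body>
          b"\x40\x0AGetBalance" b"\x08\x13http://tempuri.org/"  # ShortElement, ShortXmlnsAttribute
          b"\x40\x09accountId" b"\x8D\x12\x04\x00\x00"   # <accountId> Int32TextWithEndElement 1042
          b"\x01\x01\x01")                               # </GetBalance></s:Body></s:Envelope>
```

Calling decode_nbfx(SAMPLE) yields the familiar s:Envelope/s:Header/s:Body SOAP 1.2 request with the a:Action header and the GetBalance body, which is the point: once the binary framing is stripped away, the message is ordinary SOAP and ordinary injection and parameter-tampering tests apply. Two caveats for use against a real target: this block only decodes, so a tampered message has to be re-encoded to NBFX before it is sent back; and over net.tcp there is no Content-Type at all, the framing preamble announces the encoding and the session strings are carried in the stream itself, which is why session is a parameter rather than something the decoder can discover from the body alone.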