To date most commercial web services are employed in B2B or backend scenarios. Therefore these web service are only known to people / employees working in the field the web service is used. The general public and therefore a vast amount of potential attackers are unaware of these web services. However due to their field of employment, these "hidden" web services usually perform very critical operations, such as payment or ordering processes between businesses, making them very interesting to attackers.
Unfortunately, for some of these critical web services the only form of protection is being hidden from the general public, exchanging critical information without or very few protection.
WSDL Disclosure attacks aim at discovering non-public web services by retrieving their WSDL file.
Their are 2 attack subtypes that aim at disclosing the metadata files of non public web services.
- WSDL Google Hacking
The WSDL Google Hacking attack makes use of the google search function. By searching for files with the ending ".wsdl" millions of wsdl files get listed. By refining the search, including the url of the company desired by the attacker, one can easily find wsdl files that are usually not published on the website of the attacked website.
- WSDL Enumeration
When executing the WSDL Enumeration attack, it is assumed that the attacker already gained access to one WSDL file of the desired web service provider. That means the attacker has knowledge of the web service endpoint and other critical information of how to reach the web service server.
Then the attacker tries to gain knowledge about "new" non-public web service methods by trying various common method names. By evaluating the response, the attacker can see whether or not the method exits. Once a hidden method is found, the attacker can identify all required parameters by further analysing the error response.
This attack is also known as WSDL Scanning
Prerequisites for attack
Once the attacker got accessed to the WSDL file, the only prerequisite that is left is:
- Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company.
Graphical representation of attack
The attack doesn't aim at any special web service component. It aims at disclosing the metadata of the web service. Depending on the discovered web service various attacks are possible. Therefore no specific component is marked only the web service in general.
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack examples are not available.
However just to give a feel for the WSDL Google Hacking attack, one should google the term ".wsdl" to see how many WSDL files come up. Probably many of them were never intended to show up in a public google search.
When executing the WSDL Enumeration attack it is just a question of persistence and "trial and error" before the attacker finds a "new" web service method.
Attack mitigation / countermeasures
The web service security should never rely on the secrecy of the WSDL file. Other actions, such as integrity, confidentiality and access control features, should be used to secure the web service. If these features are used correctly, the disclosure of the WSDL file poses no problem at all.
This concept can be compared to cryptographic algorithms in general. The quality of a good cryptographic algorithm never relies on the secrecy of the algorithm itself. It solely relies on the mathematical functions embedded within, while the algorithm itself is completely open to everyone.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Nishchal Bhalla and Sahba Kazerooni.Web services vulnerabilities. http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf, February 2007. Accessed 01 July 2010.
- Meiko Jensen, Nils Gruschka, and Ralph Herkenh ̈ner. A survey of attacks on web services. Springer-Verlag, 2009.
- Meiko Jensen. Attacking webservices. http://www.nds.rub.de/media/nds/downloads/ws0910/AttackingWebServices.pdf, 2010. Accessed 01 July 2010.