Hacking Exposed: Mobile Security Secrets & Solutions

2. Craft legitimate web service requests for all the endpoints and operations identified. Either base these requests on observed requests via network traffic analysis, or build them manually by analyzing the Web Services Description Language (WSDL) files associated with the web services. SoapUI is a useful tool for this process because it can build a set of base test cases given a URL to an identified WSDL.

3. Now comes the fun part, vulnerability discovery. Alter the structure or contents of the XML documents sent to the web service endpoints to violate the confidentiality, integrity, or availability of the target system, and observe the response for any anomalies.

XML Injection

Web services that fail to perform input validation or output encoding on user input employed to construct XML responses are vulnerable to XML injection attacks. The injection of unintended XML structures by an attacker can alter an application's business logic. Exploitation is, therefore, highly application specific. Consider a scenario in which a mobile application interacts with a web application displayed within a WebView component in order to purchase widgets. On the back-end, the web application queries a set of XML-based web services to retrieve product information, process payments, and finalize orders. When a user adds a product to his or her cart, the web application sends the following XML document to a web service:

    <?xml version="1.0"?>
    <ProductRequest>
        <Id>584654</Id>
    </ProductRequest>

The web service responds by providing the product's price so the web application can now update the cart total properly to $199.99 plus tax, but the web service also reflects part of the user input (the product identifier) verbatim:

    <?xml version="1.0"?>
    <ProductResponse>
        <Id>584654</Id>
        <Price>199.99</Price>
    </ProductResponse>

In this example, we assume that neither the web application nor the web service performs input validation or output encoding on the product identifier value provided by the user, and that the web service simply casts the user input into a numeric data type to find the relevant product order, but reflects the user input verbatim. So let's consider the outcome when a malicious user provides the following:

    584654</Id><Price>0.99</Price></ProductResponse><ProductResponse><Id>123
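The scenario above, modelled as an added example that is not from the book: a constructed Python stand-in for the web service that reflects the identifier verbatim, a hardened version that validates the value and builds the response with an XML library, and the consumer-side check a client could run on what comes back. The price table, the function names, and the 12-digit identifier limit are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the normal identifier from the book's example and the
# injected value the book shows a malicious user submitting.
PRODUCT_ID = "584654"
INJECTED_ID = "584654</Id><Price>0.99</Price></ProductResponse><ProductResponse><Id>123"

# Constructed price table standing in for the product database (assumption).
PRICES = {584654: "199.99"}


def vulnerable_response(user_id: str) -> str:
    """Mirror the book's scenario: the id is cast to a number for the lookup, but the
    raw string is reflected verbatim into the response by string concatenation."""
    numeric_id = int(re.match(r"\d+", user_id).group(0))  # lenient cast: leading digits
    price = PRICES.get(numeric_id, "0.00")
    return ('<?xml version="1.0"?><ProductResponse><Id>' + user_id
            + '</Id><Price>' + price + '</Price></ProductResponse>')


def hardened_response(user_id: str) -> str:
    """Reject anything that is not a plain numeric id, then build the document with
    the XML library so that reflected text is escaped and cannot add elements."""
    if not re.fullmatch(r"\d{1,12}", user_id):
        raise ValueError("product id must be 1 to 12 decimal digits")
    price = PRICES.get(int(user_id), "0.00")
    root = ET.Element("ProductResponse")
    ET.SubElement(root, "Id").text = user_id
    ET.SubElement(root, "Price").text = price
    return '<?xml version="1.0"?>' + ET.tostring(root, encoding="unicode")


def parse_responses(doc: str):
    """Consumer-side check: list every (Id, Price) pair in the reply. A synthetic
    wrapper element is added because an injected reply may carry several roots;
    a client should treat anything other than exactly one ProductResponse as an anomaly."""
    body = re.sub(r"^<\?xml[^>]*\?>", "", doc)
    root = ET.fromstring("<wrap>" + body + "</wrap>")
    return [(r.findtext("Id"), r.findtext("Price")) for r in root.findall("ProductResponse")]


if __name__ == "__main__":
    print(parse_responses(vulnerable_response(INJECTED_ID)))  # two responses, first priced 0.99
    print(parse_responses(hardened_response(PRODUCT_ID)))     # one response, priced 199.99
```

With the vulnerable builder the injected value yields two ProductResponse elements and a client that reads the first one sees a price of 0.99; the hardened builder refuses the value outright, and even a free-text field built through ElementTree would have its angle brackets escaped rather than interpreted.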
