The company Hackmanit was founded by employees of the Ruhr University Bochum, working at the Horst Görtz Institute for IT Security. Hackmanit has in-depth knowledge about the security of Web applications (e.g., Cross-Site Scripting, UI-Redressing and Clickjacking), Web services, Single Sign-On, SSL/TLS and applied cryptography. The company mainly focuses on providing services such as practical training courses, high-quality penetration tests, and customized threat analysis.

Web services are used by many applications and are essential to the infrastructure of the modern Internet. Among other things, they enable applications to connect to social networks and to offer their own services to third parties. However, in recent years web services have become the target of serious attacks that exploit implementation flaws. These attacks take advantage of the complexity of the XML standards and allow attackers to read sensitive data from external servers or to decrypt confidential data.

In this training, web service technologies will be introduced and numerous techniques for attacking SOAP-based web services will be presented with examples. Afterward, the participants will have the opportunity to execute various attacks themselves in a virtual machine prepared by us. First, the attacks are executed manually (for example, using SoapUI) in order to get a feeling for the underlying vulnerabilities. We will then introduce our penetration testing tool WS-Attacker, which can be used to test for many of these attacks automatically. The virtual machine works offline and can be used by participants for further internal education after the course has ended.

Due to the importance of integrating web services into your enterprise ecosystem, it is essential to understand and address the problems of these technologies. The training will address the following questions, among others:

  • How do I use an XML parser correctly?
  • How do I check an XML document's signature correctly?
  • Which risks need to be considered when using WS-* extensions?
  • Is encrypting my messages with TLS sufficient?
  • How can I protect my systems against attackers?

Training Contents:

  • XML and SOAP-based Web Services
  • XML Schema and WS-Policy
  • WS-Addressing and WS-Addressing Spoofing
  • XML Parsing (DOM vs. SAX)
  • XML-specific Denial-of-Service Attacks
  • XML Security and WS-Security
    • Differences from SSL/TLS
  • XML Signature
    • ID- and XPath-based XML Signatures
  • XML Signature Wrapping Attacks
  • XML Encryption
    • Attacks on Symmetric Encryption
    • Attacks on Asymmetric Encryption
  • Penetration Testing with WS-Attacker
  • Outlook: SAML-based Single Sign-On
  • REST-based Web Services
    • Attacks and Best Practices

Requirements: This training is designed primarily for two target audiences:

  1. Developers who use XML and web services in practice.
  2. Penetration testers and security researchers who want to learn how to evaluate the security of such systems.


Your Contact for This Training

Prof. Dr. Juraj Somorovsky
+49 (0)234 / 54452661