We offer web security training courses for primarily two target audiences: first, developers who want to learn about web application security, Single Sign-On, TLS, XML, and web service technologies; second, penetration testers who want in-depth knowledge of web security. The topics covered are both well-known attacks and attacks that are usually unknown to practitioners, along with their countermeasures. Furthermore, we go into detail on solutions for automating security tests.

Web services are used by many applications and are essential to the infrastructure of the modern Internet. Among other things, they enable applications to connect to social networks and to provide their own services to third parties. However, in recent years web services have become the target of serious attacks due to implementation flaws. These attacks take advantage of the complexity of the XML standards and allow attackers to read sensitive data from external servers or to decrypt confidential data.

In this training, web service technologies are introduced and numerous techniques for attacking SOAP-based web services are presented using examples. Afterwards, participants have the opportunity to execute various attacks themselves in a virtual machine prepared by us. First, the attacks are executed manually (for example, using SoapUI) in order to get a feeling for the underlying vulnerabilities. We then introduce our penetration testing tool WS-Attacker, which can automatically test for many of these attacks. The virtual machine works offline and can be used by participants for further internal training after the course has ended.

Because web services are integrated deeply into enterprise ecosystems, it is essential to understand and address the problems of these technologies. The training will address the following questions, among others:

  • How do I use an XML parser correctly?
  • How do I check an XML document's signature correctly?
  • Which risks need to be considered when using WS-* extensions?
  • Is encrypting my messages with TLS sufficient?
  • How can I protect my systems against attackers?
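
The first question above, how to use an XML parser correctly, comes down to refusing the DTD features that make entity-expansion denial of service and external-entity attacks possible before the document reaches any business logic. The following is an added example, not code from the course or from WS-Attacker: a parser for untrusted SOAP input built on Python's standard-library expat binding that rejects any DOCTYPE, entity declaration or external entity reference, placed next to an unhardened parse that shows how much a small entity-expansion payload grows. The SOAP messages, the urn:example:bank service and the file path inside the entity are constructed for illustration.

```python
# Added example (not course material): hardened parsing of untrusted SOAP/XML
# with Python's stdlib expat binding. Messages, service name and file path
# are constructed for illustration.
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document uses DTD features we refuse to process."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse untrusted XML, rejecting every DTD construct before it takes effect.

    Returns (element name, stripped text) pairs in document order. Raises
    UnsafeXMLError on a DOCTYPE, an entity declaration or an external entity
    reference, and expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    # Never resolve parameter entities, so no external DTD subset is fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # An exception raised inside an expat callback aborts Parse() and propagates.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (root {name!r})")

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    elements = []  # [name, text] per element, in document order
    open_idx = []  # indices into `elements` of the currently open elements

    def start(name, attrs):
        open_idx.append(len(elements))
        elements.append([name, ""])

    def end(name):
        open_idx.pop()

    def chars(text):
        # Character data belongs to the innermost open element.
        if open_idx:
            elements[open_idx[-1]][1] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(data, True)
    return [(name, text.strip()) for name, text in elements]


def expanded_text_length(data: bytes) -> int:
    """Unhardened comparison: a default expat parser expands internal entities,
    so this returns the amount of character data an application would receive."""
    parser = expat.ParserCreate()
    total = 0

    def count(text):
        nonlocal total
        total += len(text)

    parser.CharacterDataHandler = count
    parser.Parse(data, True)
    return total


# Constructed sample messages.
SAFE_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getBalance xmlns="urn:example:bank">
      <accountId>4711</accountId>
    </getBalance>
  </soap:Body>
</soap:Envelope>"""

# XXE: an external entity pointing at a local file, referenced from the Body.
XXE_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getBalance xmlns="urn:example:bank"><accountId>&xxe;</accountId></getBalance></soap:Body>
</soap:Envelope>"""

# Entity expansion (a three-level "billion laughs"): a few hundred bytes of
# input that expand to 1000 characters; a real payload nests much deeper.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>"""


def demo() -> dict:
    """Run the three samples and report what the hardened parser did with each."""
    results = {"safe": parse_untrusted_xml(SAFE_SOAP)}
    for label, payload in (("xxe", XXE_SOAP), ("bomb", ENTITY_BOMB)):
        try:
            parse_untrusted_xml(payload)
            results[label] = "accepted"
        except UnsafeXMLError as err:
            results[label] = f"rejected: {err}"
    results["bomb_expanded_chars"] = expanded_text_length(ENTITY_BOMB)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Rejecting the whole DOCTYPE is the simplest safe policy for a web service endpoint, since SOAP messages never need a DTD; an application that must accept DTDs has to disable external and parameter entities separately and cap expansion. Other parsers expose the same switches under different names (Xerces, for example, has a disallow-doctype-decl feature), and the check belongs before the message reaches signature verification or business logic.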

Training Contents:

  • XML and SOAP-based Web Services
  • XML Schema and WS-Policy
  • WS-Addressing and WS-Addressing Spoofing
  • XML Parsing (DOM vs. SAX)
  • XML-specific Denial-of-Service Attacks
  • XML Security and WS-Security
    • Differences to SSL/TLS
  • XML Signature
    • ID- and XPath-based XML Signatures
  • XML Signature Wrapping Attacks
  • XML Encryption
    • Attacks on Symmetric Encryption
    • Attacks on Asymmetric Encryption
  • Penetration Testing with WS-Attacker
  • Outlook: SAML-based Single Sign-On
  • REST-based Web Services
    • Attacks and Best Practices

Requirements: This training is designed primarily for two target audiences:

  1. Developers who use XML and web services in practice.
  2. Penetration testers and security researchers who want to learn how to evaluate the security of such systems.

Example: 15 Slides
Flyer: Web Service Security

Contact: Dr. Juraj Somorovsky