Black Hat Briefings, Las Vegas 2005 [audio] Presentations From The Security Conference

Alex Stamos and Scott Stender: Attacking Web Services: The Next Generation of Vulnerable Enterprise Apps



Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc) can be retooled to work with the next-generation of enterprise applications. The speakers will also demonstrate some of the first publicly available tools for finding and penetrating web service enabled systems. Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital sec