Description:
This is the video of the presentation titled "Cracking the Foundation: Attacking WCF Web Services" given by Brian Holyfield at SOURCE Boston 2010.
Abstract: Hacking a web service generally isn't rocket science. But what if the web service requires messages to be sent using a binary protocol? What if it requires message level encryption but you don't have a key? These are just a few common scenarios you are likely to encounter when trying to attack a web service built with Windows Communication Foundation (WCF). Through a series of live demonstrations, the presentation will show how to identify and attack WCF web services and discuss useful tools and tips to make testing WCF services easier. Attendees will leave with the knowledge necessary to effectively conduct penetration testing against WCF applications.
The following live demonstrations will be conducted (time permitting):
- Burp Plug-in for WCF Binary Soap Messages (MC-NBFS)
- De-compilation of Silverlight XAP for obtaining WCF Meta Data
- Crafting Meta Data Exchange (MEX) Requests for Retrieving WCF Meta Data
- Communicating with WCF using WS-S Anonymous Message Encryption
- Writing a Custom WCF Test Client (in less than 10 lines of code)
- TCP Port Probing through WCF Duplex Callback Channels
Presentation Outline:
1. WCF Overview
2. Silverlight WCF Web Services
2a. MC-NBFS Protocol
2b. Obtaining Meta Data from WCF
2c. Analyzing Silverlight XAP
3. Secure WCF Binding
3a. WS-S Message Encryption
3b. Custom WCF Clients
4. WCF Duplex Services
4a. Attacking Callback Channels
Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the information security industry for over 10 years, and specializes in software security. Brian is a frequent speaker at security conferences and a regular contributor on the GDS Security Blog.
Comments:
Where is the video?