Recent Posts

Blogroll

Blog powered by TypePad

« Michael Tanji's 3 Reasons Why US Cybersecurity Sucks | Main | 9 Things Talk in Minnesota »

Vordel FTW!

I think security is about the only area of computing where the east coast has an advantage over the west coast, and if you keep going east from the eastern seaboard you wind up in Ireland, home of Web services company Vordel. I have used their tool Soapbox many times over the years and always recommend it to clients, it has many uses, and now its free!


Soapbox is essentially a tool that builds Web services clients, takes in message (e.g. XML) and the URL you are calling which is similar to Soapui and a number of other tools like curl, but Soapbox does several security-related things that make it very valuable.

First thing is that Soapbox supports a variety keystores, so you can use Openssl or your favorite tool to set up the keys, keystores and certs that you need. Then you can take a vanilla soap message

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<tns:Cities xmlns:tns="http://euro2008.dataaccess.eu" />
</soap:Body>
</soap:Envelope>



and add a signature and timestamp to it for authentication purposes

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Id-0000012282ebfbbb-00000000002eb6e9-4"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#Id-0000012282ebfbbb-00000000002eb6e9-3"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>bAfOw4sLP/PD/Fe/5VRkrJXnZiI=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>N0VLGWgJDad52fvH7A3saVGc9rusFZlpAedEHh5HVGOnyEPAQy5+HD8OkvxTku+y
Og+M+P8ZY3OeTIZkNhoNzrVoRb1riPSr9znFRXFMImpTInOAncoEmcPtjs4XJ5vp
+e8gw5lr5gsvmcTafvUMfG+HDuyp+ZF8EFdm90bdeZ/2GIZ0WXqzL5yVQAhHlRiH
SLwcY5p5NmQvjimdMTMcPgc5ETfDAa1yKE/2hyFqn26fU6g/c5XYkp4xHULUIVP2
WZQlfkuHiGFSNCrVw68H/QTSOSl/s0lebWC3q+kCuTecQSml+hFbM4cZjvIVKUZJ
f1RUUsg1NGvtpHebx9/YQA==</dsig:SignatureValue><dsig:KeyInfo Id="Id-0000012282ebfbbb-00000000002eb6e9-5"><dsig:X509Data><dsig:X509Certificate>MIIC0TCCAbmgAwIBAgIGARqbOHiZMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMTDVNPQVBCb3hDb25maWcwHhcNMDgwNjE4MTAyODAwWhcNMTEwNjE4MTAyODAwWjAYMRYwFAYDVQQDEw1TT0FQQm94Q29uZmlnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLw4QAWqVmEr+CEo8Fp8WPq9Oo7BdnNOtMT5sUp0IN4NVvKmdI8ju3HsbnXzI7csNDzK6Feo19J/XLZk/Lr3Q4bLmmD+bMLFljiIgQ89+Bwc3mtyT1Rr4WBQUKnF8+8y65m2RebySelzgWIeZM72JoThSw85VBtyHvjlQnTAnfwX0NV7mH+kbQDi0c4Q4UZhKWFfb5L2tbjcknsG0k4De07qIw+RsGipkuNoFyI6BwwC0IERv48sacL30nWAOZMNDkm4S61aAYuzfMZySzPseU6BUdIdYAnITgj4tHRJZ93OYnn6LObEkYxobyGi6SULtBQQYzHKgeeyvru2Z1L7nQIDAQABoyEwHzAdBgNVHQ4EFgQUjq3/y0NF+tlUqwLc8SP4uV4/PK4wDQYJKoZIhvcNAQEFBQADggEBABAkqI4elXT/+1RfJOavOy2sAtnr1XiLp1HYtkJV4BMmoouExG+jiEg9MU18dF3302JvbGk+nVw8g/80Tlx5jpWlU6UwVmuc4RZaWjj+NkUncniaWVdcCmgIsLfeIWrK6bWfQaylpj9t8Vl7q4ocrMg7R8tPizlliIfD+hH3aUVkTgvXsb9GTPYYAfLgHQYimDyXm5w1qqWv7Id7nZfzplP1N+cBbxEMT4SQ4QS72cnShDo+fz+pcjxF81VaYe4ag9DyHrMH1PKDsxO7kEGz9fAFQRfTw50ksnNrVqefAOBCRdvL1s/Awwpt1DPk44jtvY4NZRF2NsbAyLswPyntpAY=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-0000012282ebfbbb-00000000002eb6e9-2"><wsu:Created>2009-07-16T09:36:59Z</wsu:Created></wsu:Timestamp>
  </wsse:Security>
  </soap:Header>


or perhaps you are more worried about confidentiality, taking the same vanilla soap message you can use XML encryption in Soapbox to generate

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="Id-0000012282eedda3-00000000002eb6e9-12"><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Id-0000012282eedda3-00000000002eb6e9-13"><dsig:X509Data><dsig:X509Certificate>MIIC0TCCAbmgAwIBAgIGARqbOHiZMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMTDVNPQVBCb3hDb25maWcwHhcNMDgwNjE4MTAyODAwWhcNMTEwNjE4MTAyODAwWjAYMRYwFAYDVQQDEw1TT0FQQm94Q29uZmlnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLw4QAWqVmEr+CEo8Fp8WPq9Oo7BdnNOtMT5sUp0IN4NVvKmdI8ju3HsbnXzI7csNDzK6Feo19J/XLZk/Lr3Q4bLmmD+bMLFljiIgQ89+Bwc3mtyT1Rr4WBQUKnF8+8y65m2RebySelzgWIeZM72JoThSw85VBtyHvjlQnTAnfwX0NV7mH+kbQDi0c4Q4UZhKWFfb5L2tbjcknsG0k4De07qIw+RsGipkuNoFyI6BwwC0IERv48sacL30nWAOZMNDkm4S61aAYuzfMZySzPseU6BUdIdYAnITgj4tHRJZ93OYnn6LObEkYxobyGi6SULtBQQYzHKgeeyvru2Z1L7nQIDAQABoyEwHzAdBgNVHQ4EFgQUjq3/y0NF+tlUqwLc8SP4uV4/PK4wDQYJKoZIhvcNAQEFBQADggEBABAkqI4elXT/+1RfJOavOy2sAtnr1XiLp1HYtkJV4BMmoouExG+jiEg9MU18dF3302JvbGk+nVw8g/80Tlx5jpWlU6UwVmuc4RZaWjj+NkUncniaWVdcCmgIsLfeIWrK6bWfQaylpj9t8Vl7q4ocrMg7R8tPizlliIfD+hH3aUVkTgvXsb9GTPYYAfLgHQYimDyXm5w1qqWv7Id7nZfzplP1N+cBbxEMT4SQ4QS72cnShDo+fz+pcjxF81VaYe4ag9DyHrMH1PKDsxO7kEGz9fAFQRfTw50ksnNrVqefAOBCRdvL1s/Awwpt1DPk44jtvY4NZRF2NsbAyLswPyntpAY=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo><enc:CipherData><enc:CipherValue>H2oySdBYPuYhoaWbVfuQzQWyZ9eMRylzGHF5LzWCSNrX90hBFjyzg3ufxUfAbRBS
pPdgCfd5edH63DFsiMnYBe4vY5010sLwvHP78M4uEZlA9tb8C2rXlvs7KJeUhhAa
XAXvexwD86UDk0ir6Gn0uhsvpbZndzVPuTSBhrB5kkaxuFyCnZZby1eZPuTOWWl3
/abt0fsGJjkB7xhkOEFDBwpU8VOBVX3NjEISiTX7MbKskNWNqI5vY7tAWqMqrB5g
kIxK8O8p+WjB4i9yQmMJiR63j3gKPXlgN0/wTtCDxe+AZwSv/jW2ORd0b+9w2Rq+
LqEZ0jcE33w5YrcmxgdsJQ==</enc:CipherValue></enc:CipherData><enc:ReferenceList><enc:DataReference URI="#Id-0000012282eedda3-00000000002eb6e9-11"/></enc:ReferenceList><enc:CarriedKeyName>Id-0000012282eedda3-00000000002eb6e9-10</enc:CarriedKeyName></enc:EncryptedKey>
  </wsse:Security>
  </soap:Header>
<soap:Body><enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="Id-0000012282eedda3-00000000002eb6e9-11" Type="http://www.w3.org/2001/04/xmlenc#Content" Encoding="UTF-8" MimeType="text/xml"><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu:Id="Id-0000012282eedda3-00000000002eb6e9-14"><wsse:Reference URI="#Id-0000012282eedda3-00000000002eb6e9-12" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/></wsse:SecurityTokenReference></dsig:KeyInfo><enc:CipherData><enc:CipherValue>7omm3jasigXF6qd0jlhivSq5wxW0hA1YORHNV386euQBeAO5gksbbBfBIKSHlYHJ
SbgU/gY28Snmh5JAPxpHSjzRfCTEjwJ5/C3j1iD0yN8=</enc:CipherValue></enc:CipherData></enc:EncryptedData></soap:Body>
</soap:Envelope>

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-0000012282ebfbbb-00000000002eb6e9-3">
<tns:Cities xmlns:tns="http://euro2008.dataaccess.eu"/>
</soap:Body>
</soap:Envelope>


Soapbox can also be used for REST and other types of web services, if you are building or supporting web services its invaluable to have a testing tool that allows you to swap out different security mechanisms, encoding types, and data quickly and easily. It took about 2 minutes 30 seconds for me to generate the above from a standing start (including Eclipse start up time ;-P). Grab a copy of Soapbox and see what you think, I will blog more about some other features later.

July 16, 2009 in Security, SOA, Web Services |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83451c75869e2011571199f6b970c

Listed below are links to weblogs that reference Vordel FTW!:

Comments

ron

This is an excellent tool. Thanks for blogging about it.

Cheers.

Posted by: ron | August 07, 2009 at 09:22 PM

Bruce S

Hi -

Which tools do you recommend for web services vulnerability testing? And whatever happened to the OWASP Top Ten for Web Services project? Couldn't find it on owasp.org.

Thanks for the great content here.

Posted by: Bruce S | September 12, 2009 at 01:55 AM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment