Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MonkeyShell: using XML-RPC for access to a remote shell

from [Darryl Luff] Network Security [Permanent Link]
Subject: Re: MonkeyShell: using XML-RPC for access to a remote shell
Date: Tue, 12 Oct 2004 15:56:35 +1000 
On Sun, 2004-10-10 at 22:38 -0400, Abe Usher wrote:

Security pundits have been warning about the dangers implicit with Web
services for years. A good starting point for understanding the security
issues related to Web services can be found at:
http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci872720,00.html


The 'Monkey Shell' looks like a good demonstration, but it could have
just as easily been implemented using the normal CGI interface, or
straight HTTP requests. As things like httptunnel have done.

I don't understand why the 'New' web services, with requests and
responses encoded as XML over HTTP, are considered more insecure than
the 'old' web services with requests and responses encoded directly in
HTML, or in custom formats. The functionality is the same, only the
transport encoding is different.

I can see other problems with the 'new' services, with increased network
load, harder parsing for small devices, and the inevitable security
problems introduced with any newly written software. But I don't see how
changing the actual request/response encoding magically makes it any
less secure?


Mr Wagner in the linked article says that "the danger is that almost
anything can come over a web service connection". But "almost anything"
can also come over a straight HTTP connection. What's the difference?


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  MonkeyShell: using XML-RPC for access to a remote shell, Abe Usher
Next by Date:  [Full-Disclosure] Writing Trojans that bypass Windows XP Service Pack 2 Firewall, americanidiot
Previous by Thread:  MonkeyShell: using XML-RPC for access to a remote shell, Abe Usher
Next by Thread:  Re: MonkeyShell: using XML-RPC for access to a remote shell, Barry Dorrans
Indexes:  [Date] [Thread] [Top] [All Lists]