
DEF CON 33 Recon Village - A Playbook for Integration Servers - Ryan Bonner, Guðmundur Karlsson
DEFCONConference • 2.1K views • 2025-12-31
In this DEF CON 33 Recon Village presentation, security researchers Ryan Bonner and Guðmundur 'Karl' Karlsson reveal their 'playbook' for attacking WebMethods integration servers, a type of middleware used by Fortune 500 companies to bridge legacy systems with modern applications. The speakers highlight that despite its widespread use in banking, healthcare, and insurance, WebMethods has remained largely undocumented and overlooked by the security research community for decades. This lack of scrutiny, combined with expensive private training ($8,000-$10,000) and fragmented documentation, has created a massive attack surface of legacy 'plumbing' that remains exposed on the internet.
The reconnaissance phase of the playbook utilizes several OSINT platforms. The researchers identify Shodan as a primary tool, specifically searching for the `WWW-Authenticate` header containing 'integration server', which yields hundreds of results. They also advocate for ZoomEye (noting its strength in Asian markets and CBug integration), FOFA (for its rule-based fingerprinting), and Censys (for high-quality data). Additionally, they use Certificate Transparency (CT) log scanning with a tool called 'Gunner' to find hidden infrastructure. By cross-referencing job postings on sites like theirstack.com, they can correlate specific technologies to over 2,800 target companies.
The core technical vulnerability involves misconfigured Access Control Lists (ACLs). In WebMethods, developers often encounter permission issues during service development. To resolve these, they frequently change the service permissions to the 'Default' group. However, the 'Default' group includes the 'Anonymous' group by default, effectively making the service unauthenticated. Attackers can then invoke these services directly via the browser using a simple GET request to the `/invoke/` endpoint followed by the service name (e.g., `/invoke/wm.public/service_name`).
The researchers developed a custom tool (humorously referred to as being 'vibe-coded') that automates the process of identifying these servers, testing for default credentials, and fuzzing over 5,100 known API endpoints. They found that a '500 Internal Server Error' response often indicates a vulnerable service that simply requires correctly formatted parameters, while a '200 OK' indicates immediate successful execution. The researchers warned that some services, if called without proper parameters, could inadvertently shut down the server, a scenario they encountered during their testing on live targets.
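The two paragraphs above give a defender everything needed to spot this misconfiguration in their own traffic: the `/invoke/` path, the absence of credentials, and the meaning of a 200 (service executed) versus a 500 (service reachable but called with the wrong parameters) versus a 401/403 (the ACL held). The following detector is an added example and is not the speakers' tool or any webMethods product code; it assumes the Integration Server sits behind a reverse proxy writing Apache Combined Log Format lines (the authuser field is `-` when no credentials were presented), and the log lines are constructed for the example.

```python
"""Flag anonymous calls to the Integration Server /invoke/ endpoint.

Added example, not code from the talk. Assumption: access logs are in Apache
Combined Log Format, where the third field (authuser) is '-' for requests
that carried no credentials. Adapt CLF_RE to your own proxy's layout.
"""
import re

# host ident authuser [timestamp] "METHOD path proto" status bytes ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

INVOKE_PREFIX = "/invoke/"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def service_name(path):
    """'/invoke/wm.public/service_name?x=y' -> 'wm.public/service_name'."""
    return path[len(INVOKE_PREFIX):].split("?", 1)[0]


def classify(rec):
    """Label one parsed record, or None if it is not a finding.

    200 with no credentials: the service ran for an anonymous caller, so its
    ACL effectively includes Anonymous (the 'Default' group problem).
    500 with no credentials: the ACL let the caller through and the service
    started, but failed for lack of the parameters it expected.
    401/403: the ACL rejected the caller; that is the expected baseline.
    """
    if not rec["path"].startswith(INVOKE_PREFIX):
        return None
    if rec["authuser"] != "-":
        return None
    if rec["status"] == 200:
        return "anonymous-invoke-executed"
    if rec["status"] == 500:
        return "anonymous-invoke-reachable"
    return None


def scan(lines):
    """Return (source host, service, status, label) for every finding."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["host"], service_name(rec["path"]),
                             rec["status"], label))
    return findings


# Constructed sample log (documentation IP ranges, fictitious service names).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:10:01:02 +0000] "GET /invoke/wm.public/service_name HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Aug/2025:10:01:05 +0000] "GET /invoke/wm.public/other_service HTTP/1.1" 500 312 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Aug/2025:10:01:09 +0000] "GET /invoke/wm.public/admin_only HTTP/1.1" 401 0 "-" "curl/8.0"',
    '198.51.100.4 - developer [12/Aug/2025:10:02:00 +0000] "GET /invoke/wm.public/service_name HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2025:10:03:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/8.0"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for host, svc, status, label in scan(SAMPLE_LOG):
        print(f"{label:28s} {status} {svc} from {host}")
```

Only the two anonymous requests to `/invoke/` with a 200 and a 500 are reported; the authenticated developer call, the 401 the ACL produced, and the non-invoke path are ignored. A 500 is deliberately kept as a finding: by the researchers' own observation it marks a service an anonymous caller could reach, which is the ACL defect to fix regardless of whether that particular request succeeded.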
Exploitation examples include leveraging the 'wm.public' package, which contains thousands of built-in services. Specifically, they highlight 'HTML decode' services that can be used to bypass WAFs for XSS, and more critically, an 'OS command' service that can lead to Remote Code Execution (RCE) if configured improperly. They also identified services that return B2B passwords and sensitive file access. The talk concludes with a call to action for other researchers to apply this methodology to other legacy middleware systems like MuleSoft.
Tags: webmethods, integration-server, software-ag