Attack Obfuscation

From WS-Attacks

Attack description

"Attack Obfuscation" is not an attack itself. However, it is an attack enabler. "Attack Obfuscation" describes all techniques used to hide an attack from the components designed to detect it.

A typical example is "Attack Obfuscation by Cryptography". A DoS attack such as Coercive Parsing is usually not successful when strict schema validation is performed. However, when the Coercive Parsing payload is hidden by encryption, the payload still gets executed, because schema validation is usually performed prior to decryption.


Attack subtypes

There are no attack subtypes.


Prerequisites for attack

In order for this attack to work, the attacker has to have knowledge about the following things:

  1. Attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
  2. Attacker can reach the endpoint from his location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.
  3. Attacker knows whether the obfuscation strategy works on the attacked web service.


Graphic representation of attack

"Attack Obfuscation" doesn't aim at any special web service component. It always depends on what attack is hidden as payload. Therefore no specific component is marked, only the web service in general.

Figure: AttackedComponent None.png

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.



Attack example

No attack example available/necessary.


Attack mitigation / countermeasures

Countermeasures are hard to state in general: they always depend on the attack hidden by the attack obfuscation.

Returning to the example from above, the mitigation strategy is as follows: the easiest way of countering the attack is to apply strict schema validation to the decrypted data as well, even if schema validation was already performed on the encrypted data prior to decryption.

When trying to use as few resources as possible, decryption and validation should be performed step by step, interleaving the two, rather than decrypting the whole message before validating any of it.
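The two processing orders discussed on this page (the validate-then-decrypt order from the attack description, and the decrypt-then-validate countermeasure from this section), as an added Python example that is not part of this wiki page or of any WS-Attacks tooling. Strict schema validation is stood in for by a streaming nesting-depth check, and XML Encryption by a base64 placeholder, because all that matters for the point being made is that the validator cannot see inside the ciphertext; the envelope layout, the depth limit of 16, the sample request bodies and all function names are constructed for this example.

```python
import base64
import io
import xml.etree.ElementTree as ET

# Constructed limit standing in for the structure a strict schema would impose.
MAX_DEPTH = 16

# Real namespace URIs for SOAP 1.1 and XML Encryption; the envelope layout
# built below is a constructed minimal message, not a real service's traffic.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


class ValidationError(Exception):
    """Raised when a document violates the structural limit."""


def validate(xml_bytes: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Streaming structural check standing in for strict schema validation.

    Walks start/end parser events and aborts as soon as nesting exceeds
    max_depth, so an over-deep document is rejected before it is fully parsed.
    Returns the maximum depth observed for a document that passes.
    """
    depth = max_seen = 0
    for event, _ in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            max_seen = max(max_seen, depth)
            if depth > max_depth:
                raise ValidationError(f"nesting depth {depth} exceeds limit {max_depth}")
        else:
            depth -= 1
    return max_seen


def encrypt(plaintext: bytes) -> bytes:
    """Placeholder for XML Encryption: base64 merely hides the structure from the
    validator, which is all this demonstration needs (it is NOT encryption)."""
    return base64.b64encode(plaintext)


def decrypt(ciphertext: bytes) -> bytes:
    """Inverse of the placeholder transform above."""
    return base64.b64decode(ciphertext)


def build_envelope(body_xml: bytes) -> bytes:
    """Wrap a body in a minimal SOAP envelope whose Body holds only ciphertext."""
    return (
        b'<soap:Envelope xmlns:soap="' + NS["soap"].encode() + b'">'
        + b"<soap:Body>"
        + b'<xenc:EncryptedData xmlns:xenc="' + NS["xenc"].encode() + b'">'
        + b"<xenc:CipherData><xenc:CipherValue>" + encrypt(body_xml)
        + b"</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>"
        + b"</soap:Body></soap:Envelope>"
    )


def extract_cipher_value(envelope: bytes) -> bytes:
    """Pull the ciphertext out of the envelope (the only part the validator saw)."""
    node = ET.fromstring(envelope).find(".//xenc:CipherValue", NS)
    if node is None or node.text is None:
        raise ValidationError("no CipherValue element")
    return node.text.encode()


def validate_then_decrypt(envelope: bytes) -> str:
    """Vulnerable order: validation only ever sees the shallow ciphertext wrapper."""
    try:
        validate(envelope)
    except (ValidationError, ET.ParseError) as err:
        return f"rejected: {err}"
    body = decrypt(extract_cipher_value(envelope))
    ET.fromstring(body)  # the application parses whatever was hidden, unchecked
    return "accepted"


def decrypt_then_validate(envelope: bytes) -> str:
    """Mitigated order: validate the wrapper, decrypt, then validate the plaintext too."""
    try:
        validate(envelope)
        body = decrypt(extract_cipher_value(envelope))
        validate(body)
    except (ValidationError, ET.ParseError) as err:
        return f"rejected: {err}"
    ET.fromstring(body)
    return "accepted"


# Constructed sample bodies: a benign request and an over-nested one of the
# kind a Coercive Parsing payload relies on.
BENIGN_BODY = b"<getQuote><symbol>ACME</symbol></getQuote>"


def nested_body(levels: int) -> bytes:
    return b"<a>" * levels + b"x" + b"</a>" * levels


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("over-nested", nested_body(200))):
        env = build_envelope(body)
        print(f"{label:12} validate-then-decrypt: {validate_then_decrypt(env)}")
        print(f"{label:12} decrypt-then-validate: {decrypt_then_validate(env)}")
```

Because validate() consumes parser events and aborts at the first violation, the decrypt-then-validate pipeline rejects the over-nested body as soon as the 17th level opens instead of building the whole tree first; that early abort is the step-by-step processing the paragraph above recommends when resources are tight.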


Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.


Categorisation by number of involved parties


Categorisation by attacked component in web service architecture


Categorisation by attack spreading

