Replay Attacks are usually used by an attacker to "replay" the login process to an otherwise restricted resource; therefore violating the access control system.
Before executing the replay attack an attacker has to gain access to a SOAP Message that contains the login credentials. This can be achieved in various ways. Some examples are:
- Attacker is in control of an intermediary that sits between sender and receiver.
- Attacker has access to the local machine of the victim; logging all outgoing traffic.
- Attacker uses "classical" techniques to wire tap TCP/IP traffic.
Once the required data is
If no precautions are taken it doesn't matter if the replayed data is encrypted or not since the receiver can not distinguish between the current and the previous SOAP message.
No attack subtypes are defined.
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following thinks:
- Attacker is able to capture SOAP Messages send between web service client and receiver.
- Attacker can reach endpoint from its location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.
Graphic representation of attack
This the attacker poses as the web service client, the web service client is the attacked component.
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
No example available/necessary.
Attack mitigation / countermeasures
The attack can be countered by introducing random data to each login session. If both parties ensure that each nonce is used only once, replay attacks are not possible any more.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Frederick Hirsch and Pratik Datta. Xml signature best practices. http://www.w3.org/TR/2009/WD-xmldsig-bestpractices-20090226/, 2010. Accessed 01 July 2010.
- Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.