Replay Attack

From WS-Attacks

Attack description

Replay attacks are usually used by an attacker to "replay" a captured login to an otherwise restricted resource, thereby violating the access control system: the attacker never needs to know the credentials, only to resend the message that carries them.

Before executing the replay attack the attacker has to obtain a SOAP message that contains the login credentials. This can be achieved in various ways, for example:

  • The attacker controls an intermediary that sits between sender and receiver.
  • The attacker has access to the victim's local machine and logs all outgoing traffic.
  • The attacker uses "classical" techniques to wiretap TCP/IP traffic.

Once the required data is

If no precautions are taken it does not matter whether the replayed data is encrypted or not: the attacker does not have to read or modify the credentials, only to resend them unchanged, and the receiver cannot distinguish the replayed SOAP message from the original one.


Attack subtypes

No attack subtypes are defined.


Prerequisites for attack

In order for this attack to work the following conditions must hold:

  1. The attacker is able to capture SOAP messages sent between the web service client and the receiver.
  2. The attacker can reach the endpoint from its location, i.e. the attacked web service server is accessible to the attacker. This prerequisite matters if the web service is only available to users within a certain network.


Graphic representation of attack

In this attack the attacker poses as the web service client; the web service client is the attacked component.

[Image: AttackedComponent Client.png]

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.



Attack example

No example available/necessary.

Attack mitigation / countermeasures

The attack can be countered by introducing random data, a nonce, into each login message. If both parties ensure that each nonce is used only once (the sender generates a fresh one per message, the receiver remembers the nonces it has already accepted and rejects repeats), a captured message cannot be replayed. Since the receiver cannot remember nonces forever, the nonce is normally combined with a creation timestamp and the receiver only accepts messages within a short freshness window; the nonce cache then only has to cover that window. WS-Security's UsernameToken carries exactly these two elements (wsse:Nonce and wsu:Created) and derives the password digest from both, so a replayed token can neither be refreshed nor reused.
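The following Python script is an added example, not code from the WS-Attacks page: it builds a constructed SOAP login message with a WS-Security UsernameToken (password digest = Base64(SHA-1(nonce + created + password)), as the UsernameToken profile specifies), then shows why a receiver that only verifies the digest accepts a captured message again and again, and how a receiver that additionally enforces a freshness window and a nonce cache rejects the replay. The user database, the five-minute window and the fixed clock are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store for the example (assumption; a real service holds password hashes).
USERS = {"alice": "s3cret"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_login(user: str, password: str, created: str) -> str:
    """Constructed client message: a SOAP envelope carrying a UsernameToken with nonce and timestamp."""
    nonce = secrets.token_bytes(16)
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getAccountBalance/></soap:Body>
</soap:Envelope>"""


def parse_token(message: str) -> dict:
    """Pull the UsernameToken fields out of the SOAP header."""
    tok = ET.fromstring(message).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in message")
    return {
        "user": tok.findtext(f"{{{WSSE}}}Username") or "",
        "digest": tok.findtext(f"{{{WSSE}}}Password") or "",
        "nonce": base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or ""),
        "created": tok.findtext(f"{{{WSU}}}Created") or "",
    }


def digest_ok(t: dict) -> bool:
    pw = USERS.get(t["user"])
    return pw is not None and hmac.compare_digest(
        t["digest"], password_digest(t["nonce"], t["created"], pw))


class NaiveReceiver:
    """Verifies the digest only: a captured message stays valid forever."""

    def accept(self, message: str) -> bool:
        return digest_ok(parse_token(message))


class ReplaySafeReceiver:
    """Verifies the digest, enforces a freshness window and rejects nonces seen before."""

    def __init__(self, now, freshness=timedelta(minutes=5)):
        self._now = now            # clock callable, injectable for the example
        self.freshness = freshness
        self._seen = {}            # nonce -> time after which a replay is caught by the timestamp check

    def accept(self, message: str) -> bool:
        t = parse_token(message)
        if not digest_ok(t):
            return False
        created = datetime.strptime(t["created"], FMT).replace(tzinfo=timezone.utc)
        now = self._now()
        if abs(now - created) > self.freshness:
            return False           # stale or clock-skewed token: outside the window the cache covers
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}  # bound the cache
        if t["nonce"] in self._seen:
            return False           # replay: same nonce within the freshness window
        self._seen[t["nonce"]] = created + self.freshness
        return True


def run_scenario() -> dict:
    """Alice logs in once; the attacker replays the captured message now and again ten minutes later."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = {"now": base}
    captured = build_login("alice", "s3cret", base.strftime(FMT))
    naive, safe = NaiveReceiver(), ReplaySafeReceiver(now=lambda: clock["now"])
    r = {"naive_first": naive.accept(captured), "naive_replay": naive.accept(captured),
         "safe_first": safe.accept(captured), "safe_replay": safe.accept(captured)}
    clock["now"] = base + timedelta(minutes=10)
    r["safe_stale_replay"] = safe.accept(captured)   # cache purged, but the timestamp is too old
    r["safe_fresh_login"] = safe.accept(build_login("alice", "s3cret", clock["now"].strftime(FMT)))
    r["wrong_password"] = safe.accept(build_login("alice", "wrong", clock["now"].strftime(FMT)))
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {'accepted' if v else 'rejected'}")
```

The two checks only work together: without the timestamp the nonce cache would have to grow forever, and without the nonce cache a captured message could be replayed freely inside the freshness window. The window also has to absorb clock skew between client and server, so it should be short but not zero.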


Attack categorisation

Categorisation by violated security objective

The attack lets the attacker pass the login as a legitimate client and reach otherwise restricted resources; therefore it violates the security objective Authentication (access control).


Categorisation by number of involved parties


Categorisation by attacked component in web service architecture


Categorisation by attack spreading

