Active WS-MITM

From WS-Attacks

The Message Sniffing attack is a classical passive MITM[1] attack.

Attack description

Active WS-MITM (Active Web Service - Man in the middle) attacks describe attacks where an attacker alters the data sent between a web service client and web service receiver. The attacker changes the SOAP message in transit and therefore violates the security objective of "Integrity".

Since web services usually rely on foundational Internet technologies like TCP/IP, all known MITM attack tools and techniques can be used by an attacker. Refer to [2] for a list of various tools.

However, with web services a new potential attack vector is introduced: a web service request may pass through an arbitrary number of intermediary web services before it reaches its destination. If only one of these intermediaries is under the control of the attacker, the attacker is able to alter the SOAP request.



Attack subtypes

Two attack subtypes are defined:

  • Routing Detour
    During this attack the attacker also intercepts the SOAP message, but instead of altering the SOAP Body he adds additional routing information to the SOAP Header. The altered message is then passed on to the new intermediaries.
    When new intermediaries are added, one can assume that these intermediaries are under the control of the attacker. The malicious intermediaries usually perform a Malicious Morphing attack.
    When an intermediary is bypassed, certain operations on the SOAP message are omitted. That means that processing steps which the attacker wants to avoid are left out. For example, the payment operation could be one of these steps.
    For more information on routing refer to the WS-Addressing standard [3].


Prerequisites for attack

In order for this attack to work the following prerequisite has to be met:

  1. The attacker has access to an intermediary web service that relays messages between the attacked web service client and server.


Graphical representation of attack

In this case the attacker is in control of the intermediary that sits between the attacked server and client. Usually both the web service client and the server are affected by the attack, since an altered request usually results in an altered response, which might go undetected by the client. No specific component of the receiving web service is attacked in general; that is why the receiving web service as a whole is marked.

[Figure: AttackedComponent Intermediary2.png]

  • Red = attacked web service
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.



Attack example

Example 1 for the "Malicious Morphing" attack:

<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"      
                xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
   <S:Header>
   </S:Header>
   <S:Body>
      <S:MoneyReceiver>Andy</S:MoneyReceiver>
      <!-- An attacker could swap the name "Andy" with his own name, making him the receiver of the money -->
   </S:Body>
 </S:Envelope>

Listing 1: "Malicious Morphing" attack example


Example 2 for the "Routing Detour" attack: Listing 2 shows an excerpt of an unaltered SOAP message with routing information. Listing 3 shows the same example with altered routing information: the destination was changed to a malicious web service address. If the malicious receiver then alters the routing information back to its original state, the attack remains undetected. This example was taken from [4].

<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"      
                xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
   <S:Header>
    <wsa:MessageID>
      uuid:6B29FC40-CA47-1067-B31D-00DD010662DA
    </wsa:MessageID>
    <wsa:ReplyTo>
      <wsa:Address>http://business456.example/client1</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://fabrikam123.example/Purchasing</wsa:To> <!-- Original receiver!! -->
    <wsa:Action>http://fabrikam123.example/SubmitPO</wsa:Action>
   </S:Header>
   <S:Body>
     ...
   </S:Body>
 </S:Envelope>

Listing 2: unaltered message


<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"      
                xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
   <S:Header>
    <wsa:MessageID>
      uuid:6B29FC40-CA47-1067-B31D-00DD010662DA
    </wsa:MessageID>
    <wsa:ReplyTo>
      <wsa:Address>http://business456.example/client1</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://ATTACKER.com/Purchasing</wsa:To>  <!-- Malicious receiver ATTACKER.com!! -->
    <wsa:Action>http://ATTACKER.com/SubmitPO</wsa:Action>
   </S:Header>
   <S:Body>
     ...
   </S:Body>
 </S:Envelope>

Listing 3: altered message



Attack mitigation / countermeasures

Make use of cryptography for confidential data and sign the important parts of the SOAP message. In that case an "Active WS-MITM" attack is always detected, since decryption or signature verification of the altered parts always fails at the receiver.

Special precautions have to be taken when defending against the "Routing Detour" attack. The attack can be defended against if all routing-relevant data in the header is signed and checked against a predefined "routing schema" that is known to all intermediaries involved.
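The two-layer check described above, as an added example that is not part of the WS-Attacks page: an intermediary verifies a signature over the WS-Addressing routing headers of Listing 2 and then checks wsa:To against a routing schema, which rejects the detoured message of Listing 3. The HMAC is a stand-in for a WS-Security XML signature, and the routing schema, the shared key and the sample envelopes are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSA_NS = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
# Routing-relevant WS-Addressing headers that the sender's signature must cover.
ROUTING_FIELDS = ["{%s}MessageID" % WSA_NS, "{%s}To" % WSA_NS, "{%s}Action" % WSA_NS,
                  "{%s}ReplyTo/{%s}Address" % (WSA_NS, WSA_NS)]
# Hypothetical routing schema shared by all intermediaries (constructed): per wsa:Action,
# the only wsa:To destinations that are acceptable.
ROUTING_SCHEMA = {"http://fabrikam123.example/SubmitPO": {"http://fabrikam123.example/Purchasing"}}

def routing_headers(envelope_xml):
    """Return the routing-relevant header values of a SOAP envelope."""
    header = ET.fromstring(envelope_xml).find("{%s}Header" % SOAP_NS)
    return {f: header.findtext(f, "").strip() for f in ROUTING_FIELDS}

def sign_routing(envelope_xml, key):
    """HMAC over the routing headers; a stand-in for a WS-Security XML signature."""
    canon = "\n".join("%s=%s" % kv for kv in sorted(routing_headers(envelope_xml).items()))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()

def verify_routing(envelope_xml, key, signature):
    """Intermediary-side check: signature over routing headers, then routing schema."""
    if not hmac.compare_digest(sign_routing(envelope_xml, key), signature):
        return False, "signature mismatch: routing headers altered in transit"
    hdr = routing_headers(envelope_xml)
    to, action = hdr["{%s}To" % WSA_NS], hdr["{%s}Action" % WSA_NS]
    if to not in ROUTING_SCHEMA.get(action, set()):
        return False, "routing schema violation: %s not allowed for %s" % (to, action)
    return True, "ok"

def envelope(to, action):
    """Build a message shaped like Listing 2/3 (constructed sample, body elided)."""
    return ('<S:Envelope xmlns:S="%s" xmlns:wsa="%s"><S:Header>'
            "<wsa:MessageID>uuid:6B29FC40-CA47-1067-B31D-00DD010662DA</wsa:MessageID>"
            "<wsa:ReplyTo><wsa:Address>http://business456.example/client1</wsa:Address></wsa:ReplyTo>"
            "<wsa:To>%s</wsa:To><wsa:Action>%s</wsa:Action></S:Header><S:Body/></S:Envelope>"
            % (SOAP_NS, WSA_NS, to, action))

KEY = b"constructed-demo-key"  # shared by the sender and the verifying intermediary
ORIGINAL = envelope("http://fabrikam123.example/Purchasing", "http://fabrikam123.example/SubmitPO")
DETOURED = envelope("http://ATTACKER.com/Purchasing", "http://ATTACKER.com/SubmitPO")  # Listing 3
SIG = sign_routing(ORIGINAL, KEY)  # computed by the sender before the message leaves

if __name__ == "__main__":
    print(verify_routing(ORIGINAL, KEY, SIG))  # (True, 'ok')
    print(verify_routing(DETOURED, KEY, SIG))  # signature mismatch
    print(verify_routing(DETOURED, KEY, sign_routing(DETOURED, KEY)))  # schema violation
```

The third call shows why the schema check is needed in addition to the signature: a detour whose headers are re-signed with a valid key still fails because the destination is not in the shared routing schema.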

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.


Categorisation by number of involved parties

The "Malicious Morphing" attack is categorized as follows:

The "Routing Detour" attack is categorized as follows:


Categorisation by attacked component in web service architecture

The "Malicious Morphing" attack is categorized as follows:

The "Routing Detour" attack is categorized as follows:

Categorisation by attack spreading


References

  1. Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.