WS-Addressing spoofing

From WS-Attacks

Attack description

The WS-Addressing standard[1] allows routing information to be added to the SOAP header, which enables asynchronous communication: a message can name a separate endpoint (for example in the <ReplyTo> element) to which the response is to be delivered.


Attack subtypes

Three attack subtypes are defined:

  1. WS-Address spoofing - Generic
    The generic definition describes the following scenario: An attacker sends a SOAP message containing WS-Addressing information to a web service server. The <ReplyTo> element doesn't contain the address of the attacker but instead that of a web service client the attacker has chosen to receive the message. This results in unwanted traffic/SOAP messages for the receiving web service client. Depending on the amount of traffic, DoS scenarios are possible. However, other attack scenarios are possible too.

  2. WS-Address spoofing - BPEL Rollback

This subtype requires the existence of some sort of BPEL engine. Let's assume that an attacker sends SOAP messages to a web service, resulting in the creation of new BPEL process instances. Each SOAP message contains a <ReplyTo> element with an invalid callback endpoint. After the SOAP message has been processed by the BPEL engine, the engine tries to call the endpoint defined in <ReplyTo>. This action results in some form of error response, such as a refused connection or a SOAP fault. In return, this error response has to be processed by the BPEL engine as well.
If a BPEL engine gets flooded with many SOAP messages as described above, a high workload for the BPEL engine results. In the worst case the result is a DoS.
This kind of flooding attack is a lot more devastating than a regular flooding attack, since one message results in multiple actions/web service calls being executed by the BPEL engine. The attack only becomes visible once all stages of the BPEL process have been run through.

  3. WS-Address spoofing - Middleware Hijacking

Prerequisites for attack

In order for this attack to work the attacker has to have knowledge about the following things:

  1. Attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
  2. Attacker knows that the web service processes the security header and the "encryption" element and/or "signature" element. If the web service doesn't "expect" an encrypted part, it just discards the encryption and the attack doesn't work.
  3. Attacker can reach the endpoint from his location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.


Graphic representation of attack

The image below shows the attack flow. The attacked component is the web service client, receiving unwanted traffic from the web service server.

AttackedComponent Addressing.png

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.



Attack example

Example 1: An example of the WS-Address spoofing - Generic attack is pictured in Figures 2 and 3. Figures taken from [2]. As shown in Figure 3, the attacker causes a response to be sent to a client that never issued the corresponding request.

WS-Address Spoofing1.png

Figure 2: Regular SOAP traffic between WS client and WS server.


WS-Address Spoofing2.png

Figure 3: SOAP traffic from WS client to WS server never requested by WS client.



Example 2 shows the architecture for a WS-Address spoofing - Middleware Hijacking attack. Figure taken from [1] (Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009).

WS-Address Spoofing3.png

Figure 4: Architecture for the "WS-Address spoofing - Middleware Hijacking attack".

Attack mitigation / countermeasures

In order to prevent a WS-Address spoofing attack, the caller's endpoint (the address given in <ReplyTo> or a similar callback element) has to be verified before any further processing is done. This is especially important when SOAP messages are processed by a BPEL engine, because there an unverified callback address triggers several follow-up actions per message. However, up to now, there is no standardized way of doing this verification.
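As an added illustration of the check described above (this is example code written for this page, not code from the WS-Attacks wiki or from any WS-Addressing implementation), the following Python snippet extracts the wsa:ReplyTo address from a SOAP 1.2 envelope and accepts the message only if the callback is either anonymous (reply on the same connection, the WS-Addressing default when <ReplyTo> is absent) or one of a set of callback endpoints that clients registered out of band. The registry, the endpoint URLs and the sample envelopes are constructed for the example; the allowlist approach is one possible policy, since, as the page notes, no standardized verification exists. It also illustrates the generic subtype from the attack description: the third envelope names a callback belonging to a client that never sent the request.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSA_NS = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA_NS + "/anonymous"  # reply on the same connection
WSA_NONE = WSA_NS + "/none"            # no reply expected at all

# Hypothetical registry of callback endpoints that clients registered out of band
# (constructed for this example; a real service would keep this in its own store).
REGISTERED_CALLBACKS = {
    "https://client-a.example.net/callback",
}


def reply_to_address(envelope_xml):
    """Return the text of wsa:ReplyTo/wsa:Address, or the anonymous URI if absent."""
    root = ET.fromstring(envelope_xml)
    addr = root.find(f"{{{SOAP_NS}}}Header/{{{WSA_NS}}}ReplyTo/{{{WSA_NS}}}Address")
    if addr is None or not (addr.text or "").strip():
        return WSA_ANONYMOUS  # WS-Addressing default when no ReplyTo is given
    return addr.text.strip()


def check_reply_to(envelope_xml, registered=REGISTERED_CALLBACKS):
    """Decide whether the message may be processed.

    Returns (accepted, reason). Messages whose callback is not the anonymous
    URI and not a registered endpoint are rejected before any further work
    (and in particular before a BPEL process instance would be created).
    """
    try:
        addr = reply_to_address(envelope_xml)
    except ET.ParseError as exc:
        return False, f"malformed envelope: {exc}"
    if addr in (WSA_ANONYMOUS, WSA_NONE):
        return True, "synchronous reply, no callback"
    parsed = urlparse(addr)
    if parsed.scheme != "https":
        return False, f"callback scheme not allowed: {parsed.scheme or 'none'}"
    if addr not in registered:
        return False, f"callback endpoint not registered: {addr}"
    return True, "registered callback"


def _envelope(reply_to_xml):
    """Build a constructed SOAP 1.2 envelope with the given ReplyTo fragment."""
    return f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsa="{WSA_NS}">
  <s:Header>
    <wsa:To>https://service.example.com/orders</wsa:To>
    <wsa:Action>urn:example:orders:submit</wsa:Action>
    <wsa:MessageID>urn:uuid:00000000-0000-0000-0000-000000000001</wsa:MessageID>
    {reply_to_xml}
  </s:Header>
  <s:Body><submitOrder xmlns="urn:example:orders"><item>x</item></submitOrder></s:Body>
</s:Envelope>"""


# Constructed sample messages.
NO_REPLY_TO_ENVELOPE = _envelope("")
REGISTERED_ENVELOPE = _envelope(
    "<wsa:ReplyTo><wsa:Address>https://client-a.example.net/callback</wsa:Address></wsa:ReplyTo>"
)
# The generic spoofing case: ReplyTo names a client that never sent this request.
SPOOFED_ENVELOPE = _envelope(
    "<wsa:ReplyTo><wsa:Address>https://client-b.example.net/callback</wsa:Address></wsa:ReplyTo>"
)
PLAINTEXT_ENVELOPE = _envelope(
    "<wsa:ReplyTo><wsa:Address>http://client-a.example.net/callback</wsa:Address></wsa:ReplyTo>"
)

if __name__ == "__main__":
    for name, env in [
        ("no ReplyTo", NO_REPLY_TO_ENVELOPE),
        ("registered", REGISTERED_ENVELOPE),
        ("spoofed", SPOOFED_ENVELOPE),
        ("plaintext", PLAINTEXT_ENVELOPE),
    ]:
        accepted, reason = check_reply_to(env)
        print(f"{name:>11}: {'accept' if accepted else 'reject'} ({reason})")
```

The check runs at message intake, so a message with a bogus callback is dropped before it can create a BPEL process instance and cause the chain of follow-up calls the BPEL Rollback subtype relies on. Rejected messages are worth logging with the offending callback address, since a burst of them against one endpoint is the visible trace of the generic attack.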



Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.


Categorisation by number of involved parties


Categorisation by attacked component in web service architecture

"WS-Address spoofing - BPEL Rollback" is filed under:

"WS-Address spoofing - Middleware Hijacking" is filed under:


Categorisation by attack spreading


References

  1. Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.