Difference between revisions of "Main Page"

m (1 revision imported: Import from WS-Attacks)
(Redirected page to Welcome to WS-Attacks)
 
Line 1: Line 1:
+ #REDIRECT [[Welcome to WS-Attacks]]
WS-Attacks.org is '''not''' a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today's web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
 
 
 
Okay, how do I get started?
 
If you are familiar with the basics, you can dive right into the [[Web_Service_Attacks_By_Category|Attacks]]. All attacks are categorised and structured in a stringent fashion. Depending on your viewpoint, you can choose to have attacks listed by one of the four categories:
 
 
 
*[[:Category:Attack_Categorisation_By_Violated_Security_Objective|Attack Categorisation by violated security objective]]
 
*[[:Category:Attack_Categorisation_By_Number_Of_Involved_Parties|Attack Categorisation by number of involved parties]]
 
*[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component|Attack Categorisation by attacked web service component]]
 
*[[:Category:Attack_Categorisation_By_Attack_Spreading|Attack Categorisation by attack spreading]]

Alternatively you can browse through the entire list of attacks (sorted by violated security objective):
 
 
 
 
 
 
 
Attacks primarily violating the security objective "Availability"
 
 
 
[[BPEL Instantiation Flooding]]
 
 
 
[[BPEL Indirect Flooding]]
 
 
 
[[BPEL State Deviation]]
 
 
 
*[[BPEL Correlation Invalidation]]
 
 
 
*[[BPEL State Invalidation]]
 
 
 
[[Coercive Parsing]]
 
 
 
[[Oversized XML DOS]] aka [[Oversized XML attack]]
 
 
 
*[[XML Extra Long Names]] aka [[XML MegaTags]] aka [[XML Jumbo Tag Names]]
 
 
 
*[[XML Namespace Prefix Attack]]
 
 
 
*[[XML Oversized Attribute Content]]
 
 
 
*[[XML Oversized Attribute Count]]
 
 
 
[[Reference Redirect]]
 
 
 
*[[Signature Redirect]]
 
 
 
*[[Encryption Redirect]]
 
 
 
[[Recursive Cryptography]] aka [[Oversized Cryptography]] aka [[Cryptography DOS]] aka [[XML Complexity Attack in Soap Header]]
 
 
 
*[[Chained Cryptographic Keys]] aka [[Public Key DOS]]
 
 
 
*[[Nested Encrypted Blocks]]
 
 
 
[[Soap Array Attack]]
 
 
 
[[SOAP Parameter DOS]] aka [[Parameter Tampering]]
 
 
 
[[WS-Addressing spoofing]]
 
 
 
*[[WS-Addressing spoofing - Generic]]
 
 
 
*[[WS-Addressing spoofing - BPEL Rollback]]
 
 
 
*[[WS-Addressing spoofing - Middleware Hijacking]]
 
 
 
[[XML Document Size Attack]] aka [[Oversize payload attack]] aka [[Jumbo payload Attack]]
 
 
 
*[[Oversized SOAP Header]]
 
 
 
*[[Oversized SOAP Body]]
 
 
 
*[[Oversized SOAP Envelope]]
 
 
 
[[XML Encryption - Transformation DOS]]
 
 
 
*[[XML Encryption - XSLT DOS]]
 
 
 
*[[XML Encryption - Xpath DOS]]
 
 
 
[[XML External Entity DOS]]
 
 
 
[[XML Entity Expansion]]
 
 
 
*[[XML Generic Entity Expansion]]
 
 
 
*[[XML Recursive Entity Expansion]]
 
 
 
*[[XML Remote Entity Expansion]]
 
 
 
*[[XML C14N Entity Expansion]]
 
 
 
[[XML Entity Reference Attack]]
 
 
 
[[XML Flooding]]
 
 
 
*[[Distributed XML Flooding]]
 
 
 
*[[Single XML Flooding]]
 
 
 
[[XML Signature - Key Retrieval DOS]]
 
 
 
[[XML Signature – Transformation DOS]]
 
 
 
*[[XML Signature - C14N DOS]]
 
 
 
*[[XML Signature - XSLT DOS]]
 
 
 
*[[XML Signature - Xpath DOS]]
 
 
 
 
 
 
 
Attacks primarily violating the security objective "Integrity"
 
 
 
[[Active WS-MITM]]
 
 
 
*[[Malicious Morphing]] aka [[Message Tampering]] aka [[Content Tampering]] aka [[Message Alternation]] aka [[Data Tampering]] aka [[Falsified Message]]
 
 
 
*[[Routing Detour]]
 
 
 
[[Metadata Spoofing]] aka [[Schema Poisoning]]
 
 
 
* [[WSDL Spoofing]] aka [[WSDL Parameter Tampering]]
 
 
 
* [[WS Security Policy Spoofing]]
 
 
 
[[XML Signature Wrapping]] aka [[XML Rewriting]]
 
 
 
*[[XML Signature Wrapping - Simple Context]]
 
 
 
*[[XML Signature Wrapping - Optional Element]]
 
 
 
*[[XML Signature Wrapping - Optional Element in Security Header]]
 
 
 
*[[XML Signature Wrapping - with Namespace Injection]]
 
 
 
[[XML Signature Exclusion]]
 
 
 
 
 
 
 
Attacks primarily violating the security objective "Confidentiality"
 
 
 
[[Passive WS-MITM]] aka [[Message Sniffing]] aka [[Message Snopping]]
 
 
 
[[WSDL Disclosure]]
 
 
 
*[[WSDL Enumeration]] aka [[WSDL Scanning]]
 
 
 
*[[WSDL Google Hacking]]
 
 
 
 
 
Attacks primarily violating the security objective "Access Control"
 
 
 
[[Replay Attack]]
 
 
 
[[SOAPAction Spoofing]]
 
 
 
*[[SOAPAction Spoofing - MITM Attack]]
 
 
 
*[[SOAPAction Spoofing - Bypass Attack]]
 
 
 
 
 
Other attacks
 
 
 
[[Attack Obfuscation]]
 
 
 
[[XML Injection]]
 
 
 
[[XML Signature - Key Retrieval XSA (Cross Site Attack)]]
 
 
 
[[XML Signature – XSLT Code Execution]]
 
 
 
[[Xpath Injection]]

If you have any questions or comments, feel free to contact us or just contribute by editing the wiki yourself!
 

Latest revision as of 11:22, 23 December 2015