|
|
| Line 1: |
Line 1: |
| − | WS-Attacks.org is '''not''' a new web service standard by the OASIS Group or W3C;
| + | #REDIRECT [[Welcome to WS-Attacks]] |
| − | instead it presents the flaws of today's web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
| |
| − | | |
| − | Okay, how do I get started?
| |
| − | If you are familiar with the basics you can dive right into the [[Web_Service_Attacks_By_Category|Attacks]]. All attacks are categorised and structured in a stringent fashion. Depending on your viewpoint a you can choose to have attacks listed by one of the four categories:
| |
| − | | |
| − | *[[:Category:Attack_Categorisation_By_Violated_Security_Objective|Attack Categorisation by violated security objective]]
| |
| − | *[[:Category:Attack_Categorisation_By_Number_Of_Involved_Parties|Attack Categorisation by number of involved parties]]
| |
| − | *[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component|Attack Categorisation by attacked web service component]]
| |
| − | *[[:Category:Attack_Categorisation_By_Attack_Spreading|Attack Categorisation by attack spreading]]
| |
| − | | |
| − | | |
| − | | |
| − | Alternatively you can browse through the entire list of attacks (sorted by violated security objective):
| |
| − | | |
| − | | |
| − | | |
| − | Attacks primarily violating the security objective "Availability"
| |
| − | | |
| − | [[BPEL Instantiation Flooding]]
| |
| − | | |
| − | [[BPEL Indirect Flooding]]
| |
| − | | |
| − | [[BPEL State Deviation]]
| |
| − | | |
| − | *[[BPEL Correlation Invalidation]]
| |
| − | | |
| − | *[[BPEL State Invalidation]]
| |
| − | | |
| − | [[Coercive Parsing]]
| |
| − | | |
| − | [[Oversized XML DOS]] aka [[Oversized XML attack]]
| |
| − | | |
| − | *[[XML Extra Long Names]] aka [[XML MegaTags]] aka [[XML Jumbo Tag Names]]
| |
| − | | |
| − | *[[XML Namespace Prefix Attack ]]
| |
| − | | |
| − | *[[XML Oversized Attribute Content]]
| |
| − | | |
| − | *[[XML Oversized Attribute Count]]
| |
| − | | |
| − | [[Reference Redirect]]
| |
| − | | |
| − | *[[Signature Redirect]]
| |
| − | | |
| − | *[[Encryption Redirect]]
| |
| − | | |
| − | [[Recursive Cryptography]] aka [[Oversized Cryptography]] aka [[Cryptography DOS]] aka [[XML Complexity Attack in Soap Header]]
| |
| − | | |
| − | *[[Chained Cryptographic Keys]] aka [[Public Key DOS]]
| |
| − | | |
| − | *[[Nested Encrypted Blocks]]
| |
| − | | |
| − | [[Soap Array Attack]]
| |
| − | | |
| − | [[SOAP Parameter DOS]] aka [[Parameter Tampering]]
| |
| − | | |
| − | [[WS-Addressing spoofing]]
| |
| − | | |
| − | *[[WS-Addressing spoofing - Generic]]
| |
| − | | |
| − | *[[WS-Addressing spoofing - BPEL Rollback]]
| |
| − | | |
| − | *[[WS-Addressing spoofing - Middleware Hijacking]]
| |
| − | | |
| − | [[XML Document Size Attack]] aka [[Oversize payload attack]] aka [[Jumbo payload Attack]]
| |
| − | | |
| − | *[[Oversized SOAP Header]]
| |
| − | | |
| − | *[[Oversized SOAP Body]]
| |
| − | | |
| − | *[[Oversized SOAP Envelope]]
| |
| − | | |
| − | [[XML Encryption - Transformation DOS]]
| |
| − | | |
| − | *[[XML Encryption - XSLT DOS]]
| |
| − | | |
| − | *[[XML Encryption - Xpath DOS]]
| |
| − | | |
| − | [[XML External Entity DOS]]
| |
| − | | |
| − | [[XML Entity Expansion]]
| |
| − | | |
| − | *[[XML Generic Entity Expansion]]
| |
| − | | |
| − | *[[XML Recursive Entity Expansion]]
| |
| − | | |
| − | *[[XML Remote Entity Expansion]]
| |
| − | | |
| − | *[[XML C14N Entity Expansion]]
| |
| − | | |
| − | [[XML Entity Reference Attack]]
| |
| − | | |
| − | [[XML Flooding]]
| |
| − | | |
| − | *[[Distributed XML Flooding]]
| |
| − | | |
| − | *[[Single XML Flooding]]
| |
| − | | |
| − | [[XML Signature - Key Retrieval DOS]]
| |
| − | | |
| − | [[XML Signature – Transformation DOS]]
| |
| − | | |
| − | *[[XML Signature - C14N DOS]]
| |
| − | | |
| − | *[[XML Signature - XSLT DOS]]
| |
| − | | |
| − | *[[XML Signature - Xpath DOS]]
| |
| − | | |
| − | | |
| − | | |
| − | Attacks primarily violating the security objective "Integrity"
| |
| − | | |
| − | [[Active WS-MITM]]
| |
| − | | |
| − | *[[Malicious Morphing]] aka [[Message Tampering]] aka [[Content Tampering]] aka [[Message Alternation]] aka [[Data Tampering]] aka [[Falsified Message]]
| |
| − | | |
| − | *[[Routing Detour]]
| |
| − | | |
| − | [[Metadata Spoofing]] aka [[Schema Poisoning]]
| |
| − | | |
| − | * [[WSDL Spoofing]] aka [[WSDL Parameter Tampering]]
| |
| − | | |
| − | * [[WS Security Policy Spoofing]]
| |
| − | | |
| − | [[XML Signature Wrapping]] aka [[XML Rewriting]]
| |
| − | | |
| − | *[[XML Signature Wrapping - Simple Context]]
| |
| − | | |
| − | *[[XML Signature Wrapping - Optional Element]]
| |
| − | | |
| − | *[[XML Signature Wrapping - Optional Element in Security Header]]
| |
| − | | |
| − | *[[XML Signature Wrapping - with Namespace Injection]]
| |
| − | | |
| − | [[XML Signature Exclusion]]
| |
| − | | |
| − | | |
| − | | |
| − | Attacks primarily violating the security objective “Confidentiality” | |
| − | | |
| − | [[Passive WS-MITM]] aka [[Message Sniffing]] aka [[Message Snopping]]
| |
| − | | |
| − | [[WSDL Disclosure]]
| |
| − | | |
| − | *[[WSDL Enumeration]] aka [[WSDL Scanning]]
| |
| − | | |
| − | *[[WSDL Google Hacking]]
| |
| − | | |
| − | | |
| − | Attacks primarily violating the security objective “Access Control”
| |
| − | | |
| − | [[Replay Attack]]
| |
| − | | |
| − | [[SOAPAction Spoofing]]
| |
| − | | |
| − | *[[SOAPAction Spoofing - MITM Attack]]
| |
| − | | |
| − | *[[SOAPAction Spoofing - Bypass Attack]]
| |
| − | | |
| − | | |
| − | Other attacks
| |
| − | | |
| − | [[Attack Obfuscation]]
| |
| − | | |
| − | [[XML Injection]]
| |
| − | | |
| − | [[XML Signature - Key Retrieval XSA (Cross Site Attack)]]
| |
| − | | |
| − | [[XML Signature – XSLT Code Execution]]
| |
| − | | |
| − | [[Xpath Injection]]
| |
| − | | |
| − | | |
| − | | |
| − | | |
| − | If you have any questions or comments feel free to contact us or just contribute by editing the wiki yourself!
| |
