Oversized XML attack
Latest revision as of 11:26, 31 October 2015
Attack description
In a regular SOAP message the components within an XML tag usually have a length of a few characters. Namespace declarations can get as long as a few hundred characters, but that usually doesn't pose a problem to any XML parser. However, when used in a malicious way, the components within an XML tag can be used to mount denial-of-service attacks. For example, by using overly long attribute names, a parser might crash because of memory exhaustion. The attack is possible because the XML standard [1] doesn't limit the size of components in XML tags such as:
- length of element name
- length of attribute name
- length of namespace
- number of attributes
However, countermeasures are available.
Attack subtypes
There are a variety of attack subtypes that share the same idea: the creation of oversized XML tags.
- XML Extra Long Names
The "XML Extra Long Names" attack is very basic to execute. All the attacker has to do is use a very long element name, attribute name or namespace. In case of a successful attack the buffer of the XML parser for element names, attribute names and namespaces overflows, which results in a denial of service.
This attack is also known as XML Jumbo Tag Names and XML MegaTags.
- XML Namespace Prefix Attack
Before a namespace prefix can be resolved, all attributes of the element have to be read, because at a later stage the namespace prefix declaration might get overwritten by another declaration. If an attacker places many attributes in an element, a buffer overflow in the XML parser occurs before the namespace prefix gets declared.
- XML Oversized Attribute Content
The "XML Oversized Attribute Content" attack causes a buffer overflow by using a very large string as value of an attribute.
- XML Oversized Attribute Count
The "XML Oversized Attribute Count" attack causes a buffer overflow by using a large number of attributes in an element.
Prerequisites for attack
In order for this attack to work, the attacker has to have knowledge about the following things:
- Attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
- Attacker can reach the endpoint from his location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company, this attack is limited.
Graphical representation of attack
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack example
An example for each attack is presented in the following.
Listing 1 gives an example of a SOAP message with an overlong element name.
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<XXXXXXXXXXXXXXXX<!--Element name continued until it reaches a size of a few hundred MB-->XXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
<!--Value XY-->
</XXXXXXXXXXXXXXX<!--Element name continued until it reaches a size of a few hundred MB-->XXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
</soap:Body>
</soap:Envelope>
Listing 1: Attack example "XML Extra Long Names"
Listing 2 gives an example of a "XML Namespace Prefix Attack". In the example below, a large number of attributes is placed in the element, so the parser has to read all of them before the namespace prefix can be resolved.
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://example.org/soap/">
<soap:Body>
<ns:Prefix Attack_1="XXXXXX" <!-- Attribute Attack_2 till Attack_9999 --> Attack_10000="XXXXXX" >
</ns:Prefix>
</soap:Body>
</soap:Envelope>
Listing 2: Attack example "XML Namespace Prefix Attack"
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://example.org/soap/">
<soap:Body>
<ns:Prefix Attack="XXXXXX<!--Attribute value continued until it reaches a size of a few hundred MB-->XXXX">
</ns:Prefix>
</soap:Body>
</soap:Envelope>
Listing 3: Attack example "XML Oversized Attribute Content"
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://example.org/soap/">
<soap:Body>
<ns:Prefix Attack_1="XXXXXX" <!-- Attribute Attack_2 till Attack_9999 --> Attack_10000="XXXXXX" >
</ns:Prefix>
</soap:Body>
</soap:Envelope>
Listing 4: Attack example "XML Oversized Attribute Count"
Attack mitigation / countermeasures
Since the XML standard doesn't limit the size of components within an XML tag, the developer has to set up their own limits. Therefore one should manually define a maximum length for each element name, attribute name, and attribute value. Furthermore, a limit on the number of attributes per element should be imposed.
For a more detailed tutorial on how to create a strict XML schema, refer to [2].
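As an added example that is not part of the original page: a small Python pre-parser that enforces exactly these limits (element name length, attribute name length, attribute value length, attribute count, plus a hard cap on the raw message size) on every start tag before a message is handed to the service. The limit values, the sample messages and the function names are assumptions made for this example, not anything the wiki or a particular product defines.

```python
import xml.parsers.expat

# Per-message limits. The numbers are constructed for this example; tune them
# to what the service legitimately receives (a WSDL-driven client rarely needs
# names over a few dozen characters).
LIMITS = {
    "max_document_bytes": 1024 * 1024,  # checked on the raw bytes before parsing
    "max_name_length": 256,             # element and attribute names, prefix included
    "max_attr_value_length": 4096,      # also bounds xmlns:prefix="..." URIs
    "max_attrs_per_element": 32,        # xmlns declarations count as attributes
}


class OversizedXMLError(ValueError):
    """Raised on the first limit violation found in a message."""


def check_soap_message(data: bytes, limits: dict = LIMITS) -> dict:
    """Stream `data` through expat and enforce the limits on every start tag.

    Namespace processing is deliberately left off: that way xmlns:prefix="uri"
    arrives as an ordinary attribute and is covered by the name, value and
    count checks, so all four unbounded components from the attack description
    are limited. Returns simple statistics on success.
    """
    if len(data) > limits["max_document_bytes"]:
        raise OversizedXMLError(
            f"document is {len(data)} bytes, limit {limits['max_document_bytes']}")

    stats = {"elements": 0, "longest_name": 0,
             "longest_attr_value": 0, "most_attrs": 0}

    def start_element(name, attrs):
        # ordered_attributes=True delivers a flat [name, value, name, value, ...]
        names, values = attrs[0::2], attrs[1::2]
        if len(name) > limits["max_name_length"]:
            raise OversizedXMLError(f"element name of {len(name)} chars")
        if len(names) > limits["max_attrs_per_element"]:
            raise OversizedXMLError(f"{len(names)} attributes on <{name}>")
        for attr_name, value in zip(names, values):
            if len(attr_name) > limits["max_name_length"]:
                raise OversizedXMLError(
                    f"attribute name of {len(attr_name)} chars on <{name}>")
            if len(value) > limits["max_attr_value_length"]:
                raise OversizedXMLError(
                    f"value of {attr_name} on <{name}> is {len(value)} chars")
        stats["elements"] += 1
        stats["longest_name"] = max(stats["longest_name"], len(name), *map(len, names))
        stats["longest_attr_value"] = max(stats["longest_attr_value"], 0, *map(len, values))
        stats["most_attrs"] = max(stats["most_attrs"], len(names))

    parser = xml.parsers.expat.ParserCreate()
    parser.ordered_attributes = True
    parser.StartElementHandler = start_element
    # An exception raised inside the handler aborts parsing and propagates here.
    parser.Parse(data, True)
    return stats


def screen(data: bytes, limits: dict = LIMITS) -> str:
    """Gateway-style decision: 'accepted' or 'rejected: <reason>'."""
    try:
        check_soap_message(data, limits)
    except OversizedXMLError as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"


def _envelope(body: str) -> bytes:
    """Wrap a body fragment in a minimal SOAP 1.1 envelope (constructed sample)."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body>' + body.encode() + b'</soap:Body></soap:Envelope>')


# Constructed samples mirroring the listings, shrunk to sizes that run quickly.
BENIGN = _envelope('<ns:Order xmlns:ns="http://example.org/soap/" id="42"/>')
LONG_NAME = _envelope("<" + "X" * 5000 + "/>")                          # Listing 1
MANY_ATTRS = _envelope('<ns:Prefix xmlns:ns="http://example.org/soap/" '
                       + " ".join(f'Attack_{i}="XXXXXX"' for i in range(1, 501))
                       + "/>")                                           # Listings 2 and 4
BIG_VALUE = _envelope('<ns:Prefix xmlns:ns="http://example.org/soap/" Attack="'
                      + "X" * 100_000 + '"/>')                           # Listing 3
HUGE_BODY = _envelope("<p>" + "x" * 2_000_000 + "</p>")                 # rejected before parsing


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("long name", LONG_NAME),
                       ("many attrs", MANY_ATTRS), ("big value", BIG_VALUE),
                       ("huge body", HUGE_BODY)]:
        print(f"{label:10s} -> {screen(msg)}")
```

Note the caveat built into the design: expat still buffers the whole start tag internally before the handler fires, so the per-tag checks bound what reaches the application, while the raw byte cap is what actually bounds parser memory. Both are needed, and in a real deployment this screening belongs in the gateway or web service firewall in front of the endpoint, combined with the strict schema validation described in [2].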
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting the system resources; therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_XML_Parser
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
- Leroy Metin Yaylacioglu. Business value einer web service firewall. Master's thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.
- N/A. Protecting enterprise, SaaS & cloud based applications – a comprehensive threat model for REST, SOA and Web 2.0. Technical report, Intel Corporation, 2009.