Passive WS-MITM
Latest revision as of 12:26, 31 October 2015
Attack description
Passive WS-MITM (passive Web Service Man-in-the-Middle) attacks describe attacks in which an attacker reads the data sent between a web service client and a web service receiver, gaining access to information not intended for him and therefore violating the security objective "Confidentiality".
Since web services usually rely on classical internet technologies such as TCP/IP, all known MITM attack tools and techniques can be used by an attacker. Refer to [1] for a list of various tools.
However, with web services a new potential attacker position is introduced. A web service request passes through an arbitrary number of intermediary web services before it reaches its destination. If only one of these intermediaries is under the control of the attacker, the attacker is able to read the SOAP request.
The attack is also known as Message Sniffing and Message Snooping.
Attack subtypes
No attack subtypes are defined.
Prerequisites for attack
In order for this attack to work, the following prerequisite must hold:
- Attacker has access to an intermediary web service that relays messages between the attacked web service client and server.
Graphical representation of attack
In this case the attacker is in control of the intermediary that sits between the attacked server and client.
Both the web service client and the server are affected by the attack, since the attacker is usually able to read both the request and the response.
- Red = attacked web service
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack example
No attack example available.
Attack mitigation / countermeasures
Make use of cryptography for confidential data, applied end to end at the message level rather than only hop by hop on the transport, so that an intermediary cannot read the payload it relays. In that case a Message Sniffing attack has no effect at all, since the only information the attacker gains is that a message was sent.
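The following added example (not part of the original wiki page) illustrates why message-level encryption defeats a controlled intermediary while transport-level encryption alone does not: the intermediary sees the full serialized envelope after its own TLS hop is terminated, so a confidential field in a plain Body is exposed, whereas a Body replaced by an xenc:EncryptedData element reveals only that a message passed. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for the AES cipher XML Encryption would use; the sample order and key are constructed.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("soap", SOAP)
ET.register_namespace("xenc", XENC)
NONCE_LEN = 12

def keystream_xor(key, nonce, data):
    # Toy PRF stream cipher: HMAC-SHA256 in counter mode. Stands in for the AES
    # cipher XML Encryption would use; illustrative only, carries no integrity tag.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def build_request(payload_xml):
    # Plain SOAP envelope: empty header, confidential payload inside the Body.
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(payload_xml))
    return env

def encrypt_body(env, key):
    # End-to-end protection: replace the Body content by an xenc:EncryptedData element.
    body = env.find(f"{{{SOAP}}}Body")
    plain = b"".join(ET.tostring(c) for c in list(body))
    for c in list(body):
        body.remove(c)
    nonce = os.urandom(NONCE_LEN)
    enc = ET.SubElement(body, f"{{{XENC}}}EncryptedData")
    cv = ET.SubElement(enc, f"{{{XENC}}}CipherValue")
    cv.text = base64.b64encode(nonce + keystream_xor(key, nonce, plain)).decode()
    return env

def decrypt_body(env, key):
    # Receiver side: only the holder of the shared key recovers the payload element.
    body = env.find(f"{{{SOAP}}}Body")
    raw = base64.b64decode(body.find(f"{{{XENC}}}EncryptedData/{{{XENC}}}CipherValue").text)
    plain = keystream_xor(key, raw[:NONCE_LEN], raw[NONCE_LEN:])
    return ET.fromstring(b"<w>" + plain + b"</w>")[0]

def intermediary_view(env):
    # What a relaying intermediary sees once the hop-by-hop TLS towards it is
    # terminated: the complete serialized message it forwards.
    return ET.tostring(env, encoding="unicode")

ORDER = "<Order><Card>4111111111111111</Card></Order>"  # constructed sample payload
KEY = b"shared-client-server-key"                     # constructed sample key
```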
Attack categorisation
Categorisation by violated security objective
The attack aims at reading data not intended for the attacker, therefore it violates the security objective Confidentiality.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Confidentiality
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_1_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Web_Service_Client
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws
References
[1] Leroy Metin Yaylacioglu. Business value einer Web Service Firewall. Master's thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.