Difference between revisions of "Passive WS-MITM"
(→Graphical representation of attack)
m (1 revision imported: Import from WS-Attacks)
Latest revision as of 12:26, 31 October 2015
- 1 Attack description
- 2 Attack subtypes
- 3 Prerequisites for attack
- 4 Graphical representation of attack
- 5 Attack example
- 6 Attack mitigation / countermeasures
- 7 Attack categorisation
- 8 References
Passive WS-MITM (passive Web Service - Man in the middle) attacks describe attacks where an attacker reads the data send between web service client and web service receiver; gaining access to information not intended for him and therefore violating the security objective "Confidentiality".
Since web services usually rely on the classical internet technologies like TCP/IP all known MITM attack tools and techniques can be used by an attacker. Refer to  for a list of various tools.
However with web services a new potential attacker position is introduced. A web service request passes through an arbitrary number of intermediary web services before it reaches its destination. If only one of these intermediaries is under the control of the attacker, the attacker is able to read the soap request.
No attack subtypes are defined.
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following thinks:
- Attacker has access to an intermediary web service that relays messages between the attacked web service client and server.
Graphical representation of attack
In this case the attacker is in control of the intermediary that sits between the attacked server and client. Both web service client and server are effected by the attack, since the attacker is usually able to read the request and the response.
- Red = attacked web service
- Black = location of attacker
- Blue = web service component not directly involved in attack.
No attack example available.
Attack mitigation / countermeasures
Make use of cryptography for confidential data. In that case a Message Sniffing attack has no effect at all, since the only information the attacker gains is that a message was sent.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.