Difference between revisions of "Soap Array Attack"
Latest revision as of 11:26, 31 October 2015
Attack description
SOAP messages are flexible in many ways; even arrays are supported. If you are new to SOAP arrays, check the W3C documentation [1].
However, this feature can be exploited by an attacker to mount a denial-of-service attack that limits the availability of the web service.
Before a SOAP array is used, its size has to be declared, just as in many programming languages. By default, SOAP does not limit the number of elements in an array. An attacker can exploit this property to execute a DoS attack that limits the availability of the web service. Suppose an attacker declares an array with 1,000,000,000 string elements. Before the message is processed any further by the parser, the web service reserves space for 1,000,000,000 string elements in RAM. In most cases this leads to memory exhaustion on the attacked system.
Easy countermeasures are available if one is aware of the attack.
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order for this attack to work, the attacker has to know the following:
- Attacker knows the endpoint of the web service. The WSDL is not required, since the attack targets solely the XML parser; it does not matter whether the operations in the SOAP message are valid.
- Attacker can reach the endpoint from their location. Access to the attacked web service is required; if the web service is only available to users within a company's network, the attack is limited.
Graphical representation of attack
- Red box = attacked web service component
- Black box = attacker location
- Blue box = other web service components not actively used in the attack
Attack example
In our example we take an arbitrary SOAP message with a string array in the SOAP body. In this case the attacker declares a SOAP array with one million elements.
See bachelor thesis, page 61.
<soapenv:Envelope xmlns:soapenv="..." xmlns:soapenc="..."
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soapenv:Body>
    <ns1:FunctionWithArrayInput xmlns:ns1="...">
      <!-- declared size (1,000,000) far exceeds the three items actually sent -->
      <DataSet xsi:type="soapenc:Array"
               soapenc:arrayType="xsd:string[1000000]">
        <item xsi:type="xsd:string">Data1</item>
        <item xsi:type="xsd:string">Data2</item>
        <item xsi:type="xsd:string">Data3</item>
      </DataSet>
    </ns1:FunctionWithArrayInput>
  </soapenv:Body>
</soapenv:Envelope>
Listing 1: SOAP message with malicious array in the body
Attack mitigation / countermeasures
The attack can be stopped by using strict schema validation. In most cases the maximum number of array elements is known. Let us take an example. We assume that at most 10 elements are allowed. In this case an appropriate schema could look like this [2]:
<!-- start excerpt .. -->
<simpleType name="phoneNumber" base="string"/>
<element name="ArrayOfPhoneNumbers">
  <complexType base="SOAP-ENC:Array">
    <element name="phoneNumber" type="tns:phoneNumber" maxOccurs="10"/>
  </complexType>
  <anyAttribute/>
</element>
<!-- end excerpt... -->
Listing 2: Excerpt of the fixed XML Schema
An excerpt of a valid SOAP message could look like this:
<!-- start excerpt .. -->
<xyz:ArrayOfPhoneNumbers SOAP-ENC:arrayType="xyz:phoneNumber[2]">
  <phoneNumber>206-555-1212</phoneNumber>
  <phoneNumber>1-888-123-4567</phoneNumber>
</xyz:ArrayOfPhoneNumbers>
<!-- end excerpt... -->
Listing 3: Excerpt of a valid SOAP message
If the maximum number of elements cannot be limited by default, another solution has to be found. In that case it is best to compare the number of elements declared in the soapenc:arrayType attribute with the number of array elements actually present. If they do not match, the SOAP message is discarded. This check has to be implemented by hand by the web service developer.
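One way to implement that check before the message reaches the SOAP stack (added example, not code from the original page): parse the declared size out of soapenc:arrayType, cap it against a service-specific limit, and reject any message whose declared size does not match the number of items present. The limit of 10 and the ns1 namespace URI are assumed placeholders; the soapenv/soapenc/xsi/xsd URIs are the standard SOAP 1.1 and XML Schema ones. It also handles multi-dimensional declarations such as xsd:int[2,3] and rejects unsized ones such as xsd:string[].

```python
import re
from xml.etree import ElementTree as ET

SOAPENC_NS = "http://schemas.xmlsoap.org/soap/encoding/"
ARRAYTYPE_ATTR = "{%s}arrayType" % SOAPENC_NS
# Matches "xsd:string[3]" or "xsd:int[2,3]" and captures the bracketed dimensions.
ARRAYTYPE_RE = re.compile(r"^[A-Za-z_][\w.\-]*:[A-Za-z_][\w.\-]*\[(\d+(?:,\d+)*)\]$")
MAX_ARRAY_ELEMENTS = 10  # assumed policy value: largest array the service accepts


def declared_size(array_type):
    """Element count promised by a soapenc:arrayType value, or None if the
    value is malformed or unsized (e.g. "xsd:string[]")."""
    m = ARRAYTYPE_RE.match(array_type.strip())
    if not m:
        return None
    size = 1
    for dim in m.group(1).split(","):
        size *= int(dim)  # multi-dimensional arrays: product of all dimensions
    return size


def check_soap_arrays(xml_text, max_elements=MAX_ARRAY_ELEMENTS):
    """Return (ok, reason); ok is False if any array declares more elements
    than the policy allows or than are actually present in the message."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    for elem in root.iter():
        declared = elem.get(ARRAYTYPE_ATTR)
        if declared is None:
            continue
        size = declared_size(declared)
        if size is None:
            return False, "unparsable arrayType %r" % declared
        if size > max_elements:
            return False, "declared %d elements, limit is %d" % (size, max_elements)
        actual = len(list(elem))  # child elements are the array items
        if size != actual:
            return False, "declared %d elements but %d present" % (size, actual)
    return True, "ok"


def soap_message(array_type, items):
    """Constructed SOAP 1.1 request shaped like Listing 1 (ns1 URI is a placeholder)."""
    body = "".join('<item xsi:type="xsd:string">%s</item>' % i for i in items)
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:soapenc="%s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
            ' xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soapenv:Body>'
            '<ns1:FunctionWithArrayInput xmlns:ns1="urn:example-placeholder">'
            '<DataSet xsi:type="soapenc:Array" soapenc:arrayType="%s">%s</DataSet>'
            '</ns1:FunctionWithArrayInput></soapenv:Body></soapenv:Envelope>'
            % (SOAPENC_NS, array_type, body))
```

Run the check on the raw request before it is handed to the SOAP toolkit, and keep a request body size limit in front of it so the pre-check itself cannot be fed an oversized document.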
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting system resources; therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_XML_Parser
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.
- Jan Peters. Use of SOA appliances in service-oriented infrastructures. CAST-Workshop - SOA Security, June 2009.
- Leroy Metin Yaylacioglu. Business value of a web service firewall. Master's thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.