Web Service Attacks By Category
This wiki aims at listing all web service specific attacks. It includes attacks that are:
- based on flaws in the standards themselves
- based on implementation-specific weaknesses found across all major platforms
Attacks that are specific to certain versions of certain frameworks are not included in this wiki to date.
Attack categories
The web service specific attacks are not listed alphabetically. Instead, four different categories were created and are used to list the web service specific attacks. To view the attacks, click on one of the four categories, depending on your point of view. Each categorisation contains the same attacks.
- Attack Categorisation by violated security objective
- Attack Categorisation by number of involved parties
- Attack Categorisation by attacked web service component
- Attack Categorisation by attack spreading
List of all attacks
Attacks primarily violating the security objective “Availability”
- Oversized XML DOS aka Oversized XML attack
- Recursive Cryptography aka Oversized Cryptography aka Cryptography DOS aka XML Complexity Attack in SOAP Header
- SOAP Parameter DOS aka Parameter Tampering
- XML Document Size Attack aka Oversize Payload Attack aka Jumbo Payload Attack
- XML Encryption - Transformation DOS
- XML Signature - Key Retrieval DOS
- XML Signature - Transformation DOS
Attacks primarily violating the security objective “Integrity”
- Malicious Morphing aka Message Tampering aka Content Tampering aka Message Alteration aka Data Tampering aka Falsified Message
- Metadata Spoofing aka Schema Poisoning
- XML Signature Wrapping aka XML Rewriting
Attacks primarily violating the security objective “Confidentiality”
- Passive WS-MITM aka Message Sniffing aka Message Snooping
- Adaptive Chosen-Ciphertext Attacks
- Backwards Compatibility Attacks
Attacks primarily violating the security objective “Access Control”
Other attacks
- XML Signature - Key Retrieval XSA (Cross Site Attack)