Welcome to WS-Attacks

Revision as of 11:54, 23 December 2015 by Jln7bp (talk | contribs)

WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today's web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.

Okay, how do I get started? If you are familiar with the basics, you can dive right into the Attacks. All attacks are categorised and structured in a stringent fashion. Depending on your viewpoint, you can choose to have attacks listed by one of the four categories:

Alternatively you can browse through the entire list of attacks (sorted by violated security objective):

Attacks primarily violating the security objective "Availability"

BPEL Instantiation Flooding

BPEL Indirect Flooding

BPEL State Deviation

Coercive Parsing

Oversized XML DOS aka Oversized XML attack

Reference Redirect

Recursive Cryptography aka Oversized Cryptography aka Cryptography DOS aka XML Complexity Attack in SOAP Header

SOAP Array Attack

SOAP Parameter DOS aka Parameter Tampering

WS-Addressing spoofing

XML Document Size Attack aka Oversize payload attack aka Jumbo payload Attack

XML Encryption - Transformation DOS

XML External Entity DOS

XML Entity Expansion

XML Entity Reference Attack

XML Flooding

XML Signature - Key Retrieval DOS

XML Signature - Transformation DOS

Attacks primarily violating the security objective "Integrity"

Active WS-MITM

Metadata Spoofing aka Schema Poisoning

XML Signature Wrapping aka XML Rewriting

XML Signature Exclusion

Attacks primarily violating the security objective "Confidentiality"

Passive WS-MITM aka Message Sniffing aka Message Snooping

WSDL Disclosure

Adaptive Chosen-Ciphertext Attacks

Backwards Compatibility Attacks

Attacks primarily violating the security objective "Access Control"

Replay Attack

SOAPAction Spoofing

Other attacks

Attack Obfuscation

XML Injection

XML Signature - Key Retrieval XSA (Cross Site Attack)

XML Signature - XSLT Code Execution

XPath Injection

If you have any questions or comments feel free to contact us or just contribute by editing the wiki yourself!