Difference between revisions of "XML Signature Exclusion"
Revision as of 12:37, 23 December 2015
Attack description
When a message contained no XML Signature, the signature verification component had nothing to verify and nevertheless treated the message as validly signed. User identification and authorization took place in other components, which relied solely on the X.509 certificate data from the BinarySecurityToken element; that element can be present even if there is no signature. Hence, the unsigned SOAP request message was authorized to trigger operations on behalf of the owner of the X.509 certificate. For completeness, the message is depicted in Figure 3.5. To conclude, to perform an arbitrary SOAP request for any of the EC2 SOAP interface operations, an attacker needs only the public X.509 certificate of the victim. Since X.509 certificates are by definition considered public data, harvesting them from the Internet is not a major challenge for an attacker.
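The following is an added example, not code from the WS-Attacks wiki or from the analyzed cloud interfaces. It models the verification flow described above in Python and puts it next to a fail-closed variant: the vulnerable flow verifies every Signature it finds, so a message with no Signature skips verification entirely and is authorized from the BinarySecurityToken alone; the hardened flow requires exactly one ds:Signature inside wsse:Security, requires that a ds:Reference covers the Body by its wsu:Id, and only then hands the element to the verification routine. The SOAP messages are constructed samples with placeholder digest and signature values, and `key_info_binds_token` is an assumed stand-in for the cryptographic check an XML-DSig library performs (it only checks that the KeyInfo points at the token that is present). The third sample goes slightly beyond the page: a signature that exists but does not cover the Body, which the same coverage check rejects.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}


def _envelope(security_children):
    # Constructed sample message: a BinarySecurityToken is always present,
    # the Body carries a wsu:Id so a Signature Reference can point at it.
    return (
        '<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
        "<soap:Header><wsse:Security>"
        '<wsse:BinarySecurityToken wsu:Id="X509Token">MIIB...constructed...</wsse:BinarySecurityToken>'
        "%s"
        "</wsse:Security></soap:Header>"
        '<soap:Body wsu:Id="Body"><DescribeInstances/></soap:Body>'
        "</soap:Envelope>"
    ) % (SOAP, WSSE, WSU, DS, security_children)


def _signature(reference_uri):
    # Constructed ds:Signature skeleton with placeholder digest/signature values.
    return (
        "<ds:Signature><ds:SignedInfo>"
        '<ds:Reference URI="%s"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>'
        "</ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue>"
        '<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/>'
        "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
    ) % reference_uri


MSG_NO_SIGNATURE = _envelope("")                        # the signature exclusion message
MSG_BODY_SIGNED = _envelope(_signature("#Body"))        # what a legitimate client sends
MSG_WRONG_COVERAGE = _envelope(_signature("#X509Token"))  # signed, but the Body is not covered


def key_info_binds_token(sig, env):
    # Assumed stand-in for cryptographic verification: the Signature's KeyInfo
    # must reference the BinarySecurityToken actually carried in the message.
    token = env.find(".//wsse:BinarySecurityToken", NS)
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if token is None or ref is None:
        return False
    return ref.get("URI") == "#" + token.get("{%s}Id" % WSU, "")


def vulnerable_authorize(xml_text, verify_signature=key_info_binds_token):
    """Flawed flow described above: every Signature found is verified, but a
    message without any Signature never enters the loop and is still treated
    as signed; authorization then rests on the BinarySecurityToken alone."""
    env = ET.fromstring(xml_text)
    for sig in env.iter("{%s}Signature" % DS):
        if not verify_signature(sig, env):
            return False
    return env.find(".//wsse:BinarySecurityToken", NS) is not None


def hardened_authorize(xml_text, verify_signature=key_info_binds_token):
    """Fail-closed flow: exactly one Signature in wsse:Security, a Reference
    that covers the Body by wsu:Id, and a verification result for that one
    Signature. Absence of a Signature is a rejection, not a pass."""
    env = ET.fromstring(xml_text)
    security = env.find("soap:Header/wsse:Security", NS)
    body = env.find("soap:Body", NS)
    if security is None or body is None:
        return False
    sigs = security.findall("ds:Signature", NS)
    if len(sigs) != 1:
        return False  # no signature (this attack) or several (ambiguous) both fail
    body_id = body.get("{%s}Id" % WSU)
    uris = {r.get("URI") for r in sigs[0].findall("ds:SignedInfo/ds:Reference", NS)}
    if not body_id or ("#" + body_id) not in uris:
        return False  # a Signature exists but does not protect the operation in the Body
    return verify_signature(sigs[0], env)


def demo():
    # Returns the verdict of both flows for each constructed message.
    samples = {"no_signature": MSG_NO_SIGNATURE,
               "body_signed": MSG_BODY_SIGNED,
               "wrong_coverage": MSG_WRONG_COVERAGE}
    return {name: (vulnerable_authorize(m), hardened_authorize(m)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print("%-15s vulnerable=%s hardened=%s" % (name, vuln, hard))
```

The unsigned message is accepted by the vulnerable flow and rejected by the hardened one; the signed-Body message passes both; the message whose Signature does not cover the Body is rejected by the hardened flow only. In a real deployment the `verify_signature` hook is the XML-DSig library's cryptographic check, and the structural policy in front of it is what closes the exclusion gap.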
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order to execute the attack, there are the following prerequisites:
- The attacker knows the endpoint of the web service; otherwise he is not able to reach it.
- The attacker can reach the endpoint from his location.
- The attacker is in possession of a validly signed XML message, or he is in possession of a valid public certificate and can construct a valid message with the XML Signature omitted.
Graphical representation of attack
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack example
Practical attacks were shown by Somorovsky et al. [1], who analyzed the Amazon and Eucalyptus cloud providers. The attacks allowed them to execute arbitrary methods on the cloud interfaces of these two providers.
It was furthermore shown that these attacks can be applied to various SAML interfaces [2], [3]. In this way, the attacker could authenticate as an arbitrary user. It was for example possible to apply this attack to the following frameworks and systems: Apache Axis2, JOSSO, Open Athens, Clarizen.
Attack mitigation / countermeasures
Attack categorisation
Categorisation by violated security objective
- Category:Attack_Categorisation_By_Violated_Security_Objective_Integrity
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
- Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono. All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011. https://www.nds.rub.de/research/publications/amazon-hacking/
- Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, Meiko Jensen. On Breaking SAML: Be Whoever You Want to Be. In Proceedings of the 21st USENIX Security Symposium, 2012
- Christian Mainka, Vladislav Mladenov, Florian Feldmann, Julian Krautwald, Jörg Schwenk. Your Software at my Service – Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2014. https://www.nds.rub.de/research/publications/saml-saas/
- Juraj Somorovsky. On the Insecurity of XML Security. PhD thesis supervised by Jörg Schwenk and Kenny Paterson, Ruhr University Bochum. https://www.nds.rub.de/research/publications/xmlinsecurity/