XML Signature Exclusion (difference between revisions)

From WS-Attacks
Earlier revision of the attack description (replaced in the revision shown below):

In the absence of an XML Signature, the signature verification component did not monitor any XML Signature at all, but nevertheless treated the message as validly signed. The task of user identification and authorization took place in other components relying solely on the X.509 certificate data from the BinarySecurityToken element, which can be present even if there is no signature. Hence, that SOAP request message was authorized to trigger operations on behalf of the owner of the X.509 certificate. For completeness, the message is depicted in Figure 3.5.

To conclude, while performing an arbitrary SOAP request for any of the EC2 SOAP interface operations, an attacker needs only the public X.509 certificate of the victim. Since X.509 certificates are by definition considered to constitute public data, harvesting them from the Internet is not a major challenge for an attacker.

Revision as of 12:52, 23 December 2015

Attack description

Sometimes it is not necessary to execute complicated XML Signature Wrapping attacks in order to execute arbitrary functionality on a Web Service.

The SOAP message validation flow consists of several independent steps: signature verification, certificate validation, and business logic invocation. There is a possibility that one of these steps is omitted and the message is still considered to be valid.

The XML Signature Exclusion attack relies on this assumption. The attacker removes the XML Signature from the SOAP message and sends it to the SOAP interface. If the application accepts the message, the attacker can execute arbitrary functions on the interface.

Attack subtypes

There are no attack subtypes for this attack.


Prerequisites for attack

In order to execute the attack, there are the following prerequisites:

  1. The attacker knows the endpoint of the web service; otherwise he is not able to reach it.
  2. The attacker can reach the endpoint from his location.
  3. The attacker is in possession of a validly signed XML message, or he is in possession of a valid public certificate and can construct a valid message with a missing XML Signature.


Graphical representation of attack

Figure: AttackedComponent Signature.png

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.


Attack example

Practical attacks were shown by Somorovsky et al.[1], who analyzed Amazon and Eucalyptus cloud providers. The attacks allowed them to execute arbitrary methods on cloud interfaces of these two cloud providers.

It was furthermore shown that these attacks can be applied to various SAML interfaces [2], [3], whereby the attacker could authenticate as an arbitrary user. For example, it was possible to apply this attack to the following frameworks and systems: Apache Axis2, JOSSO, Open Athens, Clarizen.

Attack mitigation / countermeasures

If authenticity and integrity are to be protected, the signature has to be validated. Always.
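As an added illustration (not code from WS-Attacks or from the cited papers), the following Python script models the validation flow described above: a vulnerable verifier that only runs the signature step when a ds:Signature element happens to be present and then takes the caller's identity from the BinarySecurityToken regardless, beside a hardened verifier that fails closed. The SOAP, WS-Security and XML-DSig namespace URIs are the real ones; everything else is constructed for the example: the envelope, the DescribeInstances operation, the certificate placeholder inside the token, and a shared-key HMAC over the serialized Body that stands in for canonicalization plus an RSA signature verified against the X.509 certificate.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace URIs used by SOAP 1.1, WS-Security 1.0 and XML-DSig (these are real).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

WSU_ID = f"{{{NS['wsu']}}}Id"

# Constructed shared key standing in for the signer's private key and the
# verifier's trusted public key. Not a real WS-Security key.
SIGNING_KEY = b"constructed-example-key"

# Constructed request: a BinarySecurityToken naming the caller, a Signature whose
# Reference covers the Body, and a Body carrying the requested operation.
REQUEST_TEMPLATE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="X509Token">ALICE-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#Body"/>
        </ds:SignedInfo>
        <ds:SignatureValue/>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body">
    <DescribeInstances/>
  </soap:Body>
</soap:Envelope>"""


def _find(elem, path):
    return elem.find(path, NS)


def _expected_signature(env) -> str:
    # Stand-in for C14N + RSA: HMAC-SHA256 over the serialized Body element.
    body = ET.tostring(_find(env, "soap:Body"))
    return base64.b64encode(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()).decode()


def sign(envelope_xml: str) -> str:
    """Fill in SignatureValue for the Body (the legitimate sender's side)."""
    env = ET.fromstring(envelope_xml)
    _find(env, "soap:Header/wsse:Security/ds:Signature/ds:SignatureValue").text = _expected_signature(env)
    return ET.tostring(env, encoding="unicode")


def strip_signature(envelope_xml: str) -> str:
    """Negative test case: the same message with the ds:Signature element removed."""
    env = ET.fromstring(envelope_xml)
    security = _find(env, "soap:Header/wsse:Security")
    security.remove(_find(security, "ds:Signature"))
    return ET.tostring(env, encoding="unicode")


def _token_identity(env) -> Optional[str]:
    token = _find(env, "soap:Header/wsse:Security/wsse:BinarySecurityToken")
    return token.text if token is not None else None


def vulnerable_authorize(envelope_xml: str) -> Optional[str]:
    """Returns the caller identity, or None if the message is rejected.
    Models the flaw: the signature step runs only when a Signature is present,
    and the identity is taken from the BinarySecurityToken either way."""
    env = ET.fromstring(envelope_xml)
    sig = _find(env, "soap:Header/wsse:Security/ds:Signature")
    if sig is not None:
        value = _find(sig, "ds:SignatureValue")
        if value is None or not hmac.compare_digest(value.text or "", _expected_signature(env)):
            return None
    return _token_identity(env)


def hardened_authorize(envelope_xml: str) -> Optional[str]:
    """Fail closed: a missing Signature, a Signature that does not cover the Body,
    or a bad SignatureValue each reject the message before any identity is read."""
    env = ET.fromstring(envelope_xml)
    sig = _find(env, "soap:Header/wsse:Security/ds:Signature")
    if sig is None:
        return None
    body_id = _find(env, "soap:Body").get(WSU_ID)
    covered = {ref.get("URI") for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    if body_id is None or f"#{body_id}" not in covered:
        return None
    value = _find(sig, "ds:SignatureValue")
    if value is None or not hmac.compare_digest(value.text or "", _expected_signature(env)):
        return None
    return _token_identity(env)


if __name__ == "__main__":
    signed = sign(REQUEST_TEMPLATE)
    unsigned = strip_signature(signed)
    print("signed   vulnerable:", vulnerable_authorize(signed), " hardened:", hardened_authorize(signed))
    print("unsigned vulnerable:", vulnerable_authorize(unsigned), " hardened:", hardened_authorize(unsigned))
```

The hardened verifier makes the three checks explicit and ordered: a Signature must exist, its Reference must cover the Body that the business logic will act on, and the SignatureValue must verify; only then is the identity read from the token. The same property should hold for a real WS-Security stack: a message without a Signature must be treated as unsigned, never as "no step failed".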

Attack categorisation

Categorisation by violated security objective


Categorisation by number of involved parties


Categorisation by attacked component in web service architecture


Categorisation by attack spreading



References

  1. Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono. All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011. https://www.nds.rub.de/research/publications/amazon-hacking/
  2. Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, Meiko Jensen. On Breaking SAML: Be Whoever You Want to Be. In Proceedings of the 21st USENIX Security Symposium, 2012.
  3. Christian Mainka, Vladislav Mladenov, Florian Feldmann, Julian Krautwald, Jörg Schwenk. Your Software at my Service – Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2014. https://www.nds.rub.de/research/publications/saml-saas/
  4. Juraj Somorovsky. On the Insecurity of XML Security. PhD thesis supervised by Jörg Schwenk and Kenny Paterson, Ruhr University Bochum. https://www.nds.rub.de/research/publications/xmlinsecurity/