Attack description

Web services offer designers enormous flexibility when it comes to employing integrity features. Usually in order to guarantee message integrity, certain predefined parts of the SOAP message get signed.

Lets assume that a web service client sends a signed message to the receiving web service. Ideally any malicious modification of the signed data is detected by the receiving web service unless the attacker is able to break the signature algorithm itself. However when executing a XML Signature Wrapping attack an attacker is able to change the content of the signed part without invalidating the signature.

This attack is also known as XML Rewriting attack.

NOTE: We just assume that both parties agreed in advance on what parts of the SOAP message have to be signed. How this agreement process is implemented isn't important for this attack ( However this process is important for the Metadata_Spoofing attack.)

Attack subtypes

There are various XML Signature Wrapping attacks. Due to their complexity a separate wiki page for each attack was created. The different XML Signature Wrapping attack subtypes are:

• XML Signature Wrapping - Simple Context
  The easiest to execute XML Signature Wrapping attack. This one was the very first XML Signature Wrapping attack, discovered in 2005 [1][2]. The signed data is contained within the SOAP Body.
  
  
• XML Signature Wrapping - Optional Element
  A more evolved attack. The signed data is contained within the SOAP Header.
  
  
• XML Signature Wrapping - Optional Element in Security Header
  A more evolved attack. The signed data is contained within the Security Header.
  
  
• XML Signature Wrapping - with Namespace Injection
  The most complex of all signature wrapping attacks. The attack is performed by using an XML Namespace injection technique.
  
  

Prerequisites for attack

In order for this attack to work the attacker has to have knowledge about the following things:

1. Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
2. Attacker knows that the web web service processes the security header and the "signature" element. If the web service doesn't "expect" a signed part, it just discards the signature and the attack doesn't work.
3. Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company, this attack is limited.

Graphical representation of attack

• Red = attacked web service component
  
• Black = location of attacker
  
• Blue = web service component not directly involved in attack.
  

Attack example

Due to attack complexity refer to each attack subtype!

Attack mitigation / countermeasures

Due to attack complexity refer to each attack subtype!

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.

• Category:Attack_Categorisation_By_Violated_Security_Objective_Integrity
• Category:Attack_Categorisation_By_Violated_Security_Objective

Categorisation by number of involved parties

• Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
• Category:Attack_Categorisation_By_Number_Of_Involved_Parties

Categorisation by attacked component in web service architecture

• Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification
• Category:Attack_Categorisation_By_Attacked_Web_Service_Component

Categorisation by attack spreading

• Category:Attack_Categorisation_By_Attack_Spreading
• Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws

References

Due to attack complexity refer to each attack subtype!