XML Signature Wrapping
Latest revision as of 11:38, 23 December 2015
Attack description
Web services offer designers enormous flexibility when it comes to employing integrity features. Usually, in order to guarantee message integrity, certain predefined parts of the SOAP message get signed.
Let's assume that a web service client sends a signed message to the receiving web service. Ideally, any malicious modification of the signed data is detected by the receiving web service, unless the attacker is able to break the signature algorithm itself. However, when executing an XML Signature Wrapping attack, an attacker is able to change the content that the web service processes as the signed part without invalidating the signature. This works because the signature references the signed element by an identifier (for example a wsu:Id) rather than by its position in the message: the original signed element can be moved to a location the application logic ignores, while a forged element takes its place, and the signature still verifies.
This attack is also known as XML Rewriting attack.
NOTE: We just assume that both parties agreed in advance on which parts of the SOAP message have to be signed. How this agreement process is implemented isn't important for this attack (however, this process is important for the Metadata Spoofing attack).
Attack subtypes
There are various XML Signature Wrapping attacks. Due to their complexity, a separate wiki page was created for each attack. The different XML Signature Wrapping attack subtypes are:
- XML Signature Wrapping - Simple Context: The easiest XML Signature Wrapping attack to execute. This was the very first XML Signature Wrapping attack, discovered in 2005 [1][2]. The signed data is contained within the SOAP Body.
- XML Signature Wrapping - Optional Element: A more advanced attack. The signed data is contained within the SOAP Header.
- XML Signature Wrapping - Optional Element in Security Header: A more advanced attack. The signed data is contained within the Security Header.
- XML Signature Wrapping - with Namespace Injection: The most complex of all signature wrapping attacks. The attack is performed by using an XML Namespace injection technique.
Prerequisites for attack
In order for this attack to work, the attacker has to know the following:
- The attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
- The attacker knows that the web service processes the security header and the "Signature" element. If the web service doesn't "expect" a signed part, it just discards the signature and the attack doesn't work.
- The attacker can reach the endpoint from his location. Access to the attacked web service is required; if the web service is only available to users within a certain company network, this attack is limited.
Graphical representation of attack
(Figure not included.) Legend:
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in the attack
Attack example
Due to the attack's complexity, refer to each attack subtype.
Attack mitigation / countermeasures
Due to the attack's complexity, refer to each attack subtype.
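The mechanism described in the attack description above (the signature references the signed element by ID while the application locates the Body by position), together with the kind of check the countermeasures section points to, as an added example that is not code from the WS-Attacks wiki. It is a self-contained Python model, not a real WS-Security stack: an HMAC over the serialized element stands in for the XML-DSig signature over a canonicalized SignedInfo, the element and attribute names (Envelope, Header, Security, Signature, Body, Id, Transfer) are assumed for the demo, and the Transfer payload is constructed. What it shows is the Simple Context wrapping step: the signed Body is moved into a wrapper element under the Header, a forged Body is put in its place, and the signature still verifies for the vulnerable verifier while the hardened one rejects the message.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Assumption: a shared HMAC key stands in for the signer's key. A real
# WS-Security signature is an asymmetric signature over a canonicalized
# <SignedInfo> whose <Reference URI="#id"> points at the signed element;
# the ID-based lookup the attack abuses is the same.
SECRET_KEY = b"demo-shared-key"


def canon(elem):
    """Toy canonicalization: the element's serialized bytes (stand-in for C14N)."""
    return ET.tostring(elem)


def mac(data):
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()


def build_signed_request(to, amount):
    """Client side: sign the SOAP Body by ID, put the signature in the Security header."""
    env = ET.Element("Envelope")
    security = ET.SubElement(ET.SubElement(env, "Header"), "Security")
    body = ET.SubElement(env, "Body", Id="body")
    ET.SubElement(body, "Transfer", to=to, amount=str(amount))  # constructed payload
    # The Reference is by ID (URI="#body"), not by position in the envelope.
    ET.SubElement(security, "Signature", URI="#body", Value=mac(canon(body)))
    return ET.tostring(env).decode()


def find_by_id(root, uri):
    """How typical verifiers resolve a Reference: first element anywhere with that Id."""
    wanted = uri.lstrip("#")
    for elem in root.iter():
        if elem.get("Id") == wanted:
            return elem
    return None


def verify_signature(root):
    """Return the element the signature actually covers, or None on failure."""
    sig = root.find("Header/Security/Signature")
    if sig is None:
        return None
    referenced = find_by_id(root, sig.get("URI", ""))
    if referenced is None:
        return None
    if not hmac.compare_digest(mac(canon(referenced)), sig.get("Value", "")):
        return None
    return referenced


def read_transfer(body):
    transfer = body.find("Transfer")
    return transfer.get("to"), int(transfer.get("amount"))


def vulnerable_process(xml_text):
    """Verifies by ID, then processes root/Body: two unrelated lookups."""
    root = ET.fromstring(xml_text)
    if verify_signature(root) is None:
        raise ValueError("bad signature")
    return read_transfer(root.find("Body"))


def hardened_process(xml_text):
    """Act only on the element that was verified, and reject duplicate Ids."""
    root = ET.fromstring(xml_text)
    ids = [e.get("Id") for e in root.iter() if e.get("Id") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate Id attributes")
    verified = verify_signature(root)
    body = root.find("Body")
    if verified is None or verified is not body:
        raise ValueError("signature does not cover the Body that would be processed")
    return read_transfer(body)


def wrap(xml_text, new_to, new_amount):
    """Attacker: move the signed Body into a wrapper the application ignores, add a new Body."""
    root = ET.fromstring(xml_text)
    signed_body = root.find("Body")
    root.remove(signed_body)
    ET.SubElement(root.find("Header"), "Wrapper").append(signed_body)  # still found by Id
    new_body = ET.SubElement(root, "Body")                              # unsigned, processed
    ET.SubElement(new_body, "Transfer", to=new_to, amount=str(new_amount))
    return ET.tostring(root).decode()


if __name__ == "__main__":
    request = build_signed_request("alice", 10)
    print("legit   ", vulnerable_process(request))
    forged = wrap(request, "mallory", 1000000)
    print("wrapped ", vulnerable_process(forged))  # signature still verifies
    try:
        hardened_process(forged)
    except ValueError as err:
        print("hardened", err)
```

The design point of hardened_process is that the verifier must hand the application the exact element it verified (object identity here; in a real stack, the same node or a fixed absolute position such as /Envelope/Body), rather than both sides independently resolving an ID or a path. Rejecting duplicate Id values closes the variant where the attacker keeps the original Id on the forged element.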
Attack categorisation
Categorisation by violated security objective
The attack lets an attacker alter the content that the web service processes as the signed data without invalidating the signature; therefore it violates the security objective Integrity.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Integrity
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
Due to the attack's complexity, refer to each attack subtype for further references.
[1] http://portal.acm.org/citation.cfm?id=1103026
[2] http://research.microsoft.com/en-us/um/people/fournet/papers/an-advisor-for-web-services-security-policies-sws05.pdf