Difference between revisions of "XML Signature Exclusion"

From WS-Attacks

Revision as of 12:26, 31 October 2015

Attack description

Attack subtypes

There are no attack subtypes for this attack.

Prerequisites for attack

In order to execute the attack, there are the following prerequisites:

  1. Attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
  2. Attacker can reach the endpoint from his location.
  3. Attacker is in possession of a validly signed XML message, or he is in possession of a valid public certificate and can construct a valid message with a missing XML Signature.

Graphical representation of attack

[Figure: AttackedComponent Signature.png]

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.

Attack example

Practical attacks were demonstrated by Somorovsky et al.[1], who showed how to attack the cloud interfaces of the Amazon and Eucalyptus cloud providers. This enabled them to execute arbitrary methods on cloud interfaces.

Attack mitigation / countermeasures
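
A check aimed at the missing-signature message from prerequisite 3, as an added example that is not part of the original WS-Attacks page: the receiver fails closed when the Signature element is absent or does not reference the Body. SOAP 1.1 with WS-Security 1.0 is assumed; the function names, the sample envelopes and the `body-1` Id are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, a hardened parser such as defusedxml is preferable

# Standard namespace URIs for SOAP 1.1, WS-Security 1.0 and XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


class SignaturePolicyError(Exception):
    """Raised when a message must not be handed to business logic."""


def require_body_signature(xml_text):
    """Hypothetical pre-verification gate: fail closed unless exactly one
    ds:Signature sits in the wsse:Security header and references the Body.
    Cryptographic verification of that signature must still follow."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP}}}Envelope":
        raise SignaturePolicyError("not a SOAP envelope")
    bodies = root.findall(f"{{{SOAP}}}Body")
    if len(bodies) != 1:
        raise SignaturePolicyError("expected exactly one Body")
    body_id = bodies[0].get(f"{{{WSU}}}Id")
    if not body_id:
        raise SignaturePolicyError("Body carries no wsu:Id to be referenced")
    sigs = root.findall(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if len(sigs) != 1:
        # Signature exclusion lands here: absence is an error, never a pass.
        raise SignaturePolicyError(f"expected 1 Signature, found {len(sigs)}")
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if not any(r.get("URI") == "#" + body_id for r in refs):
        raise SignaturePolicyError("Signature does not reference the Body")
    return sigs[0]  # hand this element to the real XML Signature verifier


def sample_envelope(security_children):
    """Constructed sample input: a minimal envelope around the given header content."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            f'<s:Header><wsse:Security>{security_children}</wsse:Security></s:Header>'
            f'<s:Body wsu:Id="body-1"><op/></s:Body></s:Envelope>')


SIGNED = sample_envelope('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>')
STRIPPED = sample_envelope("")  # same message with the Signature element removed
```

The gate only enforces presence and coverage; the returned element still has to pass cryptographic verification against a trusted key before the Body is processed.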

Attack categorisation

Categorisation by violated security objective

Categorisation by number of involved parties

Categorisation by attacked component in web service architecture

Categorisation by attack spreading


  1. Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono. All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011. https://www.nds.rub.de/research/publications/amazon-hacking/
  2. Juraj Somorovsky. On the Insecurity of XML Security. PhD thesis supervised by Jörg Schwenk and Kenny Paterson, Ruhr University Bochum. https://www.nds.rub.de/research/publications/xmlinsecurity/