Oversize Payload. SOAPAction Spoofing Metadata Spoofing Attack Obfuscation. BPEL State Deviation Signature Wrapping with Namespace Injection

Size: px

Start display at page:

Download "Oversize Payload. SOAPAction Spoofing Metadata Spoofing Attack Obfuscation. BPEL State Deviation Signature Wrapping with Namespace Injection"

Patrick Holland
6 years ago
Views:

1 XML- und Web-Service-Sicherheit Attacking Web Services

2 Overview Oversize Payload Coercive Parsing SOAPAction Spoofing Metadata Spoofing Attack Obfuscation WS-Addressing Spoofing BPEL State Deviation Signature Wrapping with Namespace Injection

3 Attacks on Web Services Oversize Payload

4 Oversize Payload Attack Concept: <Envelope> <Header /> <Body> <calculatebill> <item>3.98</item> <item>999.99</item> <item>999.99</item> <item>1.99</item> <item>999.99</item> <item>16.99</item> <item>999.99</item> <item>23.95</item> </calculatebill> <item>999.99</item> </Body> <item>999.99</item> </Envelope> <item>999.99</item> <item>999.99</item> WSDL schema description: <item>999.99</item> <item>999.99</item> <element name="item" type="xsd:float" maxoccurs="unbounded" />

5 Oversize Payload Experiment Results: Attack Name: Attack Type: Target Framework: Axis 1.4 Attack Message Size: 18MB 1.8 Impact on Memory: Impact on CPU: Oversize Payload Denial of Service 50 MB 100 % for >1 min

6 Oversize Payload Experiment Results: Attack Name: Attack Type: Target Framework: Axis 1.4 Attack Message Size: 18MB 1.8 Impact on Memory: Oversize Payload Denial of Service 50 MB Impact on CPU: 100 % for >1 min Scale factor (Memory): 28

7 Attacks on Web Services Coercive Parsing

8 Coercive Parsing Attack Concept: <Envelope> <Header /> <Body> <visualize> <node> <node> <node> <leaf /> <leaf <node> /> </node> <node> <node> <leaf /> </node> </node> </visualize> </Body> </Envelope> WSDL schema description: <element name="node"> <complextype> <choice> <element ref="node" /> <element name="leaf" /> </choice> </complextype> </element> -8-

9 Coercive Parsing Experiment Results: Attack Name: Target Framework: Number of Attack Messages: 1 Coercive Parsing Axis2 Attack Message Size: Endlessly l continuable Impact on CPU: 100% while the attack continued Network transmission rate: 150 Byte per second -9-

10 Attacks on Web Services SOAPAction Spoofing

11 SOAPAction Spoofing Attack Concept: POST /service HTTP/1.1 Host: myhost SOAPAction: "createuser" <Envelope> p <Header /> <Body> <createuser> <login>johndoe</login> <pwd>secret</pwd> </createuser> </Body> </Envelope>

12 SOAPAction Spoofing Attack Concept: POST /service HTTP/1.1 Host: myhost SOAPAction: "deleteallusers" <Envelope> p <Header /> <Body> <createuser> <login>johndoe</login> <pwd>secret</pwd> </createuser> </Body> </Envelope>

13 SOAPAction Spoofing Axis2 impact: HTTP SOAPAction: A SOAP Operation: B HTTP Firewall Axis2 Web Service Server Allow: A Reject: B

14 SOAPAction Spoofing.NET impact: HTTP SOAPAction: A SOAP Operation: B.NET Web Service Server

15 Attacks on Security-enabled Web Services Metadata Spoofing

16 Metadata Spoofing Attacker Web Service Client Network (e.g. Internet) Web Service Server WSDL WS- Security Policy

17 Metadata Spoofing Attacker WSDL WS- Security Policy Web Service Client Network (e.g. Internet) Web Service Server

18 Metadata Spoofing - Spoofed WSDL: Change endpoint URL Man-in-the-middle scenario Change message schema Add/remove/change/fake operations Attach spoofed WS-SecurityPolicy Modify security assertions - Spoofed WS-SecurityPolicy: Change cryptographic algorithms to use Encryption becomes breakable Remove security assertions Eavesdropping and data modification

19 Attacks on Security-enabled Web Services Attack Obfuscation

20 Attack Obfuscation Attack Concept: <Envelope> <Header /> <Body> <calculatebill> <item>3.98</item> <item>1.99</item> <item>16.99</item> <item>23.95</item> </calculatebill> </Body> </Envelope> WS-SecurityPolicy assertion: <sp:encryptedelements> <sp:xpath> /Envelope/Body/calculateBill </sp:xpath> </sp:encryptedelements>

21 Attack Obfuscation Attack Concept: <Envelope> <Header > <Security> </Security> </Header> <Body> <EncryptedData> AhZlDtzQWr4Df5T Iop6n78FghDweD </EncryptedData> PsEEd53HgfVsd3 </Body> 2WEdRTZdGJKiK </Envelope> ertsghz674sftgi

22 Attack Obfuscation Experiment Results: Attack Name: Attack Type: Target Framework: Attack Message Size: 1 MB Impact on Memory: Attack Obfuscation Denial of Service Rampart Axis2 90 MB Impact on CPU: 100 % for 23 sec Scale factor (Memory): 90

23 WS-Addressing Spoofing

24 WS-Addressing Spoofing SOAP Web Service Client Network (e.g. Internet) Web Service Server

25 WS-Addressing Spoofing SOAP ReplyTo <Envelope> <Header > <ReplyTo> <Address> t </Address> </ReplyTo> </Header> <Body> Web Service Client Network (e.g. Internet) Web Service Server SOAP

26 WS-Addressing Spoofing Attacker SOAP ReplyTo Web Service Client <Envelope> <Header > <ReplyTo> <Address> Network (e.g. </Address> Internet) </ReplyTo> </Header> <Body> SOAP Web Service Server

27 Attacks on Web Service Compositions BPEL State Deviation

28 BPEL State Deviation <process> <sequence> <receive operation="init_election" /> <receive operation="set_candidates" /> <receive operation="set_number_of_voters" number of /> <while condition="voting_not_complete()"> <receive operation="vote" /> </while> <invoke operation="announce_winner" /> </sequence> </process> init_election set_candidates set_number of_voters vote BPEL Engine

29 BPEL State Deviation 1 init_election 2 set_candidates 7 3 set_number of_voters vote BPEL Engine

30 BPEL State Deviation Experiment Results: Attack Name: Attack Type: BPEL State Deviation Denial of Service Target Framework: Oracle BPEL Process Manager 10.1 Attack Message Size: Byte = 0.5 MB Impact on Memory: 350 MB Impact on CPU: 100 % for 2 hours Scale Factor (Memory): 700

31 Attacks on Web Service Compositions Signature Wrapping with Namespace Injection

32 Signature Wrapping with Namespace Injection soap:envelope soap:header soap:body wss:security ds:signature ds:signedinfo ds:reference op:payto pp op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

33 Signature Wrapping with Namespace Injection soap:envelope soap:header soap:body wss:security ds:signature ds:signedinfo ds:reference op:payto pp op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

34 Signature Wrapping with Namespace Injection soap:envelope soap:header soap:body wss:security ds:signature ds:signedinfo ds:reference op:payto pp op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

35 Signature Wrapping with Namespace Injection soap:envelope soap:header wss:security ds:signature ds:signedinfo ds:reference soap= op= cc= wss= ds= dsx= soap:body op:payto pp op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

36 Signature Wrapping with Namespace Injection op= soap:envelope soap:header op= soap:body XX= wss:security ds:signature ds:signedinfo ds:reference op:payto pp op:name cc:creditcard Mr. Evil Hacka XX:payTop y op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

37 Signature Wrapping with Namespace Injection op= soap:envelope soap:header op= soap:body XX= wss:security ds:signature ds:signedinfo ds:reference op:payto pp op:name cc:creditcard Mr. Evil Hacka XX:payTop y op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

38 Signature Wrapping with Namespace Injection op= soap:envelope soap:header op= soap:body XX= wss:security ds:signature ds:signedinfo ds:reference op:payto pp op:name cc:creditcard Mr. Evil Hacka XX:payTop y op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

39 Signature Wrapping with Namespace Injection By mapping the same namespace prefix to different namespace urls at certain positions within an XML document, an attacker can inject contents t that are processed as if they were signed.

40 Signature Wrapping with Namespace Injection soap:envelope soap:header wss:security ds:signature ds:signedinfo ds:reference soap= op= cc= wss= ds= dsx= soap:body op:payto pp op:name cc:creditcard Ms. Jane Doe ds:transforms ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

41 Signature Wrapping with Namespace Injection soap:envelope soap:header soap:body wss:security ds:signature ds:signedinfo ds:reference ds:transforms ds:transform soap= p p op= cc= wss= ds= i dsx= op:name op:payto pp cc:creditcard Ms. Jane Doe soap= op= cc= wss= ds= dsx= dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

42 Signature Wrapping with Namespace Injection soap:header soap:envelope InclusiveCanonicalization soap:body wss:security ds:signature ds:signedinfo ds:reference ds:transforms ds:transform soap= p p op= cc= wss= ds= i dsx= op:name op:payto pp cc:creditcard Ms. Jane Doe soap= op= cc= wss= ds= dsx= dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

43 Signature Wrapping with Namespace Injection soap:envelope soap:header soap:body wss:security ds:signature ds:signedinfo ds:reference ds:transforms ds:transform soap= p p op= cc= wss= ds= i dsx= op:name op:payto pp cc:creditcard Ms. Jane Doe soap= op= cc= wss= ds= dsx= dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

44 Signature Wrapping with Namespace Injection soap:header soap:envelope ExclusiveCanonicalization soap:body wss:security ds:signature ds:signedinfo ds:reference ds:transforms ds= g g dsx= op:payto pp op:name cc:creditcard Ms. Jane Doe cc= ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

45 Signature Wrapping with Namespace Injection wss:security ds:signature ds:signedinfo ds:reference ds:transforms ds:transform soap:header soap:envelope ExclusiveCanonicalization soap:body Visibly Utilized: An element E in a document subset visibly utilizes a namespace declaration, i.e. a namespace op:name prefix P and bound value V, if E or an attribute node in the document ds= g g subset dsx= with parent E has a qualified name in which P is the namespace prefix. op:payto pp cc:creditcard Ms. Jane Doe cc= dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

46 Signature Wrapping with Namespace Injection soap:header soap:envelope ExclusiveCanonicalization soap:body wss:security ds:signature ds:signedinfo Ms. ds:referenced R f ds= g g dsx= op:payto pp op:name cc:creditcard Jane Doe ds:transforms Not protected by the XML Signature! ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

47 Signature Wrapping with Namespace Injection op= soap:envelope soap:header soap:body wss:security ds:signature ds:signedinfo ds:referenced R f op= ds= g g dsx= op:payto pp op:name cc:creditcard Ms. Jane Doe ds:transforms Not protected by the XML Signature! ds:transform dsx:xpath /soap:envelope/soap:body/op:payto/cc:creditcard

48 XML- und Web-Service-Sicherheit Schöne Semesterferien!

Eine zustandsbehaftete Web Service Firewall für BPEL

Eine zustandsbehaftete Web Service Firewall für BPEL SPRING2 2007 Dortmund Nils Gruschka, Meiko Jensen, Norbert Luttenberger Arbeitsgruppe Kommunikationssysteme Institut für Informatik Christian-Albrechts-Universität