1. Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec Europe May 2006 http://www.owasp.org/ Inline Approach for Secure SOAP Requests and Early Validation Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France {mohammad.ashiqur.rahaman,maarten.rits,andreas.sch aad}@sap.com +33 ( 0 )4 92 28 62 00

2. OWASP AppSec Europe 2006 2 Topics of the Presentation  Goals of this work  Today’s security mechanisms and Web Services Security  Realization of WS-Security Features  XML Rewriting Attacks  Conceptual solution and proposed technique  Performance evaluation  Conclusion and future work

3. OWASP AppSec Europe 2006 3 Goals of this work Explore and analyze WS-Security and related (e.g. WS- Policy, WS-SecurePolicy,..) specifications. Analyze the application of formal methods in WS-Security standards verification. Implement the integrity features of WS-Security into Johnson2. Explore XML rewriting attacks against web services. Realize the measures against these attacks and evaluate the performance of the state of the art approach against these attacks. Propose a scheme to detect these attacks in an efficient way. To analyze the work that has been done in Web Service security and related area and to be able to find out the drawbacks, vulnerabilities and remedy against security attacks.

4. OWASP AppSec Europe 2006 4 Today’s security mechanisms Limitations: Not granular enough se it. Inflexible about routing. No chance for auditing what’s going on. Can’t avoid repudiation. HTTP might not be the only transport that is used now a day. Request -er of a service Interm- ediary Web service Security Context Figure : Point-to-point Configuration Secure Socket Layer (SSL) along with the de facto Transport Layer Security (TLS) provides transport level security for web services applications.

5. OWASP AppSec Europe 2006 5 What do we need in Web service security?  Point of interaction is more “over the internet”. Interaction between partners with no previously established relationship. Program to program interaction. More dynamic interaction. We need fine grained signature and encryption. Request- er of a service Interme -diary Web service Figure : End-to-End Configuration Security Context WS-Security along with some other standards like WS-Policy address these issues. We need Message Level Security for web services because:

6. OWASP AppSec Europe 2006 6  Realization of WS-Security and Related standards

7. OWASP AppSec Europe 2006 7 Architecture of Web Services Security WS-Policy describes the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms) WS-SecureConversation describes how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys Requester Web Service Security Token Service Policy Security Token Claims Policy Security Token Claims Security Token Claims WS-Security how to attach signature and encryption headers to SOAP messages how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages WS-Trust describes a framework for trust models that enables Web services to securely interoperate

8. OWASP AppSec Europe 2006 8 “Alice" "mTbzQM84RkFqza+lIes/xw==" "2004-09-01T13:31:50Z" "U9sBHidIkVvKA4vZo0gGKxMhA1g=“ "8/ohMBZ5JwzYyu+POU/v879R01s=" “SAP" "ORACLE" UsernameToken assumes both parties know Alice’s secret password p Securing SOAP Messages using WS-Security Each DigestValue is a cryptographic hash of the URI target hmacsha1(key, SignedInfo) where key  psha1(p+nonce+created) header defined by OASIS WS-Security includes identity tokens, signatures, encrypted message parts “SAP" “ORACLE" Soap Message to send Soap Message after addition of Security Header N.B All the SOAP messages here eliding some headers, all namespaces, and abbreviating long strings for brevity.

9. OWASP AppSec Europe 2006 9 Message flow using WS*Standards 3.Sending to Policy Module 4. Sign/Encrypt & send SOAP message to web service Web Service Requester Web Service Provider Security Token service 2. Get tokens to add to SOAP messages 7. Receive response from Web Service Figure: Typical message flow between web services using WS-Security Incorporating WS-Policy in SOAP 6. Validate tokens Checking SOAP according to WS- Policy 5.Enforcing WS-Policy 1. Request for tokens

10. OWASP AppSec Europe 2006 10  XML Rewriting Attacks

11. OWASP AppSec Europe 2006 11 A XML Rewriting Attack From: Rahim To: Bookshop Action: “Buy Jabbar’s book” (signed by Rahim) Rahim’s mobile Online Book shop (Web Service) Attacker Sent: Monday From: Rahim To: Bank Action: “Pay Charlie $20” (signed by Rahim) Sent: Tuesday From: Rahim To: Bank Action: “Buy Charlie’s book” (signed by Rahim) Sent: Wednesday From: Rahim To: Bookshop Action: “Buy Jabbar’s book” (signed by Rahim) Attacker may update and replay envelopes to confuse Book Shop XML Rewriting attack is a general name to a class of attacks (e.g. Replay, man-in-middle, redirection, and dictionary) on SOAP messages.

12. OWASP AppSec Europe 2006 12 A Signed SOAP Message Before... Rahim cGxr8w2AnBUzuhLzDYDoVw== 2003-02-04T16:49:45Z Ego0... vSB9JU/Wr8ykpAlaxCx2KdvjZcc= Karim 1000 Message to bank’s web service says: “Transfer $1000 to karim, signed by Rahim” Bank can verify the signature that has been computed using key derived from Rahim’s secret password N.B All the SOAP messages here eliding some headers, all namespaces, and abbreviating long strings for brevity.

13. OWASP AppSec Europe 2006 13 and After an XML Rewriting Attack Rahim cGxr8w2AnBUzuhLzDYDoVw== 2003-02-04T16:49:45Z Ego0... vSB9JU/Wr8ykpAlaxCx2KdvjZcc= Although Rahim’s password has not been broken, the message now reads “Transfer $5000 to Charlie, signed Rahim” Charlie(Attacker) has intercepted and rewritten this message The indirect signature of the body, now hidden in BogusHeader, may still appear valid N.B All the SOAP messages here eliding some headers, all namespaces, and abbreviating long strings for brevity. Karim 1000 Charlie 5000

14. OWASP AppSec Europe 2006 14  Conceptual Solution and Proposed Technique

15. OWASP AppSec Europe 2006 15 Conceptual solution against XML rewriting attacks  After carefully observing the rewriting attacks the following things are obvious: All attacks are some kind of modification of SOAP message. The intended predecessor or successor relationship of the SOAP element is lost consequently. The number of predecessor, successor, and sibling elements of a SOAP element where the unexpected modification occurs is changed and thus the expected hierarchy of the element is modified as well. We capture these observations in a new header, we call it SOAP Account

16. OWASP AppSec Europe 2006 16 SOAP Account Number Of Child Elements of Envelope Number Of Header Elements in SOAP Header Successor And Predecessor Relationship of Each Signed Object Number Of References in each signature Element Parent Element Sibling Elements Sucessor And Predecessor Relationship Extentsion For Future Figure : SOAP Account At the time of sending SOAP message we can always keep an account of SOAP elements by including SOAP Account into the message: Number of child elements of root. Number of header elements. Number of references for signing element. Predecessor, successor, and sibling relationship of the signed object. ………. The sender must sign the SOAP Account Information. SOAP Structure/Account keeps the record of a SOAP message’s structure of elements.

17. OWASP AppSec Europe 2006 17 Message flow in proposed technique 7.Enforcing WS-Policy 5. Sending signed message with SOAP Account Information 3.Sending to Policy Module 6. Received SOAP message Web Service Requester Web Service Provider Security Token service 2. Get tokens to add to SOAP messages 4. Sending SOAP message to SOAPAccount module 9. Receive response from Web Service Figure: Message flow using new approach between web services Adding SOAP Account Info Validating SOAP Account Info Incorpor-ating WS-Policy in SOAP Checking SOAP according to WS- Policy 1. Request for tokens 8. Validate tokens

18. OWASP AppSec Europe 2006 18 A SOAP message after adding SOAP Account ………… Alice cGxr8w2AnBUzuhLzDYDoVw== 2003-02-04T16:49:45Z Ego0... Qser99... OUytt0... vSB9JU/Wr8ykpAlaxCx2KdvjZcc= 2 Bob 1000 Message to bank’s web service says:”Transfer 1000 euro to Bob,signed Alice” Verifying signature using key derived from Alice’s secret password

19. OWASP AppSec Europe 2006 19 A SOAP request after an attempt to attack (Excerpt) ……………. Alice cGxr8w2AnBUzuhLzDYDoVw== 2003-02-04T16:49:45Z Ego0... Qser99... OUytt0... vSB9JU/Wr8ykpAlaxCx2KdvjZcc= 2 Bob 1000 Bob 5000 Attacker has intercepted the message This reference is not valid anymore because No of header is not 2. After attack it is 3 Attacker has added a BogusHeader & included the Body Amount has been changed to 5000 by the attacker

20. OWASP AppSec Europe 2006 20 Inline approach and Efficiency  Inline Approach SOAP Account information are computed while creating the SOAP message itself. We use popular XML package model like DOM in the sending and receiving application. Validation of this SOAP Account is done while receiving the SOAP message in the receiving application.  Since we can compute SOAP Account while creating the message & do not incur any considerable overheads, we call this approach as inline.  Efficiency  in Inline approach we consciously avoid the XML processing, in particular XML canonicalization, while validating SOAP Account in the SOAP message.

21. OWASP AppSec Europe 2006 21 Performance Evaluation  We evaluate the performance of detecting XML Rewriting Attacks using SOAP Account in the SOAP message. We simulate few XML Rewriting Attack scenarios in Java. Service requester and provider are designed using JWSDP 1.6. We simulate an attacker to generate the attacks.  Evaluation Environment Executed with Sun’s jdk1.5.0_06, for windows. We use XWS Security Framework of JWSDP 1.6 package for WS-Security features as a comparable message level security implementation. Using a PC with Mobile Intel(R) Pentium(R) 4, 2.80GHz Processor and 512 MB RAM, running on Microsoft Windows XP Professional.

22. OWASP AppSec Europe 2006 22 Performance Evaluation-Two Considering the fact of being not enough for profiling Java code of using System.currentTimeMillis(), we use further a library called “hrtlib.jar” to get another result in the following Figure. This library is simple and it uses a Java Native Interface (JNI) implementation to return a fractional number of milliseconds elapsed since some undetermined moment in the past. This time using SOAP Account we get 4 times better performance than Policy driven solution.

23. OWASP AppSec Europe 2006 23 Conclusion SOAP Structure/Account information has been ignored in detecting XML rewriting attacks so far. The SOAP Account can be incorporated in WS-Security. We can even use it in any standalone web service which may be subject to XML rewriting attacks. It is not an attempt to replace policy based validation; rather it is designed to be an alternative that can be used when performance is an issue in detecting XML rewriting attacks.

24. OWASP AppSec Europe 2006 24 Future work How SOAP Account information can be used for securing a session of message exchange could be a future research topic. WS-SecureConversation addresses this issue introducing security contexts, which can be used to secure sessions between two parties. We have used only the XWS-Security Framework as a comparable message level security implementation and have drawn some comparisons of WSE implementation with our technique. It would be interesting to see how the performance scales regarding other implementation frameworks of message level security.