Presentation is loading. Please wait.

Presentation is loading. Please wait.

XML Rewrite Attacks in The Context of SOAP Messages, Evaluating The Current Solutions AHMED ALGHAMDI CSCE 813.

Published byBella Brann Modified over 9 years ago

Similar presentations

Presentation on theme: "XML Rewrite Attacks in The Context of SOAP Messages, Evaluating The Current Solutions AHMED ALGHAMDI CSCE 813."— Presentation transcript:

1 XML Rewrite Attacks in The Context of SOAP Messages, Evaluating The Current Solutions AHMED ALGHAMDI CSCE 813

2 Introduction SOA, SOAP messages, XML signature. XML Rewrite Attacks XML rewrite attacks scenarios, available solutions, recommended solution References Outlines Presentation figures are from references given on slides 15 & 16.

3 SOA ( Services Oriented Architecture ) - Architecture style to build the system as a group of web services. - Group of rules for service encapsulation, modularity, reusability and loose coupling. SOAP (Simple Object Access Protocol ) - XML-based protocol to define the structure of exchanged messages. - Can be used with different underlying protocols, such as HTTP. Introduction

4 SOAP Messages: : The root element. Contains two elements: - element: (optional) Contains information that will be processed by SOAP nodes during transmission. - element: (mandatory) Contains call and response information. Introduction ( Source: Wikipedia )

5 XML signature : - Digital signature used to provide authentication and integrity for SOAP messages. - Applied to specific parts of the SOAP message or the whole message. - It refers to the signed object without any further information about its location Introduction ( Source: [5], from references given on slides 15 & 16 )

6 XML rewrite attacks : Adding new elements to the SOAP header without compromising the contents of the message. A.Redirection attack: - The attacker inserts a new element into the message’s header to direct the message to other addresses. XML Rewrite Attacks

7 SOAP message after XML rewrite attack: XML Rewrite Attacks ( Source: [6], from references given on slides 15 & 16 )

8 B.Replay Attack: XML Rewrite Attacks

9 SOAP message after XML rewrite attack: ( Source: [5], from references given on slides 15 & 16 )

10 The Available Solutions:- 1- The formal solution : - Create new context- sensitive signature (CSS), to use in place of the regular context-free signature (CFS). - Generate context to allow the context of the signed elements to be captured at the same time as signing. - The limitation: The context of the signed message can be lost in some situations, when the context in the reference element of the signature must be stored before signing. XML Rewrite Attacks

11 2-The Inline Approach (SOAP Accounts) :- - Adding a new element called SOAP account to the header of the outgoing SOAP message. - SOAP account records the element structure information of the SOAP message. XML Rewrite Attacks ( Source: [3] )

12 The limitations:- In this solution all the parent elements of signed elements are not uniquely identified. SOAP account itself is vulnerable for some types of rewrite attack. The numbers of SOAP account elements are not specified and cannot be fixed. This solution does not detect the replay attack. XML Rewrite Attacks

13 To avoid SOAP Account vulnerability there are three recommendations: To prevent the attacker from creating a fake header to wrap elements, more information about the depth of each signed element should be stored. We have to store information for the parent for each signed element. The element's parent should be uniquely identified. This will help detect fake elements inserted by an attacker XML Rewrite Attacks

14 1.Mohammad Ashiqur Rahaman, Andreas Schaad, and Maarten Rits. 2006. Towards secure SOAP message exchange in a SOA. In Proceedings of the 3rd ACM workshop on Secure web services (SWS '06). ACM, New York, NY, USA, 77-84. 2.Michael McIntosh and Paula Austel. 2005. XML signature element wrapping attacks and countermeasures. In Proceedings of the 2005 workshop on Secure web services (SWS '05). ACM, New York, NY, USA, 20-27. 3.M. A. Rahaman, R. Marten, and A. Schaad. An inline approach for secure soap requests and early validation. OWASP AppSec Europe, 2006. 4.Mike P. Papazoglou and Willem-Jan Heuvel. 2007. Service oriented architectures: approaches, technologies and research issues. The VLDB Journal 16, 3 (July 2007), 389-415. 5.Smriti Kumar Sinha and Azzedine Benameur. 2008. A formal solution to rewriting attacks on SOAP messages. In Proceedings of the 2008 ACM workshop on Secure web services (SWS '08). ACM, New York, NY, USA, 53-60. References

15 6.S. Fenet, A. Benameur and F. A. Kadir, “XML Rewriting Attacks: Existing Solutions and their Limitations”, Proceeding of the International Conference on Applied Computing, (2008) April; Algavre, Portugal. 7.S. Gajek, M. Jensen, L. Liao, and J. Schwenk, "Analysis of signature wrapping attacks and countermeasures," in ICWS, 2009, pp. 575-582. 8.SOAP Security Extensions: Digital Signature http://www.w3.org/TR/SOAP- dsig/#XML-Signature. 2/25/2014. 9.IBM Software Information Center, CICS Transaction Server for z/OS http://publib.boulder.ibm.com/infocenter/cicsts/v3r1/index.jsp?topic=%2Fcom.ibm.cics.ts31.doc%2Fdfhws%2Fconcepts%2Fsoa%2Fdfhws_message.h tm. 3/09/2014. 10.Web Services Security: What’s Required To Secure A Service-Oriented Architecture http://www.oracle.com/us/products/middleware/identity- management/059410.pdf. 3/2/2014. 11.Faisal Abdul Kadir,”RewritingHealer: An approach for securing web service communication”, KTH Royal Institute Of Technology, 2007. References

16 Any Questions?

Download ppt "XML Rewrite Attacks in The Context of SOAP Messages, Evaluating The Current Solutions AHMED ALGHAMDI CSCE 813."

Similar presentations

Siebel Web Services Siebel Web Services March, From

Siebel Web Services Siebel Web Services March, From
31242/32549 Advanced Internet Programming Advanced Java Programming

31242/32549 Advanced Internet Programming Advanced Java Programming
SOAP.

SOAP.
CIS 375—Web App Dev II SOAP.

CIS 375—Web App Dev II SOAP.
SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.
SOAP Quang Vinh Pham Simon De Baets Université Libre de Bruxelles1.

SOAP Quang Vinh Pham Simon De Baets Université Libre de Bruxelles1.
TAODV: A Trusted AODV Routing Protocol for MANET Li Xiaoqi, GiGi March 22, 2004.

TAODV: A Trusted AODV Routing Protocol for MANET Li Xiaoqi, GiGi March 22, 2004.
Reliability on Web Services Presented by Pat Chan 17/10/2005.

Reliability on Web Services Presented by Pat Chan 17/10/2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Presentation 7 part 2: SOAP & WSDL. Ingeniørhøjskolen i Århus Slide 2 Outline Building blocks in Web Services SOA SOAP WSDL (UDDI)

Presentation 7 part 2: SOAP & WSDL. Ingeniørhøjskolen i Århus Slide 2 Outline Building blocks in Web Services SOA SOAP WSDL (UDDI)
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Introduction to Service-Oriented Architecture. Outline Definition Features Examples of SOA Web Service Standards Example Pros and Cons Integration with.

Introduction to Service-Oriented Architecture. Outline Definition Features Examples of SOA Web Service Standards Example Pros and Cons Integration with.
 SOA is not a newly invented concept  It brings together existing concepts and practices  Distributed in a network through interfaces  Utilized by.

 SOA is not a newly invented concept  It brings together existing concepts and practices  Distributed in a network through interfaces  Utilized by.
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.

Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
2006 IEEE International Conference on Web Services ICWS 2006 Overview.

2006 IEEE International Conference on Web Services ICWS 2006 Overview.
Software – Part 3 V.T. Raja, Ph.D., Information Management College of Business Oregon State University.

Software – Part 3 V.T. Raja, Ph.D., Information Management College of Business Oregon State University.
Web services security I

Web services security I

Similar presentations

Ads by Google