Before a web service client can communicate with other web services, the web service client has to retrieve information on how to invoke the the desired web service. That means data such as web service address, message format, required parameters or security requirements. All of this data is found in the metadata documents provided by the invoked web services server. The most common meta data documents are:
- WSDL file[
When an attacker is able to maliciously alter these documents and spread them across web service clients, this attack is called Metadata Spoofing or Schema Poisoning.
The most common spoofing attacks are:
- WSDL Spoofing
Maliciously changing the content of the WSDL file. This attack is also known as WSDL Parameter Tampering.
- WS Security Policy Spoofing
Maliciously changing the content of the WSDL file. This usually aims at lowering the security requirements of an web service. I.e. the information that certain message data is required to be encrypted just gets removed, resulting in an unencrypted communication between web services, enabling the attacker to read the message content.
Prerequisites for attack
In order for this attack to work the attack has to have knowledge about the following thinks:
- Attacker has access to the documents he wants to spoof.
- Attacker is able to spread the spoof documents across web service clients that want to invoke the attacked web service.
Graphical representation of attack
The attack is executed on the web service client. The web service intended to be invoked by the attacked web service client doesn't even have to be vulnerable to any attack.
We just assume that an attacker is able to spoof the metadata documents of the web service the client wants to invoke. For an attacker three scenarios are possible in order to achieve his goal
- Swapping of the original file on the attacked web service server with the spoofed file.
- MITM scenarios, where an attacker alters the document in traffic, while the client retrieves the metadata document from the web services server.
- The attacker swaps the file on the local machine of the web service client. Local access on the clients machine is required.
In this scenario the reciving web service and the executed operation on the web service are as specified by the attacker in the spoofed document.
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Listing 1 contains a WSDL example  with a network address. Therefore all requests get forwarded to the web service located at the new network address specified by the attacker.
<!-- excerpt of WSDL FILE [http://www.w3.org/2001/03/14-annotated-WSDL-examples.html]--> <!-- wsdl:service names a new service "StockQuoteService" --> <wsdl:service name="StockQuoteService"> <wsdl:documentation>My first service</documentation> <!-- connect it to the binding "StockQuoteBinding" above --> <wsdl:port name="StockQuotePort" binding="tns:StockQuoteBinding"> <!-- give the binding an network address --> <!-- THE LOCATION WAS CHANGED FROM examples.com to ATTACK.com --> <soap:address location="http://ATTACK.com/stockquote"/> </wsdl:port> </wsdl:service> </wsdl:definitions>
Listing 1: Modified WSDL Document
Attack mitigation / countermeasures
As an web service client, it is important to check all metadata documents for authenticity prior to employing them. Up to now, no standardised method is defined to check for authenticity. Therefore web service developers still have to define proprietary solutions like signing of the metadata documents.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Meiko Jensen, Nils Gruschka, and Ralph Herkenh ̈ner. A survey of attacks on web services. Springer-Verlag, 2009.
- Meiko Jensen.Attacking webservices. http://www.nds.rub.de/media/nds/downloads/ws0910/AttackingWebServices.pdf, 2010. Accessed 01 July 2010.