Passive WS-MITM

From WS-Attacks.org
Revision as of 04:32, 26 July 2010 by Cl admin (Talk | contribs)


Attack description

Passive WS-MITM (passive Web Service Man-in-the-Middle) attacks are attacks in which an attacker reads the data sent between a web service client and a web service receiver, gaining access to information not intended for them and therefore violating the security objective "Confidentiality".

Since web services usually rely on classical internet technologies such as TCP/IP, all known MITM attack tools and techniques can be used by an attacker. Refer to [1] for a list of various tools.

However, web services introduce a new potential attacker position. A web service request may pass through an arbitrary number of intermediary web services before it reaches its destination. If only one of these intermediaries is under the control of the attacker, the attacker is able to read the SOAP request.

The attack is also known as Message Sniffing and Message Snooping.


Attack subtypes

No attack subtypes are defined.


Prerequisites for attack

In order for this attack to work, the following prerequisite must be met:

  1. The attacker has access to an intermediary web service that relays messages between the attacked web service client and server.


Graphical representation of attack

In this case the attacker is in control of the intermediary that sits between the attacked server and client. Both the web service client and the server are affected by the attack, since the attacker is usually able to read both the request and the response.

[Figure: AttackedComponent Intermediary.png]

  • Red = attacked web service
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.



Attack example

No attack example available.


Attack mitigation / countermeasures

Make use of cryptography for confidential data. In that case a Message Sniffing attack has no effect at all, since the only information the attacker gains is that a message was sent.

Attack categorisation

Categorisation by violated security objective

The attack aims at reading data not intended for the attacker; therefore it violates the security objective Confidentiality.


Categorisation by number of involved parties


Categorisation by attacked component in web service architecture


Categorisation by attack spreading


References

  1. Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.