The WS-Address standard allows the addition of routing information to the SOAP Header, allowing asynchronous communication.
Three attack subtypes are defined:
- WS-Address spoofing - Generic
The generic definition describes the following scenario: An attacker send a SOAP message, containing WS-Address information, to a web service server. The <ReplyTo> element doesn't contain the address of the attacker but instead the web service client who the attacker has chosen to receive the message. This results in unwanted traffic/SOAP messages for the receiving web service client. Depending on the amount of traffic DOS scenarios are possible. However other attack scenarios are possible too.
- WS-Address spoofing - BPEL Rollback
This subtype requires the existence of some sort of BPEL engine. Lets assume that an attacker sends SOAP messages to a web service resulting in the creation of new BPEL process instances. The SOAP message contains a <ReplyTo> element with an invalid callback endpoint. After the SOAP message gets processed by the BPEL engine, it tries to call the endpoint defined in <ReplyTo>. This action results in some form of error response such as refused connections or SOAP faults. In return, this error response will be processed by the BPEL engine.
In case a BPEL engine gets flooded with many SOAP messages as described above, a high workload for the BPEL engine will result. In the worst case a DOS is the result.
This kind of flooding attack is a lot more devastating than regular flooding attacks, since one message results in the call of multiple actions/web service calls that are called by the BPEL engine. The attack only becomes visible once all stages of the BPEL engine are run through.
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following things:
- Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
- Attacker knows that the web web service processes the security header and the "encryption" element and/or "signature" element. If the web service doesn't "expect" an encrypted part, it just discards the encryption and the attack doesn't work.
- Attacker can reach endpoint from its location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.
Graphic representation of attack
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Example 1: An example for the WS-Address spoofing - Generic attack is pictured in Figure 2 and 3.Figures taken from . As shown in Figure 3, the attacker generates a response to a SOAP message the client never requested.
Figure 2: Regular SOAP traffic between WS client and WS server.
Figure 3: SOAP traffic from WS client to WS server never requested by WS client.
Example 2: Example 2 shows the architecture for a WS-Address spoofing - Middleware Hijacking attack. Figure taken from [Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.].
Figure 4: Architecture for the "WS-Address spoofing - Middleware Hijacking attack".
Attack mitigation / countermeasures
In order to prevent a WS-Address spoofing attack the caller's endpoint has to be verified before doing any further processing. This is especially important when SOAP messages are processed by a BPEL engine. However, up to now, there is no standardized way of doing this verification.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
"WS-Adress spoofing - BPEL Rollback" is filed under:
"WS-Adress spoofing - Middleware Hijacking" is filed under:
Categorisation by attack spreading
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.