XML Signature Wrapping

From WS-Attacks
Revision as of 12:26, 31 October 2015 by Jln7bp (1 revision imported: Import from WS-Attacks)

Attack description

Web services offer designers enormous flexibility when it comes to employing integrity features. Usually, in order to guarantee message integrity, certain predefined parts of the SOAP message are signed.

Let's assume that a web service client sends a signed message to the receiving web service. Ideally, any malicious modification of the signed data is detected by the receiving web service unless the attacker is able to break the signature algorithm itself. However, when executing an XML Signature Wrapping attack, an attacker is able to change the content of the signed part without invalidating the signature.

This attack is also known as XML Rewriting attack.

NOTE: We simply assume that both parties agreed in advance on which parts of the SOAP message have to be signed. How this agreement process is implemented is not important for this attack (however, this process is important for the Metadata_Spoofing attack).
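As an added example (not code from the original wiki page), the following Python check shows the kind of "see what is signed" control a receiving web service can run after signature verification succeeds: it resolves every local ds:Reference URI to the element carrying that wsu:Id, confirms the Id is unique, confirms the signed element sits at the location the application will actually process (assumed here to be Envelope/Body, the part both parties agreed to sign), and confirms that the Body at that location is covered by a reference at all. The two envelopes are constructed sample inputs: one correctly signed message and one in which the originally signed Body has been relocated under a wrapper element while an unsigned Body takes its place, which is the generic shape this attack produces. Namespace URIs are the standard SOAP 1.1, WS-Security and XML Signature ones; the signature value is a placeholder, since the point is the structural check, not the cryptographic one.

```python
"""Structural "see what is signed" check for SOAP envelopes (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_ids(root):
    """Collect the local Ids referenced by ds:Reference URI="#..." in the security header."""
    ids = set()
    for ref in root.iterfind(
        "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS
    ):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def path_of(elem, parent_map):
    """Build a path of local names from the document root down to elem."""
    parts = []
    while elem is not None:
        parts.append(elem.tag.split("}")[-1])
        elem = parent_map.get(elem)
    return "/".join(reversed(parts))


def check_envelope(xml_text, expected_path="Envelope/Body"):
    """Return a list of findings; an empty list means every signed reference
    resolves to exactly one element at the expected location and the Body the
    application will process is among the signed elements."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_map = {child: parent for parent in root.iter() for child in parent}
    findings = []

    ids = signed_ids(root)
    if not ids:
        return ["no local signature reference found"]

    # Map every wsu:Id to the elements carrying it; a signed Id must be unique.
    by_id = {}
    for el in root.iter():
        i = el.get(WSU_ID)
        if i is not None:
            by_id.setdefault(i, []).append(el)

    for i in sorted(ids):
        hits = by_id.get(i, [])
        if len(hits) != 1:
            findings.append(f"Id '{i}' resolves to {len(hits)} elements")
            continue
        location = path_of(hits[0], parent_map)
        if location != expected_path:
            findings.append(f"signed Id '{i}' is located at {location}, not {expected_path}")

    # The element the application processes must itself be covered by a reference.
    body = root.find("soap:Body", NS)
    if body is None:
        findings.append("no soap:Body child of Envelope")
    elif body.get(WSU_ID) not in ids:
        findings.append(f"{expected_path} carries no signed Id")
    return findings


HEAD = (
    '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
    'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">' % NS
)
SIGNATURE = (
    "<wsse:Security><ds:Signature><ds:SignedInfo>"
    '<ds:Reference URI="#body-1"/></ds:SignedInfo>'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
    "</ds:Signature></wsse:Security>"
)

# Constructed sample: the Body the service processes is the one that was signed.
BENIGN = HEAD + "<soap:Header>" + SIGNATURE + "</soap:Header>" + (
    '<soap:Body wsu:Id="body-1"><getBalance><account>1234</account></getBalance></soap:Body>'
) + "</soap:Envelope>"

# Constructed sample: the signed Body was moved under a wrapper in the header and an
# unsigned Body with a different Id now sits where the application looks for it.
WRAPPED = HEAD + "<soap:Header>" + SIGNATURE + (
    '<Wrapper><soap:Body wsu:Id="body-1"><getBalance><account>1234</account></getBalance></soap:Body></Wrapper>'
) + "</soap:Header>" + (
    '<soap:Body wsu:Id="body-2"><transfer><to>9999</to></transfer></soap:Body>'
) + "</soap:Envelope>"

if __name__ == "__main__":
    print("benign :", check_envelope(BENIGN))
    print("wrapped:", check_envelope(WRAPPED))
```

The check is deliberately independent of the signature library: it only answers whether the element the verifier proved intact is the element the application is about to act on. Run it after the cryptographic verification, and reject the message on any finding.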

Attack subtypes

There are various XML Signature Wrapping attacks. Due to their complexity, a separate wiki page was created for each of them. The different XML Signature Wrapping attack subtypes are:

Prerequisites for attack

In order for this attack to work the attacker has to have knowledge about the following things:

  1. The attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
  2. The attacker knows that the web service processes the security header and the "Signature" element. If the web service doesn't "expect" a signed part, it just discards the signature and the attack doesn't work.
  3. The attacker can reach the endpoint from his location. Access to the attacked web service is required. If the web service is only available to users within a certain company network, this attack is limited.

Graphical representation of attack

[Figure: AttackedComponent Signature.png, the attacked web service component]

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.

Attack example

Due to the attack's complexity, refer to each attack subtype.

Attack mitigation / countermeasures

Due to the attack's complexity, refer to each attack subtype.

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.

Categorisation by number of involved parties

Categorisation by attacked component in web service architecture

Categorisation by attack spreading


Due to the attack's complexity, refer to each attack subtype.