7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
1/121
Attacking XML Security
Brad Hill
Principal Security Consultant, brad@isecpartners.com

The OWASP Foundation
OWASP & WASC AppSec 2007 Conference, San Jose, Nov 2007
http://www.owasp.org/ http://www.webappsec.org/

Copyright 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

Agenda
Introduction: Who am I?
Why care about XML Security?
How do XML Digital Signatures work?
How to build a cross-platform worm in XML?
Can we use this technology safely?

Special Thanks to:
Alex Stamos & Scott Stender, iSEC Partners: Attacking Web Services: The Next Generation of Vulnerable Enterprise Apps, http://isecpartners.com/files/iSEC-Attacking-Web-Services.SyScan.pdf
Dan Kaminsky of DoxPara & IOActive
Dr. Laurence Bull of Monash University, Australia
Dr. Brian LaMacchia of Microsoft Corporation
Andreas Junestam, Jesse Burns, Chris Clark and Chris Palmer of iSEC Partners
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
4/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)2007
1ntroduction
Who am /
Principa$ Security Consu$tant "or iSC Partners
App$ication security consu$tants andresearchers
;ased in San Francisco and Seatt$e, :SA
To get the $atest #ersion o" these s$ides* https*!!)))&isecpartners&com!spea%ing&htm$
https://www.isecpartners.com/speaking.htmlhttps://www.isecpartners.com/speaking.html -
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
5/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)2007
Wh care a3out XML Securit4
We Ser#ices ha#e gone mainstream*SOA 6 ;2; integrationWe Sing$e Sign On
And everbo!has 1( app$ications&/tP4igita$ identity systems
5

Two years ago
Alex Stamos & Scott Stender of iSEC present: “Attacking Web Services: The Next Generation of Vulnerable Enterprise Applications”
Web Services can be scary: valuable, visible, vulnerable

Web Service application-level attacks
The OWASP Top 10 still apply to Web Services
Old flaws like SQL injection
And new flaws like XML and XPath injection
Plus complexity attacks and denial of service against XML parsers and applications

Today's topic is protocol-level attacks
Alex & Scott […]

Why XML-SIG & XML-ENC?
For me… I didn't […]

Building an attack proxy
I wanted a tool like WebScarab or Fiddler for attacking Web Services utilizing WS-Security.
First order of business was fixing up XML Signatures.
Then I found this in the interop vectors while doing unit testing:
(Merlin Hughes, Baltimore Technologies, 2002)

That's no Cryptographic Integrity Primitive
It […]

But not a lot of public attention yet.
There have been excellent papers on several of the WS-* security standards in the academic world.
Worth searching the ACM, Springer or IEEE libraries for.
http://www.zurich.ibm.com/security/identities/
There are even full formal proofs of some of these protocols.
But they often start with sentences like: “Assume that the participating computers and the user's browser are correct.”
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
18/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)2007
A for,a## correct ,echani', for putting 3urning #og' right in the ,idd#e of o
What the architect de'igned
$;

What the reviewer sometimes finds:
Photo Credit: Jeff Leighton, Inspect-It 1st Property Inspection. Used with permission.

Attack Surface Analysis
Typical for applications: start with a threat model.
Enumerate all the entry points, interfaces and operations.
Which are anonymously accessible? Available to authenticated users?
Authorized to all users, administrators, or an individual user?
Locally or remotely accessible?
Complexity of inputs or operations, dependencies, assumptions.

HTTPS (a bit simplified)
Diagram: A and B exchange Message 1 … Message n over TLS. Channel privacy & integrity with K_SESSION; symmetric K_SESSION derived from X.509 certs & DH key exchange.
Per-session key exchange
Only X.509 certificates supported as keys
Multiple messages over single session
No preservation of evidence
Difficult to compose with reliable delivery
Opaque to intermediaries
Messages only protected in the channel
Forward secrecy with DH key exchange

WS-Security (One of many possibilities.)
Diagram: parties A, B, C and M; message parts Mp1 … Mpm are individually signed with K_A, signed with K_C or encrypted to K_B, and carried over HTTP, HTTPS, JMS or TCP.
Durable security
Selective security
Mixed key & token types
Mixed key exchange
Intermediate actors
Composable assertions
Transport agnostic

Diagram of the stack:
HTTP
XML, SOAP, WSDL, Schema, WS-Addressing, etc.
XML Digital Signatures
XML Encryption
SAML, Kerberos, X.509
Security Token Profiles
WS-Trust
WS-Federation, WS-SecureConversation
WS-Policy
WS-SecurityPolicy
WS-Security
.Net TCP Channel, Fast InfoSet, etc.
WS-Actually Get Some Work Done
SSL

Counter-intuitive Integrity
Lots of stuff can change without invalidating the signature.
Important if you […]

The Structure & Properties of XML Digital Signatures

Basic structure of an XML-SIG

Assumption 1: Complexity & DoS
Standards Committee: “It […]

Assumption 1: Complexity & DoS
Security-minded developer: “I wish XML were less complex, but if I follow best practices I can do it safely.”
Don't […]

Assumption 1: Complexity & DoS
Average Developer: “I authenticate my XML inputs with a signature now, so I don't […]

C14N Entity Expansion Attacks
C14N

Example Entity Expansion
This document expands to around 2 GB when parsed:
  <!DOCTYPE foo [
  <!ENTITY a "[…]
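As an added illustration (not from the slides), the two defensive checks a verifier wants against the expansion document above: an estimate of how large an entity expands computed from the DTD alone, and a parse that refuses any entity declaration before expat expands anything. The nested-entity document is a small constructed sample in the same shape as the talk's 2 GB one.

```python
import re
import xml.parsers.expat as expat

# Constructed sample: each entity expands to ten copies of the one below it.
NESTED_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<foo>&d;</foo>
"""

# Constructed sample with no DTD at all; this one must still parse.
PLAIN_DOC = "<foo><bar>no DTD here</bar></foo>"

_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r"&(\w+);")


def estimate_expansion(doc, entity):
    """Number of characters `entity` expands to, computed from the internal
    DTD subset alone, without ever performing the expansion. Only internal
    general entities with double-quoted values are modelled."""
    values = dict(_ENTITY_DECL.findall(doc))
    memo = {}
    in_progress = set()

    def size(name):
        if name in memo:
            return memo[name]
        if name in in_progress:
            raise ValueError("recursive entity: " + name)
        in_progress.add(name)
        value = values[name]
        literal = _ENTITY_REF.sub("", value)      # text that is not a reference
        refs = _ENTITY_REF.findall(value)
        memo[name] = len(literal) + sum(size(r) for r in refs)
        in_progress.discard(name)
        return memo[name]

    return size(entity)


def safe_parse(doc):
    """Parse with expat but refuse the document as soon as any entity (internal
    or external) is declared, i.e. before expat expands anything. Returns the
    element names seen, in document order."""
    seen = []
    parser = expat.ParserCreate()

    def reject_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise ValueError("entity declaration refused: " + name)

    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(doc, True)
    return seen


def parses_safely(doc):
    """True if safe_parse accepts the document, False if it was refused."""
    try:
        safe_parse(doc)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("&d; would expand to", estimate_expansion(NESTED_ENTITY_DOC, "d"), "characters")
    print("nested doc accepted:", parses_safely(NESTED_ENTITY_DOC))
    print("plain doc accepted:", parses_safely(PLAIN_DOC))
```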

C14N is expensive in general.
A somewhat complex algorithm with large resource requirements. Build a DOM, validate, canonicalize, serialize.
Schema and specification do not limit the number of C14N transforms that may be applied to a reference.
Could detect and optimize away redundant C14N, but I have not seen anyone do this yet.

  <Reference>
    <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c1[…]

C14N with Comments & Hash Collisions
OPTIONAL algorithm, but almost always supported.
Comments may be semantically significant in the doc.
But are they ever in the <SignedInfo> metadata? Almost certainly not even examined.
An unusual degree of freedom in crafting a hash collision that is still well-formed and doesn't […]

Reference
References describe what is being signed.
Identify the signed content with a URI.
Transforms to refine the specification or canonicalize.
Specify the digest method and digest value.

Reference
All references are primarily identified by a URI.
Full document reference: URI=""
XPointer Bare: URI="#object"
Object Reference: URI="#xpointer(id('object'))"
Same-document XPath: URI="#xpointer(/)"
External reference: URI="http://www.w3.org/TR/xml-stylesheet"

Reference
Three types of signatures:
Enveloping: References are descendants of the signature in the XML document.
Enveloped: Signature is a descendant of the signed content.
Detached: Signed content is a sibling or at an external location.

External References
Just failed another of our best practices.
An attacker can insert a malicious external reference, and you have to chase it to see if the signature validates.
No simple flag to turn this off in, e.g. Java APIs.
Maybe not valid in WS-Security context: “elements contained in the signature SHOULD refer to a resource within the enclosing SOAP envelope”
http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
Important to API clients.
Callers need to provide a custom URIDereferencer implementation.
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
53/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)2007
Ti,e of Check Ti,e of H'e
What i" an e9terna$ re"erence changes or ecomesuna#ai$a$e Fetch on #a$idate, "etch again on use& Pro#ide ma$icious
content the second time, repudiate transaction, etc&
eed to use cached re"erence retrie#a$&
+a#a pro#ides AP/ support, ut it is not a de"au$teha#ior&
Can

This is bad.
The need to pull from the validation cache makes for a very tight coupling between the security and application layer.
Is there any way to do this correctly from a network-edge security gateway? Similar to Newsham and Ptacek […]

XPath & XPointer
References to XML content to be signed can also be identified by an XPath or XPointer expression.
This can be complex and resource intensive.
XPath Filter 2.0 (intersect, subtract, union) is also available as a Transform. This was specifically created because XPath was becoming an accidental DoS vector.
Specify an unlimited number of XPath Filters (interleaved with C14N for good measure) for a good DoS.

XPath & XPointer
Another failure of the complexity & DoS assumption mismatch.
WS-Security recommends against, but again does not forbid, XPath & XPointer reference URIs.

New Theme: Security's Worst Enemy is Complexity!
Seen more than a bit of this already.
More to come.

Frisky References
Content referenced by ID or an ambiguous XPath can be moved about in the document without invalidating the signature.
This is a document-specific attack, but elements with contextual semantics must be signed in-situ for safety.
E.g. the following two documents both verify with the same signature value:

Naively sign just the price to prevent modification
  <order>
    <item>
      <name>Box of Pencils</name><price Id="1">$150</price>
      <Quantity>1</Quantity>
    </item>
    <item>
      <name>Laptop</name>
      <price Id="2">$250000</price>
      <Quantity>100</Quantity> </item>
  </order>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#xpointer(id('1'))"> </Reference>
      <Reference URI="#xpointer(id('2'))"> </Reference>
    </SignedInfo>
    <SignatureValue> </SignatureValue>
    <KeyInfo> </KeyInfo>
  </Signature>

Signature still valid, very different semantics.
  <order>
    <item>
      <name>Box of Pencils</name> <price Id="2">$250000</price>
      <Quantity>1</Quantity>
    </item>
    <item>
      <name>Laptop</name>
      <price Id="1">$150</price>
      <Quantity>100</Quantity> </item>
  </order>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#xpointer(id('1'))"> </Reference>
      <Reference URI="#xpointer(id('2'))"> </Reference>
    </SignedInfo>
    <SignatureValue> </SignatureValue>
    <KeyInfo> </KeyInfo>
  </Signature>
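An added example, not from the slides, that makes the two order documents above measurable: resolving each Reference by Id yields identical digests for both documents (so the signature verifies either way) while the application reads a different price for the same item, and a digest taken over the whole enclosing item (signing in-situ) differs and would fail. SHA-256 over the serialized element stands in for C14N plus DigestMethod; the documents are transcribed as constructed samples without the Signature element.

```python
import hashlib
import xml.etree.ElementTree as ET

# The order document from the slide, transcribed as a constructed sample.
ORDER_ORIGINAL = """<order>
<item><name>Box of Pencils</name><price Id="1">$150</price><Quantity>1</Quantity></item>
<item><name>Laptop</name><price Id="2">$250000</price><Quantity>100</Quantity></item>
</order>"""

# The same document with the two signed <price> elements swapped between items.
ORDER_SWAPPED = """<order>
<item><name>Box of Pencils</name><price Id="2">$250000</price><Quantity>1</Quantity></item>
<item><name>Laptop</name><price Id="1">$150</price><Quantity>100</Quantity></item>
</order>"""

# Targets of the slide's <Reference URI="#xpointer(id('1'))"> and id('2').
SIGNED_IDS = ("1", "2")


def element_by_id(root, id_value):
    """Resolve an Id reference the way a URI dereferencer does: by the Id
    attribute alone, with no regard to where in the tree the element sits."""
    for el in root.iter():
        if el.get("Id") == id_value:
            return el
    raise KeyError(id_value)


def digest(el):
    """SHA-256 over the serialized element; stands in for C14N + DigestMethod."""
    return hashlib.sha256(ET.tostring(el)).hexdigest()


def reference_digests(doc):
    """The DigestValues a verifier recomputes for the two signed References."""
    root = ET.fromstring(doc)
    return {i: digest(element_by_id(root, i)) for i in SIGNED_IDS}


def price_for(doc, item_name):
    """What the application reads for an item after 'the signature validated'."""
    root = ET.fromstring(doc)
    for item in root.findall("item"):
        if item.findtext("name") == item_name:
            return item.findtext("price")
    raise KeyError(item_name)


def in_situ_digests(doc):
    """Hardened variant: digest the whole <item> carrying each price, so the
    price is bound to the name and quantity it belongs to (signed in-situ)."""
    root = ET.fromstring(doc)
    return {item.find("price").get("Id"): digest(item) for item in root.findall("item")}


if __name__ == "__main__":
    same = reference_digests(ORDER_ORIGINAL) == reference_digests(ORDER_SWAPPED)
    print("reference digests identical across both documents:", same)
    print("pencils cost:", price_for(ORDER_ORIGINAL, "Box of Pencils"),
          "vs", price_for(ORDER_SWAPPED, "Box of Pencils"))
    print("in-situ digest of item 1 unchanged:",
          in_situ_digests(ORDER_ORIGINAL)["1"] == in_situ_digests(ORDER_SWAPPED)["1"])
```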

Element Wrapping Attacks!
Discussed briefly in WS-Security standard with regard to SOAP headers. Moving elements from optional vs. must-understand […]
“XML Signature Element Wrapping Attacks and Countermeasures”, Michael McIntosh & Paula Austel, IBM Research, Hawthorne, NY
Workshop On Secure Web Services, Proceedings of the 2005 Workshop on Secure Web Services, ACM Press
http://portal.acm.org/citation.cfm?id=1103026&jmp=cit&coll=ACM&dl=ACM&CFID=14005269&CFTOKEN=77983358
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
62/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)2007
Wrapper:' -e#ight
ot ust repositioning signed e$ements&An attac%er can a$so add or de$ete content or
modi"y the unsigned portions )ithout rea%ingthe signature&
App$ies to o#er$y speci8c 1Pointers, 1Path andFi$ters as )e$$ as re"erences y /d&
Again, need to pu$$ content direct$y "rom#a$idation cache&
ore tight coup$ing to the security $ayerore attac%s possi$e against gate)ay
app$iances
82

Transforms
Extra processing instructions. Refine selection of signed content.
Additional steps to arrive at the correct digest.
We […]

Enveloped & Enveloping Signatures
Modeled as Transforms.
Extract the signature from the content, or vice-versa, before canonicalizing & digesting.

Extensible Stylesheet Language Transforms (XSLT)
XSLT is a language for processing and transforming XML documents.
Used for content extraction or, most commonly, transforming XML content from one format to another.
A pattern-matching template processor takes a source and template document and produces a third document as output.

XSLT
Provide an extremely expressive means to select content for signing.
“Sign what is meant, not what is said.”
But too clever by half.

Theme: Dependency Analysis
Taking dependencies on other components or code correlates strongly with security defects.
Threat models don't […]

Mismatched Assumptions Again
XSLT is not just XPath!!
It […]

The big collision.
But developers want functionality and functionality is attack surface.
XSLT as specified in 1999 was a functional programming language.
No side effects. No I/O. No access to OS facilities. “Just another DoS.”

Not really: More network operations.
Pull in an external stylesheet with xsl:include and xsl:import.
Pull in arbitrary external content with the document() function during the transform.

The Killer: XSLT Extensions
All in one place: Insecure Dependencies, Complexity, Mismatched Assumptions.
XSLT is complicated. Code reuse and modularity is great! Just import somebody else […]

  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
    xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
    exclude-result-prefixes="rt,ob">
    <xsl:template match="/">
      <xsl:variable name="runtimeObject" select="rt:getRuntime()"/>
      <xsl:variable name="command" select="rt:exec($runtimeObject, &apos;c:\Windows\system32\cmd.exe&apos;)"/>
      <xsl:variable name="commandAsString" select="ob:toStrin[…]
      <xsl:value-of select="$commandAsString"/>
    </xsl:template>
  </xsl:stylesheet>

  <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xsltc="http://xml.apache.org/xalan/xsltc"
    xmlns:redirect="http://xml.apache.org/xalan/redirect"
    extension-element-prefixes="xsltc redirect"
    version="1.0">
    <xsl:template match="/">
      <xsltc:output file="blob.xml"><xsl:text>This ends up in the file "blob.xml"</xsl:text></xsltc:output>
      <redirect:write file="\\arbitraryUNCPath"><xsl:text>This ends up at an arbitrary UNC path!</xsl:text></redirect:write>
    </xsl:template>
  </xsl:stylesheet>

  <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
    xmlns:xalan="http://xml.apache.org/xalan"
    xmlns:my-ext="ext"
    extension-element-prefixes="my-ext">
    <!-- The component and its script are in the xalan namespace
         and define the implementation of the extension. -->
    <xalan:component prefix="my-ext" functions="ownage">
      <xalan:script lang="javascript">
        // Fun, arbitrary JavaScript in the JVM! BSF also available
      </xalan:script>
    </xalan:component>

Available on most XSLT processors
Those were examples from Xalan-J.
Dangerous extensions available in: Xalan-XSLTC, Saxon, jd.xslt, Oracle XDK 10g, Sablotron, XT, Unicorn
msxml:script, msxsl:script, xsl:script, ms:script allow JScript, VBScript and .Net languages ON by default in MSXML. But .Net doesn't […]

Optional but widely implemented
2003 reported interoperability results for XSLT Transform
http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
Baltimore (gone, unknown disposition of XMLDSIG technology)
HP
IAIK
IBM
Microsoft
Phaos (now Oracle)
ApacheXMLSec
DataPower (now IBM)
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
78/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)2007
(o idea no AP1/
1(Sec is the on$y AP/ /rd
party $irary yourse$"&
oody has any idea that this stu isthere&
#en i" they do, they ha#e no )ay to turnit o&
7;
What ne+t4

What next?
We […]

Validation of an XML Digital Signature
http://www.w3.org/TR/xmldsig-core/#sec-CoreValidation
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
81/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)
2007
;$
What doe' thi' ,ean4
I Process e#ery =e"erence, deri#e a digest #a$ue
and compare it&
2ICanonica$iJe and digest the entire Signed/n"oe$ement and compare to the decrypted the
?Signaturea$ueB&
>IAccording to deep discussion on the mai$ing $ists,this order is non-normati#e[1], utG
T"1S 1S T"= WIO(< OI-=I OFOP=IAT1O(S/
[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/21!ct"ec/#$
Pure Function' )' Attack Surface
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001OctDec/0064http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001OctDec/0064 -
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
82/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)
2007
Pure Function' )'/ Attack Surface
Cryptographica$$y, the order o" operationsis not important&
Assuming no side eects&
;ut )e

Correct Order of Operations
First see if the signature is even from a key you trust.
Then validate the SignatureValue against the SignedInfo.
Then verify the digests.
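An added example, not from the slides, of the order of operations just described compared with the order as the core-validation text reads, and of returning the dereferenced content as a validation cache so the application consumes exactly what was digested (the concern of the Time of Check Time of Use and validation-cache slides). The signature structure, key store and HMAC-SHA256 SignatureValue are constructed stand-ins for XMLDSIG and RSA; the dereferencer counts how often Reference processing, where Transforms would run, is actually reached.

```python
import hashlib
import hmac
import json

# Constructed trust store: the only key id whose signatures the caller accepts.
TRUSTED_KEYS = {"key-A": b"constructed-shared-secret-A"}


def canonical_signed_info(signed_info):
    """Deterministic serialization standing in for C14N of <SignedInfo>."""
    return json.dumps(signed_info, sort_keys=True).encode()


def sign(signed_info, key_id, key):
    """Sender side: SignatureValue over SignedInfo (HMAC stands in for RSA)."""
    mac = hmac.new(key, canonical_signed_info(signed_info), hashlib.sha256).hexdigest()
    return {"SignedInfo": signed_info, "SignatureValue": mac, "KeyInfo": key_id}


def validate(signature, dereference, trusted=TRUSTED_KEYS):
    """Recommended order: key trust, then SignatureValue, then References.
    `dereference(uri)` returns the referenced bytes and is where Transforms
    would run, so an untrusted or invalid signature must never reach it.
    Returns (status, cache); the application must read signed content from
    `cache`, never fetch the references a second time."""
    key = trusted.get(signature["KeyInfo"])
    if key is None:
        return "untrusted-key", {}
    expected = hmac.new(key, canonical_signed_info(signature["SignedInfo"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["SignatureValue"]):
        return "bad-signature-value", {}
    cache = {}
    for ref in signature["SignedInfo"]["References"]:
        content = dereference(ref["URI"])
        if hashlib.sha256(content).hexdigest() != ref["DigestValue"]:
            return "digest-mismatch", {}
        cache[ref["URI"]] = content
    return "valid", cache


def validate_spec_order(signature, dereference, trusted=TRUSTED_KEYS):
    """The order as the core-validation text reads: References first. Kept
    only to make the difference in reachable attack surface measurable."""
    for ref in signature["SignedInfo"]["References"]:
        if hashlib.sha256(dereference(ref["URI"])).hexdigest() != ref["DigestValue"]:
            return "digest-mismatch"
    key = trusted.get(signature["KeyInfo"])
    if key is None:
        return "untrusted-key"
    expected = hmac.new(key, canonical_signed_info(signature["SignedInfo"]), hashlib.sha256).hexdigest()
    return "valid" if hmac.compare_digest(expected, signature["SignatureValue"]) else "bad-signature-value"


class CountingResolver:
    """Dereferencer over an in-memory document that counts how often
    Reference processing (the Transform stage) was reached."""
    def __init__(self, parts):
        self.parts, self.calls = parts, 0

    def __call__(self, uri):
        self.calls += 1
        return self.parts[uri]


def run_scenarios():
    """Returns {scenario: {"correct": (status, calls, cached content),
                          "spec": (status, calls)}}."""
    parts = {"#order": b"<order>constructed signed content</order>"}   # constructed
    signed_info = {"References": [{"URI": "#order",
                                   "DigestValue": hashlib.sha256(parts["#order"]).hexdigest()}]}
    good = sign(signed_info, "key-A", TRUSTED_KEYS["key-A"])
    unknown = sign(signed_info, "key-Z", b"constructed-unknown-key")   # anonymous sender
    tampered = dict(good, SignatureValue="00" * 32)                   # known key id, bogus value
    results = {}
    for name, sig in (("good", good), ("unknown-key", unknown), ("tampered", tampered)):
        correct = CountingResolver(parts)
        status_c, cache = validate(sig, correct)
        spec = CountingResolver(parts)
        status_s = validate_spec_order(sig, spec)
        results[name] = {"correct": (status_c, correct.calls, cache.get("#order")),
                         "spec": (status_s, spec.calls)}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```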

Implementers follow the specification
Combine the wrong order of operations with XSLT extensions.
Anonymous, remote code execution with invalid signature.
The Fa##out
-
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
85/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)
2007
The Fa##out
Aout a doJen Sun products anythingusing the +S= 0' AP/s, inc$uding the core
+4M &
/A/M +a#a Crypto Too$%its
;A +roc%it
Se#era$ more )ith 4enia$ o" Ser#ice#u$nerai$ities that ha#en
-
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
86/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)
2007
;8
-eBnite# 6or,a3#e/
Can inc$ude mu$tip$e Trans"orms in a signature&
Same attac% sur"ace on the c$ient and ser#er&
=e$ia$e cross-p$at"orm e9ecution&
1S(T ma%es se$"-dup$ication easy )ith sele)tGRSH
:44/ )ou$d ma%e a nice )orm propagation directory& :44/ #> supports 1(4S/@, and suggests use o" 1S(T
trans"orms&
At $east the :;= is dead&
More on order of operation'

More on order of operations.
Java does expose enough of the internal operations for API clients to do it right -- if they […]

Results
“XML Signature Extensibility Using Custom Transforms”
Laurence Bull and David M. Squire, School of Computer Science and Software Engineering, Monash University, Australia
5th International Conference on Web Information Systems Engineering, Brisbane, Australia, November 22-24, 2004
Web Information Systems - WISE 2004, pp 102-112, Lecture Notes in Computer Science, Springer Berlin / Heidelberg
ISBN: […]
http://springerlink.com/content/qp0eyrbgdcn47jh1
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
89/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)
2007
!u## & SDuire
4iscuss ris%s o" aritrary trans"orms, `acti#e
Anon,ou' Attack Surface

Anonymous Attack Surface
KeyInfo is not integrity protected. Could be referenced in SignedInfo, but you […]
-
7/21/2019 OWASP-WASCAppSec2007SanJose_AttackingXMLSecurity
95/121
OWASP & WASC AppSec 2007 Conference % San o'e % (o)
2007
No Safe Order of Operations
All the same risks of <Reference> processing.
Again, APIs fail the user by not providing adequate knobs and switches to harden this.
And a punt.
Establishing trust in a key is completely out of scope. Reasonable enough.
But remember the mediocre developer.
Most SSL APIs enforce chaining certs to a trusted root by default, and many, many developers still get SSL wrong.
The naive developer who assumes DSIG APIs "just work", like SSL, accomplishes nothing but increasing his attack surface dramatically.
If it's hard, fail by default.
The average developer only keeps going until it "works".
KU/EKU certificate extensions, chaining: not a clue.
Failing closed is a signal that the trust model is something that needs consideration.
Re-structure the API to highlight this:
    public boolean validate(Signature s, TrustManager tm)
Simplicity is not always good.
XMLDSIG is a great case study where providing only a simple public API to a very complex underlying technology is crippling.
Callers should be able to enable different transform algorithms and URI/XML resolvers with different properties for the anonymous and the authenticated attack surface.
No APIs I
Any mitigations?
Code Access Security (CAS) and the Java Permissions model ought to be able to constrain the behavior of signature validating code.
But very uncommon to actually see this.
And the Java APIs would fail if run in a SecurityManager until very recently. Reading system properties not wrapped.
XML Encryption (very brief)
XML Encryption (XMLENC)
The other pillar of WS-Security.
A great deal builds on XMLDSIG:
References
Transforms
KeyInfo
Inherits the same risks.
XML Encryption - What's new?
Using encryption to hide complexity bombs, malicious signatures, etc.
More layers of validation?
Circular key references and other DoS opportunities.
Spec says: be able to restrict the total amount of processor and network resources that can be consumed. Difficult to do in languages like Java and JavaScript.
So how can we use this stuff safely?
Signature Profiles
Mentioned WS-Security recommendations as we went. SOAP adds a few constraints, too.
SAML specification offers more recommendations. Describes how to do cached ref retrieval.
P3P, CardSpace, WS-Discovery all specify their own
WS-I Basic Security Profile (1.0 and 1.1 are both still working group drafts)
http://www.ws-i.org/ Intended for compatible full WS-* stacks.
Many of the concerns discussed today are addressed by this standard (e.g. Transforms are highly restricted), though the risks are not made explicit.
Implementers of full SOAP and WS-* stacks write to these standards for interoperability purposes.
Most WS-I BSP 1.0 or 1.1 compliant stacks won't
Some ambiguity still.
States that Transforms "MUST have a value of" one of a set of four (relatively) safe ones.
This definitely implies that:
A compliant implementation MUST NOT produce other transforms.
A compliant implementation MUST understand the specified transforms.
A careless implementer might not think it
And "e) s)itches a#ai$a$e to the direct AP/userTo ui$d your o)n pro8$e to meet your needs
To $oc% do)n your processor
Pro8$es are inadeuate "or the genera$ case(itt$e "ran% discussion o" the ris%s they mitigate
Scattered across many speci8cations
Focused on interoperai$ity, not security and
emerging attac% patternsA minima$$y comp$iant WS-/ ;SP stac% is the
est et "or no)&
For API callers:
Use schema validation to enforce a profile before performing signature validation.
Constrain the <Signature> element to exactly what you expect it to look like and reject everything else.
But you have to do this out-of-line. Schema validation can break signatures (e.g. default attrs).
Not great for performance.
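The out-of-line profile check described above, as an added example that is not part of the original deck: a Python pre-check over an untrusted <ds:Signature> that rejects every canonicalization and signature algorithm, Transform, Reference URI and KeyInfo child outside an explicit allowlist, before any DSIG library is called. The allowlist and the sample document are assumed for illustration (they are not the WS-I BSP's own list), and the function follows the "fail by default" API shape from the earlier slide: anything unknown is a violation, never a pass.

```python
# Profile pre-check for a <ds:Signature>: added example, not the deck's code.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Assumed site profile for this example; it is not the WS-I BSP list itself.
ALLOWED_C14N = {"http://www.w3.org/2001/10/xml-exc-c14n#"}
ALLOWED_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_TRANSFORMS = {"http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                      "http://www.w3.org/2001/10/xml-exc-c14n#"}
ALLOWED_KEYINFO = {DS + "X509Data"}  # no RetrievalMethod, no KeyValue


def profile_violations(sig):
    """Return every profile violation; empty list means the Signature may be
    handed to the real validator. Anything unknown is a violation (fail closed)."""
    bad = []
    si = sig.find(DS + "SignedInfo")
    if si is None:
        return ["missing SignedInfo"]
    for name, allowed in (("CanonicalizationMethod", ALLOWED_C14N),
                          ("SignatureMethod", ALLOWED_SIG)):
        el = si.find(DS + name)
        if el is None or el.get("Algorithm") not in allowed:
            bad.append(name + " algorithm not allowed")
    for ref in si.findall(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri and not uri.startswith("#"):  # same-document references only
            bad.append("non-local Reference URI " + uri)
        for t in ref.findall(DS + "Transforms/" + DS + "Transform"):
            if t.get("Algorithm") not in ALLOWED_TRANSFORMS:
                bad.append("Transform not allowed: %s" % t.get("Algorithm"))
    ki = sig.find(DS + "KeyInfo")
    for child in ([] if ki is None else list(ki)):
        if child.tag not in ALLOWED_KEYINFO:
            bad.append("KeyInfo child not allowed: " + child.tag)
    return bad


def check_signature_xml(text):
    """Parse one untrusted Signature document and return its violations."""
    return profile_violations(ET.fromstring(text))


# Constructed sample: remote Reference URI, XSLT transform and a RetrievalMethod
# in KeyInfo; digest and signature values are omitted since the check ignores them.
SAMPLE_BAD = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="http://example.invalid/payload"><Transforms>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>
</Transforms></Reference></SignedInfo>
<KeyInfo><RetrievalMethod URI="http://example.invalid/key"/></KeyInfo></Signature>"""
```

Because the check only reads the tree and never rewrites it, it avoids the default-attribute problem that schema validation can introduce; for real untrusted input pair it with a hardened parser rather than the stdlib one used here for portability.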
Lessons Learned
Attac% sur"ace reduction matters& Comp$e9itymatters& Ta%ing dependencies matters&
Signature #a$idation is part o" authentication
this is anonymous or, at est, pre-authoriJation attac% sur"ace&
=e$easing a %itchen-sin% speci8cation, then
pu$ishing a compatii$ity and security pro8$e"our years $ater Wrong or!er of operations,
Properties of an Integrity Mechanism
Deterministic resource consumption.
Fast failure.
No side effects.
Simple enough to be an extraordinarily robust building block for everything that rests upon it.
Different classes of problem.
Integrity is a foundational security problem built on core mathematical operations.
Adding XSLT, in any form, adds the problem of mobile code security.
A clear layering violation and an unfair problem to foist upon implementers and clients.
Only could sneak in because of already too-permissive assumptions about complexity and denial of service.
Re-Learning Lessons
The Complexity Trap: Security
it could've been.
That was from:
A Cryptographic Evaluation of IPsec, Niels Ferguson and Bruce Schneier
Counterpane Internet Security, Inc. 1999
Takeaways:
Be cautious if writing directly to XML Security APIs.
Various vendors' WS-* stacks are at different levels of security maturity today. More research needed.
Use WS-Security where use cases demand it. But protect anonymous endpoints with SSL + client cert auth first.
Ongoing research.
Watch www.isecpartners.com for updates to the deck, advisory white papers, developer best practices and tools.
And the W3C is working on updates to the standard: http://www.w3.org/2007/xmlsec/
Thank You!
Questions
Brad Hill
brad@isecpartners.com
Bibliography
M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon. XML-Signature Syntax and Processing. In D. Eastlake, J. Reagle, and D. Solo, editors, W3C Recommendation. World Wide Web Consortium, 12 February 2002.
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
T. Imamura, B. Dillaway and E. Simon. XML Encryption Syntax and Processing. In D. Eastlake, J. Reagle, editors, W3C Recommendation. World Wide Web Consortium, 10 December 2002.
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/
T. Beth, M. Frisch, and G.J. Simmons, editors. Public-Key Cryptography: State of the Art and Future Directions, volume 578 of Lecture Notes in Computer Science. Springer, 3 July 1992. E.I.S.S. Workshop Oberwolfach Final Report.
Extensible Markup Language (XML) 1.0 (Fourth Edition). T. Bray, J. Paoli, C. M. Sperberg-McQueen, E. Maler and F. Yergeau, editors. W3C Recommendation. World Wide Web Consortium, 16 August 2006, edited in place 29 September 2006.
D. Eastlake and K. Niles, Secure XML: The New Syntax for Signatures and Encryption. Pearson Education, July 19, 2002.
J. Rosenberg and D. Remy, Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature and XML Encryption, Sams, 12 May 2004.
T. Berners-Lee, R. Fielding, L. Masinter, Uniform Resource Identifier (URI): Generic Syntax. The Internet Society, 2005.
M. Howard, J. Pincus and J. M. Wing, Measuring Relative Attack Surfaces, in Computer Security in the 21st Century, D. T. Lee, S. P. Shieh and J. D. Tygar, editors, pp 109-137, Springer US, 2005.
http://springerlink.com/content/v3l4450754m8xp27
L. Bull and D. Squire, XML Signature Extensibility Using Custom Transforms, in Web Information Systems - WISE 2004, pp 102-112, Springer Berlin / Heidelberg, November 2004.
http://springerlink.com/content/qp0eyrbgdcn47jh1
XSL Transformations (XSLT) Version 1.0. J. Clark, editor, W3C Recommendation, World Wide Web Consortium, 16 November 1999.
http://www.w3c.org/TR/1999/REC-xslt-19991116
D. Tidwell, XSLT, O'Reilly Media, 15 August 2001.
Brainerd, W.S., Landweber, L.H. (1974), Theory of Computation, Wiley.
A. Skonnard, Extending XSLT with JScript, C#, and Visual Basic .NET, MSDN Magazine, Microsoft Corporation, March 2002.
http://msdn.microsoft.com/msdnmag/issues/02/03/xml/
E. Harold, Simple Xalan Extension Functions: Mixing Java with XSLT, IBM developerWorks, 07 November 2006.
http://www-128.ibm.com/developerworks/library/x-xalanextensions.html
Xalan-Java Extensions, The Apache Software Foundation, 2005.
http://xml.apache.org/xalan-j/extensions.html
XSLT Security, MSDN Library, Microsoft Corporation, 2007.
O. Predescu, et al., Xalan-Java, The Apache Software Foundation, Hewlett Packard Corporation, IBM Corporation, Sun Microsystems and Lotus Development Corporation 1999-2007.
http://xml.apache.org/xalan-j/
XPath (computing), Wikimedia Foundation, 2007.
http://en.wikipedia.org/wiki/XPath_(computing)
MSXML, Microsoft Corporation, 2000-2007.
http://msdn.microsoft.com/xml/default.aspx
M. Kay, SAXON, May 2007.
http://saxon.sourceforge.net/
J. D?ler, d.xslt, Aztecrider.
Oracle XML Developers Kit, XDK 10g Production, Oracle Corporation.
http://www.oracle.com/technology/tech/xml/xdk/software/production10g/index.html
Sablotron, Ginger Alliance.
http://www.gingerall.org/sablotron.html
J. Clark and B. Lindsey, XT.
http://www.blnz.com/xt/index.html
Unicorn XSLT Processor, Unicorn Enterprises 2000-2003.
http://www.unicorn-enterprises.com/products_uxt.html
Code Access Security, .NET Framework Developer's Guide, Microsoft Corporation.
T. Bellwood, S. Capell, L. Clement, J. Colgrave, M. Dovey, D. Feygin, A. Hately, R. Kochman, P. Macias, M. Novotny, M. Paolucci, C. von Riegen, T. Rogers, K. Sycara, P. Wenzel, and Zhe Wu, UDDI Version 3.0.2. UDDI Spec Technical Committee Draft, Dated 20041019, L. Clement, A. Hately, C. von Riegen and T. Rogers, editors. Accenture, Ariba, Inc., Commerce One, Inc., Fujitsu Limited, Hewlett-Packard Company, i2 Technologies, Inc., Intel Corporation, International Business Machines Corporation, Microsoft Corporation, Oracle Corporation, SAP AG, Sun Microsystems, Inc., and VeriSign, Inc. 2001-2002, OASIS Open 2002-2004.
http://uddi.org/pubs/uddi-v3.0.2-20041019.htm
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/
Java API for XML Processing (JAXP), Sun Developer Network, Sun Microsystems, Inc. 2007.
http://java.sun.com/webservices/jaxp/
Transform Features, Apache Software Foundation, 2005.
http://xml.apache.org/xalan-j/features.html#secureprocessing
L. Gong, Java 2 Platform Security Architecture, Sun Microsystems, Inc. 2002-2007.
http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc3.html
Basic Security Profile Version 1.1, Working Group Draft, M. McIntosh, M. Gudgin, K. S. Morrison, A. Barbir, editors. Web Services Interoperability Organization.
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html
G. Della-Libera, M. Gudgin, P. Hallam-Baker, M. Hondo, H. Granqvist, C. Kaler, H. Maruyama, M. McIntosh, A. Nadalin, N. Nagaratnam, R. Philpott, H. Prafullchandra, J. Shewchuk, D. Walter, and R. Zolfonoon, Web Services Security Policy Language, C. Kaler and A. Nadalin, editors. International Business Machines Corporation, Microsoft Corporation, RSA Security Inc and VeriSign Inc, July 2005.