Analysis of Signature Wrapping Attacks and Countermeasures

The XML signature wrapping attack is one of the most discussed security issues of the Web Services security community during the last years. Until now, the issue has not been solved, and all countermeasure approaches proposed so far were shown to be insufficient.In this paper, we present yet another way to perform signature wrapping attacks by using the XML namespace injection technique. We show that the interplay of XML Signature, XPath, and the XML namespace concept has severe flaws that can be exploited for an attack, and that XML namespaces in general pose real troubles to digital signatures in the XML domain. Additionally, we present and discuss some new approaches in countering the proposed attack vector.

show abstract

“…However, also these extensions do not eliminate signature wrapping attacks completely, as discussed in [3].…”

Section: Related Workmentioning

confidence: 94%

“…We thus describe a solution based on an extension of Exclusive Canonicalization (which hopefully is implemented), and several other options to avoid this kind of attacks. However, one should keep in mind general defenses against wrapping attacks, as described in [1,2,3,4].…”

Section: Introductionmentioning

confidence: 99%

The curse of namespaces in the domain of XML signature

Jensen

Liao

Schwenk

2009

Proceedings of the 2009 ACM Workshop on Secure Web Services

Self Cite

View full text Add to dashboard Cite

show abstract

“…Though this is not impossible (cf. XML Signature Wrapping attacks [17], [18]), it poses severe restrictions to an attacker for properly crafting an attack message that can make use of the XML Signature over timestamp and SOAP body. Hence, having one XML Signature with n references tends to be the preferable approach.…”

Section: However In Terms Of Security Considerations For Web Servicementioning

confidence: 99%

Expressiveness Considerations of XML Signatures

Jensen

Meyer

2011

2011 IEEE 35th Annual Computer Software and Applications Conference Workshops

Self Cite

View full text Add to dashboard Cite

XML Signatures are used to protect XML-based Web Service communication against a broad range of attacks related to man-in-the-middle scenarios. However, due to the complexity of the Web Services specification landscape, the task of applying XML Signatures in a robust and reliable manner becomes more and more challenging.In this paper, we investigate this issue, describing how an attacker can still interfere with Web Services communication even in the presence of XML Signatures. Additionally, we discuss the interrelation of XML Signatures and XML Encryption, focussing on their security properties and expressiveness in different application scenarios.

show abstract

“…XML wrapping involves manipulation of SOAP messages. A new element (i.e., the wrapper) is introduced into the SOAP Security header; the original message body is then moved under the wrapper and replaced by a bogus body containing an operation defined by the attacker [Gaj09,Gru09]. The original body can still be referenced and its signature verified, but the operation in the replacement body is executed instead.…”

Section: Identity and Access Managementmentioning

confidence: 99%

Guidelines on security and privacy in public cloud computing

Jansen¹,

Grance²

2011

447

272

View full text Add to dashboard Cite

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology.ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication discusses ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. National Institute of Standards and Technology Special Publication 800-144 80 pages (December 2011)iv AbstractCloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

show abstract

Analysis of Signature Wrapping Attacks and Countermeasures

Cited by 45 publications

References 13 publications

The curse of namespaces in the domain of XML signature

The curse of namespaces in the domain of XML signature

Expressiveness Considerations of XML Signatures

Guidelines on security and privacy in public cloud computing

Contact Info

Product

Resources

About