This presentation was by Jason Macy and Mamoon Yunus of Crosscheck Networks – Forum Systems.  It wins the award (the one I just made up) for being the most vendor-oriented presentation at the conference.  Not that it wasn’t an interesting presentation, but their solution to defend against most of the attacks was “Use an XML Gateway” (guess what Forum Systems sells?) and the attacks were all presented using the CrossCheck SOAPSonar tool.  I realize that being a vendor they probably have more knowledge than most in the field, but being an Open Source conference, you’d think they would have demonstrated using a free/open tool (SOAPUI?) and talked more about non-hardware solutions to fix the issues.  My notes from the session are below:


  1. Introduction to XML/Web Services Threats
  2. Techniques for Defending XML Threats
  3. XML Attack Examples and Classification
  4. Review sample attacks

Introduction to XML Threats

  • Explicit Attacks
    • Forced Disruption
    • Information Theft
    • Vendor Discovery
  • Implicit Vulnerability
    • Perimeter Breach (embeeded virus, malware)
    • Infrastructure Malfunction (parser and data processing failures)

New Attack Vectors

  • Protocol Firewalls are blind to XML
  • Malware and virus delivered via SOAP attachments
  • WSDL exposes schema and message structure
  • Injection attacks exposed via XML parameters
  • Data replay attacks

Security Testing – Base Requirements

  • Security Framework
    • Sign, ENcrypt, Decrypt, SSL
  • Identity Framework
    • Basic auth, SSL auth, WS-Security token auth
  • Parameter Injection
    • Database or file driven
    • Permutations for security, identity, and SOAP/XML
  • Concurrent Client Simultaneous Loading
    • Denial of Service Testing
  • SOAP with Attachments
    • Malware and Virus testing
  • Dynamic XSD Mutation
    • Derive SOAP vulnerability profile from WSDL schema

XML Security Gateway – Base Requirements

  • Certified PKI Infrastructure (DOD PKI)
    • X509 Path validation
    • Sign/verify, SSL initiation, SSL termination
  • Certified Security Architecture (FIPS)
    • Key management and storage
    • Physical security device
  • Transaction Privacy
    • Encryption, decryption, SSL
  • Transaction Integrity
    • Digital signature, signature verification, schema validation
  • Transaction Accountability
    • Archiving, logging, reporting, and monitoring
  • Transaction Threat Mitigation
    • Intrusion detection and prevention
    • Rate-based rules, size-based rules, anti-virus detection, pattern recognition
    • Structural integrity, protocol adherence, athorization attempts

XML Attack Examples and Classification

  1. SQL Injection Attack
  2. Denial of Service Attack
  3. XSD Mutation Attack

XML Web Services SQL Injection Attack Example

  • How to Attack
    • Construct SQL escape sequences
    • Construct SQL 1=1 query
    • Inject into XML node values
  • Discovered Exposure
    • Sensitive data loss
    • Database corruption
  • Used “SOAPSonar” tool to load WSDL and send responses

SQL Injection – XML Gateway Secured

  • How to Defend
    • Deploy XML Gateway
    • Enable pattern scanning IDP rules
    • Configure response message size and complexity limits
  • Advantages
    • Prevent Data Loss
    • Alert and Quarantine Attempted Breaches

XML Web Services based Denial of Service Attack

  • How to Attack
    • Loading client with concurrent simultaneous threads
    • Coercive parsing attack
  • Discovered Exposure
    • Unlimited message flow
    • Unfair service SLA distribution
    • Back-end CPU and I/O Saturation

Denial of Service – XML Gateway Secured

  • How to Defend
    • Deploy XML gateway
    • Set allowed transaction rates (Group, user, or IP)
  • Advantages
    • Message flow limited to specified rate

Another Example: Denial of Service through Coercive Parsing

  • Sending malformed XML data (removing the “>” end tag) creates increased time to parse a request

XML Web Services Based XSD Mutation Attack

  • How to Attack
    • Obtain WSDL
    • Derive message structure and types from WSDL schema
    • Send SOAP message mutations based on schema
  • Discovered Exposure
    • Code paths not handled for exceptions
    • Stack traces returned with implementation details
    • Application failure

XSD Mutation Attack – XML Gateway Secured

  • How to Defend
    • Deploy XML Gateway
    • Enforce inbound message structure and type validation
    • Cleanse outbound data (stack traces, sensitive data)
  • Advantages
    • Reduce parser impact on web service
    • Remove vendor and implementation details in response
    • Protect application layer code paths on web service

XSD Mutation – Secured

  1. Deploy specialized XML Gateways – Packet firewalls and HTML application firewalls are insufficient
  2. Validate XML against a robust schema
  3. Tighten Schema: restrict unbounded strings, etc
  4. Enforce XML specific detection rules (node depth, recursive payloads)

Best Practices for Countermeasures

  • Information Control – Outbound
    • Restrict SOAP Faults
    • Protect Sensitive Information
    • Audit Transaction Flows
  • Information Control – Inbound
    • Tighten Payloads
    • Enforce SLA
    • Disallow SQL, virus, malicious code
  • Use Web Services Penetration Testing Product
  • Deploy XML web Services Gateway
  • Deploy Centralized XML Security