Article

XML signature element wrapping attacks and countermeasures

Authors:

Michael McIntosh,

Paula AustelAuthors Info & Claims

SWS '05: Proceedings of the 2005 workshop on Secure web services

Pages 20 - 27

https://doi.org/10.1145/1103022.1103026

Published: 11 November 2005 Publication History

Get Access

Abstract

Naive use of XML Signature may result in signed documents remaining vulnerable to undetected modification by an adversary. In the typical usage of XML Signature to protect SOAP messages, an adversary may be capable of modifying valid messages in order to gain unauthorized access to protected resources.This paper describes the general vulnerability and several related exploits, and proposes appropriate countermeasures. While the attacks described herein may se obvious to security experts once they are explained, effective countermeasures require careful security policy specification and correct implentation by signed message providers and consumers. Since these implenters are not always security experts, this paper provides the guidance necessary to prevent these attacks.

References

[1]

Eastlake, D., Reagle, J., Solo, D. (editors): XML-Signature Syntax and Processing: W3C Recommendation: 12 February 2002 (See: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/)

Google Scholar

[2]

Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., Mendelsohn, N., Nielsen, H. F., Thatte, S., Winer, D.: Simple Object Access Protocol (SOAP) 1.1: W3C Note: 08 May 2000: (See: http://www.w3.org/TR/2000/NOTE-SOAP-20000508)

Google Scholar

[3]

Mitra, N. (editor): SOAP Version 1.2 Part 0: Primer: W3C Recommendation: 24 June 2003: (See: http://www.w3.org/TR/2003/REC-soap12-part0-20030624/)

Google Scholar

[4]

Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., Nielsen, H. F (editors): SOAP Version 1.2 Part 1: Messaging Framework: W3C Recommendation 24 June 2003: (See: http://www.w3.org/TR/2003/REC-soap12-part1-20030624/)

Google Scholar

[5]

Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., Nielsen, H. F. (editors): SOAP Version 1.2 Part 2: Adjuncts: W3C Recommendation: 24 June 2003: (See: http://www.w3.org/TR/2003/REC-soap12-part2-20030624/)

Google Scholar

[6]

Nadalin, A., Kaler, C., Hallam-Baker, P., Monzillo, R. (editors) Web Services Security: SOAP Message Security 1.0 (WS-Security 2004): OASIS Standard 200401, March 2004 (See: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf)

Google Scholar

[7]

McIntosh, M. "New Issue (w/Proposal): Signing the Signer's Security Token": Online Posting: 23 Septber 2004: WS-I Basic Security Profile Working Group (See: http://mbers.ws-i.org/Resource.phx/lyris/newmessage.htx?id=64333)

Google Scholar

[8]

McIntosh, M. "Re: {wsi_wsbasic_apps} question from sample apps group on C5440": Online Posting: 23 Septber 2004: WS-I Basic Security Profile Working Group (See: http://mbers.ws-i.org/Resource.phx/lyris/newmessage.htx?id=64445)

Google Scholar

[9]

McIntosh, M. "Re: {wsi_wsbasic_apps} question from sample apps group on C5440": Online Posting: 24 Septber 2004: WS-I Basic Security Profile Working Group (See: http://mbers.ws-i.org/Resource.phx/lyris/newmessage.htx?id=64673)

Google Scholar

[10]

Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., Yergeau, F. (editors): Extensible Markup Language (XML) 1.0 (Third Edition): W3C Recommendation: 04 February 2004 (See: http://www.w3.org/TR/2004/REC-xml-20040204)

Google Scholar

[11]

Grosso, P., Maler, E., Marsh, J., Walsh, N. (editors): XPointer Framework: W3C Recommendation: 25 March 2003: (See: http://www.w3.org/TR/2003/REC-xptr-framework-20030325/)

Google Scholar

[12]

Kaler, C., Nadalin, A. (editors): Web Services Security Policy Language (WS-SecurityPolicy) Version 1.1: July 2005: (See: ftp://www6.software.ibm.com/software/developer/library/ws-secpol.pdf)

Google Scholar

[13]

Clark, J., DeRose, S. (editors): XML Path Language (XPath) Version 1.0: W3C Recommendation 16 Novber 1999: (See: http://www.w3.org/TR/1999/REC-xpath-19991116)

Google Scholar

[14]

Fournet, C. "Formal Tools for Web Services Security": 5-6 May 2005: DIMACS Workshop (See: http://dimacs.rutgers.edu/Workshops/Commerce/slides/fournet.ppt)

Google Scholar

Cited By

View all

Damiani E(2024)Web Service SecurityEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-642-27739-9_668-2(1-4)Online publication date: 4-Jul-2024
https://doi.org/10.1007/978-3-642-27739-9_668-2
Rohlmann SMladenov VMainka CHirschberger DSchwenk JCalandrino JTroncoso C(2023)Every signature is brokenProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620652(7411-7428)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620652
Labib RSrivastava GLin J(2023)Wireless and Mobile Security in Edge ComputingSecurity and Risk Analysis for Intelligent Edge Computing10.1007/978-3-031-28150-1_10(193-207)Online publication date: 25-Jun-2023
https://doi.org/10.1007/978-3-031-28150-1_10
Show More Cited By

Index Terms

XML signature element wrapping attacks and countermeasures

Recommendations

Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures
Abstract
Side-channels are unintended pathways within target systems that leak internal information, exploitable via side-channel attack techniques that extract the target information, compromising the system’s security and privacy. Side-channel attacks ...
One-Sided Countermeasures for Side-Channel Attacks Can Backfire
WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks

Side-channel attacks are currently one of the most powerful attacks against implementations of cryptographic algorithms. They exploit the correlation between the physical measurements (power consumption, electromagnetic emissions, timing) taken at ...
Experimental analysis of attacks against web services and countermeasures
iiWAS '10: Proceedings of the 12th International Conference on Information Integration and Web-based Applications & Services

Web services are increasingly becoming an integral part of next-generation web applications. A Web service is defined as a software system designed to support interoperable machine-to-machine interaction over a network based on a set of XML standards. ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SWS '05: Proceedings of the 2005 workshop on Secure web services

November 2005

98 pages

ISBN:1595932348

DOI:10.1145/1103022

Program Chairs:
Ernesto Damiani
University of Milan, Italy
,
Hiroshi Maruyama
IBM Tokyo Research, Japan

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 November 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS05

Sponsor:

CCS05: 12th ACM Conference on Computer and Communications Security 2005

November 11, 2005

VA, Fairfax, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

81
Total Citations
View Citations
1,500
Total Downloads

Downloads (Last 12 months)13
Downloads (Last 6 weeks)3

Reflects downloads up to 14 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Damiani E(2024)Web Service SecurityEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-642-27739-9_668-2(1-4)Online publication date: 4-Jul-2024
https://doi.org/10.1007/978-3-642-27739-9_668-2
Rohlmann SMladenov VMainka CHirschberger DSchwenk JCalandrino JTroncoso C(2023)Every signature is brokenProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620652(7411-7428)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620652
Labib RSrivastava GLin J(2023)Wireless and Mobile Security in Edge ComputingSecurity and Risk Analysis for Intelligent Edge Computing10.1007/978-3-031-28150-1_10(193-207)Online publication date: 25-Jun-2023
https://doi.org/10.1007/978-3-031-28150-1_10
Rohlmann SMladenov VMainka CSchwenk J(2021)Breaking the Specification: PDF Certification2021 IEEE Symposium on Security and Privacy (SP)10.1109/SP40001.2021.00110(1485-1501)Online publication date: May-2021
https://doi.org/10.1109/SP40001.2021.00110
Höller PKrumeich ALo Iacono L(2021)XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in GermanyICT Systems Security and Privacy Protection10.1007/978-3-030-78120-0_1(3-18)Online publication date: 2021
https://doi.org/10.1007/978-3-030-78120-0_1
Mustapää TNikander PHutzschenreuter DViitala R(2020)Metrological Challenges in Collaborative Sensing: Applicability of Digital Calibration CertificatesSensors10.3390/s2017473020:17(4730)Online publication date: 21-Aug-2020
https://doi.org/10.3390/s20174730
Gahlot DTejasvee SRanga KVyas R(2020)Data Security & Future Issues for Cloud ComputingAdvances in Information Communication Technology and Computing10.1007/978-981-15-5421-6_32(313-318)Online publication date: 19-Aug-2020
https://doi.org/10.1007/978-981-15-5421-6_32
Halpin H(2020)Vision: A Critique of Immunity Passports and W3C Decentralized IdentifiersSecurity Standardisation Research10.1007/978-3-030-64357-7_7(148-168)Online publication date: 24-Nov-2020
https://doi.org/10.1007/978-3-030-64357-7_7
Xu BXu XCai QWang WWang Q(2020)On the Verification of Signed MessagesApplied Cryptography and Network Security Workshops10.1007/978-3-030-61638-0_23(417-434)Online publication date: 14-Oct-2020
https://doi.org/10.1007/978-3-030-61638-0_23
Saudi MMohd Zaizi NBakar AAhmed Swessi K(2019)Spatial Signature Algorithm (SSA): A New Approach in Countermeasuring XML Signature Wrapping AttackApplied Mechanics and Materials10.4028/www.scientific.net/AMM.892.249892(249-257)Online publication date: Jun-2019
https://doi.org/10.4028/www.scientific.net/AMM.892.249
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures

One-Sided Countermeasures for Side-Channel Attacks Can Backfire

Experimental analysis of attacks against web services and countermeasures