research-article

A formal solution to rewriting attacks on SOAP messages

Authors:

Smriti Kumar Sinha,

Azzedine BenameurAuthors Info & Claims

SWS '08: Proceedings of the 2008 ACM workshop on Secure web services

Pages 53 - 60

https://doi.org/10.1145/1456492.1456501

Published: 31 October 2008 Publication History

Get Access

Abstract

In Service Oriented Architecture Web Services, communication among services is banking on XML-Based messages, called SOAP messages. These messages are prone to attacks that are classified in literature as XML rewriting attacks. Since rewriting is a formal mechanism used in formal language theory, and the rewriting attack problem is designed under the framework of formal language theory, the solution also lies under the same framework. In this paper we propose a formal solution to XML rewriting attacks on SOAP messages using regular tree grammar. To the best of our knowledge this is the first formal solution to this problem. We define current XML signatures used in a SOAP message as context-free signature. The formal solution proposed here is a context-sensitive XML signature. To address the additional requirements of SOAP extensibility model, where a SOAP message can pass through several intermediaries before reaching the final receiver, an adaptive variant of context-sensitive signature is also proposed. The solution addresses different forms of XML rewriting attacks. An analysis of the solution is also given in the paper.

References

[1]

A. Benameur, F. Abdul Kadir, and S. Fenet. XML Rewriting Attacks: Existing Solutions and their Limitations. In IADIS Applied Computing 2008 IADIS Press, Apr. 2008.

Google Scholar

[2]

K. Bhargavan, C. Fournet, A. D. Gordon, and R. Pucella. Tulafale: A security tool for web services.In FMCO'03: Second International Symposium on Formal Methods for Components and Objects LNCS 2003.

Google Scholar

[3]

S. Gajek, L. Liao, and J. Schwenk. Breaking and "xing the inline approach. In SWS'07: Proceedings of the 2007 ACM workshop on Secure web services pages 37--43, New York, NY, USA, 2007. ACM.

Digital Library

Google Scholar

[4]

M. McIntosh and P. Austel. Xml signature element wrapping attacks and countermeasures. In SWS'05: Proceedings of the 2005 workshop on Secure web services pages 20--27, New York, NY, USA, 2005. ACM.

Digital Library

Google Scholar

[5]

M. Murata, D. Lee, M. Mani, and K. Kawaguchi. Taxonomy of xml schema languages using formal language theory. ACM Trans. Interet Technol. 5(4):660--704, 2005.

Digital Library

Google Scholar

[6]

M. A. Rahaman, A. Schaad, and M. Rits. Towards secure soap message exchange in a soa.In SWS'06: Proceedings of the 3rd ACM workshop on Secure web services pages 77--84, New York, NY, USA, 2006. ACM.

Digital Library

Google Scholar

[7]

Simple object access protocol 1.1,2000. http://www.w3.org/TR/soap/.

Google Scholar

[8]

Web service security, 2006. http://www.oasis-open.org/committees/wss/.

Google Scholar

[9]

XML-signature syntax and processing,2002. http://www.w3.org/TR/xmldsig-core/

Google Scholar

Cited By

View all

Mohana R(2018)A Proposed SOAP Model in WS-Security to Avoid Rewriting Attacks and Ensuring Secure ConversationInternational Journal of Information Security and Privacy10.4018/IJISP.201801010712:1(74-88)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.4018/IJISP.2018010107
Alrammal MHains G(2014)Forward XPath stream processing: End-to-end confidentiality and scalability2014 10th International Conference on Innovations in Information Technology (IIT)10.1109/INNOVATIONS.2014.6987556(24-29)Online publication date: Nov-2014
https://doi.org/10.1109/INNOVATIONS.2014.6987556
Anisetti MArdagna CDamiani E(2012)Container-Level Security Certification of ServicesBusiness System Management and Engineering10.1007/978-3-642-32439-0_6(93-108)Online publication date: 2012
https://doi.org/10.1007/978-3-642-32439-0_6
Show More Cited By

Index Terms

A formal solution to rewriting attacks on SOAP messages
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software organization and properties
    1. Software system structures
      1. Software architectures

Recommendations

A Proposed SOAP Model in WS-Security to Avoid Rewriting Attacks and Ensuring Secure Conversation

Service oriented architecture is a current and popular software engineering paradigm providing agile web services to consumers in a dynamically changing enterprise environment. The SOAP messages are used to establish communication between the web ...
Intrusion Resistant SOAP Messaging with IAPF
APSCC '08: Proceedings of the 2008 IEEE Asia-Pacific Services Computing Conference

Simple Object Access Protocol (SOAP) is the communication protocol used by web services to communicate between systems. Since SOAP messages have the ability to bypass firewalls and directly get processed by web servers, their security is critical to the ...
A formal construction of certificateless proxy multi-signature scheme

Proxy multi-signature is a scheme that allows a proxy signer to sign messages on behalf of a group of original signers. To our best knowledge, most of the existing proxy multi-signature schemes are proposed in public key infrastructure or identity-based ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SWS '08: Proceedings of the 2008 ACM workshop on Secure web services

October 2008

116 pages

ISBN:9781605582924

DOI:10.1145/1456492

Program Chairs:
Ernesto Damiani
Information Technology Dept., University of Milan, Italy
,
Seth Proctor
Sun Microsystems Laboratories, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 31 October 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS08

Sponsor:

CCS08: 15th ACM Conference on Computer and Communications Security 2008

October 31, 2008

Virginia, Alexandria, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
537
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)1

Reflects downloads up to 31 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Mohana R(2018)A Proposed SOAP Model in WS-Security to Avoid Rewriting Attacks and Ensuring Secure ConversationInternational Journal of Information Security and Privacy10.4018/IJISP.201801010712:1(74-88)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.4018/IJISP.2018010107
Alrammal MHains G(2014)Forward XPath stream processing: End-to-end confidentiality and scalability2014 10th International Conference on Innovations in Information Technology (IIT)10.1109/INNOVATIONS.2014.6987556(24-29)Online publication date: Nov-2014
https://doi.org/10.1109/INNOVATIONS.2014.6987556
Anisetti MArdagna CDamiani E(2012)Container-Level Security Certification of ServicesBusiness System Management and Engineering10.1007/978-3-642-32439-0_6(93-108)Online publication date: 2012
https://doi.org/10.1007/978-3-642-32439-0_6
Gruschka NJensen MKohlar FLiao L(2011)On Interoperability Failures in WS-SecurityElectronic Business Interoperability10.4018/978-1-60960-485-1.ch025(615-635)Online publication date: 2011
https://doi.org/10.4018/978-1-60960-485-1.ch025
Anisetti MArdagna CDamiani E(2011)Certifying Security and Privacy Properties in the Internet of ServicesTrustworthy Internet10.1007/978-88-470-1818-1_17(221-234)Online publication date: 15-Jun-2011
https://doi.org/10.1007/978-88-470-1818-1_17
Sin SSinha S(2010)Signature replacement attack and its counter-measures2010 IEEE 2nd International Advance Computing Conference (IACC)10.1109/IADCC.2010.5423006(229-235)Online publication date: Feb-2010
https://doi.org/10.1109/IADCC.2010.5423006
Haleem PSebastian M(2010)A Layered Architecture for Checking Rewriting Attacks in Resource Constrained NetworksProceedings of the 2010 International Conference on Data Storage and Data Engineering10.1109/DSDE.2010.36(270-274)Online publication date: 9-Feb-2010
https://dl.acm.org/doi/10.1109/DSDE.2010.36
Jensen MLiao LSchwenk JDamiani EProctor SSingal A(2009)The curse of namespaces in the domain of XML signatureProceedings of the 2009 ACM workshop on Secure web services10.1145/1655121.1655129(29-36)Online publication date: 13-Nov-2009
https://dl.acm.org/doi/10.1145/1655121.1655129
Kokolakis SRizomiliotis PBenameur ASinha S(2009)Security and Dependability Solutions for Web Services and WorkflowsSecurity and Dependability for Ambient Intelligence10.1007/978-0-387-88775-3_6(97-106)Online publication date: 31-Mar-2009
https://doi.org/10.1007/978-0-387-88775-3_6
Sinha SSinha S(2008)Limitations of Web Service Security on SOAP Messages in a Document Production Workflow Environment2008 16th International Conference on Advanced Computing and Communications10.1109/ADCOM.2008.4760471(342-346)Online publication date: Dec-2008
https://doi.org/10.1109/ADCOM.2008.4760471

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A Proposed SOAP Model in WS-Security to Avoid Rewriting Attacks and Ensuring Secure Conversation

Intrusion Resistant SOAP Messaging with IAPF

A formal construction of certificateless proxy multi-signature scheme