This attack utilizes a REST (REpresentational State Transfer)-style
application's trust in the system resources and environment to place a man in
the middle once SSL is terminated. The premise of REST applications is that they
leverage existing infrastructure to deliver web services functionality. An
example of this is a REST application that uses HTTP GET methods and
receives an HTTP response with an XML document. These REST-style web services
are deployed on existing infrastructure such as Apache and IIS web servers
with no SOAP stack required. Unfortunately, from a security standpoint, there
frequently is no interoperable identity security mechanism deployed, so REST
developers often fall back to SSL to deliver security. In large data
centers, SSL is typically terminated at the edge of the network - at the
firewall, load balancer, or router. Once the SSL is terminated, the HTTP
request is in the clear (unless developers have hashed or encrypted the
values, but this is rare). The attacker can utilize a sniffer such as
Wireshark to capture the credentials, such as username and password, that
are passed in the clear once SSL is terminated.
Once the attacker gathers these credentials, they can submit requests to
the web service provider just as authorized users do. There is typically no
authentication on the client side beyond what is passed in the request
itself, so once this is compromised, it is generally sufficient to
compromise the service's authentication scheme.
Attack Prerequisites
An opportunity to intercept must exist beyond the point where SSL is
terminated.
The attacker must be able to insert a listener actively (proxying the
communication) or passively (sniffing the communication) in the
client-server communication path.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Protocol Manipulation
Injection
Examples-Instances
Description
The REST service provider uses SSL to protect the communications
between the service requester (client) and the service provider. It is
very common in enterprise data centers to terminate SSL at a router,
firewall, load balancer, proxy or other device before the communications
reach the web server. Where SSL is terminated in this way, the attacker
can insert a sniffer into the communication stream and gather all the
authentication tokens (such as session credentials, username/password
combinations, and so on). The REST service requester and service
provider do not have any way to detect this attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To insert a network sniffer or other listener into the communication
stream
Probing Techniques
Attacker may use a network sniffer to identify authentication credentials
once SSL is terminated.
Solutions and Mitigations
Implementation: Implement message level security such as HMAC in the HTTP
communication
Design: Utilize defense in depth, do not rely on a single security
mechanism like SSL
Design: Enforce principle of least privilege
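As an added illustration of the first mitigation above (this is example code, not part of the CAPEC entry), the following shows message-level security with HMAC: the client signs the method, path, timestamp, nonce and body hash with a shared secret, and the server verifies the signature and rejects stale or replayed requests. A request captured past the SSL termination point then carries no reusable password, and any altered field breaks the signature. The shared secret, header names and replay window are assumptions for the example.

```python
import hashlib
import hmac
import time

# Shared secret provisioned out of band (constructed value for this example).
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every field a sniffer could alter into one string to be signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret, method, path, body, timestamp, nonce):
    """Client side: compute the HMAC-SHA256 tag sent in the X-Signature header."""
    msg = canonical_string(method, path, timestamp, nonce, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks freshness, nonce uniqueness and signature validity."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so the check is testable
        self.seen_nonces = set()  # a real deployment would expire these

    def verify(self, method, path, headers, body):
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(self.now() - ts) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside replay window"
        if nonce in self.seen_nonces:
            return False, "nonce already used (replayed request)"
        expected = sign_request(self.secret, method, path, body, ts, nonce)
        # Constant-time comparison avoids leaking the tag via timing.
        if not hmac.compare_digest(expected, sig):
            return False, "signature mismatch (request altered or wrong key)"
        self.seen_nonces.add(nonce)
        return True, "ok"
```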
Attack Motivation-Consequences
Privilege Escalation
Injection Vector
HTTP protocol communications
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Enables the attacker to execute server-side code with any commands that the
program owner has privileges for.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.