axis-java-dev mailing list archives

From "Daniel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (RAMPART-428) rampart passes the soap body different from the one used in validating against soap signature
Date Tue, 11 Aug 2015 18:43:45 GMT
Daniel created RAMPART-428:
------------------------------

             Summary: rampart passes the soap body different from the one used in validating against soap signature
                 Key: RAMPART-428
                 URL: https://issues.apache.org/jira/browse/RAMPART-428
             Project: Rampart
          Issue Type: Bug
    Affects Versions: 1.6.2
            Reporter: Daniel


our hacking scenario:

1. the hacker first acquires a valid soap signature, including soap header and body
2. the hacker attacks the service by replaying the acquired soap message as follows: 

<soap envelope>
<(replayed valid) soap header>
    ...
    <wrapper>
        <(replayed valid) soap body>...</soap body>
    </wrapper>
</soap header>
<(new arbitrary) soap body>
    ...
</soap body>
</soap envelope>

3. the soap message in 2. will pass rampart's signature verification as it uses the valid
(replayed) body to check against the valid (replayed) signature. However, the problem is that
rampart passes to applications the new (arbitrary) soap body, which effectively bypasses the
security mechanism of xml signature. To foil the hack, rampart can pass the (replayed) body
it checks against the (replayed) signature instead of the new (arbitrary) one. 

4. security policy that we use:
            <wsp:Policy wsu:Id="SigOnly"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsp:ExactlyOne>
                    <wsp:All>
                        <sp:AsymmetricBinding
                            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                            <wsp:Policy>
                                <sp:InitiatorToken>
                                    <wsp:Policy>
                                        <sp:X509Token
                                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                            <wsp:Policy>
                                                <sp:RequireThumbprintReference />
                                                <sp:WssX509V3Token10 />
                                            </wsp:Policy>
                                        </sp:X509Token>
                                    </wsp:Policy>
                                </sp:InitiatorToken>
                                <sp:RecipientToken>
                                    <wsp:Policy>
                                        <sp:X509Token
                                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                            <wsp:Policy>
                                                <sp:RequireThumbprintReference />
                                                <sp:WssX509V3Token10 />
                                            </wsp:Policy>
                                        </sp:X509Token>
                                    </wsp:Policy>
                                </sp:RecipientToken>
                                <sp:AlgorithmSuite>
                                    <wsp:Policy>
                                        <sp:TripleDesRsa15 />
                                    </wsp:Policy>
                                </sp:AlgorithmSuite>
                                <sp:Layout>
                                    <wsp:Policy>
                                        <sp:Strict />
                                    </wsp:Policy>
                                </sp:Layout>
                            </wsp:Policy>
                        </sp:AsymmetricBinding>
                        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                            <wsp:Policy>
                                <sp:MustSupportRefKeyIdentifier />
                                <sp:MustSupportRefIssuerSerial />
                            </wsp:Policy>
                        </sp:Wss10>

                        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                            <sp:Body />
                            <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                        </sp:SignedParts>
                    </wsp:All>
                </wsp:ExactlyOne>
            </wsp:Policy>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
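
Added example, not part of the original report and not Rampart code: a receiver-side structural check that the element a `ds:Reference` resolves to is the same `Body` the service will read (the direct child of `Envelope`), which is the condition the report says is not enforced. It does not verify the signature itself; the `Wrapper`, `Security` and `pay` elements and the `body-1` Id are constructed sample values.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_signed_body(envelope_xml):
    """Return (ok, reason): ok only if a ds:Reference resolves to the Body
    that is the direct child of Envelope, i.e. the one the service reads."""
    root = ET.fromstring(envelope_xml)  # untrusted input: use a hardened parser
    bodies = root.findall(f"{{{SOAP}}}Body")  # direct children only
    if root.tag != f"{{{SOAP}}}Envelope" or len(bodies) != 1:
        return False, "need soap:Envelope with exactly one Body child"
    by_id = {}
    for el in root.iter():  # index every wsu:Id, wherever it sits
        wid = el.get(f"{{{WSU}}}Id")
        if wid is None:
            continue
        if wid in by_id:  # two elements claiming one Id is itself a red flag
            return False, f"duplicate wsu:Id {wid!r}"
        by_id[wid] = el
    uris = [r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")]
    targets = [by_id.get(u[1:]) for u in uris if u.startswith("#")]
    if not any(t is bodies[0] for t in targets):
        return False, "Envelope/Body is not the element the signature covers"
    return True, "signed Body is the dispatched Body"

# Constructed skeletons (no real signature values; element names are made up).
def _envelope(header_extra, body):
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            '<soap:Header><Security><ds:Signature><ds:SignedInfo>'
            '<ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature></Security>'
            f'{header_extra}</soap:Header>{body}</soap:Envelope>')

SIGNED = '<soap:Body wsu:Id="body-1"><pay amount="1"/></soap:Body>'
NEW = '<soap:Body{}><pay amount="9999"/></soap:Body>'
GENUINE = _envelope("", SIGNED)
WRAPPED = _envelope(f"<Wrapper>{SIGNED}</Wrapper>", NEW.format(""))
SAME_ID = _envelope(f"<Wrapper>{SIGNED}</Wrapper>", NEW.format(' wsu:Id="body-1"'))

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("wrapped", WRAPPED), ("same-id", SAME_ID)]:
        print(name, check_signed_body(msg))
```

The check compares element identity rather than Id strings, so a second `Body` that reuses the signed Id is rejected as a duplicate instead of being accepted.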
