
RAMPART-428: Rampart passes the SOAP body to the application that is different from the one used in validating the SOAP signature


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.6.2
    • 2.0.0

    Description

      Our hacking scenario:

      1. The hacker first acquires a valid SOAP signature, including SOAP header and body.
      2. The hacker attacks the service by replaying the acquired SOAP message as follows:

        <soap envelope>
          <(replayed valid) soap header>
            ...
            <wrapper>
              <(replayed valid) soap body>...</soap body>
            </wrapper>
          </soap header>
          <(new arbitrary) soap body>
            ...
          </soap body>
        </soap envelope>

      3. The SOAP message in 2. will pass Rampart's signature verification, as it uses the valid (replayed) body to check against the valid (replayed) signature. However, the problem is that Rampart passes the new (arbitrary) SOAP body to applications, which effectively bypasses the security mechanism of XML Signature. To foil the hack, Rampart can pass the (replayed) body it checks against the (replayed) signature instead of the new (arbitrary) one.

      4. Security policy that we use:

        <wsp:Policy wsu:Id="SigOnly"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:AsymmetricBinding
                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                  <sp:InitiatorToken>
                    <wsp:Policy>
                      <sp:X509Token
                          sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                        <wsp:Policy>
                          <sp:RequireThumbprintReference />
                          <sp:WssX509V3Token10 />
                        </wsp:Policy>
                      </sp:X509Token>
                    </wsp:Policy>
                  </sp:InitiatorToken>
                  <sp:RecipientToken>
                    <wsp:Policy>
                      <sp:X509Token
                          sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                        <wsp:Policy>
                          <sp:RequireThumbprintReference />
                          <sp:WssX509V3Token10 />
                        </wsp:Policy>
                      </sp:X509Token>
                    </wsp:Policy>
                  </sp:RecipientToken>
                  <sp:AlgorithmSuite>
                    <wsp:Policy>
                      <sp:TripleDesRsa15 />
                    </wsp:Policy>
                  </sp:AlgorithmSuite>
                  <sp:Layout>
                    <wsp:Policy>
                      <sp:Strict />
                    </wsp:Policy>
                  </sp:Layout>
                </wsp:Policy>
              </sp:AsymmetricBinding>
              <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier />
                  <sp:MustSupportRefIssuerSerial />
                </wsp:Policy>
              </sp:Wss10>

              <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
                <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
              </sp:SignedParts>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
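      The structural check that step 3 asks for, written here as an added example (not Rampart's or WSS4J's own code): before dispatching, confirm that the soap:Body which is the direct child of soap:Envelope is exactly the element the signature's ds:Reference points at, and that no other element in the document carries that same wsu:Id. It assumes the standard SOAP 1.2, WSS 1.0 and XML-DSig namespaces and Id-based references, and inspects structure only; the cryptographic verification of the signature is assumed to happen separately. The sample messages are constructed for the example and carry no real signature value.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed for the sample messages (SOAP 1.2, WSS 1.0, XML-DSig).
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SIG_REFS = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"

def signed_body_is_dispatched_body(envelope_xml: str) -> bool:
    """Return True only if the soap:Body that would be handed to the application
    (the direct child of soap:Envelope) is exactly the element the signature's
    ds:Reference URIs point at, with no second element carrying the same Id."""
    env = ET.fromstring(envelope_xml)
    body = env.find("soap:Body", NS)  # direct child only, never a wrapped copy
    if body is None:
        return False
    refs = {r.get("URI", "").lstrip("#") for r in env.findall(SIG_REFS, NS)}
    body_id = body.get(WSU_ID)
    if body_id is None or body_id not in refs:
        return False  # dispatched Body is not covered by the signature at all
    # The Id must resolve to the dispatched Body and to nothing else in the document.
    same_id = [e for e in env.iter() if e.get(WSU_ID) == body_id]
    return same_id == [body]

def build_message(header_extra: str, body_id: str) -> str:
    """Constructed sample message: only the structure the check inspects, no real
    signature value or certificate (the crypto check is out of scope here)."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>{header_extra}
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="{body_id}"><op/></soap:Body>
</soap:Envelope>"""

# Legitimate message: the signed Body is the one that gets dispatched.
LEGIT = build_message("", "body-1")
# Wrapped message as in the scenario above: the signed Body sits in a wrapper
# inside the header, and a new, unsigned Body is what would be dispatched.
WRAPPED = build_message('<Wrapper><soap:Body wsu:Id="body-1"><op/></soap:Body></Wrapper>', "new-1")

if __name__ == "__main__":
    print(signed_body_is_dispatched_body(LEGIT))    # True
    print(signed_body_is_dispatched_body(WRAPPED))  # False
```

      The check also rejects the variant where the new Body reuses the signed Body's wsu:Id, since the Id then resolves to two elements.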

    People

      Assignee: Unassigned
      Reporter: r8921039 Daniel