Towards a Semantic of XML Signature - How to Protect Against XML Wrapping Attacks Sebastian Gajek, Lijun Liao, Jörg Schwenk Horst-Görtz-Institut Ruhr-University.

Slides:

Advertisements

Similar presentations

Chungnam National University DataBase System Lab

Advertisements

XML III. Learning Objectives Formatting XML Documents: Overview Using Cascading Style Sheets to format XML documents Using XSL to format XML documents.

Advanced XSLT II. Iteration in XSLT we sometimes wish to apply the same transform to a set of nodes we iterate through a node set the node set is defined.

1 XSLT – eXtensible Stylesheet Language Transformations Modified Slides from Dr. Sagiv.

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.

XSLT (eXtensible Stylesheet Language Transformation) 1.

SOAP Quang Vinh Pham Simon De Baets Université Libre de Bruxelles1.

XML Rewrite Attacks in The Context of SOAP Messages, Evaluating The Current Solutions AHMED ALGHAMDI CSCE 813.

XPath Eugenia Fernandez IUPUI. XML Path Language (XPath) a data model for representing an XML document as an abstract node tree a mechanism for addressing.

1 CP3024 Lecture 9 XML revisited, XSL, XSLT, XPath, XSL Formatting Objects.

XML Technologies and Applications Rajshekhar Sunderraman Department of Computer Science Georgia State University Atlanta, GA 30302

XSL Concepts Lecture 7. XML Display Options What can XSL Transformations do? generation of constant text suppression of content moving text (e.g., exchanging.

WSDL Web Services Description Language Neet Wadhwani University of Colorado 3 rd October, 2001.

September 15, 2003Houssam Haitof1 XSL Transformation Houssam Haitof.

17 Apr 2002 XML Stylesheets Andy Clark. What Is It? Extensible Stylesheet Language (XSL) Language for document transformation – Transformation (XSLT)

Overview of XPath Author: Dan McCreary Date: October, 2008 Version: 0.2 with TEI Examples M D.

1 Web Services Security XML Encryption, XML Signature and WS-Security.

1 On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky.

10/06/041 XSLT: crash course or Programming Language Design Principle XSLT-intro.ppt 10, Jun, 2004.

Sheet 1XML Technology in E-Commerce 2001Lecture 6 XML Technology in E-Commerce Lecture 6 XPointer, XSLT.

Pragmatic XML security Hans Granqvist, ApacheCon 2005.

Navigating XML. Overview  Xpath is a non-xml syntax to be used with XSLT and Xpointer. Its purpose according to the W3.org is  to address parts of an.

CSE3201/CSE4500 XPath. 2 XPath A locator for elements or attributes in an XML document. XPath expression gives direction.

Copyright © 2012 Accenture All Rights Reserved.Copyright © 2012 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are.

Xpath Xlink Xpointer Xquery Sources:

XSLT for Data Manipulation By: April Fleming. What We Will Cover The What, Why, When, and How of XSLT What tools you will need to get started A sample.

CSE3201/CSE4500 Information Retrieval Systems

XP New Perspectives on XML Tutorial 6 1 TUTORIAL 6 XSLT Tutorial – Carey ISBN

CIS 451: XSL Dr. Ralph Westfall February, Problems With XML no formatting capabilities contra formatting tags like, etc. in HTML CSS can be used.

Representing Web Data: XML CSI 3140 WWW Structures, Techniques and Standards.

WORKING WITH XSLT AND XPATH

XML Signature Prabath Siriwardena Director, Security Architecture.

1 CIS336 Website design, implementation and management (also Semester 2 of CIS219, CIS221 and IT226) Lecture 6 XSLT (Based on Møller and Schwartzbach,

Web Server Administration Web Services XML SOAP. Overview What are web services and what do they do? What is XML? What is SOAP? How are they all connected?

Intro. to XML & XML DB Bun Yue Professor, CS/CIS UHCL.

Processing of structured documents Spring 2002, Part 2 Helena Ahonen-Myka.

POSTER TEMPLATE BY: Whitewater HTTP Vulnerabilities Nick Berry, Joe Joyce, & Kevin Vaccaro. Syntax & Routing Attempt to capture.

Processing of structured documents Spring 2003, Part 7 Helena Ahonen-Myka.

ECA 228 Internet/Intranet Design I XSLT Example. ECA 228 Internet/Intranet Design I 2 CSS Limitations cannot modify content cannot insert additional text.

JSTL, XML and XSLT An introduction to JSP Standard Tag Library and XML/XSLT transformation for Web layout.

CITA 330 Section 6 XSLT. Transforming XML Documents to XHTML Documents XSLT is an XML dialect which is declared under namespace "

XSLT Kanda Runapongsa Dept. of Computer Engineering Khon Kaen University.

August Chapter 6 - XPath & XPointer Learning XML by Erik T. Ray Slides were developed by Jack Davis College of Information Science and Technology.

1 WSDL Tutorial Heather Kreger (borrowed from Peter Brittenham) Web Services Architect IBM Emerging Technologies.

Forward: Preventing XML Signature Wrapping Attacks in Cloud Computing Prepared by: Abdulaziz AlShammari Professor Ramasamy Uthurusamy April10, 2014.

1 Overview of XSL. 2 Outline We will use Roger Costello’s tutorial The purpose of this presentation is  To give a quick overview of XSL  To describe.

Internet Technologies Review Week 1 How does Jigsaw differ from EchoServer.java? What abstractions are made available to the servlet writer (under.

Establishing a foundation for web services Ashraf Memon.

Schematron Tim Bornholtz. Schema languages Many people turn to schema languages when they want to be sure that an XML instance follows certain rules –DTD.

CS 157B: Database Management Systems II February 11 Class Meeting Department of Computer Science San Jose State University Spring 2013 Instructor: Ron.

WS-Security Additional Material. Security Element: enclosing information n UsernameToken block u Defines how username-and-password info is enclosed in.

COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 4 1COMP9321, 15s2, Week.

Secure Systems Research Group - FAU A Pattern for XML Signature Presented by Keiko Hashizume.

More XML XPATH, XSLT CS 431 – February 23, 2005 Carl Lagoze – Cornell University.

CSE3201/CSE4500 XPath. 2 XPath A locator for items in XML document. XPath expression gives direction of navigation.

Evaluation Biztalk Table of Contents Introduction to XML. Anatomy of an XML document. What is an XML Schema? What is SOAP? XML Web Services overview.

1 G52IWS: Web Services Description Language (WSDL) Chris Greenhalgh

1 XPath. 2 Agenda XPath Introduction XPath Nodes XPath Syntax XPath Operators XPath Q&A.

Jackson, Web Technologies: A Computer Science Perspective, © 2007 Prentice-Hall, Inc. All rights reserved Chapter 7 Representing Web Data:

5 Copyright © 2004, Oracle. All rights reserved. Navigating XML Documents by Using XPath.

1 XSL Transformations (XSLT). 2 XSLT XSLT is a language for transforming XML documents into XHTML documents or to other XML documents. XSLT uses XPath.

XSLT, XML Schema, and XPath Matt McClelland. Introduction XML Schema ▫Defines the content and structure of XML data. XSLT ▫Used to transform XML documents.

XML Notes taken from w3schools. What is XML? XML stands for EXtensible Markup Language. XML was designed to store and transport data. XML was designed.

Unit 4 Representing Web Data: XML

XML in Web Technologies

S/MIME T ANANDHAN.

Database Processing with XML

Chapter 7 Representing Web Data: XML

Web Server Administration

Presentation transcript:

Towards a Semantic of XML Signature - How to Protect Against XML Wrapping Attacks Sebastian Gajek, Lijun Liao, Jörg Schwenk Horst-Görtz-Institut Ruhr-University Bochum, Germany Presented by Michael McIntosh Java and Web Services Security Group Security, Privacy, and Extensible Technologies Department IBM Research

Overview XML Wrapping Attacks (McIntosh and Austel 2005) Receiver-side Protection: –Strict Filtering –Returning a Spanning Tree –Returning Location Hints Sender-side Protection: –XPath Towards a formal Semantic for XML Signature

Vulnerability: SOAP and XML Signature logics process data independently. That is, when signed data located at wsu:id is valid then the content is processed by SOAP engine. XML Wrapping Attacks (McIntosh and Austel 2005) soap: envelope soap: headersoap: body wsse:security ds:signature ds:signedInfo ds:reference uri=“#theBody“ wsu:Id=“theBody“ getQuote Symbol=“IBM“ The original document: The SOAP Body is signed and referenced by a wsu:id attribute; signature verification returns Boolean value.

XML Wrapping Attacks (McIntosh and Austel 2005) The modified document: The same data is signed and referenced by a wsu:id attribute, but the SOAP Body has changed. soap: envelope soap: headersoap: body wsse:security ds:signature ds:signedInfo ds:reference uri=“#theBody“ wsu:Id=“newBody“ getQuote Symbol=“MBI“ soap: body wsu:Id=“theBody“ getQuote Symbol=“IBM“ Wrapper

XML Wrapping Attacks (McIntosh and Austel 2005) Summary Wrapping Attacks do not change the semantics of XML signatures using wsu:id However it would be useful to be able to detect such modification For other signature formats (OpenPGP, PKCS#7) it is sufficient to return a Boolean value after verification; for XML Signature, this is no longer the case

Receiver-side Protection: Strict Filtering Solution 1: Business Logic only gets the signed data Signature verification is located as a filter between the network and the Business Logic Effect: Only the following XML fragment is forwarded to the Business Logic Problems: Transform within each -Element may result in non-XML data. soap: body wsu:Id=“theBody“ getQuote Symbol=“IBM“

Receiver-side Protection: Returning a Spanning Tree Solution 2: The signature verification function returns the signed data plus all elements up to the root of the document Effect: The Business Logic can compare the actual (vertical) position of the signed data with its expectations soap: envelope soap: body wsu:Id=“theBody“ getQuote Symbol=“IBM“ soap: envelope soap: header soap: body wsu:Id=“theBody“ getQuote Symbol=“IBM“ Wrapper Spanning Tree of the original document Spanning Tree of the modified document

Receiver-side Protection: Returning Location Hints Solution 3: The signature verification function returns the signed data plus an absolute XPath describing its (vertical) position Effect: The Business Logic can compare the actual (vertical) position of the signed data with its expectations Location hint for the original document Location hint for the modified document soap: body wsu:Id=“theBody“ getQuote Symbol=“IBM“ soap: body wsu:Id=“theBody“ getQuote Symbol=“IBM“ + /Envelope/Body + /Envelope/Header/Wrapper/Body

Sender-side Protection: XPath Solution 4: The sender fixes the position of the signed data via XPath Either XPath transform (Version 1 or 2) or XPointer argument in URI (not yet tested) Effect: Any modification to the document changing the position of the signed data will be detected

Future Work: Towards a formal Semantic for XML Signature The XML Signature standard contains useful (e.g., XPath) and dangerous (e.g., XSLT) transforms. A formal semantics should help understand which parts of an XML document are protected by the signature. The most important part is to understand how the different types of URIs and XPath transform influence the protected parts. Known formal semantics for XPath in XSLT are not clear enough because they only map to (unordered) XML nodesets. A future semantic for XPath/URIs in XML Signature should map into (mathematical) trees/forests, along the lines of solution 2.

A Hybrid Solution Use an IDREF in the Signature Reference Use a Transform –With Path (XPath syntax) from Root to Referenced Element –Processing verifies Path Output = Input if Path matches Output != Input if Path does not match Assumes implementation has access to equivalent of Node::getParent