Daniel created RAMPART-428:
------------------------------
Summary: rampart passes the soap body different from the one used in validating against soap signature
Key: RAMPART-428
URL: https://issues.apache.org/jira/browse/RAMPART-428
Project: Rampart
Issue Type: Bug
Affects Versions: 1.6.2
Reporter: Daniel
Our hacking scenario:

1. The hacker first acquires a valid SOAP signature, including the SOAP header and body.

2. The hacker attacks the service by replaying the acquired SOAP message as follows:

<soap envelope>
  <(replayed valid) soap header>
    ...
    <wrapper>
      <(replayed valid) soap body>...</soap body>
    </wrapper>
  </soap header>
  <(new arbitrary) soap body>
    ...
  </soap body>
</soap envelope>

3. The SOAP message in 2. will pass Rampart's signature verification, as it uses the valid (replayed) body to check against the valid (replayed) signature. However, the problem is that Rampart passes to applications the new (arbitrary) SOAP body, which effectively bypasses the security mechanism of XML Signature. To foil the hack, Rampart can pass the (replayed) body it checks against the (replayed) signature instead of the new (arbitrary) one.

4. The security policy that we use:
<wsp:Policy wsu:Id="SigOnly"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
        <sp:Header Name="Action"
            Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="To"
            Namespace="http://www.w3.org/2005/08/addressing" />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
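The mitigation the report asks for, stated as a check a receiver can run after (not instead of) cryptographic signature verification: the element that the signature's Reference resolves to must be the very soap:Body the application layer is about to dispatch, otherwise the message is rejected. The code below is an added example written for this issue; it is not Rampart's or WSS4J's code. It assumes SOAP 1.1 namespaces, wsu:Id-based References and a single Signature, and the two messages it parses are constructed for the demonstration (the digest and signature values are placeholders, since the point is element identity, not cryptography).

```python
"""Detect SOAP XML Signature wrapping: the Body a <ds:Reference URI="#id">
resolves to must be the Body the application will actually process.
Constructed example; complements, never replaces, signature verification."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = f"{{{WSU_NS}}}Id"

# Constructed message in the shape the report describes: the replayed, signed
# Body is hidden under a wrapper inside the Security header, while a new,
# unsigned Body sits where the application expects one.
WRAPPED_MESSAGE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <ds:Signature xmlns:ds="{DS_NS}">
        <ds:SignedInfo>
          <ds:Reference URI="#Body-1"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
      <Wrapper>
        <soap:Body wsu:Id="Body-1"><getBalance account="alice"/></soap:Body>
      </Wrapper>
    </wsse:Security>
  </soap:Header>
  <soap:Body><transfer from="alice" to="mallory" amount="1000000"/></soap:Body>
</soap:Envelope>"""

# Constructed honest message: the signed Body is the dispatched Body.
HONEST_MESSAGE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <ds:Signature xmlns:ds="{DS_NS}">
        <ds:SignedInfo>
          <ds:Reference URI="#Body-1"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><getBalance account="alice"/></soap:Body>
</soap:Envelope>"""


def find_by_wsu_id(root, ref_id):
    """Id lookup as a verifier does it: first element anywhere in the document
    whose wsu:Id matches the Reference URI. This is what the attack exploits."""
    for el in root.iter():
        if el.get(WSU_ID) == ref_id:
            return el
    return None


def dispatched_body(root):
    """The Body the application layer processes: the direct child of Envelope."""
    return root.find(f"{{{SOAP_NS}}}Body")


def signed_reference_ids(root):
    """All ids referenced by the (single) Signature, with the leading '#' removed."""
    sig = root.find(f".//{{{DS_NS}}}Signature")
    if sig is None:
        return []
    return [r.get("URI", "").lstrip("#") for r in sig.iter(f"{{{DS_NS}}}Reference")]


def check_signed_body_is_dispatched(xml_text):
    """Return (ok, reason). ok is False when the Body covered by the signature
    is not the same element object as the Body that would be dispatched."""
    root = ET.fromstring(xml_text)
    body = dispatched_body(root)
    if body is None:
        return False, "no soap:Body under Envelope"
    ref_ids = signed_reference_ids(root)
    for ref_id in ref_ids:
        signed_el = find_by_wsu_id(root, ref_id)
        if signed_el is None:
            return False, f"Reference #{ref_id} resolves to nothing"
        # Same element name but a different node: a Body was signed, just not this one.
        if signed_el.tag == body.tag and signed_el is not body:
            return False, f"signed Body #{ref_id} is not the dispatched Body (signature wrapping)"
    if body.get(WSU_ID) not in ref_ids:
        return False, "dispatched Body is not covered by any Reference"
    return True, "signed Body is the dispatched Body"


if __name__ == "__main__":
    for name, msg in (("wrapped", WRAPPED_MESSAGE), ("honest", HONEST_MESSAGE)):
        print(name, check_signed_body_is_dispatched(msg))
```

The identity test (`signed_el is not body`) is what matters: comparing by wsu:Id or by element name would still be fooled, because the wrapped copy carries the same Id and the same name. The report's own proposed fix is the dual of this check: instead of rejecting, hand the application the element the verifier actually resolved and digested, so whatever sits at the Envelope's Body position is never trusted on its own.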
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)