[ https://issues.apache.org/jira/browse/RAMPART-428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski updated RAMPART-428:
------------------------------------
Fix Version/s: 2.0.0
> Rampart passes the SOAP body different from the one used in validating
> against SOAP signature
> ----------------------------------------------------------------------------------------------
>
> Key: RAMPART-428
> URL: https://issues.apache.org/jira/browse/RAMPART-428
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.6.2
> Reporter: Daniel
> Priority: Major
> Fix For: 2.0.0
>
>
> Our hacking scenario:
> 1. The hacker first acquires a valid SOAP signature, including SOAP header
> and body.
> 2. The hacker attacks the service by replaying the acquired SOAP message as
> follows:
> <soap envelope>
>   <(replayed valid) soap header>
>     ...
>     <wrapper>
>       <(replayed valid) soap body>...</soap body>
>     </wrapper>
>   </soap header>
>   <(new arbitrary) soap body>
>     ...
>   </soap body>
> </soap envelope>
> 3. The SOAP message in 2. will pass Rampart's signature verification as it
> uses the valid (replayed) body to check against the valid (replayed)
> signature. However, the problem is that Rampart passes to applications the
> new (arbitrary) SOAP body, which effectively bypasses the security mechanism
> of XML Signature. To foil the hack, Rampart can pass the (replayed) body it
> checks against the (replayed) signature instead of the new (arbitrary) one.
> 4. Security policy that we use:
> <wsp:Policy wsu:Id="SigOnly"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:TripleDesRsa15 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
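The report above is a textbook XML Signature Wrapping case: the signature reference is resolved by wsu:Id, the element it lands on is verified, but the application is handed whatever sits at /Envelope/Body. As an added example, which is neither Rampart's code nor part of the issue, the following Python check runs after cryptographic verification (assumed to be done separately by the WS-Security stack) and confirms that the element a ds:Reference resolves to is the very Body element that will be dispatched, and that the referenced wsu:Id occurs exactly once. The namespaces are the standard SOAP 1.1, WS-Security and XML-DSig ones; the sample envelopes, the Wrapper element, the wsu:Id value and the signature value are constructed placeholders. Beyond the issue's scenario (an unsigned substitute Body), it also handles a substitute Body that copies the signed wsu:Id.

```python
"""Structural guard against XML Signature Wrapping on a WS-Security SOAP message.

Constructed example: after the signature has been cryptographically verified
(assumed done elsewhere, by the WS-Security stack), confirm that the element the
ds:Reference resolved to is the very Body that will be handed to the application,
i.e. the direct child of the Envelope, not a copy placed somewhere else.
"""
import xml.etree.ElementTree as ET

# Standard namespace URIs (SOAP 1.1, WS-Security utility, XML-DSig, WS-Security secext).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _q(ns, local):
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def signed_reference_uris(root):
    """URIs of every ds:Reference inside every ds:Signature of the message."""
    return {ref.get("URI")
            for sig in root.iter(_q(DS_NS, "Signature"))
            for ref in sig.iter(_q(DS_NS, "Reference"))}


def elements_with_wsu_id(root, value):
    """All elements, in document order, whose wsu:Id equals value."""
    return [el for el in root.iter() if el.get(_q(WSU_NS, "Id")) == value]


def check_signed_body_is_dispatched_body(envelope_xml):
    """Return (ok, reason).

    ok is True only when a ds:Reference covers /Envelope/Body by wsu:Id, that Id
    occurs exactly once in the document, and it resolves to the same element object
    that the application will receive.
    """
    root = ET.fromstring(envelope_xml)
    if root.tag != _q(SOAP_NS, "Envelope"):
        return False, "root element is not a SOAP 1.1 Envelope"
    body = root.find(_q(SOAP_NS, "Body"))  # find() only looks at direct children
    if body is None:
        return False, "Envelope has no direct Body child"
    body_id = body.get(_q(WSU_NS, "Id"))
    if body_id is None:
        return False, "dispatched Body carries no wsu:Id, so no signature can cover it"
    if "#" + body_id not in signed_reference_uris(root):
        return False, "no ds:Reference points at the dispatched Body"
    matches = elements_with_wsu_id(root, body_id)
    if len(matches) != 1:
        return False, "wsu:Id %r occurs %d times; the reference is ambiguous" % (body_id, len(matches))
    if matches[0] is not body:
        return False, "wsu:Id %r resolves to an element that is not the dispatched Body" % body_id
    return True, "signed Body and dispatched Body are the same element"


# --- constructed sample messages (placeholder signature value, not a real one) ---

_SECURITY_HEADER = f"""
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-BASE64</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>"""

_SIGNED_BODY = '<soapenv:Body wsu:Id="Body-1"><getBalance><account>1234</account></getBalance></soapenv:Body>'


def _envelope(header_extra, body):
    """Assemble a SOAP 1.1 envelope around the constructed security header."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}" xmlns:ds="{DS_NS}">
  <soapenv:Header>{_SECURITY_HEADER}{header_extra}
  </soapenv:Header>
  {body}
</soapenv:Envelope>"""


# Legitimate message: the signed Body is the Envelope's own Body.
LEGITIMATE = _envelope("", _SIGNED_BODY)

# The issue's scenario: the replayed signed Body sits in a wrapper inside the Header,
# and a different, unsigned Body occupies the Body position.
WRAPPED = _envelope(
    f"\n    <Wrapper>{_SIGNED_BODY}</Wrapper>",
    '<soapenv:Body><getBalance><account>9999</account></getBalance></soapenv:Body>')

# Variant in which the substitute Body reuses the signed wsu:Id; caught by the uniqueness check.
WRAPPED_DUPLICATE_ID = _envelope(
    f"\n    <Wrapper>{_SIGNED_BODY}</Wrapper>",
    '<soapenv:Body wsu:Id="Body-1"><getBalance><account>9999</account></getBalance></soapenv:Body>')


if __name__ == "__main__":
    for name, msg in (("legitimate", LEGITIMATE), ("wrapped", WRAPPED),
                      ("wrapped, duplicate Id", WRAPPED_DUPLICATE_ID)):
        print(name, check_signed_body_is_dispatched_body(msg))
```

The decisive test is element identity (`matches[0] is body`), not a second Id lookup: the whole bug is that "the element with this Id" and "the Body we dispatch" are answered by different code paths. Running the same check for the signed Action and To headers (the other SignedParts in the policy above) follows the same pattern with the header element in place of the Body.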
--
This message was sent by Atlassian Jira (v8.20.10#820010)