WS-Attacker is a penetration testing tool, whose aim is to test Web Service specific attacks. It provides attacks, which are far beyond typical Web attacks like SQL injection and XSS. For example, in last blog post, WS-Attacker and its XML Signature wrapping attacks were introduced: http://web-in-security.blogspot.de/2015/04/introduction-to-ws-attacker-xml.html
Today, we released a new version of our WS-Attacker framework: https://github.com/RUB-NDS/WS-Attacker
The new version includes some additional features and bug fixes. For example, WS-Attacker now allows you to define an HTTP/HTTPS proxy for forwarding the generated XML attack messages. This gives you the opportunity to send all the WS-Attacker messages through BurpSuite or OWASP ZAP, and analyze their content or resend them to the Web Service.
However, most importantly, the newest WS-Attacker version includes a plugin for automatic XML Encryption attacks. The plugin was implemented by our student Dennis Kupser.
In this blog post, I am going to show you how to use the plugin to attack an IBM Datapower Web Service and decrypt an encrypted content. Please note that these attacks are also applicable to other services as well.
XML Encryption AttacksXML Encryption is a W3C standard used for encryption of XML documents. It is typically used in Web Services applications or for encryption of SAML tokens in Single Sign-On scenarios.
XML Encryption defines (among others) two cryptographic algorithms: RSA PKCS#1 v1.5 and AES/3DES in CBC (Cipher Block Chaining) mode of operation. These two algorithms are vulnerable to so called adaptive chosen ciphertext attacks, which has been shown in many practical examples. Thus, it is not surprising that XML Encryption applications were found to be vulnerable to those attacks:
- In 2011, we presented a paper on How to Break XML Encryption, which showed how to attack symmetric key encryption algorithms in CBC mode: https://www.nds.rub.de/research/publications/breaking-xml-encryption/. The idea is very similar to the typical padding oracle attacks, it is just a slightly more complicated, since we use XML parsing errors as a side-channel. A very good summary on this attack gives Matthew Green: http://blog.cryptographyengineering.com/2011/10/attack-of-week-xml-encryption.html
- In 2012, we showed how to apply Bleichenbacher's attack on the asymmetric encryption algorithm (RSA PKCS#1) in XML Encryption: https://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15/. A summary on Bleichenbacher's attack is given on our blog: http://web-in-security.blogspot.de/2014/08/old-attacks-on-new-tls-implementations.html
Attacking XML Encryption in Web Services
- Elements: list of EncryptedKey elements contained in this message. This message contains only one EncryptedKey element, but there are more complicated scenarios, where messages include more ciphertexts. This option allows us then to choose, which of the encrypted elements is going to be attacked.
- Attack: we can choose between CBC and PKCS#1 attack. Now, we work with the CBC attacks.
- Wrapping attack: If the message contains an XML Signature to protect message authenticity, we can automatically adapt Wrapping attacks to overcome the authenticity check (see previous blog post). In the tested message, there is no XML Signature so I use NO_WRAP.
- String Compare: In order to apply oracle attacks, we have to map real server responses to "oracle" responses. Real responses can however contain timestamps and message ids, which can make the mapping complicated. String comparison methods allow us to define thresholds for message similarities. This makes mapping much easier. I typically use the default Dice-coefficient method with a threshold 0.9.
If you use Burp Suite, you can of course follow the whole communication and, if needed, resend some requests:
However, it is possible to execute certain XML Signature Wrapping attacks or XML Encryption Wrapping attacks to enforce an unsigned content to be decrypted. This allows again for attacks on XML Encryption.
In the next blog post (if I am not too lazy to write it :) ), I will present how to attack an IBM Datapower Web Service, which enforces usage of XML Signature and XML Encryption...
The XML Encryption Plugin has already been used to analyze several XML frameworks. One publicly available result can be seen here: http://coheigea.blogspot.co.at/2015/02/two-new-security-advisories-released.html