Web Services and Single Sign-On are among the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, and military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of XML's complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.
In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be executed manually (e.g., with soapUI) in order to get a feeling for how they work. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed.
Contents

The course will contain the following topics. In each topic, the attendees will get the opportunity to execute practical evaluations using soapUI, WS-Attacker, or other applications:
• XML and SOAP-based Web Services
• XML Schema and WS-Policy
• WS-Addressing and WS-Addressing Spoofing
• XML Parsing (DOM vs. SAX)
• XML-specific Denial-of-Service Attacks
• XML Security and WS-Security
  ◦ Why not SSL/TLS?
• XML Signature
  ◦ ID-based and XPath-based XML Signatures
  ◦ XML Signature Wrapping Attacks
• XML Encryption
  ◦ Attacks on symmetric encryption
  ◦ Attacks on asymmetric encryption
• WS-Attacker
• SAML-based Single Sign-On
  ◦ Attacks
Requirements
A laptop with a recent version of VirtualBox (the virtual machine will be provided). VMware and other virtualization software should also work but cannot be supported.