1、,Attacking XML Security,Brad Hill Principal Security Consultant ,1,Agenda,Introduction Who am I? Why care about XML Security?How do XML Digital Signatures work?How to build a cross-platform worm in XML!Can we use this technology safely?,2,Special Thanks to:,Alex Stamos & Scott Stender, iSEC Partners
2、 “Attacking Web Services: The Next Generation of Vulnerable Enterprise Apps” http:/ Kaminsky of DoxPara & IOActiveDr. Laurence Bull of Monash University, AustraliaDr. Brian LaMacchia of Microsoft CorporationAndreas Junestam, Jesse Burns, Chris Clark and Chris Palmer of iSEC Partners,3,Introduction,W
3、ho am I?Principal Security Consultant for iSEC PartnersApplication security consultants and researchersBased in San Francisco and Seattle, USATo get the latest version of these slides: https:/ care about XML Security?,Web Services have gone mainstream: SOA & B2B integration Web Single Sign On And ev
4、erybody has XML applications. Its lurking more places than you might think: Mobile code manifests Printing DRM & software licensing P3P Digital identity systems,5,Two years ago,Alex Stamos & Scott Stender of iSEC present: “Attacking Web Services: The Next Generation of Vulnerable Enterprise Applicat
5、ions”Web Services can be scary: Valuable Visible Vulnerable,6,Web Service application-level attacks,The OWASP Top 10 still apply to Web ServicesOld flaws like SQL injectionAnd new flaws like XML and XPath injectionPlus complexity attacks and denial of services against XML parsers and applications,7,
6、Todays topic is protocol-level attacks,Alex & Scotts talk has been widely noted.One of the few things followers have added is (and which they deliberately didnt)WS-Security to save the day! (or not),8,Why XMLDSIG & XMLENC?,For meI didnt really set out to look at it, specifically.IANAC (I am not a Cr
7、yptographer)I thought: “Just a signature with angle brackets.”Lots of new applications and platforms being built on Web Services.Not a lot of security testing tools yet.,9,Building an attack proxy,I wanted a tool like WebScarab or Fiddler for attacking Web Services utilizing WS-Security.First order
8、of business was fixing up XML Signatures.Then I found this in the interop vectors while doing unit testing: ( Merlin Hughes, Baltimore Technologies, 2002),10,foobar60NvZvtdTB+7UnlLp/H24p7h4bs=60NvZvtdTB+7UnlLp/H24p7h4bs=self:text()zyjp8GJOX69990Kkqw8ioPXGExk=.,11,qg4HFwsN+/WX32uH85WlJU9l45k=ETlEI3y7
9、hvvAtMe9wQSz7LhbHEE=J/O0HhdaPXxx49fgGWMESL09GpA=J/O0HhdaPXxx49fgGWMESL09GpA=J/O0HhdaPXxx49fgGWMESL09GpA=MkL9CX8yeABBth1RChyPx58Ls8w=.,12,WvZUJAJ/3QNqzQvwne2vvy7U5Pck8ZZ5UTa6pIwR7GE+PoGi6A1kyw=ancestor-or-self:dsig:X509DataI am the text.SSBhbSB0aGUgdGV4dC4=60NvZvtdTB+7UnlLp/H24p7h4bs=qURlo3LSq4TWQtyg
10、BZJ0iXQ9E14=Notaries .,13,CN=Merlin Hughes,OU=X/Secure,O=Baltimore Technologies Ltd.,ST=Dublin,C=IECN=Transient CA,OU=X/Secure,O=Baltimore Technologies Ltd.,ST=Dublin,C=IE1017788370348MIIDUDCCAxCgAwIBAgIGAOz46g2sMAkGByqGSM44BAMwbjELMAkGA1UEBhMCSUUxDzANBgNVBAgTBkR1YmxpbjEkMCIGA1UEChMbQmFsdGltb3JlIFRl
11、Y2hub2xvZ2llcyBMdGQuMREwDwYDVQQLEwhYL1NlY3VyZTEVMBMGA1UEAxMMVHJhbnNpZW50IENBMB4XDTAyMDQwMjIyNTkzMFoXDTEyMDQwMjIxNTkyNVowbzELMAkGA1UEBhMCSUUxDzANBgNVBAgTBkR1YmxpbjEkMCIGA1UEChMbQmFsdGltb3JlIFRlY2hub2xvZ2llcyBMdGQuMREwDwYDVQQLEwhYL1NlY3VyZTEWMBQGA1UEAxMNTWVybGluIEh1Z2hlczCCAbcwggEsBgcqhkjOOAQBMIIBHwKB
12、gQDd454C+qcTIWlb65NKCt2PtguNpOSnId5woUigu7xBk2QZNAjVyIhMEfSWp8iR0IdKLx+JQLcNOrcn0Wwl5/hhW0MXsmlS8dM5Cq2rtmDHooLxbGTPqtALE6vsXQCk5iLz3MtGh7gyQMZ7q7HT5a3I5NChUgY1MMNQVetRA1susQIVAIQy3BStBjvx89Wq8Tjr7IDP1S8lAoGBAJ58e4W3VqMxm7ZxYJ2xZ6KX0Ze10WnKZDyURn+T9iFIFbKRFElKDeotXwwXwYON8yre3ZRGkC+2+fiU2bdzIWTT6LMb
13、IMVbk+07P4OZOxJ6XWL9GuYcOQcNvX42xh34DPHdq4XdlItMR25NA+OdZ4S8VVrpb4jkj4cyir1628kgA4GEAAKBgHH2KYoaQEHnqWzRUuDAG0EYXV6Q4ucC68MROYSL6GKqNS/AUFbvH2NUxQD7aGntYgYPxiCcj94i38rgSWg7ySSz99MAR/Yv7OSd+uej3r6TlXU34u+xYvRo+sv4m9lb/jmXyZJKeC+dPqeU1IT5kCybURLILZfrZyDsiU/vhvVozowODAOBgNVHQ8BAf8EBAMCB4AwEQYDVR0OBAoEC
14、IatY7SElXEOMBMGA1UdIwQMMAqACIOGPkB2MuKTMAkGByqGSM44BAMDLwAwLAIUSvT02iQjQ5da4Wpe0Bvs7GuCcVsCFCEcQpbjUfnxXFXNWiFyQ49ZrWqnMIIDSzCCAwugAwIBAgIGAOz46fwJMAkGByqGSM44BAMwbjELMAkGA1UEBhMCSUUxDzANBgNVBAgTBkR1YmxpbjEkMCIGA1UEChMbQmFsdGltb3JlIFRlY2hub2xvZ2llcyBMdGQuMREwDwYDVQQLEwhYL1NlY3VyZTEVMBMGA1UEAxMMVHJhb
15、nNpZW50IENBMB4XDTAyMDQwMjIyNTkyNVoXDTEyMDQwMjIxNTkyNVowbjELMAkGA1UEBhMCSUUxDzANBgNVBAgTBkR1YmxpbjEkMCIGA1UEChMbQmFsdGltb3JlIFRlY2hub2xvZ2llcyBMdGQuMREwDwYDVQQLEwhYL1NlY3VyZTEVMBMGA1UEAxMMVHJhbnNpZW50IENB.,14,Thats no Cryptographic Integrity Primitive,Its an application protocol!,15,Generality = Comp
16、lexity = Vulnerability -Tim Newsham, iSEC Partners,That signature definitely looked like there was fertile ground for misuse by developers and clients.Its complex enough to even present a fair bit of trouble for implementers intimately familiar with the specification.,16,But not a lot of public atte
17、ntion yet.,There have been excellent papers on several of the WS-* security standards in the academic world.Worth searching the ACM, Springer or IEEE libraries for.http:/ are even full formal proofs of some of these protocols.But they often start with sentences like: “Assume that the participating c
18、omputers and the users browser B are correct.”,17,A formally correct mechanism for putting burning logs right in the middle of your house, safely.,What the architect designed,18,Photo Credit: Jeff Leighton, Inspect-It 1st Property Inspection. Used with permission.,What the reviewer sometimes finds:,
19、19,Attack Surface Analysis,Typical for applications start with a threat model. Enumerate all the entry points, interfaces and operations. Which are anonymously accessible? Available to authenticated users? Authorized to all users, administrators, or an individual user? Locally or remotely accessible
20、? Complexity of inputs or operations, dependencies, assumptions.,20,HTTPS (a bit simplified),A,B,TLS,Message1,Per-session key exchangeOnly X.509 certificates supported as keysMultiple messages over single sessionNo preservation of evidence,Difficult to compose with reliable deliveryOpaque to interme
21、diariesMessages only protected in the channelForward secrecy with DH key exchange,Channel privacy & integrity with KSESSION,Symmetric KSESSION derived from X.509 certs & DH key exchange,Messagen,21,Encrypt KB,Sign KC,WS-Security (One of many possibilities.),A,B,C,M,Sign KA,Mp1 Mp2,Sign KA,D,Durable
22、securitySelective securityMixed key/token typesMixed key exchange,HTTP HTTPS JMS TCP,Intermediate actorsComposable assertionsTransport agnostic,KB,Kc,Mp3,Mp1 Mp2,22,23,HTTP,XML, SOAP, WSDL, Schema, WS-Addressing, etc.,XML Digital Signatures,XML Encryption,SAML,Kerberos,X.509,Security Token Profiles,
23、WS-Trust,WS-Federation,WS-SecureConversation,WS-Policy,WS-Security Policy,WS-Security,.Net TCP Channel, Fast InfoSet, etc.,WS-Actually Get Some Work Done,SSL,24,SSL,25,HTTP,XML, SOAP, WSDL, Schema, WS-Addressing, etc.,XML Digital Signatures,XML Encryption,SAML,Kerberos,X.509,Security Token Profiles,
24、WS-Trust,WS-Federation,WS-SecureConversation,WS-Policy,WS-Security Policy,WS-Security,.Net TCP Channel, Fast InfoSet, etc.,Goals of XMLDSIG in WS-Security,Sign arbitrary digital content.Sign the semantic intent of an XML document, (the “InfoSet”) not an octet stream. (binary XML encoding compatibili
25、ty)Cryptographic algorithm and key format agility.Indirected and flexible referencing of the signed content.Optionally supply keying info as part of the signature, with flexible referencing thereof.Allow exclusion of portions of content from the signature.,26,Counter-intuitive Integrity,Lots of stuf
26、f can change without invalidating the signature.Important if youre building a complex WS-* processing pipeline with XML firewalls, security gateways, reliable messaging proxies, etc.But tricky & dangerous when you dont need all that stuff.,27,The Structure & Properties of XML Digital Signatures,28,J
27、PEG,Content to Sign,7/XTsHaBSOnJ/jXD5v0zL6VKYsk=,Jxk7ND0/NqxnU7522uKzzi2/vx=,Hash,XML Metadata,URI Reference,Hash,MF298zmadkae3/4nsf7a43j8vnB,Key,Signature,ov3HOoPN0w71N3DdGNhN+dSzQm6NJFUB5qGKRp9Q986nVzMb8wCIVxCQu+x3vMtqp4/R3KEcPtEJSaoR+thGq+GPIhmZXyWJs3xHy9P4xmoTVwli7/l7s8ebDSmnbZ7xZU4Iy1BSZSxGKnRG
28、+Z/0GJIfTz8jhH6wCe3l03L4=,29,Basic structure of an XMLDSIG,Signed Info Metadata describing the content being signed.Signature Value Signature of the digest of the Signed Info metadataKey Info Metadata about or the actual key used.,30,7/XTsHaBSOnJ/jXD5v0zL6VKYsk=ov3HOoPN0w71N3DdGNhN+dSzQm6NJFUB5qGKRp
29、9Q986nVzMb8wCIVxCQu+x3vMtqp4/R3KEcPtEJSaoR+thGq+GPIh2mZXyWJs3xHy9P4xmoTVwli7/l7s8ebDSmnbZ7xZU4Iy1BSMZSxGKnRG+Z/0GJIfTz8jhH6wCe3l03L4=q07hpxA5DGFfvJFZueFl/LI85XxQxrvqgVugL25V090A9MrlLBg5PmAsxFTe+G6axvWJQwYOVHj/nuiCnNLa9a7uAtPFiTtW+v5H3wlLaY3ws4atRBNOQlYkIBp38sTfQBkk4i8PEU1GQ2M0CLIJq4/2Akfv1wxzSQ9+8oW
30、kArc=AQABsome text ,31,7/XTsHaBSOnJ/jXD5v0zL6VKYsk=ov3HOoPN0w71N3DdGNhN+dSzQm6NJFUB5qGKRp9Q986nVzMb8wCIVxCQu+x3vMtqp4/R3KEcPtEJSaoR+thGq+GPIh2mZXyWJs3xHy9P4xmoTVwli7/l7s8ebDSmnbZ7xZU4Iy1BSMZSxGKnRG+Z/0GJIfTz8jhH6wCe3l03L4=q07hpxA5DGFfvJFZueFl/LI85XxQxrvqgVugL25V090A9MrlLBg5PmAsxFTe+G6axvWJQwYOVHj/nu
31、iCnNLa9a7uAtPFiTtW+v5H3wlLaY3ws4atRBNOQlYkIBp38sTfQBkk4i8PEU1GQ2M0CLIJq4/2Akfv1wxzSQ9+8oWkArc=AQABsome text ,32,The simplest of our elements.Base64 encoded signature of the digest of the canonicalized element. Worth repeating: XMLDSIGs are indirected signatures. It is a signature of the hash of the
32、metadata about the signed data.,33,7/XTsHaBSOnJ/jXD5v0zL6VKYsk=ov3HOoPN0w71N3DdGNhN+dSzQm6NJFUB5qGKRp9Q986nVzMb8wCIVxCQu+x3vMtqp4/R3KEcPtEJSaoR+thGq+GPIh2mZXyWJs3xHy9P4xmoTVwli7/l7s8ebDSmnbZ7xZU4Iy1BSMZSxGKnRG+Z/0GJIfTz8jhH6wCe3l03L4=q07hpxA5DGFfvJFZueFl/LI85XxQxrvqgVugL25V090A9MrlLBg5PmAsxFTe+G6axv
33、WJQwYOVHj/nuiCnNLa9a7uAtPFiTtW+v5H3wlLaY3ws4atRBNOQlYkIBp38sTfQBkk4i8PEU1GQ2M0CLIJq4/2Akfv1wxzSQ9+8oWkArc=AQABsome text ,34,: Content Metadata,Canonicalization MethodSignature MethodOne or more References Transforms Digest Method Digest Value,35,7/XTsHaBSOnJ/jXD5v0zL6VKYsk=ov3HOoPN0w71N3DdGNhN+dSzQm
34、6NJFUB5qGKRp9Q986nVzMb8wCIVxCQu+x3vMtqp4/R3KEcPtEJSaoR+thGq+GPIh2mZXyWJs3xHy9P4xmoTVwli7/l7s8ebDSmnbZ7xZU4Iy1BSMZSxGKnRG+Z/0GJIfTz8jhH6wCe3l03L4=q07hpxA5DGFfvJFZueFl/LI85XxQxrvqgVugL25V090A9MrlLBg5PmAsxFTe+G6axvWJQwYOVHj/nuiCnNLa9a7uAtPFiTtW+v5H3wlLaY3ws4atRBNOQlYkIBp38sTfQBkk4i8PEU1GQ2M0CLIJq4/2Akf
35、v1wxzSQ9+8oWkArc=AQABsome text ,36,Canonicalization (C14N),How to get the One True Bag of Bits in an XML node set. Required for the element Optional for a (to external, non-XML content)Eliminate or normalize non-semantic variability from the signed content. Namespaces Whitespace Comments CDATA Entit
36、ies Also important for binary XML encodingSome Type 2 error (false negatives). Difficult to debug, but not especially problematic from a security perspective.,37,Theme: Mismatched assumptions.,Matching security assumptions and assertions to your audience is important.Standards committees and archite
37、cts with deep domain knowledge have a ways to go in learning to think like an average developer.,38,The Average Developer,Is Lazy. One of the characteristics of all great programmers.Probably does care about security. But certificates, SSL, Kerberos, etc. are magic.Trusts the API developer. No choic
38、e if you want to get stuff done. A lot of trust for security APIs.,39,Assumption 1: Complexity & DoS,Standards Committee:“Its XML there are many ways to introduce arbitrary complexity and denial of service is just a given. Its not our problem.”,40,Assumption 1: Complexity & DoS,Security-minded devel
39、oper:“I wish XML were less complex, but if I follow best practices I can do it safely.”Dont allow DTDs Dont expand entities Dont resolve externals Limit parse depth Limit total input sizeThis isnt actually a bad assumption!,41,Remember these best-practices for safe XML processing.We will see how XML
40、 Signatures force you to violate almost all of them!,Assumption 1: Complexity & DoS,Average Developer:“I authenticate my XML inputs with a signature now, so I dont have to worry about all that stuff.”,42,C14N Entity Expansion Attacks,C14Ns treatment of entities requires expansion.DoS attacks are pos
41、sible here using recursive entity expansion.Have to canonicalize to check signature, so this is anonymous attack surface.DTDs disallowed in SOAP, but this attack can apply to other systems, e.g. SAML processors.,43,Example Entity Expansion,This document expands to around 2 GB when parsed: fooo bar ,
42、44,C14N is expensive, in general.,A somewhat complex algorithm with large resource requirements. Build a DOM, validate, canonicalize, serialize.Schema and specification do not limit the number of C14N transforms that may be applied to a reference.Could detect and optimize away redundant C14N, but I
43、have not seen anyone do this yet.,45,46,C14N with Comments & Hash Collisions,OPTIONAL algorithm, but almost always supportedComments may be semantically significant in the doc. But are they ever in the metadata? Almost certainly not even examined.An unusual degree of freedom in crafting a hash colli
44、sion that is still well-formed and doesnt disturb application semantics. Still beyond todays state of the art, but maybe not for long.Paranoid implementation should disallow C14N with comments for ,47,7/XTsHaBSOnJ/jXD5v0zL6VKYsk=ov3HOoPN0w71N3DdGNhN+dSzQm6NJFUB5qGKRp9Q986nVzMb8wCIVxCQu+x3vMtqp4/R3KE
45、cPtEJSaoR+thGq+GPIh2mZXyWJs3xHy9P4xmoTVwli7/l7s8ebDSmnbZ7xZU4Iy1BSMZSxGKnRG+Z/0GJIfTz8jhH6wCe3l03L4=q07hpxA5DGFfvJFZueFl/LI85XxQxrvqgVugL25V090A9MrlLBg5PmAsxFTe+G6axvWJQwYOVHj/nuiCnNLa9a7uAtPFiTtW+v5H3wlLaY3ws4atRBNOQlYkIBp38sTfQBkk4i8PEU1GQ2M0CLIJq4/2Akfv1wxzSQ9+8oWkArc=AQABsome text ,48,References
46、 describe what is being signed.Identify the signed content with a URI.Transforms to refine the specification or canonicalize.Specify the digest method and digest value.,49,All references are primarily identified by a URI.Full document reference: URI=“XPointer Bare: URI=“#object“ Object Reference: UR
47、I=“#xpointer(id(object)“ Same-document XPath: URI=“xpointer(/)“External reference: URI=“http:/www.w3.org/TR/xml-stylesheet“,50,Three types of signatures:Enveloping: References are descendants of the signature in the XML document.Enveloped: Signature is a descendant of the signed content.Detached: Si
48、gned content is a sibling or at an external location.,51,External References,Just failed another of our best practices.An attacker can insert a malicious external reference, and you have to chase it to see if the signature validates.No simple flag to turn this off in, e.g. Java APIs.Maybe not valid
49、in WS-Security context: “elements contained in the signature SHOULD refer to a resource within the enclosing SOAP envelope” http:/www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdfImportant to API clients.Callers need to provide a custom URIDereferencer implementation.,52,Time of Check, Time of Use,
