BPEL State Deviation

From WS-Attacks

Attack description

Because BPEL processes are invoked by external communication partners, a BPEL engine exposes Web Service endpoints that accept any incoming message. Whether a message belongs to an existing process instance, and whether that instance is in a state in which it can receive the message, can only be decided after the message has been received and processed.

Attack subtypes

Two subtypes are defined:

  1. BPEL Correlation Invalidation
    Since one BPEL process may have many process instances running concurrently, these communication endpoints are open for incoming connections at any time. A malicious Web Service client can therefore send messages that are correct with respect to their message structure but are not correlated to any existing process instance. Such correlation-invalid messages are discarded by the BPEL engine, but only after a large amount of redundant work: each message must be read and processed completely, and all existing process instances must be searched for a match, before the message can safely be discarded. The computational resources of the BPEL engine are thus exhausted by processing invalid messages.
    Example: The following attack was executed against a BPEL engine running one BPEL process. Among other activities, the process contained a sequence of two receive activities, first and second, with first initiating a new process instance. The process also defined a number of correlation properties for identifying process instances. The attack used SOAP messages invoking the second operation with correlation property values that did not match any running process instance. The engine was sent a sequence of 1000 such messages with a total payload of 0.5 MB. The messages were correctly discarded by the BPEL engine, but processing them cost an additional 350 MB of memory and a full CPU load for more than 2 hours.

  2. BPEL State Invalidation
    The second subtype uses correct correlation properties, so the message is matched to an existing process instance, but it addresses a receive activity that is not enabled in that instance's current state of execution. Such messages are not correlation-invalid but state-invalid. Their impact, however, is the same: exhaustion of the BPEL engine's processing resources, leading to reduced quality of service or even loss of availability.

Prerequisites for attack

In order for this attack to work, the attacker must know or have the following:

  1. The endpoint of the web service; otherwise the attacker cannot reach it.
  2. The metadata of the web service, such as its WSDL file, which names the operations (and thus the receive activities) that can be addressed.
  3. Network access to the endpoint from the attacker's location. This prerequisite matters if the web service is only reachable from within a certain network.

For the state invalidation subtype the attacker additionally needs correlation property values that match a running process instance, since a message with unknown correlation values is correlation-invalid rather than state-invalid.

Graphic representation of attack

No attack schema available

Attack example

No attack example available/necessary.

Attack mitigation / countermeasures

To mitigate state deviation attacks, the engine has to identify and reject correlation-invalid and state-invalid messages using as few computational resources as possible. The two message types call for different checks. A correlation-invalid message should be rejected by a cheap lookup showing that no running instance carries its correlation values, not by a search over all instances. A state-invalid message has already been matched to an instance; here the engine must check whether the addressed receive activity is enabled in that instance's current state before it performs any further processing of the message.
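The matching step behind both attack subtypes, and the two cheap checks the countermeasure calls for, as an added Python example. This is not code from WS-Attacks or from any BPEL engine; the instance model, the `orderId` correlation property, the receive sequence first/second and the message counts are constructed for the demonstration, and the correlation values are assumed to have already been extracted from the SOAP message. The linear scan reproduces the behaviour the attack description relies on: a correlation-invalid message is compared against every running instance before it can be dropped. The indexed variant answers the same question with one hash lookup, and recognises a state-invalid message by comparing the addressed operation with the instance's currently enabled receive before any further work is done.

```python
"""Toy model of how a BPEL engine decides what to do with an incoming message.

Added example for this page; it is not code from WS-Attacks or from any real
BPEL engine.  Assumed: the correlation property values have already been
extracted from the SOAP message (in a real engine that is an XPath evaluation
over the message parts, driven by the process's correlation sets), so only the
matching step is modelled.
"""

from dataclasses import dataclass, field

# Verdicts for an incoming message; the first two are the page's attack subtypes.
CORRELATION_INVALID = "correlation-invalid"   # no instance carries these values
STATE_INVALID = "state-invalid"               # instance found, receive not enabled
MATCHED = "matched"                           # delivered to an enabled <receive>


def correlation_key(values):
    """Canonical, hashable form of a correlation set (property -> value)."""
    return tuple(sorted(values.items()))


@dataclass
class Instance:
    correlation: dict   # values fixed by the initiating <receive>
    pending: list       # operations still to be received, in sequence order

    def enabled(self):
        # Only the head of the sequence is an enabled <receive> right now.
        return self.pending[0] if self.pending else None


@dataclass
class Engine:
    instances: list = field(default_factory=list)
    index: dict = field(default_factory=dict)   # correlation key -> Instance
    comparisons: int = 0                        # cost metric: correlation lookups

    def start(self, correlation, receives):
        """The first operation in `receives` initiates the instance and is
        consumed immediately; the remaining ones are still pending."""
        inst = Instance(dict(correlation), list(receives[1:]))
        self.instances.append(inst)
        self.index[correlation_key(correlation)] = inst
        return inst

    def _verdict(self, inst, operation):
        if inst.enabled() != operation:
            return STATE_INVALID
        inst.pending.pop(0)   # the <receive> completes; the process moves on
        return MATCHED

    def deliver_scan(self, operation, correlation):
        """Behaviour the attack description relies on: compare the message
        against every instance before it can be discarded."""
        for inst in self.instances:
            self.comparisons += 1
            if inst.correlation == correlation:
                return self._verdict(inst, operation)
        return CORRELATION_INVALID

    def deliver_indexed(self, operation, correlation):
        """Countermeasure: one hash lookup decides correlation validity, then
        the enabled receive is checked before anything else is done."""
        self.comparisons += 1
        inst = self.index.get(correlation_key(correlation))
        if inst is None:
            return CORRELATION_INVALID
        return self._verdict(inst, operation)


def simulate(indexed, n_instances=1000, n_attack=1000):
    """Start n_instances processes (receive sequence first -> second), then
    deliver n_attack correlation-invalid messages, one state-invalid message
    and one legitimate message.  All inputs are constructed for the demo.
    Returns (correlation comparisons performed, verdict counts)."""
    eng = Engine()
    for i in range(n_instances):
        eng.start({"orderId": f"order-{i}"}, ["first", "second"])
    deliver = eng.deliver_indexed if indexed else eng.deliver_scan
    counts = {}

    def send(operation, correlation):
        verdict = deliver(operation, correlation)
        counts[verdict] = counts.get(verdict, 0) + 1

    for i in range(n_attack):
        send("second", {"orderId": f"bogus-{i}"})   # well-formed, matches no instance
    send("first", {"orderId": "order-0"})           # instance exists, first already done
    send("second", {"orderId": "order-0"})          # the only legitimate message
    return eng.comparisons, counts


if __name__ == "__main__":
    for mode, indexed in (("linear scan", False), ("correlation index", True)):
        comparisons, counts = simulate(indexed)
        print(f"{mode:17s}: {comparisons:>9d} comparisons, verdicts {counts}")
```

With one process, 1000 running instances and 1000 attack messages the scan performs one comparison per attack message per instance, the index one per message; the verdict counts are identical, so the countermeasure changes the cost of rejecting a message, not the decision. The model deliberately leaves out the cost of parsing the message itself, which the engine still pays for every message and which a correlation index does not reduce.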

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting system resources and therefore violates the security objective of Availability.

Categorisation by number of involved parties

Categorisation by attacked component in web service architecture

Categorisation by attack spreading


References

  1. Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.