Soap Array Attack
SOAP messages are flexible in many ways; even arrays are supported. If you are new to SOAP arrays, check the documentation by the W3C.
However, this feature can be exploited by an attacker to mount a denial-of-service attack that limits the availability of the web service.
Before a SOAP array is used, its size has to be declared, just as in many programming languages. By default, SOAP does not limit the number of elements within an array. This property can be exploited by an attacker to execute a DoS attack limiting the availability of the web service. Let's assume an attacker declares an array with 1,000,000,000 String elements. Before the message is processed any further by the parser, the web service will reserve space in RAM for 1,000,000,000 String elements. In most cases that leads to memory exhaustion of the attacked system.
Easy countermeasures are available if one is aware of the attack.
There are no attack subtypes for this attack.
Prerequisites for attack
In order for this attack to work, the attacker has to have knowledge of the following things:
- The attacker knows the endpoint of the web service. The WSDL is not required, since the attack is solely focused on the XML parser. It doesn't matter whether the operations within the SOAP message are valid.
- The attacker can reach the endpoint from their location. Access to the attacked web service is required. If the web service is only available to users within a certain company network, the attack is limited.
Graphical representation of attack
- Red box = attacked web service component
- Black box = attacker location
- Blue box = other web service components not actively used in the attack
In our example we just take an arbitrary SOAP message with a string array in the SOAP message body. In this case the attacker declares a SOAP array with one million elements.
<soapenv:Envelope xmlns:soapenv="..." xmlns:soapenc="..." xmlns:xsi="..." xmlns:xsd="...">
  <soapenv:Body>
    <ns1:FunctionWithArrayInput xmlns:ns1="...">
      <!-- declared size (1,000,000) is far larger than the three items actually sent -->
      <DataSet xsi:type="soapenc:Array" soapenc:arrayType="xsd:string[1000000]">
        <item xsi:type="xsd:string">Data1</item>
        <item xsi:type="xsd:string">Data2</item>
        <item xsi:type="xsd:string">Data3</item>
      </DataSet>
    </ns1:FunctionWithArrayInput>
  </soapenv:Body>
</soapenv:Envelope>
Listing 1: SOAP Message with malicious Array in body
Attack mitigation / countermeasures
The attack can be stopped by using strict schema validation. In most cases the maximum number of array elements is known. Let's make an example: we assume that at most 10 elements are allowed. In this case an appropriate schema could look like this:
<!-- start excerpt .. -->
<simpleType name="phoneNumber" base="string"/>
<element name="ArrayOfPhoneNumbers">
  <complexType base="SOAP-ENC:Array">
    <element name="phoneNumber" type="tns:phoneNumber" maxOccurs="10"/>
  </complexType>
  <anyAttribute/>
</element>
<!-- end excerpt... -->
Listing 2: Excerpt fixed XML Schema
An excerpt of a valid SOAP message could look like this:
<!-- start excerpt .. -->
<xyz:ArrayOfPhoneNumbers SOAP-ENC:arrayType="xyz:phoneNumber">
  <phoneNumber>206-555-1212</phoneNumber>
  <phoneNumber>1-888-123-4567</phoneNumber>
</xyz:ArrayOfPhoneNumbers>
<!-- end excerpt... -->
Listing 3: Excerpt of a valid SOAP message
If the maximum number of elements cannot be limited by default, another solution has to be found. In that case it is best to compare the number of elements declared in the soapenc:arrayType attribute with the number of array elements actually present. If they do not match, the SOAP message is discarded. This check has to be implemented by hand by the web service developer.
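As an added example (not code from the original page), the per-message check described above in Python: it reads the declared size from soapenc:arrayType, counts the items actually present while parsing the envelope incrementally, and rejects the message on a mismatch or when either number exceeds a policy cap of 10, matching the maxOccurs="10" of Listing 2. The sample envelope is constructed here, and check_soap_arrays returns (accepted, reason).

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO
SOAPENC = "http://schemas.xmlsoap.org/soap/encoding/"
ARRAY_TYPE = "{%s}arrayType" % SOAPENC
MAX_ARRAY_ELEMENTS = 10  # policy cap; mirrors maxOccurs="10" in Listing 2
_DIMS = re.compile(r"\[([0-9,\s]*)\]\s*$")  # size part of "xsd:string[2,3]"

def declared_size(array_type):
    """Element count declared in a soapenc:arrayType value; None if left open ("[]")."""
    m = _DIMS.search(array_type)
    if not m or not m.group(1).strip():
        return None
    total = 1
    for dim in m.group(1).split(","):
        total *= int(dim)
    return total

def check_soap_arrays(xml_bytes, max_elements=MAX_ARRAY_ELEMENTS):
    """Stream through an envelope and verify every SOAP-encoded array; nothing is
    allocated for the declared size and parsing stops at the first violation."""
    depth, arrays = 0, []  # arrays: stack of [depth, declared_size, items_seen]
    for event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            if arrays and depth == arrays[-1][0] + 1:  # direct child = one item
                arrays[-1][2] += 1
                if arrays[-1][2] > max_elements:
                    return False, "more than %d array items" % max_elements
            if ARRAY_TYPE in elem.attrib:
                size = declared_size(elem.attrib[ARRAY_TYPE])
                if size is not None and size > max_elements:
                    return False, "declared size %d exceeds limit %d" % (size, max_elements)
                arrays.append([depth, size, 0])
        else:
            if arrays and arrays[-1][0] == depth:
                _, size, count = arrays.pop()
                if size is not None and size != count:
                    return False, "declared %d items but found %d" % (size, count)
            depth -= 1
            elem.clear()  # release each finished subtree

    return True, "ok"

def sample_message(declared, items):
    """Constructed envelope shaped like Listing 1; `declared` is the "[N]" suffix."""
    body = "".join("<item>Data%d</item>" % i for i in range(items))
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:soapenc="%s"><soapenv:Body><DataSet soapenc:arrayType="xsd:string%s">'
            '%s</DataSet></soapenv:Body></soapenv:Envelope>' % (SOAPENC, declared, body)).encode()
```

This check only covers array sizes; the standard library parser still expands entities, so in production use the same logic on top of defusedxml's iterparse or another parser with entity expansion disabled.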
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading