Coercive Parsing
Attack description
Coercive Parsing is one of the simplest attacks to mount. It aims at exhausting the system resources of the attacked web service: the attacker sends a SOAP message with an unbounded number of opening tags in the SOAP Body, that is, a very deeply nested XML document.
Tests on AXIS 2 web services showed that the attack drives CPU usage to 100% while the SOAP message is processed. When the attacker keeps a raw socket open, the attack lasts for as long as the connection between attacker and victim exists: the attacker simply keeps "pumping" opening tags into the socket for as long as they wish to keep the web service disabled.
This attack is one of the more devastating denial of service attacks; however, countermeasures are available.
NOTE: Only web services using a DOM parser are susceptible to this attack. The DOM parser creates an in-memory representation of the SOAP message, and during this process the in-memory size can grow by a factor of 2 to 30 relative to the message size. When very large documents are processed, memory exhaustion is often the result. When using a streaming parser such as SAX it is very unlikely for the attack to succeed, since the entire document is never loaded into memory.[1]
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order for this attack to work the attacker has to know the following:
- Attacker knows the endpoint of the web service. The WSDL is not required, since the attack targets the XML parser alone; it does not matter whether the operations within the SOAP message are valid.
- Attacker can reach the endpoint from their location. Access to the attacked web service is required; if the web service is only available to users within a certain company network, this attack is limited accordingly.
Graphical representation of attack
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack example
The following SOAP message shows an example with a "Coercive Parsing Attack" payload.
<soapenv:Envelope xmlns:soapenv="..." xmlns:soapenc="...">
<soapenv:Body>
<x>
<x>
<x>
<x>
<x>
<!-- Continued for as long as wanted by the attacker -->
Listing 1: "Coercive Parsing Attack" payload.
Attack mitigation / countermeasures
The "Coercive Parsing" attack can be fully stopped by strict schema validation. Each WSDL should contain a detailed description of the elements, attributes, and data types used. For example, when only one element <Surname> is expected within the SOAP body, the XML Schema should contain the following:
..
<!-- excerpt fictional XML Schema -->
<xs:element name="Surname" type="xs:string"/>
..
Listing 2: Excerpt of an XML Schema for the tag "Surname"
By using the data type "string", only character data is allowed between the element tags; injecting further tags inside <Surname> is not possible.
Since the default minimum and maximum number of occurrences is 1, the element has to appear exactly once in the SOAP body. If no other tags are defined in the XML Schema for the SOAP body, any other tag is prohibited by default as well, making it impossible to mount the attack.
Therefore any SOAP message that violates this schema is rejected.
For a more detailed tutorial on how to create strict XML schemas refer to [2].
Strict schema validation is admittedly resource intensive; however, one should be aware how easy it is to compromise the availability of a web service when schema validation is turned off.
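As an added example (not part of the original page or of any of the cited projects), the following Python script enforces both defences discussed above with the standard library only: a streaming parser that aborts once nesting exceeds a cap, and the Listing 2 constraint that the Body holds exactly one string-typed <Surname>. It assumes an unqualified Surname element and uses hand-written checks in place of real XSD validation, which is what a deployment should use.

```python
import io
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BODY_TAG = "{%s}Body" % SOAP_NS


class Rejected(Exception):
    """Raised as soon as a rule fails; parsing stops right there."""


def _scan(raw, max_depth, expected):
    """Incremental pass over the message: nesting must stay <= max_depth, and the
    Body must hold exactly one <expected> with string content (Listing 2's rule)."""
    depth, body_depth, surname, seen = 0, None, None, 0
    for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise Rejected("nesting depth %d exceeds %d" % (depth, max_depth))
            if elem.tag == BODY_TAG:
                body_depth = depth
            elif body_depth is not None and depth == body_depth + 1:
                if elem.tag != expected or seen:  # wrong tag, or a second one
                    raise Rejected("unexpected or repeated element <%s> in Body" % elem.tag)
                seen += 1
            elif body_depth is not None:  # anything nested below the direct child
                raise Rejected("<%s> may only contain a string" % expected)
        else:
            depth -= 1
            if body_depth is not None and elem.tag == expected:
                surname = (elem.text or "").strip()
            elif elem.tag == BODY_TAG:
                body_depth = None
            elem.clear()  # drop finished elements so nothing accumulates in memory
    if seen != 1:
        raise Rejected("Body must contain exactly one <%s>" % expected)
    return surname


def check_soap(raw, max_depth=8, expected="Surname"):
    """Returns 'ok:<surname>' or 'rejected:<reason>' for one SOAP message."""
    try:
        return "ok:" + _scan(raw, max_depth, expected)
    except Rejected as exc:
        return "rejected:" + str(exc)
    except ET.ParseError as exc:
        return "rejected:malformed XML: " + str(exc)


# Constructed samples: COERCIVE_BODY has the shape of Listing 1 (opening tags only, never
# closed); COERCIVE_HEADER nests outside the Body, where only the depth cap applies.
ENV = b'<soapenv:Envelope xmlns:soapenv="%s">' % SOAP_NS.encode()
BENIGN = ENV + b"<soapenv:Body><Surname>Doe</Surname></soapenv:Body></soapenv:Envelope>"
COERCIVE_BODY = ENV + b"<soapenv:Body>" + b"<x>" * 50000
COERCIVE_HEADER = ENV + b"<soapenv:Header>" + b"<x>" * 50000
```

The Body sample is rejected on its very first `<x>` by the schema rule, while the Header sample is only caught by the depth cap; both stop the parser long before the 50,000 tags have been read.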
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_XML_Parser
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.
- Meiko Jensen, Lijun Liao, and Jörg Schwenk. The curse of namespaces in the domain of XML signature. Technical report, Horst Görtz Institute for IT-Security, 44780 Bochum, Germany, 2009.
- Nishchal Bhalla and Sahba Kazerooni. Web services vulnerabilities. http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf, February 2007. Accessed 01 July 2010.
- Jan Peters. Use of SOA appliances in service-oriented infrastructures. CAST-Workshop SOA Security, June 2009.
- N/A. Protecting enterprise, SaaS & cloud based applications – a comprehensive threat model for REST, SOA and Web 2.0. Technical report, Intel Corporation, 2009.
- Leroy Metin Yaylacioglu. Business value einer web service firewall. Master's thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.