Pe­ne­tra­ti­on Test Tool for XML-ba­sed Web Ser­vices

Chris­ti­an Main­ka, Vla­dis­lav Mla­de­nov, Juraj So­mo­rovs­ky, Jörg Schwenk

In­ter­na­tio­nal Sym­po­si­um on En­gi­nee­ring Se­cu­re Soft­ware and Sys­tems 2013

Ab­stract

XML is a plat­form-in­de­pen­dent data for­mat ap­p­lied in a vast num­ber of ap­p­li­ca­ti­ons. Star­ting with con­fi­gu­ra­ti­on files, up to of­fice docu- ments, web ap­p­li­ca­ti­ons and web ser­vices, this tech­no­lo­gy ad­op­ted nu- me­rous – most­ly com­plex – ex­ten­si­on spe­ci­fi­ca­ti­ons. As a con­se­quence, a com­ple­te­ly new at­tack sce­na­rio has rai­sed by abusing we­ak­nes­ses of XML-spe­ci­fic fea­tures. In the world of web ap­p­li­ca­ti­ons, the se­cu­ri­ty eva­lua­ti­on can be as­su­red by the use of dif­fe­rent pe­ne­tra­ti­on test tools. Ne­ver­the­l­ess, com­pa­red to pro­mi­nent at­tacks such as SQL-In­jec­tion or Cross-si­te script­ing (XSS), there is cur­rent­ly no pe­ne­tra­ti­on test tool that is ca­pa­ble of ana­ly­zing the se­cu­ri­ty of XML in­ter­faces. In this paper we mo­ti­va­te for de­ve­lop- ment of such a tool and de­scri­be the basic prin­ci­ples be­hind the first au­to­ma­ted pe­ne­tra­ti­on test tool for XML-ba­sed web ser­vices named WS-At­ta­cker.

Tags: Pen­test, Si­gna­tu­re Wrap­ping, Sin­gle Sign-On, XML-Se­cu­ri­ty