Abstract
Denial-of-Service (DoS) attacks aim to affect the availability of applications. They can be executed using several techniques. Most of them rely on a large amount of computing power that is used to send a large number of messages to the attacked application, e.g. a web service. Web services apply parsing technologies to process incoming XML messages. This enlarges the number of attack vectors, since attackers get new possibilities to abuse specific parser features and complex parsing techniques. Therefore, web service applications apply various countermeasures, including message length or XML element restrictions. These countermeasures make validation of web service robustness against DoS attacks complex and error prone.
In this paper, we present a novel adaptive and intelligent approach for testing web services. Our algorithm systematically increases the attack strength and evaluates its impact on a given web service, using a blackbox approach based on server response times. This allows one to automatically detect message size limits or element count restrictions. We prove the practicability of our approach by implementing a new WS-Attacker plugin and detecting new DoS vulnerabilities in widely used web service implementations.
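To illustrate the response-time based escalation the abstract describes, the following added example (not code from the paper or from WS-Attacker) simulates it offline: a constructed in-process stand-in for a web service rejects messages above a hidden element-count limit, and the search routine escalates the element count geometrically, then binary-searches the point where the response time stops growing. Real measurements are noisy and need repetition and a tolerance threshold, which this deterministic mock does not model; the `make_mock_service` and `find_element_limit` names are assumptions.

```python
"""Offline simulation of adaptive element-count limit detection via response times."""
from typing import Callable, Optional

def make_mock_service(element_limit: int, cost_per_element: float = 0.01,
                      base_cost: float = 0.05) -> Callable[[int], float]:
    """Constructed stand-in for a web service (assumption, not AdIDoS code).

    Returns a simulated 'response time' for a request carrying `count` XML
    elements. Below the limit the parser pays a cost per element; above it the
    message is rejected before parsing, so the reply comes back fast. A naive
    tester that only looks at the reply would misread that fast rejection
    (this is the false positive described in note 6 below).
    """
    def respond(count: int) -> float:
        if count > element_limit:
            return base_cost                      # rejected early: fast reply
        return base_cost + cost_per_element * count
    return respond

def find_element_limit(measure: Callable[[int], float], start: int = 1,
                       max_count: int = 1_000_000) -> Optional[int]:
    """Escalate the element count geometrically while response time keeps growing.

    The first step whose response time is lower than the previous one marks a
    restriction: the service stopped parsing the payload. A binary search
    between the last accepted and first rejected count then pins the threshold.
    Returns None if no restriction shows up below max_count.
    """
    prev_count, prev_time = start, measure(start)
    count = start * 2
    while count <= max_count:
        t = measure(count)
        if t < prev_time:
            break                                 # time dropped: restriction hit
        prev_count, prev_time = count, t
        count *= 2
    else:
        return None
    lo, hi = prev_count, count                    # lo accepted, hi rejected
    accepted_time = prev_time
    while hi - lo > 1:
        mid = (lo + hi) // 2
        t = measure(mid)
        if t >= accepted_time:                    # still parsed in full
            lo, accepted_time = mid, t
        else:
            hi = mid
    return lo
```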
Notes
- 1. Our implementation in the WS-Attacker framework is split into two parts: (1) a generic library to apply DoS attacks on XML and (2) a plugin that is used to transmit SOAP messages.
- 2.
- 3. Its current implementation includes Coercive Parsing, XML Attribute Count, XML Element Count, XML Entity Expansion, XML External Entity, XML Overlong Names, and 4 variants of HashCollision attacks – 10 attack variants in total.
- 4. Areas in the XML document where additional elements or attributes can be placed according to the schema definition. Identified by <xs:any> and <xs:anyAttribute> in the XML Schema.
- 5. This value was chosen empirically based on our tests in local networks.
- 6. Here an attack is marked as successful even though it is not.
- 7.
- 8.
Acknowledgements
We would like to thank our anonymous reviewers for their helpful comments. The research was supported by the German Ministry of Research and Education (BMBF) as part of the VERTRAG research project.
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Altmeier, C., Mainka, C., Somorovsky, J., Schwenk, J. (2016). AdIDoS – Adaptive and Intelligent Fully-Automatic Detection of Denial-of-Service Weaknesses in Web Services. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds) Data Privacy Management, and Security Assurance. DPM QASA 2015 2015. Lecture Notes in Computer Science(), vol 9481. Springer, Cham. https://doi.org/10.1007/978-3-319-29883-2_5
DOI: https://doi.org/10.1007/978-3-319-29883-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29882-5
Online ISBN: 978-3-319-29883-2
eBook Packages: Computer Science, Computer Science (R0)