Securing XML Web Services from hackers (1)

Matt Powell
Microsoft Corporation
September 5, 2001

Brief Introduction
While talking to developers about the future of XML Web services, we learned that one of their biggest concerns was that weaknesses in the software could leave a service vulnerable to malicious users. That is both bad news and good news. It is bad news because attacks can limit the availability of a service, leak private data, and, worse, put control of the computer in the hands of these malicious users. It is good news because there are real protections you can put in place to reduce the risk of these attacks. We will describe the kinds of attacks that have occurred and how you can protect your work in the areas of deployment, design, and development. This first column focuses on the issues to consider during deployment; the next column will cover the design and development issues to watch for when building XML Web services.

Types of Attack
To find out where the risk is and how to avoid it, the first step should be to understand the type of attack that the service might suffer. Once you understand the types of problems you may encounter, you can take appropriate steps to mitigate the risks associated with these problems.
Attacks can usually be grouped into three broad categories:
    • Spoofing
    • Exploiting bugs
    • Denial of service

Spoofing

On a system that requires authentication, one of the most common hacker attacks is to work out a user's credentials, log in as that user, and then access the user's information. This is bad enough, but the risk is far greater if the compromised credentials belong to a system administrator or someone else with elevated privileges, because the attack may then not be limited to disclosing one user's data but could expose the data of every user.
Hackers may use several methods to determine a user's password. They may try words that mean something to the user, such as the user's name, a pet's name, or a birthday. More persistent hackers will try every word in a dictionary (a dictionary attack). Other ways of obtaining credentials include capturing network packets and reading the information in the data sent; using DNS spoofing to insert a malicious computer as an intermediary between the client and the server; impersonating a system administrator and asking the user to hand over his or her credentials under the pretext of troubleshooting; or recording a logon handshake with the server and then replaying it to try to authenticate.
You can mitigate most of the risks posed by spoofing by taking measures such as enforcing strong passwords and using secure authentication mechanisms.

Exploiting Bugs

One of the key factors determining how vulnerable a system is is the quality of the code running on it. Bugs are not limited to making a particular thread fail unexpectedly. Hackers can exploit them to execute their own code on the system, to access resources with higher privileges, or to trigger resource leaks (caused by the bugs) that can slow the system down or make it unavailable. One of the best-known examples of this kind of attack is the Code Red worm, which exploited a bug in the Index Server ISAPI extension to execute code of its choosing on the infected system and then went on to look for other vulnerable computers.
Another common attack exploits mistaken assumptions about the validity of input data. For example, suppose an XML Web service expects a user name as a parameter. If you assume that a user name contains only a plain ASCII string and therefore place it directly into your SQL query, your service may have a serious weakness. Suppose your code builds a SQL query as follows:
    SQLQuery = "SELECT * FROM Users WHERE (username= '" & UsernameInput & "')"

If the UsernameInput parameter contains exactly the following:
    Bob') OR NOT (username= '0

then the query that reaches the database becomes

    SELECT * FROM Users WHERE (username= 'Bob') OR NOT (username= '0')

and your service may return all records, not just the record of a particular user.
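To make the injection concrete, here is an added example (not from the article) that uses Python's built-in sqlite3 module and a constructed three-row Users table: the same crafted input returns every row when it is spliced into the SQL text, but matches nothing when it is bound as a query parameter.

```python
import sqlite3

# Constructed sample data standing in for the article's Users table.
SAMPLE_USERS = [
    ("Bob", "bob@example.test"),
    ("Alice", "alice@example.test"),
    ("Carol", "carol@example.test"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed Users rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username_input):
    """Mirror the article's VB line: the input is concatenated into the SQL text."""
    sql = "SELECT * FROM Users WHERE (username= '" + username_input + "')"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username_input):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE (username= ?)"
    return conn.execute(sql, (username_input,)).fetchall()

def demo():
    """Run both lookups with an ordinary name and with the article's crafted input."""
    conn = make_db()
    crafted = "Bob') OR NOT (username= '0"
    return {
        "normal_vuln": lookup_vulnerable(conn, "Bob"),      # one row
        "crafted_vuln": lookup_vulnerable(conn, crafted),   # every row leaks
        "normal_safe": lookup_parameterized(conn, "Bob"),   # one row
        "crafted_safe": lookup_parameterized(conn, crafted),  # no rows
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```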

Denial of Service

The purpose of a denial of service attack is not to break into a site or to change its data, but to make the site unable to serve legitimate requests. The Code Red worm did not just infect computers and then look for further computers to infect: it also had the infected computers send a large number of packets to the official White House Web site. Because thousands of computers were infected, the number of requests hitting the White House site was extremely high. Because Code Red generated requests from a large number of computers, it is considered a "distributed denial of service attack". With so many computers involved, such an attack is extremely difficult to contain.
A denial of service attack can take many forms, because bogus requests can be sent at multiple layers to attack your system. For example, your site might allow users to PING your IP address, so that ICMP messages are sent to your server and echoed back. This is a useful way to troubleshoot connection failures. However, if hundreds of computers send thousands of packets to your server at the same time, your computer will be so busy processing PING requests that it cannot get CPU time to handle other, legitimate requests.
One level up is the SYN attack, which requires writing a low-level network program that sends what looks like the first packet (the SYN packet) of the TCP connection handshake. This attack is more damaging than a ping attack because you can ignore ping requests if necessary, but with a SYN attack, as long as an application is listening on a TCP port (such as a Web server), you must spend resources every time you receive a seemingly valid connection request.
At the highest level, a denial of service attack can take the form of sending many essentially valid SOAP requests to the XML Web service, each of which causes a database lookup. The lookup may take a long time, so if thousands of such requests are sent to the server every second, the Web server and the back-end database server receiving them become very busy, and your service is unable to process other requests in a timely manner.
Buggy code on your computer makes a denial of service attack easier. For example, suppose a Web service goes into production with a bug such that, when a particular kind of error occurs, a message box is displayed. A hacker can send a relatively small number of requests to your computer to make that message box appear. This blocks all of the threads processing requests and therefore effectively prevents anyone else from accessing your service.
