How to take steps to prevent XML signature wrapping or re-writing


Security is one of the key concerns that is often expressed about the cloud, and it is preventing many customers from moving their IT assets over to it. They are particularly wary of the public cloud when it comes to hosting and storing sensitive data, but in most respects the cloud is safe.

This doesn’t mean that cloud doesn’t have its weaknesses. It does, and one was demonstrated by last year's attack from the Horst Goertz Institute of the Ruhr-University Bochum.

Experts at the institute showed that it was possible to hijack some live dummy Amazon Web Services (AWS) accounts using XML signature wrapping (also known as signature re-writing), and they also took advantage of some cross-site scripting (XSS) vulnerabilities.

So how did they go about testing for this flaw? They specifically set up some live dummy accounts as part of the demonstration. This is because, to access the cloud, there has to be an interface between the servers and the customers, who use things like websites to access all kinds of data – including transactional details such as an individual’s purchasing history from their Christmas shopping on Amazon.

Involving two interfaces

Juraj Somorovsky, a scientific researcher at the institute, says they focused on two interfaces: the first is the website a user logs into, and the second is the Simple Object Access Protocol (SOAP) interface, alongside another called REST, or Representational State Transfer. “The users communicate with SOAP interfaces using XML-based SOAP messages, and these are secured with XML signatures”, he explains. In other words, the signatures help to protect the authenticity and integrity of the exchanged data.

“This means that these messages can only be generated by authenticated users and they cannot be modified by any attackers, but it’s possible to apply the so-called XML signature wrapping attacks to these messages and insert arbitrary content”, he says. His team did this, and the inserted content was then executed by the Amazon cloud interface. The result is that the attacker gains full control over the user’s cloud.

He then explains that vulnerabilities also lie in wait in the web interfaces, which are traditional, bog-standard websites. Cross-site scripting attacks were used on the AWS website interface. “By doing this we could place malicious content on the website and thereby get the user’s credentials – like passwords – from certificates and cookies”, he comments. This allows an attacker to gain complete control over the cloud. After breaking the AWS security system, the institute’s team informed Amazon about the issue and the company took action to fix the flaw. Somorovsky’s team tested the system again and verified that the vulnerabilities no longer existed, but the same weaknesses could still affect other cloud providers.

Other cloud providers

"There are other cloud providers that could be affected by signature wrapping attacks, and the problem arises with single sign-on systems that are XML-based and those based on the Security Assertion Markup Language (SAML), as they are just as vulnerable to attack", he reveals. SOAP interfaces are also used in the Eucalyptus cloud computing software, and the team found that they could attack this particular cloud too. So Somorovsky and his colleagues are working with cloud providers to avert these attacks. This is important because he claims that 80-90 percent of all systems are vulnerable to signature wrapping attacks, but for various reasons they aren’t adequately considered by developers.

Yet since the publication of his team’s report, All Your Clouds Are Belong to Us – Security Analysis of Cloud Management Interfaces, he says that developers have begun to do their utmost to find these security flaws in their systems. This has become possible because they are now more aware of the attacks. He would nevertheless like to show legitimate developers how to handle them, because they aren’t easy to manage. There is a need for more developer training too, and for the development of best practices to prevent signature wrapping and cross-site scripting attacks.

Prevention costs less

Prevention is not only better than seeking a cure, it can also be less costly. In March 2011 the Ponemon Institute said that the cost of data breaches had risen for the third consecutive year. In the UK during 2010 the average cost of a breach was £1.9m, or £71 per record, which represents an increase of 13 percent over 2009 and an 18 percent increase over 2008.

Mark Skilton, Global Director of Cloud Computing at Cap Gemini’s Commercial Service Office, cites a Symantec report which adds that the incident size involved between 6,900 and 72,000 records. The cost of the breach ranged from £36,000 to £6.2m. It was also revealed that the most expensive incident’s costs increased by £2.3m compared to 2009.

Skilton stresses that the Horst Goertz Institute’s report is “not saying that public clouds are not a viable option because of the AWS incident as it just means that the management and use of security standards need to evolve.” In his view there is a need for tougher ‘trust policy management’ and a “range of measures is required to improve end point protection.”

He adds that the test confirmed what has been known for some time about web services security and also about X.509 PKI public keys, and says the International Standards Organisation (ISO) and other standards bodies are “working on a number of web services extensions to account for cloud computing usage - such as ISO JTC38.”

Tips for preventing the attacks

So what do they advise in order to prevent XML signature wrapping and cross-site scripting attacks? The following will help your own organisation to keep its cloud-based systems secure:

  1. Follow the Open Web Application Security Project (OWASP) guidelines;
  2. Use strict XSS filtering as part of input validation;
  3. Study XML signature wrapping attacks and create guidelines to help your organisation mitigate them;
  4. Educate developers so that they learn how to manage and prevent these attacks;
  5. Implement standards for stronger scripting in the web service;
  6. Have a strict receiver-side security policy;
  7. Define a sender-side specification of the security policy;
  8. Improve quality control of the certification;
  9. Review ‘Trust Domain’ policy;
  10. Consider the usage of non-SOAP protocols like REST.
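The receiver-side policy in tips 6 and 7 is what defeats the wrapping Somorovsky describes above (a signed element relocated and replaced). This is an added example, not code from the institute or from Amazon: it assumes WS-Security style wsu:Id attributes and a single ds:Reference, and checks structure only, leaving cryptographic verification of the signature to the XML-DSig library.

```python
# Added example (not the institute's or AWS's code): a receiver-side policy
# check against XML signature wrapping. It does not verify the signature value;
# it enforces that the element named by the single ds:Reference is the one and
# only element with that Id AND is the Envelope/Body the application processes.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def check_signed_body(xml_text):
    """Return (ok, reason) for a SOAP envelope; ok only if the structural
    policy holds. Signature verification itself is out of scope here."""
    root = ET.fromstring(xml_text)
    refs = root.findall(".//{%s}Reference" % DS)
    if len(refs) != 1:
        return False, "expected exactly one ds:Reference, got %d" % len(refs)
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return False, "only same-document fragment URIs are accepted"
    wanted = uri[1:]
    matches = [e for e in root.iter() if e.get("{%s}Id" % WSU) == wanted]
    if len(matches) != 1:
        return False, "Id %r must be unique, found %d" % (wanted, len(matches))
    # The element the application consumes is the direct child Body of the
    # Envelope; the signed element must be that very object, not a lookalike.
    if matches[0] is not root.find("{%s}Body" % SOAP):
        return False, "signed element is not the Envelope/Body being processed"
    return True, "ok"

# Constructed sample messages (signature values omitted; only structure matters).
GOOD = """<s:Envelope xmlns:s="%s" xmlns:ds="%s" xmlns:wsu="%s">
 <s:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>
 </ds:SignedInfo></ds:Signature></s:Header>
 <s:Body wsu:Id="body-1"><Op/></s:Body>
</s:Envelope>""" % (SOAP, DS, WSU)

# Wrapped shape: the signed Body is moved under the Header and an unsigned
# Body takes its place, so the Reference still resolves but to the wrong node.
WRAPPED = """<s:Envelope xmlns:s="%s" xmlns:ds="%s" xmlns:wsu="%s">
 <s:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>
 </ds:SignedInfo></ds:Signature>
 <Wrapper><s:Body wsu:Id="body-1"><Op/></s:Body></Wrapper></s:Header>
 <s:Body><OtherOp/></s:Body>
</s:Envelope>""" % (SOAP, DS, WSU)
# Same, but the substituted Body reuses the signed Id (caught by uniqueness).
DUP = WRAPPED.replace("<s:Body><OtherOp/>", '<s:Body wsu:Id="body-1"><OtherOp/>')
```

Run the check before the signature library resolves the Reference, and have the application read the Body only from the same parsed tree the check inspected.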

There is a range of reports available that provide further information about these kinds of attacks and how to deal with them. For example, Skilton recommends one by Ralph Holz et al., entitled ‘The SSL Landscape – A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements’. It discusses, amongst other things, how the PKI certification process is not conducted with enough rigour.

It’s also worth checking out Amazon’s website, which illustrates the point about AWS accounts as it provides information about their security credentials. The company says that X.509 certificates should be used to secure SOAP protocol requests to AWS service APIs. It mentions other protocols too, like REST or Query, which need to be considered.

By thinking about them, and by putting measures in place, it will be possible to avoid any calamities like the one that was faced by HSBC. According to Market Watch, the company was fined $5.2m over lost customer data.

Skilton thinks that the cost of this kind of breach is likely to keep rising, so developers need to be more alert than they might otherwise have been to XML signature wrapping and cross-site scripting (XSS) attacks in order to keep ahead of the cloud hijackers.

By being proactive they will make the cloud more attractive to potential cloud customers and improve the cloud’s image. This can only be good for cloud providers like Amazon as it will stimulate business.