Introduction
Service-Oriented Architecture (SOA) is a paradigm for reorganizing or reusing existing applications as web services. Web services are self-describing, platform-independent computational elements that are accessible through standard interfaces; they can be assembled into complex compositions using standard messaging protocols (Rolland, 2010). In an SOA environment, one has to integrate various web services and enable secure conversation among them in order to deliver agile Business to Business (B2B) and Business to Consumer (B2C) applications. One way web services communicate is through an Extensible Markup Language (XML) message format called Simple Object Access Protocol (SOAP) (the reference given here, w3.org/TR/xpath20/, is actually the XPath 2.0 specification; SOAP itself is specified by the W3C SOAP recommendation). Web services use SOAP to tie heterogeneous business systems together, which gives organizations the opportunity to create and deploy distributed applications without being concerned about the hardware platform, the operating system (OS), the programming language or the network topology (Liu, 2008). SOAP thus provides platform and language neutrality.
The challenging part of system integration is exchanging SOAP messages in a secure and meaningful manner. These messages are highly prone to attacks that lead to issues such as unauthorized access and identity theft. Such attacks are referred to as XML rewriting attacks (Sinha, 2008). Rewriting attacks are also called wrapping attacks because they change the content of a SOAP message without invalidating its signature (Gajek, 2009). A rewriting attack injects a faked element into the structure of the SOAP message so that the valid signature still covers the unmodified element while the faked one is what the application logic processes. The application locates the message body by its position in the document (the path /Envelope/Body), whereas the signature is validated against whichever element carries the referenced Id attribute (for example wsu:Id). This Id referencing scheme is what creates the scope for rewriting attacks: the attacker moves the signed element elsewhere in the envelope (typically inside a wrapper element in the Header), where it still satisfies the Id reference, and places an unsigned element of the attacker's choosing at the original path. As a result, an attacker can perform an arbitrary web service request while appearing to be a legitimate user. The challenge is to provide a solution to rewriting attacks. (McIntosh, 2005) showed that the content of a SOAP message protected by an XML Signature as specified in WS-Security can be altered without invalidating the signature. The XML rewriting attack is possible because the referencing schemes used to locate parts of a SOAP message document differ between the signature verification function and the application logic (Gajek, 2009). Three types of rewriting attacks are considered: replay attacks, redirection attacks and multiple security header attacks. (Sinha, 2008) lists the types of rewriting attacks and their impact on SOAP messages.
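The mismatch described above, as an added, runnable example that is not part of the original article or any of the cited works. The SOAP message, element names and the wsu:Id value are constructed for the example; a SHA-256 digest over a position-independent canonical form of the referenced element stands in for the ds:Reference/ds:DigestValue and SignatureValue of a real WS-Security XML Signature (C14N canonicalization and the keyed signature are omitted, which does not change the outcome, since the attack never modifies the signed bytes). The code shows the Id-based verification accepting the wrapped message while the path-based application logic reads the attacker's Body, and then one countermeasure: refusing the message unless the element the signature covers is the very element the application is about to process.

```python
"""Added example (not from the paper): a minimal XML rewriting (wrapping)
attack against a SOAP Body signed by Id reference, and the check that makes
signature verification and application logic agree on the same element.

Assumptions of this example: the digest below stands in for XML-DSig; the
message, Ids and element names are constructed here.
"""
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
NS = {"soap": SOAP, "wsu": WSU}
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample request; the signature reference (modelled out-of-band
# in sign_body/verify_signature) names the Body through wsu:Id="body".
ORIGINAL = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header><Security/></soap:Header>
  <soap:Body wsu:Id="body">
    <Transfer><Amount>10</Amount><To>alice</To></Transfer>
  </soap:Body>
</soap:Envelope>"""


def parse(xml_text):
    return ET.fromstring(xml_text)


def canonical(elem):
    """Position-independent serialization: tag, sorted attributes, text and
    children. Ancestors and tail whitespace are excluded, which is exactly
    why moving the element to another place does not change its digest."""
    parts = [elem.tag.encode()]
    parts += [f"@{k}={v}".encode() for k, v in sorted(elem.attrib.items())]
    parts.append((elem.text or "").strip().encode())
    parts += [canonical(child) for child in elem]
    return b"\x00".join(parts) + b"\x01"


def find_by_id(root, ref_id):
    """Signature side: resolve a '#id' reference anywhere in the document."""
    return [e for e in root.iter() if e.get(WSU_ID) == ref_id]


def body_by_path(root):
    """Application side: the Body is the direct child /Envelope/Body."""
    return root.find("soap:Body", NS)


def sign_body(root, ref_id="body"):
    (elem,) = find_by_id(root, ref_id)
    return {"id": ref_id, "digest": hashlib.sha256(canonical(elem)).hexdigest()}


def verify_signature(root, signature):
    """Id-referencing verification: whichever element carries the Id is
    digested, wherever it now sits in the envelope."""
    matches = find_by_id(root, signature["id"])
    return (len(matches) == 1 and
            hashlib.sha256(canonical(matches[0])).hexdigest() == signature["digest"])


def application_view(root):
    """What the business logic acts on: (To, Amount) from the path-located Body."""
    transfer = body_by_path(root).find("Transfer")
    return transfer.findtext("To"), transfer.findtext("Amount")


def wrap_attack(xml_text, new_to, new_amount):
    """Move the signed Body, Id and content untouched, under an attacker-chosen
    Header/Wrapper element and plant an unsigned Body at the original path."""
    root = parse(xml_text)
    header = root.find("soap:Header", NS)
    signed_body = body_by_path(root)
    root.remove(signed_body)
    ET.SubElement(header, "Wrapper").append(signed_body)
    fake_body = ET.SubElement(root, f"{{{SOAP}}}Body")   # deliberately no wsu:Id
    transfer = ET.SubElement(fake_body, "Transfer")
    ET.SubElement(transfer, "Amount").text = new_amount
    ET.SubElement(transfer, "To").text = new_to
    return root


def hardened_verify(root, signature):
    """Countermeasure: accept only if the element the signature covers is the
    same object the application will process, i.e. path and Id agree."""
    if not verify_signature(root, signature):
        return False
    return find_by_id(root, signature["id"])[0] is body_by_path(root)


def demo():
    original = parse(ORIGINAL)
    signature = sign_body(original)
    attacked = wrap_attack(ORIGINAL, new_to="mallory", new_amount="10000")
    return {
        "original_valid": verify_signature(original, signature),
        "original_view": application_view(original),
        "attacked_valid": verify_signature(attacked, signature),    # still True
        "attacked_view": application_view(attacked),                # attacker's values
        "original_hardened": hardened_verify(original, signature),
        "attacked_hardened": hardened_verify(attacked, signature),  # rejected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The identity check in hardened_verify is the simplest form of the general remedy implied by the text: make the signature verifier and the application logic use the same way of locating the protected element. In a real stack the same goal is reached by verifying against the element actually dispatched to the service rather than against whatever element happens to carry the Id.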