How to take steps to prevent XML signature wrapping or re-writing

Graham Jarvis Advice
20 Feb, 2012

The attack on AWS last year revealed a few fears about cloud computing. How can such attacks be thwarted?

Security is one of the key concerns that is often expressed about the cloud, and it is preventing many customers from moving their IT assets over to it. They are particularly wary of the public cloud when it comes to hosting and storing sensitive data, but in most respects the cloud is safe.

This doesn’t mean that the cloud doesn’t have its weaknesses. It does, and one was demonstrated by last year's attack from the Horst Goertz Institute of the Ruhr-University Bochum.

Experts at the institute showed that it was possible to hijack some live dummy Amazon Web Services (AWS) accounts using XML signature wrapping (also known as re-writing), and they also took advantage of some cross-site scripting (XSS) vulnerabilities.

So how did they go about testing for this flaw? They specifically set up some live dummy accounts as part of the demonstration. This is because to access the cloud there has to be an interface between the servers and the customers, who use things like websites to access all kinds of data – including transactional details like an individual’s purchasing history of their Christmas shopping on Amazon.

Involving two interfaces
Juraj Somorovsky, a scientific researcher at the institute, says they focused on two interfaces: the first occurs when a user logs into a website, and the second is the Simple Object Access Protocol (SOAP), alongside another one called REST, or Representational State Transfer. “The users communicate with SOAP interfaces using XML-based SOAP messages, and these are secured with XML signatures”, he explains. In other words, the signatures help to protect the authenticity and integrity of the exchanged data.

“This means that these messages can only be generated by authenticated users and they cannot be modified by any attackers, but it’s possible to apply the so-called XML signature wrapping attacks to these messages and insert arbitrary content”, he says. His team did exactly this, and the inserted content was then executed by the Amazon cloud interface. The result is that the attacker gains full control over the user’s cloud.
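The wrapping attack succeeds when the element the signature covers and the element the service actually executes are not the same. One defensive check, added here as an example and not part of the institute's work or Amazon's code, is to resolve each signature Reference and confirm it points to exactly one element, and that this element is the Envelope's own soap:Body that will be dispatched; the messages are constructed and the cryptographic signature verification is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed SOAP message: the Body carries wsu:Id="body" and the Signature
# in the Header references it via URI="#body" (digest/signature values are dummies).
SIGNED = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:ds="{DS_NS}" xmlns:wsu="{WSU_NS}">
  <soap:Header>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#body"><ds:DigestValue>Zm9v</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>YmFy</ds:SignatureValue></ds:Signature>
  </soap:Header>
  <soap:Body wsu:Id="body"><DescribeImages/></soap:Body>
</soap:Envelope>"""

# Constructed wrapped variant used as a test input: the signed Body is parked
# under a wrapper in the Header (so the digest still matches) and an unsigned
# Body with a different operation takes its place.
WRAPPED = SIGNED.replace(
    '<soap:Body wsu:Id="body"><DescribeImages/></soap:Body>',
    '<soap:Body><RunInstances/></soap:Body>').replace(
    '</soap:Header>',
    '<Wrapper><soap:Body wsu:Id="body"><DescribeImages/></soap:Body></Wrapper>'
    '</soap:Header>')

def id_attrs(elem):
    """Values of all ID-like attributes (Id, ID, wsu:Id, ...) on an element."""
    return [v for k, v in elem.attrib.items()
            if k in ("Id", "ID", "id") or k.endswith("}Id") or k.endswith("}ID")]

def signed_body_is_dispatched_body(xml_text):
    """True only if every Reference resolves to exactly one element and that
    element is the Envelope's direct soap:Body, i.e. the one that gets executed."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    refs = root.findall(f".//{{{DS_NS}}}Reference")
    if body is None or not refs:
        return False
    for ref in refs:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document ID references are accepted here
        matches = [e for e in root.iter() if uri[1:] in id_attrs(e)]
        # Reject duplicate IDs and any signed element that is not the dispatched Body.
        if len(matches) != 1 or matches[0] is not body:
            return False
    return True
```

Running the check on both messages accepts SIGNED and rejects WRAPPED, because the element carrying the referenced Id is no longer the Body the service would act on.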

He then explains that vulnerabilities also lie in wait in the web interfaces, which are traditional, bog-standard websites. Cross-site scripting attacks were used on the AWS website interface. “By doing this we could place malicious content on the website and thereby get the user’s credentials, like passwords, from certificates and cookies”, he comments. This allows an attacker to gain complete control over the cloud. After breaking the AWS security system, the institute’s team informed Amazon about the issue and the company took action to fix this flaw. Somorovsky’s team tested the system again and verified that the vulnerabilities no longer existed, but they could still affect other cloud providers.
