| Name |
Utilizing REST's Trust in the System Resource to Obtain Sensitive Data |
|
| Likelyhood of attack |
Typical severity |
| Medium |
Very High |
|
| Summary |
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme. |
| Prerequisites |
Opportunity to intercept must exist beyond the point where SSL is terminated. The attacker must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path. |
| Solutions | Implementation: Implement message level security such as HMAC in the HTTP communication Design: Utilize defense in depth, do not rely on a single security mechanism like SSL Design: Enforce principle of least privilege |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-287 |
Improper Authentication |
| CWE-300 |
Channel Accessible by Non-Endpoint |
| CWE-693 |
Protection Mechanism Failure |
| CWE-724 |
OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-157 |
In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Man-In-The-Middle attacks (CAPEC-94), but are entirely passive. MITM attacks are predominantly active and often alter the content of the communications themselves. |
|