OWASP WS Amplification DoS Project

From OWASP
Jump to: navigation, search


OWASP Inactive Banner.jpg

Contents

Main

Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper The aim of the project is to investigate web service frameworks and develop tools to test this vulnerability and determine the threat magnitude on a global scale.


Ideas, development and all other contributions are more than welcome. This page will be updated with the current progress and to-do's. Feel free to contact the project leader for any questions.

Attack scenario

In the image below, the possible attack scenario is depicted. Very similar to the DNS amplification attack, the attacker commands a botnet to access a third party, here, a webservice. The request to the webservice contains a WS-Addressing header that specifies the victim's address as the ReplyTo or FaultTo address. The webservice replies to this address with a message that is potentially larger in size than the original request, effectively amplifying the attack. 800

Vulnerability investigation

To determine the magnitude of this vulnerability, the project works on two paths:

  • Development of a tool that can test public webservices and determine their number and amplification factor
  • Look into the different webservice frameworks (Axis, CXF, .NET, ...) and find out their WS-Addressing behaviour.

Tool to determine threat magnitude

The tool contains 3 parts:

  • Webservice crawler (WSA_spoof.py)
    • Finds webservices and their corresponding WSDLs
  • Webservice client generator (WSA_spoof.py)
    • Generates a client from the WSDL and sends an empty request with a WS-Addressing header, with a ReplyTo that points to the Google App
  • Public reply logger (GoogleApp_code.py - Google App)
    • Public reachable web application that listens to incoming requests and logs them.

In the image below, the last two parts are displayed. Development of these has started as a draft here.

800

Main TO-DO list

  • In order to properly research this threat, we need to crawl or find public accessible webservices. The former big UDDI registers have all been shut down.
    • Currently, a 'simple' Google search is used to track down public webservices.
  • Further develop the tool.
    • A draft of the spoofing and Google App is made in Python. Can be found here.

WS-Addressing default behaviours

In order to get a grasp of the magnitude of this threat, it is also necessary to be aware of the default behaviour and settings in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable it without the user specifying the need for it. Potentially creating a lot of web services that are unnecessarily prone to abuse.

Axis2

Axis2 enables WS-Addressing by default, as stated here

CXF

CXF supports WS-Addressing, but explicit configuration is required to enable it.

JAX-WS & Metro

Metro is based on the JAX-WS API. The documentation says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header. "

.NET Framework

.NET/WCF supports WS-Addressing, but the default behaviour on a RepyTo field is unclear.

Main TO-DO list

  • More information about .NET/WCF is needed.
  • Specifically test a Metro webservice with a random wsa:Action header.

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP WS Amplification DoS Project (home page)
Purpose: The project aims to explore the threat of an Amplification DoS attack that utilises webservices.

Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale. If necessary, a publication involving awareness and countermeasures will follow.

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases