Tuesday, May 12, 2015

How to attack XML Encryption in IBM Datapower (and other Web Services) with WS-Attacker


WS-Attacker is a penetration testing tool, whose aim is to test Web Service specific attacks. It provides attacks, which are far beyond typical Web attacks like SQL injection and XSS. For example, in last blog post, WS-Attacker and its XML Signature wrapping attacks were introduced: http://web-in-security.blogspot.de/2015/04/introduction-to-ws-attacker-xml.html

Today, we released a new version of our WS-Attacker framework: https://github.com/RUB-NDS/WS-Attacker

The new version includes some additional features and bug fixes. For example, WS-Attacker now allows you to define an HTTP/HTTPS proxy for forwarding the generated XML attack messages. This gives you the opportunity to send all the WS-Attacker messages through BurpSuite or OWASP ZAP, and analyze their content or resend them to the Web Service.

However, most importantly, the newest WS-Attacker version includes a plugin for automatic XML Encryption attacks. The plugin was implemented by our student Dennis Kupser.

In this blog post, I am going to show you how to use the plugin to attack an IBM Datapower Web Service and decrypt an encrypted content. Please note that these attacks are also applicable to other services as well.

Beliebte Posts