XML Rewriting Attacks: Existing Solutions and their Limitations

Azzedine Benameur 1, Faisal Abdul Kadir 2, Serge Fenet 3
1 SILEX - Supporting Interaction and Learning by Experience
LIRIS - Laboratoire d'InfoRmatique en Image et Systèmes d'information
3 R3AM - Rendu Réaliste pour la Réalité Augmentée Mobile
LIRIS - Laboratoire d'InfoRmatique en Image et Systèmes d'information
Abstract: Web Services are web-based applications made available to web users or remote Web-based programs. To promote interoperability, they publish their interfaces in a so-called WSDL file and allow remote calls over the network. Although Web Services can be used in different ways, the industry standard is Service Oriented Architecture Web Services, which do not rely on implementation details. In this architecture, communication is performed through XML-based messages called SOAP messages. However, those messages are prone to attacks that can lead to code injection, unauthorized access, identity theft, etc. These attacks, called XML Rewriting Attacks, are all based on unauthorized, yet possible, modifications of SOAP messages. In this paper we explain this kind of attack, review the existing solutions, and show their limitations. We also propose some ideas to secure SOAP messages, as well as implementation ideas.
Document type:
Conference paper
IADIS Applied Computing 2008, Apr 2008, Algarve, Portugal. IADIS Press, pp.1-9, 2008

https://hal.archives-ouvertes.fr/hal-01500703
Contributor: Équipe Gestionnaire Des Publications Si Liris
Submitted on: Monday, April 3, 2017 - 15:44:00
Last modified on: Wednesday, October 31, 2018 - 12:24:25

Identifiers

  • HAL Id: hal-01500703, version 1

Citation

Azzedine Benameur, Faisal Abdul Kadir, Serge Fenet. XML Rewriting Attacks: Existing Solutions and their Limitations. IADIS Applied Computing 2008, Apr 2008, Algarve, Portugal. IADIS Press, pp.1-9, 2008. 〈hal-01500703〉
