CAPEC-51: Poison Web Service Registry
SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.
Last updated
Overview
WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find a target SOA or Web Service] The adversary must first indentify a target SOA or Web Service.
- Step 2Experiment
[Determine desired outcome] Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to effect the webservice.
- An adversary can perform a denial of service attack on a web service.
- An adversary can redirect requests or responses to a malicious service.
- Step 3Experiment
[Determine if a malicious service needs to be created] If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.
- Create a service to that requests are sent to in addition to the legitimate service and simply record the requests.
- Create a service that will give malicious responses to a service provider.
- Act as a malicious service provider and respond to requests in an arbitrary way.
- Step 4Exploit
[Poison Web Service Registry] Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.
- Intercept and change WS-Adressing headers to route to a malicious service or service provider.
- Provide incorrect information in schema or metadata to cause a denial of service.
- Delete information about service procider interfaces to cause a denial of service.
What the attacker needs
Prerequisites
- The attacker must be able to write to resources or redirect access to the service registry.
Skills required
- Low skill: To identify and execute against an over-privileged system interface
Resources required
- Capability to directly or indirectly modify registry resources
Consequences
What a successful CAPEC-51 attack can achieve.
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Run Arbitrary Code
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-51.
- Design: Enforce principle of least privilege
- Design: Harden registry server and file access permissions
- Implementation: Implement communications to and from the registry using secure protocols
Examples
WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime. http://example.com/Message http://valid.example/validClient http://evilsite/evilClient http://validfaults.example/ErrorHandler In this example "evilsite" is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with ReplyTo header it will not generate a Soap fault.
Frequently asked questions
Common questions about CAPEC-51.
- What is CAPEC-51?
- SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.
- How does a Poison Web Service Registry attack work?
- It typically unfolds over 4 phases. It begins with: [Find a target SOA or Web Service] The adversary must first indentify a target SOA or Web Service.
- How do you prevent CAPEC-51?
- Design: Enforce principle of least privilege
- What weaknesses does CAPEC-51 target?
- CAPEC-51 exploits 3 CWE weaknesses, including CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-285 (Improper Authorization), CWE-693 (Protection Mechanism Failure).
- How severe is CAPEC-51?
- MITRE rates CAPEC-51 as Very High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-51
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.