Subject: Issue 389: Detection of Duplicate IDs


One of the goals for SOAP processing is to allow processing without schema 
validation. Processing of ID attributes and ID references requires 
knowledge of which attributes are of ID type. Different processing 
components/layers may be aware of different subsets of ID attributes. For 
example, the WSS processing component would likely know that:
        wsu:Id is a global ID,
        ID is a local ID in the context of XML Signature and XML 
Encryption elements,
        AssertionID is a local ID in the context of Security Tokens based 
on SAML 1.1 Assertions,
        ID is a local ID in the context of Security Tokens based on SAML 
2.0 Assertions.
Other header or application processing components may be aware of other ID 
attributes.

Even when processing components are aware of and expected to treat certain 
attributes as IDs, they may not use XML Schema validation to do so. This 
might unintentionally allow duplicate ID values to go undetected.

Following are some simple examples which illustrate problems that may occur 
due to inconsistent processing of ID attributes by different layers:

In the following message the originator/signer created a SOAP Body 
containing "Goodbye". An adversary intercepted the message and moved the 
signed content and replaced it. Since the wsse:Security header processing 
scans the message in order, the first instance of an ID attribute with the 
value "theBody" is used. However, the application bases its processing on 
the actual SOAP Body.

<soap:Envelope>
   <soap:Header>
      <wsse:Security>
         <ds:Signature>
            references "#theBody"
         </ds:Signature>
      </wsse:Security>
      <soap:Body wsu:Id="theBody">Goodbye</soap:Body>
   </soap:Header>
   <soap:Body wsu:Id="theBody">Hello</soap:Body>
</soap:Envelope>

In the following message the originator/signer created a SOAP Body 
containing IDREFs to elements in the soap:Header. An adversary intercepted 
the message and added an element with a duplicate ID value. Since the 
wsse:Security header processing scans the message in order, the first 
instance of an ID attribute with the value "theDestinationAccount" is 
used. However, since the soap:Body processing scans the message in reverse 
order, the second ID is used.

<soap:Envelope>
   <soap:Header>
      <wsse:Security>
         <ds:Signature>
            references "#theBody", "#theOriginAccount", and 
"#theDestinationAccount"
         </ds:Signature>
      </wsse:Security>
      <accountInfo wsu:Id="theOriginAccount">
         <bankId>Bank Of America</bankId>
         <number>123456</number>
         <pin>7890</pin>
      </accountInfo>
      <accountInfo wsu:Id="theDestinationAccount">
         <bankId>Bank Of New York</bankId>
         <number>654321</number>
         <pin>0987</pin>
      </accountInfo> 
      <accountInfo wsu:Id="theDestinationAccount">
         <bankId>BANK OF NIGERIA</bankId>
         <number>666666</number>
         <pin>6666</pin>
      </accountInfo>
   </soap:Header>
   <soap:Body wsu:Id="theBody">
      <fundTransfer amount="1000000.00" units="USD">
         <originAccount idref="#theOriginAccount"/>
         <destinationAccount idref="#theDestinationAccount"/>
      </fundTransfer>
   </soap:Body>
</soap:Envelope>

The problems described in the above messages can be avoided by having the 
wsse:Security processing check for duplicate ID values for the ID 
attributes that it is aware of. However, the following alternate form of 
the second message relies on the fact that the wsse:Security processing 
does not know about "myID" and the SOAP Body processing treats myID with 
higher priority than wsu:Id.

<soap:Envelope>
   <soap:Header>
      <wsse:Security>
         <ds:Signature>
            references "#theBody", "#theOriginAccount", and 
"#theDestinationAccount"
         </ds:Signature>
      </wsse:Security>
      <accountInfo wsu:Id="theOriginAccount">
         <bankId>Bank Of America</bankId>
         <number>123456</number>
         <pin>7890</pin>
      </accountInfo>
      <accountInfo wsu:Id="theDestinationAccount">
         <bankId>Bank Of New York</bankId>
         <number>654321</number>
         <pin>0987</pin>
      </accountInfo> 
      <accountInfo myID="theDestinationAccount">
         <bankId>BANK OF NIGERIA</bankId>
         <number>666666</number>
         <pin>6666</pin>
      </accountInfo>
   </soap:Header>
   <soap:Body wsu:Id="theBody">
      <fundTransfer amount="1000000.00" units="USD">
         <originAccount idref="#theOriginAccount"/>
         <destinationAccount idref="#theDestinationAccount"/>
      </fundTransfer>
   </soap:Body>
</soap:Envelope>

I propose that we add the following requirements to the core:

The wsse:Security processing SHOULD check for duplicate ID values from 
among the set of ID attributes that it is aware of. 
The wsse:Security processing SHOULD generate a fault if a duplicate ID 
value is detected.

Question: Are we going to add support for xml:id 
(http://www.w3.org/TR/xml-id/) to Section 4?

Thanks,
Mike

Michael McIntosh
Web Services Security Group
Security, Networking, and Privacy Department
IBM Research
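The duplicate-ID check proposed in the message above, as an added example that is not part of the original post or of any WSS implementation. It treats wsu:Id and xml:id as global IDs and ID/AssertionID as local IDs on XML Signature, XML Encryption and SAML elements, exactly the subset the message lists, and runs over a constructed message modelled on the first example; the namespace URIs are the standard WSS/DSig/SAML ones, the message content is constructed.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XML_NS = "http://www.w3.org/XML/1998/namespace"

def id_value(elem):
    """ID value of elem under the rules listed in the message, or None."""
    ns = elem.tag.split("}")[0][1:] if elem.tag.startswith("{") else ""
    # wsu:Id and xml:id are IDs on any element.
    for attr in (f"{{{WSU}}}Id", f"{{{XML_NS}}}id"):
        if attr in elem.attrib:
            return elem.attrib[attr]
    # Unqualified ID is an ID only on DSig, XEnc and SAML 2.0 elements.
    if ns in (DS, XENC, SAML2) and "ID" in elem.attrib:
        return elem.attrib["ID"]
    # AssertionID is an ID only on SAML 1.1 elements.
    if ns == SAML1 and "AssertionID" in elem.attrib:
        return elem.attrib["AssertionID"]
    return None

def find_duplicate_ids(xml_text):
    """Set of known-ID values occurring more than once (empty means none)."""
    seen, dup = set(), set()
    for elem in ET.fromstring(xml_text).iter():
        v = id_value(elem)
        if v is not None:
            (dup if v in seen else seen).add(v)
    return dup

def check_or_fault(xml_text):
    """Raise (the 'generate a fault' behaviour) if any known ID is duplicated."""
    dup = find_duplicate_ids(xml_text)
    if dup:
        raise ValueError("duplicate ID values: " + ", ".join(sorted(dup)))

# Constructed message: the first example from the post, with namespaces filled in.
ATTACK_MSG = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security><ds:Signature><ds:SignedInfo><ds:Reference URI="#theBody"/></ds:SignedInfo></ds:Signature></wsse:Security>
    <soap:Body wsu:Id="theBody">Goodbye</soap:Body>
  </soap:Header>
  <soap:Body wsu:Id="theBody">Hello</soap:Body>
</soap:Envelope>"""
```

Replacing the header copy's wsu:Id with an attribute the checker does not know (the message's "myID" case) makes the duplicate invisible to this check, which is the limitation the post describes.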

