ByteOS Network

CAPEC-51:Poison Web Service Registry

Attack Pattern ID:51

Version:v3.9

Attack Pattern Name:Poison Web Service Registry

Abstraction:Detailed

Status:Draft

Likelihood of Attack:High

Typical Severity:Very High

Details Content History Related Weaknesses Reports

▼Description

SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.

▼Extended Description

WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol.

▼Relationships

Nature	Type	ID	Name
ChildOf	S	203	Manipulate Registry Information

Nature: ChildOf

Type: Standard

ID: 203

Name: Manipulate Registry Information

▼Execution Flow

Explore

Find a target SOA or Web Service

The adversary must first indentify a target SOA or Web Service.

Experiment

Determine desired outcome

Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to effect the webservice.

Technique
An adversary can perform a denial of service attack on a web service.
An adversary can redirect requests or responses to a malicious service.

Determine if a malicious service needs to be created

If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.

Technique
Create a service to that requests are sent to in addition to the legitimate service and simply record the requests.
Create a service that will give malicious responses to a service provider.
Act as a malicious service provider and respond to requests in an arbitrary way.

Exploit

Poison Web Service Registry

Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.

Technique
Intercept and change WS-Adressing headers to route to a malicious service or service provider.
Provide incorrect information in schema or metadata to cause a denial of service.
Delete information about service procider interfaces to cause a denial of service.

▼Prerequisites

The attacker must be able to write to resources or redirect access to the service registry.

▼Skills Required

Low

To identify and execute against an over-privileged system interface

▼Resources Required

Capability to directly or indirectly modify registry resources

▼Consequences

Scope	Likelihood	Impact	Note
ConfidentialityIntegrityAvailability	N/A	Execute Unauthorized Commands	Run Arbitrary Code
Confidentiality	N/A	Read Data	N/A
Integrity	N/A	Modify Data	N/A

Scope: Confidentiality, Integrity, Availability

Likelihood: N/A

Impact: Execute Unauthorized Commands

Note: Run Arbitrary Code

Scope: Confidentiality

Likelihood: N/A

Impact: Read Data

Note: N/A

Scope: Integrity

Likelihood: N/A

Impact: Modify Data

Note: N/A

▼Mitigations

Design: Enforce principle of least privilege

Design: Harden registry server and file access permissions

Implementation: Implement communications to and from the registry using secure protocols

▼Example Instances

▼Related Weaknesses

ID	Name
CWE-285	Improper Authorization
CWE-693	Protection Mechanism Failure
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ID: CWE-285

Name: Improper Authorization

ID: CWE-693

Name: Protection Mechanism Failure

ID: CWE-74

Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')