3. In a new session opened in parallel, an attacker sends the server's challenge from the first session (which is still open).
4. Naturally, the server treats the second session as new and responds with a new encrypted challenge.
5. The attacker uses the server's response from the second session as its own response for the initial session. With a nonzero probability, the server will accept its own response from the second session as a valid handshake and open the connection.
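The reflection sequence in steps 3 to 5, together with the two server-side controls that defeat it, as an added example that is not from the original text. It assumes an HMAC-based challenge-response with a shared key (the text only says "encrypted challenge"); the key, session identifiers and function names are constructed for the example. The two controls are: the answering party's role is bound into every response, so a value the server computed can never pass as a client response; and the server refuses to answer a challenge it itself issued and still has outstanding.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example: a shared secret between client and server (assumption).
SHARED_KEY = b"example-shared-secret-not-real"


def prove(key: bytes, role: str, challenge: bytes) -> bytes:
    """Answer a challenge; the answering party's role is part of the MAC input,
    so a value the server computed cannot pass as a client's answer."""
    return hmac.new(key, role.encode() + b"|" + challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes, reject_own_challenges: bool = True):
        self.key = key
        self.reject_own_challenges = reject_own_challenges
        self.outstanding: Dict[str, bytes] = {}  # session id -> challenge issued

    def open_session(self, session_id: str) -> bytes:
        challenge = os.urandom(16)
        self.outstanding[session_id] = challenge
        return challenge

    def answer_challenge(self, client_challenge: bytes) -> Optional[bytes]:
        """Mutual authentication: the server proves itself to the client.
        A challenge the server itself issued and still has outstanding is refused."""
        if self.reject_own_challenges and client_challenge in self.outstanding.values():
            return None
        return prove(self.key, "server", client_challenge)

    def verify_client(self, session_id: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(session_id, None)
        if challenge is None:
            return False
        return hmac.compare_digest(prove(self.key, "client", challenge), response)


def honest_handshake(server: Server) -> bool:
    challenge = server.open_session("s1")
    return server.verify_client("s1", prove(SHARED_KEY, "client", challenge))


def reflected_handshake(server: Server) -> bool:
    """Steps 3-5 from the text: the challenge from session 1 is sent back to the
    server in a parallel session 2, and the server's answer is then replayed
    as the client's response in session 1."""
    c1 = server.open_session("s1")
    server.open_session("s2")
    answer = server.answer_challenge(c1)
    if answer is None:
        return False  # server recognised its own outstanding challenge
    return server.verify_client("s1", answer)


if __name__ == "__main__":
    print("honest:", honest_handshake(Server(SHARED_KEY)))
    print("reflected, both defences:", reflected_handshake(Server(SHARED_KEY)))
    print("reflected, role binding only:",
          reflected_handshake(Server(SHARED_KEY, reject_own_challenges=False)))
```

Role binding alone is sufficient to make the reflected handshake fail; the outstanding-challenge check is a cheap second layer that also gives the server something to log when a reflection is attempted.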
Identity spoofing
The attack code for identity spoofing is AT02.
For the attacker to perform this attack, the identity associated with the message or resource must be removable or modifiable in an undetectable way.
For example, after authentication, a valid REST service user carries their token as part of the URL query string for an extended session, and resource access permission is validated using this token. A user with fewer privileges in a parallel valid session obtains this query string (man-in-the-middle, https://www.owasp.org/index.php/Man-in-the-middle_attack, and eavesdropping, https://www.owasp.org/index.php/Network_Eavesdropping) and modifies the session using the obtained token (or the user ID, if it is sent in the open). They have until the session expires to illegally access the resources.
The entire static section of the query string must be signed. The signed digest can be carried in an HTTP header and enforced by a contracts policy (in the security gateway). In the case of SOAP messages, WS-Security elements for digital signature and encryption must be applied.
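The signed query string described above, as an added example that is not part of the original text: the issuing service signs the static fields of the query string, carries the digest in an HTTP header, and a gateway verifies it before the request reaches the service. The field names, the header names `X-Timestamp`, `X-Nonce` and `X-Digest`, the gateway key and the 300-second validity window are all assumptions made for the example. It goes slightly beyond the paragraph by also covering a timestamp and a nonce under the MAC, so that an intercepted but correctly signed query string cannot simply be resent.

```python
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed example: key shared by the issuing service and the gateway (assumption).
GATEWAY_KEY = b"example-gateway-key-not-real"
SIGNED_FIELDS = ("user", "token", "scope")  # the static section of the query string
MAX_SKEW = 300                              # seconds a signed request stays valid


def canonical(params: Dict[str, str]) -> bytes:
    """Deterministic encoding of the static fields: sorted, so reordering
    parameters in the URL does not change the digest."""
    return urlencode(sorted((k, params[k]) for k in SIGNED_FIELDS)).encode()


def sign_query(params: Dict[str, str], key: bytes, now: int, nonce: str) -> Tuple[str, Dict[str, str]]:
    """Return the query string and the headers carrying the digest. Timestamp and
    nonce are covered by the MAC, so neither can be altered independently."""
    msg = canonical(params) + b"|" + str(now).encode() + b"|" + nonce.encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return urlencode(params), {"X-Timestamp": str(now), "X-Nonce": nonce, "X-Digest": digest}


class Gateway:
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: Dict[str, int] = {}  # nonce -> time after which it may be forgotten

    def verify(self, query: str, headers: Dict[str, str], now: int) -> bool:
        params = dict(parse_qsl(query))
        if not all(f in params for f in SIGNED_FIELDS):
            return False
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            digest = headers["X-Digest"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > MAX_SKEW:
            return False  # outside the window: stale, or replayed much later
        # Forget expired nonces, then reject any nonce already seen inside the window.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if nonce in self.seen_nonces:
            return False
        msg = canonical(params) + b"|" + str(ts).encode() + b"|" + nonce.encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, digest):
            return False  # token, user or scope was modified after signing
        self.seen_nonces[nonce] = ts + MAX_SKEW
        return True


if __name__ == "__main__":
    gw = Gateway(GATEWAY_KEY)
    q, h = sign_query({"user": "alice", "token": "tok123", "scope": "read"}, GATEWAY_KEY, 1_000_000, "n1")
    print("valid:", gw.verify(q, h, 1_000_010))
    print("replayed:", gw.verify(q, h, 1_000_020))
    print("user swapped:", gw.verify(q.replace("user=alice", "user=bob"), h, 1_000_010))
```

The digest stops the obtained token or user ID from being moved to a different identity, and the nonce cache stops the unmodified request from being resent within the window. Neither changes the fact that a token in a query string is still exposed in proxy and server logs and in Referer headers, which is why the digest belongs in a header and the token itself is better kept out of the URL where the design allows it.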
Replay attack
The attack code for the replay attack is AT03.
As we demonstrated earlier, the replay attack is the attacker's bread and butter. Having constructed a message using your XSD, or intercepted one, the attacker modifies the time range in the message (if applicable) and the sequence numbers (if necessary) and resends it, sometimes stripping the signatures (if the policy allows).
This attack has many variations and is not always intended to be successful at the very beginning; gathering response info is the initial target, including session data (as almost any