- Jumbo payloads — Sending a very large XML message to exhaust memory and CPU on the target system.
- Recursive elements — XML messages that can be used to force recursive entity expansion (or other repeated processing) to exhaust server resources. An example of this type of attack would be the billion laughs attack that is widely available through the Internet.
- MegaTags — Otherwise valid XML messages containing excessively long element names, or an excessive number of tags. This attack may also lead to buffer overruns.
- Coercive parsing — XML messages specially constructed to be difficult to parse to consume the resources of the machine.
- Public key DoS — Utilizing the asymmetric nature of public key operations to force resource exhaustion on the recipient by transmitting a message with a large number of long-key-length, computationally expensive digital signatures.
- XML flood — Sending thousands of otherwise benign messages per second to tie up a Web service. This attack can be combined with Replay attack to bypass authentication, and with Single message XDoS to increase its impact.
- Resource hijack — Sending messages that lock or reserve resources on the target server as part of a never-completed transaction.
- Dictionary attack — Guessing the password of a valid user using a brute force search through dictionary words.
- Falsified message — Faking that a message is from a valid user, such as by using Man in the Middle to gain a valid message, and then modifying it to send a different message.
- Replay attack — Re-sending a previously valid message for malicious effect, possibly where only parts of the message (such as the security token) are replayed.
Data integrity/Confidentiality
- Message tampering — Modifying parts of a request or response in-flight; most dangerous when undetected (less commonly known as Message alteration).
- Data tampering — Exploiting weakness in the access control mechanism that permits the attacker to make unauthorized calls to the Web service to alter data.
- Message snooping — A direct attack on data privacy by examining all or part of the content of a message. This can happen to messages being transmitted in the clear, transmitted encrypted but stored in the clear, or decryption of messages due to stolen key or cryptoanalysis.
- XPath/XSLT injection — Injection of expressions into the application logic. Newer modifications include Blind XPath injection, which reduces the knowledge required to mount the attack.
- SQL injection — Inserting SQL in XML to obtain additional data than what the service was designed to return.
- WSDL enumeration — Examining the services listed in WSDL to guess and gain access to unlisted services.
- Message snooping — Using SOAP routing header for access to internal Web services.
- Malicious include — Causing a Web service to include invalid external data in output or return privileged files from the server file system. For example, using embedded file: URLs to return UNIX password files or other privileged data to the attacker.
- Memory space breach — Accomplished via stack overflow, buffer overrun, or heap error, enables execution of arbitrary code supplied by the attacker with the permissions of the host process.
- XML encapsulation — Embedding system command in the XML payload, such as through the CDATA tag.
- XML virus (X-Virus) — Using SOAP with attachments or other attachment mechanisms to transmit malicious executables, such as viruses or worms.
Thys Michels Blog 