Press release BoxID: 459529 (Deny All)
  • Deny All
  • Ziegelhofweg 11
  • 67227 Frankenthal
  • Contact person
  • Janina Rogge
  • +49 (8152) 999840

XML Encryption broken

Security Research Advisory

(PresseBox) (Frankenthal, ) On October 19, a technique to break XML encryption was presented at the CCS Conference in Chicago. This technique exposes any XML data encrypted via WS-Security to full disclosure. As a consequence it is to be considered as one of the most critical attack ever found against Web Services.

Attack description

The attack intends to brute force encrypted data per block, exploiting several properties of the CBC (Cipher-Block Chaining) operation mode used to encrypt data. 14 requests are necessary to decrypt each byte of data, making the attack very verbose.

The operation is similar to blind attacks techniques and successful exploitation relies on error messages sent by the server in specific circumstances.

These error messages are sent through the standard SOAP fault mechanism. This mechanism sends out two XML elements : and . The latest is exploited in the attack in the case the servers sends back the element below:

WSDoAllReceiver: security processing failed


rWeb 4.0 can natively mitigate the attack by stripping out the and elements in the outgoing traffic, from the Canonization & Transformation panel of XML Security policies.

In rWeb 3.x UBT must be used to prevent multiple accesses to the same Web Service from a single source in a short amount of time.

Deny All

The Deny All Research Center (DARC) is an internal division of Deny All, which focuses on threat analysis and mitigation. Over the last 10 years, this department's research has contributed to the design of state-of-the art Web application security solutions. More information on Deny All can be found at