XML Encryption broken

Security Research Advisory

Frankenthal, (PresseBox) - On October 19, a technique to break XML encryption was presented at the CCS Conference in Chicago. This technique exposes any XML data encrypted via WS-Security to full disclosure. As a consequence it is to be considered as one of the most critical attack ever found against Web Services.

Attack description

The attack intends to brute force encrypted data per block, exploiting several properties of the CBC (Cipher-Block Chaining) operation mode used to encrypt data. 14 requests are necessary to decrypt each byte of data, making the attack very verbose.

The operation is similar to blind attacks techniques and successful exploitation relies on error messages sent by the server in specific circumstances.

These error messages are sent through the standard SOAP fault mechanism. This mechanism sends out two XML elements : <faultcode> and <faultstring>. The latest is exploited in the attack in the case the servers sends back the element below:

<faultstring>WSDoAllReceiver: security processing failed</faultstring>


rWeb 4.0 can natively mitigate the attack by stripping out the <faultcode> and <faultstring> elements in the outgoing traffic, from the Canonization & Transformation panel of XML Security policies.

In rWeb 3.x UBT must be used to prevent multiple accesses to the same Web Service from a single source in a short amount of time.

Deny All

The Deny All Research Center (DARC) is an internal division of Deny All, which focuses on threat analysis and mitigation. Over the last 10 years, this department's research has contributed to the design of state-of-the art Web application security solutions. More information on Deny All can be found at www.denyall.com

Press releases you might also be interested in

Weitere Informationen zum Thema "Sicherheit":

WSUS-Tipps zur Fehlersuche und Fehlerbehebung

Funk­tio­niert die Up­da­te-Ver­tei­lung mit WSUS nicht kor­rekt, kann man mit Tools und ei­ner struk­tu­rier­ten Vor­ge­hens­wei­se über­prü­fen, wo das Pro­b­lem liegt, und wie es sich lö­sen lässt. Wir zei­gen in die­sem Vi­deo-Tipp die kor­rek­te Vor­ge­hens­wei­se zum WSUS-Trou­b­les­hoo­ting und wie man Be­rich­te zum WSUS-Ein­satz ab­ruft.


Subscribe for news

The subscribtion service of the PresseBox informs you about press information of a certain topic by your choice at a choosen time. Please enter your email address to receive the email with the press releases.

An error occurred!

Thank you! You will receive a confirmation email within a few minutes.

I want to subscribe to the gratis press mail and have read and accepted the conditions.