W3C home > Mailing lists > Public > public-xmlsec@w3.org > December 2010

Signature Wrapping and Namespace Injection

From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Date: 3 Dec 2010 16:04:06 +0100
Message-ID: <4CF906E6.9010203@ruhr-uni-bochum.de>
To: "XMLSec WG Public List" <public-xmlsec@w3.org>
Regarding the long-running Action-538 of mine, I'd say that with the new
Streamable XPath profile we defined the spec provides the necessary
tools to fend signature wrapping attack as good as possible for now.
People most likely won't use it, since it's more easy to stick to
ID-based referencing or more convenient to use full XPath instead of
Streaming XPath, but we're pushing people towards the right direction.
StreamingXPath still allows the use of namespace prefixes in selection
XPaths, hence these signatures will still be exploitable using the
namespace injection technique, but we provide some new features to
counter them. First, we show people how to protect using the
[local-name() and namespace-uri()] predicate style (which is safe to
use), and secondly, we enable handling XPath prefixes in terms of
"visible utilization".

In other words: the threat is still out there, but we've done all we can
to mitigate it. Fending it would require us to mostly throw away our
backwards-compatibility requirement and nearly start from scratch.

Once Pratik's Algorithm for extracting prefixes from XPaths and treating
them as "visibly utilized" is put to the spec, I consider this action
ready to be closed. Finally ;)



Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security 
Horst Görtz Institute for IT-Security 
Ruhr University Bochum, Germany
Universitätsstr. 150, Geb. ID 2/411
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http:// www.nds.rub.de
Received on Friday, 3 December 2010 15:04:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:14 UTC