
Xpath wrapping attack

From: Pratik Datta <pratik.datta@oracle.com>
Date: Thu, 28 Oct 2010 10:49:38 -0700 (PDT)
Message-ID: <0661fce5-a1d6-41c9-a6ab-2cacf7f26155@default>
To: public-xmlsec@w3.org
Related to my ACTION-680

To prevent the XPath wrapping attack in Exclusive canonicalization, we have modified the definition of "visibly utilizes" in Exclusive canonicalization, so that it also considers prefixes in the XPath expressions.

I.e. if there is an XPath expression like this
  <dsig2:IncludedXPath>/soap:Envelope/soap:Body</dsig2:IncludedXPath>

Then the "soap" prefix will also be considered as visibly utilized. 


Currently we have a mechanism for defining text nodes that may contain a QName, using the <c14n2:QNameAware> element, but this is only for text nodes whose entire content is a QName; it does not do any scanning.  So I propose that we add a new sub-element to QNameAware and call it "<c14n2:XPathElement>". This would be used to identify elements that contain XPaths.

e.g.
<c14n2:QNameAware>
  <c14n2:XPathElement Name="IncludedXPath" NS="http://www.w3.org/2010/xmldsig2#"/>
  <c14n2:XPathElement Name="ExcludedXPath" NS="http://www.w3.org/2010/xmldsig2#"/>
</c14n2:QNameAware>


The C14N 2.0 algorithm will do special processing for all elements identified in such a way, i.e. it will scan the text content for prefixes, ignoring quoted content.

Note this will be an "implicit" parameter, i.e. the signature will always pass in IncludedXPath and ExcludedXPath as QName-aware XPath elements to C14N 2.0, even if they are not specified in the signature. Very much like how we implicitly exclude the Signature element.


Pratik
Received on Thursday, 28 October 2010 17:50:56 GMT
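The prefix scan and its effect on the canonical output, as an added illustration that is not part of the original message or of the C14N 2.0 specification: a Python sketch that extracts prefixes from an XPath expression while skipping quoted literals, adds them to the "visibly utilizes" set for the two implicit IncludedXPath/ExcludedXPath elements, and renders one element under an exclusive-c14n-style rule so that rebinding the soap prefix is visible in the canonical bytes. The Element class, the exc_c14n helper and the attacker namespace URI are assumptions made for this demonstration; only the element's own namespace declarations are modelled, not the full algorithm.

```python
import re
from xml.sax.saxutils import escape

DSIG2_NS = "http://www.w3.org/2010/xmldsig2#"

# The two implicit QNameAware XPathElement parameters from the proposal:
# elements whose text content is an XPath expression to be scanned.
XPATH_ELEMENTS = {(DSIG2_NS, "IncludedXPath"), (DSIG2_NS, "ExcludedXPath")}

# XPath 1.0 string literals have no escape syntax, so a literal is simply
# everything between two matching quotes and is consumed as one token.
# Outside literals a prefix is an NCName followed by a single ':' (a double
# '::' is an axis separator such as child::, not a prefix).  ASCII NCNames
# only; a real implementation would use the full XML name character classes.
_XPATH_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|([A-Za-z_][\w.\-]*):(?!:)""")


def xpath_prefixes(expr):
    """Prefixes used in an XPath expression, ignoring quoted string content."""
    return {m.group(1) for m in _XPATH_TOKEN.finditer(expr) if m.group(1)}


class Element:
    """Minimal model of one element (assumed for this demo, not a spec type)."""

    def __init__(self, prefix, local, in_scope_ns, text="", attrs=()):
        self.prefix = prefix            # "" means the default namespace
        self.local = local
        self.ns = in_scope_ns           # in-scope declarations: prefix -> URI
        self.text = text
        self.attrs = list(attrs)        # (prefix, local, value) triples


def visibly_utilized(el, scan_xpath):
    """Exclusive-c14n 'visibly utilizes' set for one element.  With
    scan_xpath=True the text of IncludedXPath/ExcludedXPath is scanned too."""
    used = {el.prefix} | {p for p, _, _ in el.attrs if p}
    if scan_xpath and (el.ns.get(el.prefix), el.local) in XPATH_ELEMENTS:
        used |= xpath_prefixes(el.text)
    return used


def exc_c14n(el, scan_xpath):
    """Render one element the way exclusive c14n would: only declarations for
    visibly utilized prefixes are emitted, sorted by prefix.  Children and the
    finer escaping rules are omitted; this is a sketch, not C14N 2.0 itself."""
    used = visibly_utilized(el, scan_xpath)
    decls = "".join(
        ' xmlns%s="%s"' % (":" + p if p else "", escape(el.ns[p], {'"': "&quot;"}))
        for p in sorted(used) if p in el.ns
    )
    attrs = "".join(
        ' %s="%s"' % ("%s:%s" % (p, n) if p else n, escape(v, {'"': "&quot;"}))
        for p, n, v in sorted(el.attrs)
    )
    qname = "%s:%s" % (el.prefix, el.local) if el.prefix else el.local
    return "<%s%s%s>%s</%s>" % (qname, decls, attrs, escape(el.text), qname)


def wrapping_demo():
    """Compare canonical forms of the same dsig2:IncludedXPath element under
    the honest namespace context and under a context where an attacker has
    rebound the 'soap' prefix (constructed example URIs)."""
    honest = {"dsig2": DSIG2_NS, "soap": "http://schemas.xmlsoap.org/soap/envelope/"}
    rebound = dict(honest, soap="http://attacker.example/rebound")  # constructed
    expr = "/soap:Envelope/soap:Body"
    original = Element("dsig2", "IncludedXPath", honest, expr)
    wrapped = Element("dsig2", "IncludedXPath", rebound, expr)
    return {
        # Old rule: 'soap' does not appear in the element's own name, so no
        # declaration is emitted and the canonical bytes (hence the signature)
        # are unchanged by the rebinding.
        "name_only_unchanged": exc_c14n(original, False) == exc_c14n(wrapped, False),
        # New rule: 'soap' found in the XPath text is visibly utilized, its
        # declaration is emitted, and the rebinding changes the canonical form.
        "scanned_differs": exc_c14n(original, True) != exc_c14n(wrapped, True),
    }


if __name__ == "__main__":
    for name, value in wrapping_demo().items():
        print(name, value)
```

Run it directly to see both checks come out True: under the name-only rule the two canonical forms are byte-identical, so a signature over them would still verify after the prefix is rebound; with the XPath text scanned, the xmlns:soap declaration is part of the canonical form and the rebinding breaks the signature. The skipping of quoted content matters because a literal such as `'x:y'` must not drag a spurious prefix into the declaration list.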
