- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 2 Sep 2010 15:55:31 +0200
- To: "XMLSec WG Public List" <public-xmlsec@w3.org>
I took a close look at the new set of specs we published on August 31st, to see whether the Namespace Injection attack technique still works. The bad news: it does. The good news: but only if the developer did not use the new QNameAware parameter properly. The details: The Namespace Injection technique worked by exploiting the fact that namespace prefixes used in XPath expressions were not "visibly utilized" in the sense of Exclusive Canonicalization, hence their namespace declaration was not protected with the digest over "SignedInfo". Thus, an attacker was allowed to redefine the namespace urls those prefixes were mapping to, which was then used for performing signature wrapping. In the new specs, the proper use of the QNameAware parameter leads to explicit declaration of exactly those mappings. Hence they are covered by the digest over "SignedInfo", hence they can not be tampered with. The obvious drawback is that people have to use this parameter properly. The less obvious drawback is that support for this parameter by now is optional, according to the spec. The conclusion: The threat remains, but now there is a standardized way to fend it within the XML Signature specs themselves. It might be a good idea to have this issue being explained in the Best Practices, though. This should close my Action-538 (finally). cheers Meiko -- Dipl.-Inf. Meiko Jensen Chair for Network and Data Security Horst Görtz Institute for IT-Security Ruhr University Bochum, Germany _____________________________ Universitätsstr. 150, Geb. ID 2/411 D-44801 Bochum, Germany Phone: +49 (0) 234 / 32-26796 Telefax: +49 (0) 234 / 32-14347 http:// www.nds.rub.de
Received on Thursday, 2 September 2010 13:56:01 UTC