Copyright © 2009 Open Geospatial Consortium, Inc. 23
Modification of messages
This type of attack is exercised by an adversary to produce an unauthorized effect by modifying the content of a message while in transit. The successful
completion of the attack requires that the modification is not detected by the receiver. Modification attacks try to take advantage over vulnerabilities that exist
in implementing Integrity.
Denial of service
This type of attack is exercised by an adversary to prevent other entities to use a service when required. For a Service Oriented Architecture, the attacker can
either suppress all traffic to the service e.g. firewall drops network packages or produce that much traffic to the service that it prevents processing of legitimate
requests. For Web Services operating on XML messages, it is also possible to send fraudulent messages to the service such that processing of the request
consumes all or significant amount of resources of the service e.g. CPU, memory, sockets, etc..
7.3.1 Denial of Service Attacks applicable to OGC Web Services
Attacks to web services can occur on different layers of the ISOOSI model. For this ER we assume that countermeasures are in place for denial of service attacks or all layers
below the application layer. So for example, we assume that countermeasures are in place that prevent the well-known syn-flood attack direct or distributed that result from a
fraudulent TCP-handshake, where the client suppresses the final ACK. This typically causes an overflow of the connection table, which ends in rejection of further perhaps
legitimate connection requests.
Attacks for web services that take place on the application layer of the ISOOSI model are typically based on corrupted XML input messages. There selective corruption can
aim at malfunctioning of different software components of the underlying hardware infrastructure.
1 Attack on XML validation
Before an XML formatted input message is accepted by the service, it is typically validated. Basically two options are supported by XML: First of all, the parser can use
the XSD from the ―schemaLocation‖ attribute. This is dangerous as the adversary can reference his own corrupted XSD to make the message become valid, even it is not.
A possible countermeasure is to configure the parser to use a locally stored and trusted XSD to verify the structure of the received XML formatted input message.
2 Attack on XML processing
One common attack is to use entity expansion by injecting DTD based definitions in the XML formatted input message. This will result in a high memory consumption by the
parsing process with the side-effect that other processes or threads do not have enough memory or might not be scheduled by the operating system. If the parser is accepting
DTD content in the XML formatted input message, the adversary can easily create a 100
24 Copyright © 2009 Open Geospatial Consortium, Inc.
byte large input messages that can blow up to 100MB when processed. An example of such an input message is shown below. When processed, it will be expanded to 106
Secure Sensor Web ER9.
A possible countermeasure is to reject XML messages if they contain DOCTYPE snippets.
?xml version
= 1.0
encoding =
iso-8859-1 ?
DOCTYPE foobar [
ELEMENT foobar
PCDATA ENTITY
x0 Secure Sensor Web ER
ENTITY x1
x0;x0;x0;x0;x0;x0;x0;x0;x0;x0; ENTITY
x2 x1;x1;x1;x1;x1;x1;x1;x1;x1;x1;
ENTITY x3
x2;x2;x2;x2;x2;x2;x2;x2;x2;x2; ENTITY
x4 x3;x3;x3;x3;x3;x3;x3;x3;x3;x3;
ENTITY x5
x4;x4;x4;x4;x4;x4;x4;x4;x4;x4; ENTITY
x6 x5;x5;x5;x5;x5;x5;x5;x5;x5;x5;
] foobar
x6; foobar
Figure 4: Use of DTD entity expansion to attack XML processing 3 Attack on the application logic
This kind of attack is extremely promising for the adversary as defense is only possible through application specific countermeasures. However, it requires the adversary to be
some kind of an expert, as the attacks are application specific. One example for a malicious WFS or WMS input request can use repetition of layer parameters. So for
example instead of requesting a map from layer A, the adversary can request layers A{,A}. Or for a WFS for example, an adversary could create an extremely complex
FILTER statement that causes the consumption of all existing resources. According to the principles of Boolean expressions, a true statement can be expressed as A==A or
AA==AA|Â. But more dangerous for OGC filter expressions is the vulnerability to extend the Boolean logic using geometries. For example, an adversary can take advantage
over the fact that geometry A equals A.intersectA . If then the number of points in A is some 1,000,000 or the polygon has some 1,000,000 holes, processing of the intersect
operation becomes quite resource consuming.
A possible countermeasure is to do a good sanity check on all incoming request before dispatching it for local processing.
4 Attack on the database logic
This kind of attack focuses on SQL code injection to cause the database logic consume all free resources of the system. The OGC FILTER standards seems to be vulnerable
against these attacks if the implementation does not do a sanity check on the SQL statement that is created from the WFS request.
Copyright © 2009 Open Geospatial Consortium, Inc. 25
A possible countermeasure is to do a good sanity check on the SQL statement dispatching it to the database.
7.3.2 Example Attacks applicable to XMPP Servers