Copyright © 2009 Open Geospatial Consortium, Inc. 23 Modification of messages This type of attack is exercised by an adversary to produce an unauthorized effect by modifying the content of a message while in transit. The successful completion of the attack requires that the modification is not detected by the receiver. Modification attacks try to take advantage over vulnerabilities that exist in implementing Integrity. Denial of service This type of attack is exercised by an adversary to prevent other entities to use a service when required. For a Service Oriented Architecture, the attacker can either suppress all traffic to the service e.g. firewall drops network packages or produce that much traffic to the service that it prevents processing of legitimate requests. For Web Services operating on XML messages, it is also possible to send fraudulent messages to the service such that processing of the request consumes all or significant amount of resources of the service e.g. CPU, memory, sockets, etc..

7.3.1 Denial of Service Attacks applicable to OGC Web Services

Attacks to web services can occur on different layers of the ISOOSI model. For this ER we assume that countermeasures are in place for denial of service attacks or all layers below the application layer. So for example, we assume that countermeasures are in place that prevent the well-known syn-flood attack direct or distributed that result from a fraudulent TCP-handshake, where the client suppresses the final ACK. This typically causes an overflow of the connection table, which ends in rejection of further perhaps legitimate connection requests. Attacks for web services that take place on the application layer of the ISOOSI model are typically based on corrupted XML input messages. There selective corruption can aim at malfunctioning of different software components of the underlying hardware infrastructure. 1 Attack on XML validation Before an XML formatted input message is accepted by the service, it is typically validated. Basically two options are supported by XML: First of all, the parser can use the XSD from the ―schemaLocation‖ attribute. This is dangerous as the adversary can reference his own corrupted XSD to make the message become valid, even it is not. A possible countermeasure is to configure the parser to use a locally stored and trusted XSD to verify the structure of the received XML formatted input message. 2 Attack on XML processing One common attack is to use entity expansion by injecting DTD based definitions in the XML formatted input message. This will result in a high memory consumption by the parsing process with the side-effect that other processes or threads do not have enough memory or might not be scheduled by the operating system. If the parser is accepting DTD content in the XML formatted input message, the adversary can easily create a 100 24 Copyright © 2009 Open Geospatial Consortium, Inc. byte large input messages that can blow up to 100MB when processed. An example of such an input message is shown below. When processed, it will be expanded to 106 Secure Sensor Web ER9. A possible countermeasure is to reject XML messages if they contain DOCTYPE snippets. ?xml version = 1.0 encoding = iso-8859-1 ? DOCTYPE foobar [ ELEMENT foobar PCDATA ENTITY x0 Secure Sensor Web ER ENTITY x1 x0;x0;x0;x0;x0;x0;x0;x0;x0;x0; ENTITY x2 x1;x1;x1;x1;x1;x1;x1;x1;x1;x1; ENTITY x3 x2;x2;x2;x2;x2;x2;x2;x2;x2;x2; ENTITY x4 x3;x3;x3;x3;x3;x3;x3;x3;x3;x3; ENTITY x5 x4;x4;x4;x4;x4;x4;x4;x4;x4;x4; ENTITY x6 x5;x5;x5;x5;x5;x5;x5;x5;x5;x5; ] foobar x6; foobar Figure 4: Use of DTD entity expansion to attack XML processing 3 Attack on the application logic This kind of attack is extremely promising for the adversary as defense is only possible through application specific countermeasures. However, it requires the adversary to be some kind of an expert, as the attacks are application specific. One example for a malicious WFS or WMS input request can use repetition of layer parameters. So for example instead of requesting a map from layer A, the adversary can request layers A{,A}. Or for a WFS for example, an adversary could create an extremely complex FILTER statement that causes the consumption of all existing resources. According to the principles of Boolean expressions, a true statement can be expressed as A==A or AA==AA|Â. But more dangerous for OGC filter expressions is the vulnerability to extend the Boolean logic using geometries. For example, an adversary can take advantage over the fact that geometry A equals A.intersectA . If then the number of points in A is some 1,000,000 or the polygon has some 1,000,000 holes, processing of the intersect operation becomes quite resource consuming. A possible countermeasure is to do a good sanity check on all incoming request before dispatching it for local processing. 4 Attack on the database logic This kind of attack focuses on SQL code injection to cause the database logic consume all free resources of the system. The OGC FILTER standards seems to be vulnerable against these attacks if the implementation does not do a sanity check on the SQL statement that is created from the WFS request. Copyright © 2009 Open Geospatial Consortium, Inc. 25 A possible countermeasure is to do a good sanity check on the SQL statement dispatching it to the database.

7.3.2 Example Attacks applicable to XMPP Servers