IBM Support

Preventing XML Signature and Encryption Wrapping attacks on WebSphere DataPower appliances

Question & Answer


Question

How do I prevent XML Signature Wrapping attacks against my service running on an IBM WebSphere DataPower appliance?

Cause

XML Signature Wrapping allows a malicious client to modify or forge a digitally signed document without invalidating the included signature. The attack moves the originally signed nodeset to another location within the document, where the signature reference still resolves to it, and places different content at the original location; a consumer that locates the nodeset by position then processes the unsigned replacement.

A similar approach can be used for XML Encryption Wrapping.

Answer

Verify and decrypt actions have settings to specify an XPath expression filter. These settings ensure that the nodeset at the expected location in the document is the one that was actually signed or encrypted. As a best practice, use absolute expressions that include namespaces, because a relative or namespace-free expression can also match a relocated or client-supplied element of the same name.

For example, to protect the SOAP Body element:

/*[local-name()='Envelope' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*[local-name()='Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']

The following tasks describe how to configure XPath filters in verify and decrypt actions.

Protecting against XML Signature Wrapping with a verify action

  1. Edit the verify action.
  2. Click the Advanced tab.
  3. In the XPath Expressions Which Must be Signed list, add an expression for each nodeset that must be signed.
  4. Click Apply.

Protecting against XML Encryption Wrapping with a decrypt action

  1. Edit the decrypt action.
  2. Click the Advanced tab.
  3. In the XPath Expressions Requiring Element Encryption list, add an expression for each nodeset that must have element encryption.
  4. In the XPath Expressions Requiring Content Encryption list, add an expression for each nodeset that must have content encryption.
  5. Click Apply.
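The following added example (not DataPower code, and not part of the original document) models what the two encryption lists enforce: after decryption, an element selected by an element-encryption expression must itself have come out of decryption, and an element selected by a content-encryption expression may be in the clear but all of its content must have come out of decryption. The decrypt step is simulated: in the constructed samples the ciphertext inside xenc:EncryptedData is stood in for by the clear nodes it would decrypt to, so no cryptography is involved. The helper names, the sample messages and the Pay element are assumptions made for this example.

```python
"""Added example: policy check in the spirit of the "XPath Expressions
Requiring Element/Content Encryption" lists. Not DataPower code; the
decrypt step is simulated on constructed samples (no cryptography)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ENC_DATA = "{%s}EncryptedData" % XENC


def select_absolute(root, steps):
    """Mirror an absolute, namespace-qualified XPath of (namespace, name) steps,
    e.g. /*[local-name()='Envelope' and namespace-uri()=SOAP]/*[...='Body'...]."""
    nodes = [root] if root.tag == "{%s}%s" % steps[0] else []
    for ns, local in steps[1:]:
        nodes = [c for n in nodes for c in n if c.tag == "{%s}%s" % (ns, local)]
    return nodes


def decrypt_stub(root):
    """Stand-in for the decrypt action: replace every xenc:EncryptedData with
    the node(s) it wraps (here: its clear-text children, a constructed stand-in
    for ciphertext). Returns the id()s of every node produced by decryption."""
    produced = set()
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == ENC_DATA:
                pos = list(parent).index(child)
                parent.remove(child)
                for offset, plain in enumerate(list(child)):
                    parent.insert(pos + offset, plain)
                    produced.update(id(x) for x in plain.iter())
    return produced


def content_not_decrypted(node, produced):
    """True if the node carries clear text, has no content at all, or has a
    child that did not come out of decryption."""
    return ((node.text or "").strip() != "" or not list(node)
            or any(id(c) not in produced for c in node))


def encryption_policy_ok(xml_text, element_paths, content_paths):
    """Apply the policy to a message. A path that selects nothing fails,
    because the protected nodeset is then missing from the message."""
    root = ET.fromstring(xml_text)
    produced = decrypt_stub(root)
    for steps in element_paths:      # the selected element itself was encrypted
        sel = select_absolute(root, steps)
        if not sel or any(id(n) not in produced for n in sel):
            return False
    for steps in content_paths:      # the element is clear, its content was not
        sel = select_absolute(root, steps)
        if not sel or any(content_not_decrypted(n, produced) for n in sel):
            return False
    return True


# Constructed sample messages (assumed shapes, not captured traffic).
NS = 'xmlns:s="%s" xmlns:xenc="%s"' % (SOAP, XENC)
ENC = '<xenc:EncryptedData Type="%s">%s</xenc:EncryptedData>'
BODY_STEPS = [(SOAP, "Envelope"), (SOAP, "Body")]

# Element encryption: the Body element itself arrives as EncryptedData.
ELEMENT_ENC = ('<s:Envelope %s><s:Header/>%s</s:Envelope>'
               % (NS, ENC % (XENC + "Element", '<s:Body><Pay amount="10"/></s:Body>')))
# Content encryption: the Body is clear, its content arrives as EncryptedData.
CONTENT_ENC = ('<s:Envelope %s><s:Header/><s:Body>%s</s:Body></s:Envelope>'
               % (NS, ENC % (XENC + "Content", '<Pay amount="10"/>')))
# Wrapping: the EncryptedData is moved under the Header and a clear Body is
# placed at /Envelope/Body, the location the policy protects.
WRAPPED = ('<s:Envelope %s><s:Header><Wrapper>%s</Wrapper></s:Header>'
           '<s:Body><Pay amount="9999"/></s:Body></s:Envelope>'
           % (NS, ENC % (XENC + "Element", '<s:Body><Pay amount="10"/></s:Body>')))

if __name__ == "__main__":
    print("element-encrypted body:", encryption_policy_ok(ELEMENT_ENC, [BODY_STEPS], []))
    print("content-encrypted body:", encryption_policy_ok(CONTENT_ENC, [], [BODY_STEPS]))
    print("wrapped clear body:    ", encryption_policy_ok(WRAPPED, [BODY_STEPS], []))
```

The decisive detail is that membership is tested on node identity after decryption, not on element names: the wrapped message still contains a correctly encrypted Body, but it is not the Body at the protected location, so the policy rejects the message. The same sample also shows why the two lists are separate: a content-encrypted Body satisfies the content list but fails the element list.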
 

Protecting SAML Assertions against XML Signature Wrapping with a verify action

Variants of XML Signature Wrapping attacks can be used against SAML Assertions. These variants are also prevented with a verify action.

If you use the AAA framework to extract the identity from SAML Assertions and to verify the signature on SAML Assertions, you must add a verify action with the following configuration, before the AAA action. This configuration prevents the AAA action from processing any SAML Assertion that does not contain a valid signature.

  1. Add a verify action before the AAA action.
  2. Edit the verify action.
  3. Click the Advanced tab.
  4. In the XPath Expressions Which Must be Signed list, add the expression /descendant-or-self::*[local-name()='Assertion'], which denotes that all SAML Assertions in the document must be signed.
  5. Click Apply.
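The following added example (not DataPower code, and not part of the original document) models the "XPath Expressions Which Must be Signed" check for both the SOAP Body procedure and the SAML Assertion procedure above. It resolves each ds:Reference URI="#id" to the element carrying that id, then requires that every element selected by the policy expression is one of those referenced elements, compared by object identity rather than by name or id. It assumes that signature values have already been verified cryptographically, that references use wsu:Id, ID or Id attributes, and the constructed sample messages and the Pay element are assumptions made for this example.

```python
"""Added example: policy check in the spirit of "XPath Expressions Which
Must be Signed". Not DataPower code; uses only the standard library and
assumes id-based references (wsu:Id / ID / Id) on constructed samples."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def select_absolute(root, steps):
    """Mirror an absolute, namespace-qualified path such as
    /*[local-name()='Envelope' and namespace-uri()=SOAP]/*[local-name()='Body' ...]."""
    nodes = [root] if root.tag == "{%s}%s" % steps[0] else []
    for ns, local in steps[1:]:
        nodes = [c for n in nodes for c in n if c.tag == "{%s}%s" % (ns, local)]
    return nodes


def select_descendant(root, local):
    """Mirror /descendant-or-self::*[local-name()=local] (namespace ignored)."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == local]


def signed_elements(root):
    """Resolve every ds:Reference URI="#id" to the element carrying that id.
    Cryptographic verification of the signature is assumed to have passed."""
    by_id = {}
    for e in root.iter():
        for attr in ("{%s}Id" % WSU, "ID", "Id"):
            if attr in e.attrib:
                by_id.setdefault(e.attrib[attr], e)  # first occurrence wins
    uris = [r.get("URI", "") for r in root.iter("{%s}Reference" % DS)]
    return [by_id[u[1:]] for u in uris if u.startswith("#") and u[1:] in by_id]


def must_be_signed(xml_text, policy):
    """policy: list of ("absolute", steps) or ("descendant", local_name).
    Every element the policy selects must be one of the signed elements,
    compared by identity; an empty selection is treated as a failure here."""
    root = ET.fromstring(xml_text)
    covered = signed_elements(root)
    for kind, spec in policy:
        sel = (select_absolute(root, spec) if kind == "absolute"
               else select_descendant(root, spec))
        if not sel or any(not any(n is c for c in covered) for n in sel):
            return False
    return True


# Constructed sample messages (references only, no real signature values).
NS = 'xmlns:s="%s" xmlns:ds="%s" xmlns:wsu="%s"' % (SOAP, DS, WSU)
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
       '</ds:SignedInfo></ds:Signature>')

# Signed Body at the location the policy expects.
LEGIT = ('<s:Envelope %s><s:Header>%s</s:Header>'
         '<s:Body wsu:Id="body"><Pay amount="10"/></s:Body></s:Envelope>'
         % (NS, SIG % "body"))
# Wrapping: the signed Body is moved under the Header (the reference still
# resolves to it) and an unsigned Body occupies /Envelope/Body.
WRAPPED = ('<s:Envelope %s><s:Header>%s<Wrapper><s:Body wsu:Id="body">'
           '<Pay amount="10"/></s:Body></Wrapper></s:Header>'
           '<s:Body><Pay amount="9999"/></s:Body></s:Envelope>'
           % (NS, SIG % "body"))
ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
             ' ID="%s">%s</saml:Assertion>')
SAML_OK = ('<s:Envelope %s><s:Header/><s:Body>%s</s:Body></s:Envelope>'
           % (NS, ASSERTION % ("a1", SIG % "a1")))
# A second, unsigned Assertion placed beside the signed one.
SAML_EXTRA = ('<s:Envelope %s><s:Header/><s:Body>%s%s</s:Body></s:Envelope>'
              % (NS, ASSERTION % ("a1", SIG % "a1"), ASSERTION % ("a2", "")))

BODY_POLICY = [("absolute", [(SOAP, "Envelope"), (SOAP, "Body")])]
SAML_POLICY = [("descendant", "Assertion")]

if __name__ == "__main__":
    cases = [("legit body", LEGIT, BODY_POLICY), ("wrapped body", WRAPPED, BODY_POLICY),
             ("signed assertion", SAML_OK, SAML_POLICY), ("extra assertion", SAML_EXTRA, SAML_POLICY)]
    for name, doc, pol in cases:
        print(name, "accepted" if must_be_signed(doc, pol) else "rejected")
```

In the wrapped message the reference still resolves and the signature over the moved Body would still verify; the check fails only because the element at /Envelope/Body is not the element the signature covers. For SAML, the descendant-or-self expression makes every Assertion in the document part of the policy, so an unsigned Assertion placed next to a signed one is rejected before the AAA action ever sees it.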

Applies to:

  - WebSphere DataPower XML Security Gateway XS40 (SS6L5J), Firmware; versions 4.0.2, 4.0.1, 4.0, 3.8.2, 3.8.1, 3.8, 5.0.0; All Editions
  - WebSphere DataPower Integration Appliance XI50 (SS6L4E), Firmware; versions 4.0.2, 4.0.1, 4.0, 3.8.2, 3.8.1, 3.8, 5.0.0; All Editions
  - WebSphere DataPower Integration Appliance XI52 (SSHT9H), Firmware; versions 4.0.2, 4.0.1, 4.0, 5.0.0; All Editions
  - WebSphere DataPower B2B Appliance XB60 (SSQ3J2), Firmware; versions 4.0.2, 4.0.1, 4.0, 3.8.2, 3.8.1, 3.8, 5.0.0; All Editions
  - WebSphere DataPower B2B Appliance XB62 (SSHTED), Firmware; versions 4.0.2, 4.0.1, 4.0, 5.0.0; All Editions
  - WebSphere DataPower Integration Blade XI50B (SSFGB5), Firmware; versions 4.0.2, 4.0.1, 4.0, 3.8.2, 3.8.1, 5.0.0; Edition Independent
  - WebSphere DataPower Service Gateway XG45 (SSNR47), Firmware; versions 4.0.2, 5.0.0; All Editions

Document Information

Modified date:
19 March 2020

UID

swg21596903