CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
执行流程
步骤 1 Explore
[Find a vulnerable web service] The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed
- Read application documentation to learn about authentication schemes being used
- Observe web service traffic to look for vulnerable authentication schemes
步骤 2 Experiment
[Attempt adding padding to parameters] An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same
- Exploit the hash function extension / padding weakness with only padding to test the weakness
步骤 3 Exploit
[Add malicious parameters to request] Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.
- Exploit the hash function extension / padding weakness by adding malicious parameters to a web service request such that it is still deemed authentic
前提条件
- Web services check the signature of the API calls
- Authentication tokens / secrets are shared between the server and the legitimate client
- The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.
- An iterative hash function like MD5 and SHA1 is used.
- An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.
- The communication channel between the client and the server is not secured via channel security such as TLS
所需技能
所需资源
缓解措施
Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1
示例实例
To leverage an attack against the has function extension / padding weakness, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) || M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error.