New attacks on XML Signatures


Supervision: Vladislav Mladenov, Juraj Somorovsky

Start date: immediately

Duration: 3 months


Description

To protect the integrity and authenticity of XML documents, W3C designed the XML Signature standard. XML Signature is a flexible but complex standard; the validation of XML Signatures involves URI-based dereferencing, XML canonicalization, two-step hash value computation, and evaluation of a cryptographic function. Once the signature is validated over a specific element, the application has to ensure that it indeed uses this signed element. If this is not enforced, XML Signature Wrapping attacks can be executed.

The goal of this thesis is to analyze common XML Signature frameworks (e.g., for validating SAML messages) and their vulnerability to XML Signature Wrapping. The crucial question is how the XML Signature framework provides the information about the validated elements and how the application logic ensures that it only processes the validated contents.

The goal of this thesis is to set up current XML Signature validation frameworks in dockerized environments and analyze their XML Signature Wrapping countermeasures.
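The binding between the validated element and the element the application processes can be sketched as follows. This is an added example, not code from any of the frameworks to be analyzed; the messages are constructed and simplified, the function names are hypothetical, and the digest and signature value checks are assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET  # stdlib only; use a hardened parser for untrusted input

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>')

# Constructed, simplified messages (no SAML namespaces, no real signature value).
# Assumption: digest and SignatureValue checks passed; only the element binding is shown.
GOOD = f'<Response><Assertion ID="a1"><Subject>alice</Subject>{SIG}</Assertion></Response>'
# Wrapped variant: the signed Assertion is moved aside and an unsigned one
# sits where the application logic looks.
WRAPPED = ('<Response><Assertion ID="x9"><Subject>mallory</Subject></Assertion>'
           f'<Extensions><Assertion ID="a1"><Subject>alice</Subject>{SIG}</Assertion>'
           '</Extensions></Response>')

def signed_element(root):
    """Return the one element the ds:Reference URI dereferences to."""
    refs = root.findall(f".//{DS}Reference")
    if len(refs) != 1:
        raise ValueError("expected exactly one ds:Reference")
    uri = refs[0].get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("only same-document ID references are accepted")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise ValueError("referenced ID is missing or not unique")
    return matches[0]

def naive_subject(root):
    """Weak pattern: takes the first Assertion by name, ignoring what was signed."""
    return root.find(".//Assertion").findtext("Subject")

def checked_subject(root):
    """Process the Assertion only if it is the very element the signature covers."""
    signed = signed_element(root)
    processed = root.find("Assertion")  # fixed position the application expects
    if processed is not signed:
        raise ValueError("processed element is not the signed element")
    return signed.findtext("Subject")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("wrapped", WRAPPED)):
        root = ET.fromstring(doc)
        try:
            print(name, naive_subject(root), checked_subject(root))
        except ValueError as err:
            print(name, naive_subject(root), "rejected:", err)
```

The naive lookup returns a subject for both messages, while the checked lookup rejects the wrapped one because the element at the expected position is not the element the reference resolves to.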

Requirements

Successful participation in the courses Netzsicherheit 2 or XML- und Webservices