Utilizing REST's Trust in the System Resource to Register Man in the Middle
Attack Pattern ID: 57 (Detailed Attack Pattern Completeness: Complete)Typical Severity: Very HighStatus: Draft
+ Description


This attack utlizes a Rest(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with a XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated.

Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.

+ Attack Prerequisites

Opportuntity to intercept must exist beyond the poing where SSL is terminated.

The attacker must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Protocol Manipulation
  • Injection
+ Examples-Instances


The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the attacker can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To insert a network sniffer or other listener into the communication stream

+ Probing Techniques

Attacker may use a network sniffer to identify authentication credentials once SSL is terminated.

+ Solutions and Mitigations

Implementation: Implement message level security such as HMAC in the HTTP communication

Design: Utilize defense in depth, do not rely on a single security mechanism like SSL

Design: Enforce principle of least privilege

+ Attack Motivation-Consequences
  • Privilege Escalation
+ Injection Vector

HTTP protocol communications

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
300Channel Accessible by Non-Endpoint ('Man-in-the-Middle')Targeted
287Improper AuthenticationTargeted
724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session ManagementTargeted
693Protection Mechanism FailureTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern94Man in the Middle Attack 
Mechanism of Attack (primary)1000
+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
+ Content History
Gunnar Peterson2007-02-28
Sean BarnumCigital, Inc2007-03-07Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Description and Attack Prerequisites
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback