CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness

Description
An adversary uses a hash function extension/padding weakness to modify the parameters passed to a web service that requires authentication. The adversary generates their own call with a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
Extended Description

When web services require callers to authenticate, they sometimes issue a token / secret to the caller, which the caller uses to sign their web service calls. In one such scheme the caller, when constructing a request, concatenates all of the parameters passed to the web service with the provided authentication token and then generates a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash forms the signature that is passed to the web service, and the server side uses it to verify the origin authenticity and integrity of the message. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, for an adversary to conduct signature forgery by computing the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack is not limited to MD5 and will work on other hash functions such as SHA1.
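The signing scheme described above next to an HMAC-based replacement, as an added example that is not part of the CAPEC entry. It assumes the secret is placed before the parameters; the function names, the parameter encoding and the sample request are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode


def canonical(params: dict) -> bytes:
    """Serialize parameters deterministically: sorted by name, URL-encoded,
    so '&' or '=' inside a value cannot be confused with a separator."""
    return urlencode(sorted(params.items())).encode("utf-8")


def sign_weak(secret: bytes, params: dict) -> str:
    """Scheme from the description: hash(secret || parameters).
    With an iterative hash the digest is the full internal state after the
    last block, which is what makes extending the signed message possible."""
    return hashlib.sha1(secret + canonical(params)).hexdigest()


def sign_hmac(secret: bytes, params: dict) -> str:
    """Hardened form: HMAC-SHA256. The outer keyed hash means the tag does
    not expose a state from which hashing can be continued."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_hmac(secret: bytes, params: dict, signature: str) -> bool:
    """Recompute the tag on the server and compare in constant time."""
    expected = sign_hmac(secret, params)
    return hmac.compare_digest(expected.encode("utf-8"),
                               signature.encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"            # constructed sample value
    request = {"user": "alice", "action": "read"}  # constructed sample call
    tag = sign_hmac(secret, request)
    print("valid call accepted:  ", verify_hmac(secret, request, tag))
    tampered = {**request, "action": "delete"}
    print("tampered call accepted:", verify_hmac(secret, tampered, tag))
    # A signature from the weak scheme is not accepted by the HMAC verifier.
    print("weak tag accepted:     ",
          verify_hmac(secret, request, sign_weak(secret, request)))
```
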

Severity :

High

Possibility :

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites

  • Web services check the signature of the API calls.
  • Authentication tokens / secrets are shared between the server and the legitimate client.
  • The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.
  • An iterative hash function such as MD5 or SHA1 is used.
  • An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.
  • The communication channel between the client and the server is not secured via channel security such as TLS.
Skills required

  • Medium: Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.