cybersecurity

What is XML Signature Wrapping Attack? Ways to Exploit, Examples and Impact

Learn how XML Signature Wrapping (XSW) attacks work, explore exploitation techniques in SAML/SOAP, and discover how to secure your web services.

Mahesh

6 min read
What is XML Signature Wrapping Attack? Ways to Exploit, Examples and Impact

In the world of web services and Single Sign-On (SSO) protocols, XML signatures are the bedrock of trust. They ensure that the data exchanged between parties hasn't been tampered with and truly originates from the claimed sender. However, a sophisticated class of vulnerabilities known as XML Signature Wrapping (XSW) attacks can shatter this trust. By manipulating the structure of an XML document without breaking the cryptographic signature, an attacker can trick an application into processing unauthorized commands or impersonating legitimate users.

Understanding the Basics of XML Signatures

Before diving into the exploitation of XML Signature Wrapping, it is essential to understand how XML signatures (XMLDSig) work. Unlike a simple file signature, an XML signature is designed to sign specific parts of a document. This flexibility is both a feature and a security challenge.

The Anatomy of an XML Signature

An XML signature typically consists of several key components within a <Signature> element:

  1. SignedInfo: This contains the actual information being signed. It includes references to the parts of the document being protected.
  2. CanonicalizationMethod: XML is whitespace-sensitive and can be represented in multiple ways. This method ensures the XML is converted to a standard format before signing.
  3. SignatureMethod: The algorithm used to create the signature (e.g., RSA-SHA256).
  4. Reference: This is the most critical part for XSW. It contains a URI (usually pointing to an ID attribute) that identifies which element is signed, along with a DigestValue (a hash of that element).
  5. SignatureValue: The actual cryptographic signature of the SignedInfo block.
  6. KeyInfo: Information about the key used to sign the document.

In a typical SOAP or SAML message, the signature protects an Assertion or a Body element. The security logic is simple: the server verifies the signature, and if it's valid, the application logic processes the data. The vulnerability arises when these two steps—verification and processing—look at different parts of the document.

What is an XML Signature Wrapping (XSW) Attack?

XML Signature Wrapping (XSW) is a technique where an attacker moves the original, signed content to a different location within the XML document and inserts a new, malicious element in its place. Because the original element is still present and its signature is valid, the signature verification logic passes. However, the application logic, which often uses less stringent methods to find the data it needs (like searching for the first occurrence of a specific tag), processes the malicious, unsigned element instead.

This discrepancy between the Validation Logic (the component that checks the signature) and the Business Logic (the component that uses the data) is the core of the XSW vulnerability.

How XML Signature Wrapping Attacks Work

To understand the mechanics, let's look at the two primary ways applications locate elements in an XML document:

  1. ID-based Referencing: The signature points to an element via an ID (e.g., URI="#element1"). The validator finds the element with that ID and checks the hash.
  2. Path-based Referencing (XPath): The application logic might use an XPath expression like //saml:Assertion to find the data it needs to process.

An XSW attack exploits the fact that while the validator is satisfied because the element with ID="element1" is valid, the application logic might grab a different Assertion element that the attacker injected earlier in the document.

Common Types of XSW Attacks

Security researchers have categorized XSW attacks into several variants based on where the malicious and original elements are placed. Here are the most common types:

XSW1: Simple Wrapping

In an XSW1 attack, the attacker adds a wrapper element that contains the original signed element. The malicious element is then placed outside this wrapper but within the expected path for the application logic.

<Response>
  <MaliciousElement ID="evil"> ... </MaliciousElement>
  <Wrapper>
    <OriginalSignedElement ID="original"> ... </OriginalSignedElement>
  </Wrapper>
  <Signature>
    <Reference URI="#original" />
  </Signature>
</Response>

XSW2: Wrapping with Extension

This is similar to XSW1, but the original element is placed inside an extension or a secondary header that the validator ignores but the application logic might skip over when looking for the "real" payload.

XSW3: Malicious Element in Header

In this scenario, the attacker places the malicious element in a location that is processed first by the application (like a SOAP Header), while the original signed element remains in the Body. If the application logic is configured to take the first instance of a tag it finds, it will process the header and ignore the body.

XSW4: Original Element in Header

Conversely, the attacker might move the original signed element to the Header and put the malicious element in the Body. If the validator finds the signed element in the Header and approves the message, but the business logic only processes the Body, the attack succeeds.

XSW5 and XSW6: Duplicate ID Attacks

These attacks exploit how different XML parsers handle multiple elements with the same ID attribute. The attacker provides two elements with the same ID. The validator might check the second one (the original), while the application logic processes the first one (the malicious one).

Step-by-Step Exploitation Example: SAML SSO Bypass

Let's walk through a practical example involving a SAML (Security Assertion Markup Language) response. SAML is widely used for Single Sign-On.

1. The Original Message

A legitimate identity provider sends a signed assertion stating that "Alice" is logged in.

<samlp:Response ID="_123">
  <saml:Assertion ID="_abc">
    <saml:Subject>Alice</saml:Subject>
  </saml:Assertion>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_abc" />
    </ds:SignedInfo>
    <ds:SignatureValue>...base64_sig...</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>

2. The Attacker's Modification

The attacker intercepts this message. They want to log in as "Admin". They modify the message by wrapping the original assertion and inserting a new one.

<samlp:Response ID="_123">
  <!-- The Malicious Assertion inserted by the attacker -->
  <saml:Assertion ID="_evil">
    <saml:Subject>Admin</saml:Subject>
  </saml:Assertion>
  
  <Wrapper>
    <!-- The original signed assertion moved here -->
    <saml:Assertion ID="_abc">
      <saml:Subject>Alice</saml:Subject>
    </saml:Assertion>
  </Wrapper>

  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_abc" />
    </ds:SignedInfo>
    <ds:SignatureValue>...base64_sig...</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>

3. The Result

When the Service Provider (SP) receives this:

  1. The Signature Validator looks for the element with ID="_abc". It finds it inside the <Wrapper>, verifies the digest, and confirms the signature is valid.
  2. The SAML Processing Logic looks for the assertion to determine who is logging in. It often uses a simple query like //saml:Assertion. It finds the first one in the document: the "Admin" assertion.
  3. The attacker is successfully logged in as Admin.

The Impact of XSW Attacks

The impact of a successful XML Signature Wrapping attack can be catastrophic, especially in enterprise environments. Because XML signatures are often used for authentication and authorization, the consequences include:

  • Authentication Bypass: As shown in the SAML example, an attacker can impersonate any user, including administrators.
  • Privilege Escalation: An attacker with a low-privilege account can intercept their own signed token and modify it to grant themselves higher permissions.
  • Unauthorized Data Access: In SOAP-based web services, an attacker could change the parameters of a request (e.g., changing an account number) while keeping the signature valid.
  • Remote Code Execution (RCE): If the XML payload is used to trigger backend processes or shell commands, XSW could lead to full system compromise.

How to Prevent XML Signature Wrapping

Preventing XSW requires ensuring that the validation logic and the business logic are perfectly synchronized. Here are the best practices for developers and security engineers:

1. Use Position-Aware Validation

Instead of just verifying that a signed element exists somewhere in the document, the validator should verify the element's specific position. If the signature expects the assertion to be a direct child of the response, it should fail if the assertion is found inside a wrapper.

2. Strict Schema Validation

Validate the incoming XML against a strict XSD (XML Schema Definition). A well-defined schema should disallow unexpected elements like <Wrapper> or multiple <Assertion> tags. By enforcing a rigid structure, you make it much harder for an attacker to "hide" the original signed content.

3. Use One-Time Tokens and Timestamps

While not a direct fix for XSW, using short-lived tokens and unique IDs (nonces) reduces the window of opportunity for an attacker to intercept and modify a message.

4. Logic Synchronization

The most effective defense is to ensure the application logic only processes the exact elements that were cryptographically verified. Modern security libraries often provide an API that returns the "Verified Element" rather than forcing the developer to search the XML tree manually. Always use the object returned by the signature verification library.

5. Avoid XPath for Security-Critical Data

Using loose XPath expressions like //Element is dangerous. If you must use XPath, use absolute paths (e.g., /Response/Assertion) and ensure that the path matches exactly what was signed.

Conclusion

XML Signature Wrapping remains a potent threat because it exploits a fundamental architectural flaw: the gap between data verification and data usage. While XML-based protocols like SAML and SOAP are maturing, legacy systems and custom implementations often remain vulnerable to these structural manipulations. Understanding the various XSW types and implementing strict, position-aware validation is the only way to ensure that your web services remain secure against this class of attack.

To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon.

Read more