XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany
Paul Höller, Alexander Krumeich, Luigi Lo Iacono

TL;DR
This paper examines the persistent threat of XML Signature Wrapping in web services, using a German Personal Health Record system as a case study, and proposes guidelines for improved XML signature security.
Contribution
It provides a current case study on XSW vulnerabilities and introduces practical guidelines for more secure XML signature processing in SOAP-based web services.
Findings
Identified deficiencies in defending against XSW attacks
Developed a guideline for secure XML signature processing
Highlighted the ongoing relevance of XSW threats
Abstract
XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-world contemporary example as motivation, we introduce a guideline for more secure XML signature processing that provides practitioners with easier access to the effective countermeasures identified in the current state of research.
Taxonomy
Topics: Cloud Data Security Solutions · Access Control and Trust · Data Quality and Management
