Attacks on Web Services and Single Sign-On

25.06.2015, 15:00 – 16:30


Speaker: Dr. Juraj Somorovsky | Location: Mornewegstraße 32 (S4|14), Room 3.1.01, Darmstadt

Organizer: Giorgia Azzurra Marson / Nina Bindel

Abstract

Web Services and Single Sign-On are major technologies employed in a large number of major web applications, ranging from business communications, eCommerce, and financial services over healthcare applications to governmental and military infrastructures. In this talk, we will give an overview of various Web Service and Single Sign-On specific attacks. The attacks can be used to affect the availability of Web servers (Denial-of-Service attacks), or they can break the integrity and confidentiality of the exchanged messages. Even though the attacks are specific to the presented technologies, their ideas can be ported to other standards as well. At the end, we will present a penetration testing tool called WS-Attacker and show how to use this tool to execute movie-style attacks breaking message confidentiality.

Short Bio

Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently, he works as a Postdoc at the Chair for Network and Data Security, where he focuses his research on Web Security analysis and cryptographic attacks, and teaches different security-relevant subjects. In parallel, he works as a security specialist for his co-founded company 3curity GmbH.