A missing timestamp can leave a SOAP message open to replay attacks.
A WS-Security Timestamp header (wsu:Timestamp, carrying Created and Expires elements) indicates the freshness of a message's security data. If an attacker intercepts a message and retransmits it at a later time, the receiver can reject the replay because the timestamp shows that the message is stale. A timestamp only bounds the replay window, though: to reject a copy delivered while the original is still fresh, the receiver also has to remember what it has already accepted (a message identifier or nonce cache) for the length of that window.
To prevent attackers from tampering with timestamps, timestamps should be signed. Without a signed timestamp, an attacker could intercept a SOAP message, rewrite the timestamp so that the message looks fresh, and forward it without the receiver noticing. Under these circumstances, an attacker can trick a recipient into accepting a replayed or otherwise malicious message. The signature has to cover the Timestamp element together with the body (in WS-Security, by referencing the Timestamp's wsu:Id from ds:SignedInfo); a signature over the body alone leaves the timestamp free to edit.
Example 1: The following policy entry has the <wssp:MessageAge/> assertion commented out, so the policy does not enforce a maximum age for incoming messages.
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
...
<!-- <wssp:MessageAge/> -->
</wsp:Policy>
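The checks described above, as an added example that is not code from the original page or from the BEA policy reference: a Python sender and receiver for a minimal WS-Security envelope. The soap, wsse and wsu namespaces are the real ones; the shared HMAC key, the Transfer body, the clock values, the MAX_AGE/SKEW constants and the helper names (build_envelope, tamper_timestamp, strip_timestamp, Receiver, run_scenarios) are constructed for this demonstration, and the HMAC over Created|Expires|Body stands in for the XML Signature a real stack would apply. A Receiver built with sign_timestamp=False models the unsigned-timestamp configuration: its signature covers the body only, so an attacker can rewrite Created/Expires and have a stale message accepted.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

KEY = b"constructed-demo-key"     # constructed shared secret; HMAC stands in for XML Signature here
MAX_AGE = timedelta(seconds=60)   # receiver-side MessageAge: anything created earlier is stale
SKEW = timedelta(seconds=5)       # tolerated clock difference between sender and receiver

def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def signature(created, expires, body_xml, sign_timestamp, key=KEY):
    # Re-serialise the body through ElementTree so sender and receiver hash identical bytes.
    # sign_timestamp=True also binds Created/Expires to the signature (the secure configuration).
    data = ET.tostring(ET.fromstring(body_xml), encoding="unicode")
    if sign_timestamp:
        data = created + "|" + expires + "|" + data
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def build_envelope(body_xml, created, ttl=timedelta(seconds=30), sign_timestamp=True):
    c, e = fmt(created), fmt(created + ttl)
    sig = signature(c, e, body_xml, sign_timestamp)
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header><wsse:Security xmlns:wsse="{WSSE}">'
            f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="TS-1"><wsu:Created>{c}</wsu:Created>'
            f'<wsu:Expires>{e}</wsu:Expires></wsu:Timestamp><Signature>{sig}</Signature>'
            f'</wsse:Security></soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')

def tamper_timestamp(envelope, new_created, new_expires):
    # What an on-path attacker does to make an old message look fresh.
    envelope = re.sub(r"<wsu:Created>[^<]*</wsu:Created>", f"<wsu:Created>{fmt(new_created)}</wsu:Created>", envelope)
    return re.sub(r"<wsu:Expires>[^<]*</wsu:Expires>", f"<wsu:Expires>{fmt(new_expires)}</wsu:Expires>", envelope)

def strip_timestamp(envelope):
    return re.sub(r"<wsu:Timestamp.*?</wsu:Timestamp>", "", envelope)

class Receiver:
    def __init__(self, sign_timestamp=True, max_age=MAX_AGE, key=KEY):
        self.sign_timestamp, self.max_age, self.key = sign_timestamp, max_age, key
        self.seen = {}  # signature -> Expires for messages accepted inside the freshness window

    def accept(self, envelope, now):
        root = ET.fromstring(envelope)
        ts = root.find(f".//{{{WSU}}}Timestamp")
        if ts is None:
            return "reject: no Timestamp"
        created_txt, expires_txt = ts.findtext(f"{{{WSU}}}Created"), ts.findtext(f"{{{WSU}}}Expires")
        if not created_txt or not expires_txt:
            return "reject: incomplete Timestamp"
        sig = root.findtext(f".//{{{WSSE}}}Security/Signature") or ""
        body_xml = ET.tostring(root.find(f"{{{SOAP}}}Body")[0], encoding="unicode")
        expected = signature(created_txt, expires_txt, body_xml, self.sign_timestamp, self.key)
        if not hmac.compare_digest(sig.encode(), expected.encode()):  # integrity before freshness
            return "reject: bad signature"
        created, expires = parse(created_txt), parse(expires_txt)
        if created > now + SKEW:
            return "reject: Created is in the future"
        if now > expires:
            return "reject: expired"
        if now - created > self.max_age:
            return "reject: stale (MessageAge exceeded)"
        self.seen = {s: e for s, e in self.seen.items() if e >= now}  # drop entries that can no longer replay
        if sig in self.seen:
            return "reject: replay"
        self.seen[sig] = expires
        return "accept"

def run_scenarios():
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    at = lambda s: t0 + timedelta(seconds=s)
    body = "<Transfer><To>acct-42</To><Amount>500</Amount></Transfer>"  # constructed payload
    rx, msg = Receiver(), build_envelope(body, t0)
    weak_rx, weak = Receiver(sign_timestamp=False), build_envelope(body, t0, sign_timestamp=False)
    return {
        "fresh": rx.accept(msg, at(1)),
        "replayed in window": rx.accept(msg, at(2)),
        "replayed after Expires": rx.accept(msg, at(90)),
        "timestamp rewritten, signed": rx.accept(tamper_timestamp(msg, at(90), at(120)), at(91)),
        "timestamp removed": rx.accept(strip_timestamp(msg), at(1)),
        "long ttl, past MessageAge": rx.accept(build_envelope(body, t0, ttl=timedelta(seconds=300)), at(100)),
        "unsigned timestamp, first delivery": weak_rx.accept(weak, at(1)),
        "unsigned timestamp, rewritten replay": weak_rx.accept(tamper_timestamp(weak, at(90), at(120)), at(91)),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:38} {verdict}")
```

The order of checks matters: the signature is verified before any timestamp value is trusted, the sender's Expires and the receiver's own MAX_AGE are enforced independently (a sender cannot grant itself a long lifetime), and the replay cache only has to hold entries until their Expires passes, which is why an unsigned timestamp is fatal: once the attacker can push Expires forward, the cache has already forgotten the original.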
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[5] Standards Mapping - FIPS200 - (FISMA) CM
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 254
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[8] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 311
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.4
[12] Security Policy Assertion Reference BEA