CR | Jun 19, 2021

XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany

arXiv:2106.10460v12 citations
Originality: Synthesis-oriented
AI Analysis

It addresses security flaws in a critical healthcare system, offering practical solutions for practitioners, though it is incremental as it builds on existing research.

The paper investigated XML Signature Wrapping vulnerabilities in Germany's Personal Health Record system, identifying deficiencies in defenses and proposing a guideline for more secure processing.

XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-world contemporary example as motivation, we introduce a guideline for more secure XML signature processing that provides practitioners with easier access to the effective countermeasures identified in the current state of research.
