[
https://issues.apache.org/jira/browse/WSS-465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-465.
-----------------------------------
> Possible information leak: incremental IDs
> ------------------------------------------
>
> Key: WSS-465
> URL: https://issues.apache.org/jira/browse/WSS-465
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.6.9
> Environment: CXF 2.7.3, XMLsec 1.5.3
> Reporter: Marco Stettler
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6.12
>
>
> We had a security audit, and one of the points listed is as follow:
> The "Signature ID" and "Reference URI ID" are incremental. From this fact it
> can be deduced whether and how much the service will be used. The number
> varies only minimally, the service is hardly used the observed time. However,
> the number rises noticeably within a short time, so the service is already
> under load. At such a time a DoS attack, for example, would achieve
> particularly infuriating effect.
> Couldnt this IDs be randomized? Or incremental by request (not "static" in
> the VM)?
> What i saw in the code is, that theres already a interface "WsuIdAllocator",
> with a anonymous implementation in the class "WSSConfig". But theres no
> proper way to override this implementation as the extension point is missing
> (or i'm missing it :).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
