Scott,
What OWASP seems to be flagging is the
"<soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException:"
In your service:
    public TheObjectYourMethodReturns yourMethod(...) {
        TheObjectYourMethodReturns result = new TheObjectYourMethodReturns();
        try {
            // ... the implementation ...
        } catch (TheException e) {
            // catch the exception, log it, and set the reason in the returned object
            log.error("yourMethod failed", e);
            result.setExceptionReason(e.getMessage());
            return result;
        }
        // if no exception, this returns whatever your implementation requires
        return result;
    }
From: Scott Selvia [mailto:[email protected]]
Sent: Wednesday, November 26, 2014 10:41 AM
To: [email protected]
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Brando,
It is our service, so we have access to the service code; what I'm not getting
is catching the exception. Can you point me to some examples?
Thanks,
Scott
From: Arguello, Brando [mailto:[email protected]]
Sent: Wednesday, November 26, 2014 10:31 AM
To: [email protected]
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Scott,
If you have access to the service, one option is:
On the service side, catch the exception, extract the information you need and
return an object so it goes through the regular "OutFlow" phase instead of the
"FaultFlow".
If you don't have access to the service:
Can you add a handler on the "InFlow" phase of your client to intercept the
response and filter out the leakage and then proceed to your client?
Regards.
-brando
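Brando's second option puts a handler on the client; the same handler mechanism works on the server side, where it stops the leak for every caller, including faults the engine raises before the request ever reaches service code. The following is an added example, not code from this thread or from Axis2 itself: an Axis2 handler for the global OutFaultFlow that logs the real fault reason and replaces the faultstring (and any detail element) with a fixed message. The class name, the generic message text and the axis2.xml phase used for registration are assumptions.

```java
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFault;
import org.apache.axiom.soap.SOAPFaultDetail;
import org.apache.axiom.soap.SOAPFaultReason;
import org.apache.axiom.soap.SOAPFaultText;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Added example (not Axis2's own code). Runs in the server's OutFaultFlow and
 * replaces the faultstring (and any detail) with a fixed message, so engine
 * errors such as "XMLStreamException: DOCTYPE is not allowed" are logged but
 * never echoed to the caller. Registration (assumed phase) in axis2.xml, inside
 * <phaseOrder type="OutFaultFlow">:
 *   <phase name="MessageOut"><handler name="FaultSanitizer" class="FaultSanitizerHandler"/></phase>
 */
public class FaultSanitizerHandler extends AbstractHandler {
    private static final Log log = LogFactory.getLog(FaultSanitizerHandler.class);
    private static final String GENERIC_REASON = "The request could not be processed."; // assumed text

    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope envelope = msgContext.getEnvelope();
        if (envelope == null || envelope.getBody() == null || !envelope.getBody().hasFault()) {
            return InvocationResponse.CONTINUE; // not a fault message: nothing to sanitise
        }
        SOAPFault fault = envelope.getBody().getFault();
        SOAPFaultReason reason = fault.getReason();
        if (reason != null) {
            // Keep the original reason in the server log, never in the response.
            log.warn("Sanitised SOAP fault: " + reason.getText());
            SOAPFaultText text = reason.getFirstSOAPText(); // SOAP 1.2: Reason/Text child
            if (text != null) {
                text.setText(GENERIC_REASON);
            } else {
                reason.setText(GENERIC_REASON);               // SOAP 1.1: faultstring
            }
        }
        SOAPFaultDetail detail = fault.getDetail();
        if (detail != null) {
            detail.detach(); // stack traces and exception class names live here
        }
        return InvocationResponse.CONTINUE;
    }
}
```

The class has to be on the service classpath (for example WEB-INF/classes), and because it sits in the global OutFaultFlow it also covers faults raised before dispatch, which is the case Scott describes. Also confirm that the sendStacktraceDetailsWithFaults parameter in axis2.xml is false, so stack traces are not written into the detail element in the first place.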
From: Scott Selvia [mailto:[email protected]]
Sent: Wednesday, November 26, 2014 9:53 AM
To: [email protected]
Subject: How to Solve Axis2 Information Leakage from OWASP Testing
We are running security tests on our Axis2 1.6.2 web services. It has been
pointed out that we have an OWASP information leakage and I'm trying to figure
out how to solve this. We intercept the SOAP request and add <?xml version="1.0"
encoding="utf-8"?><!DOCTYPE foo [ to the request. The response generated is
being flagged as an information leakage:
<soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException:
DOCTYPE is not allowed</faultstring>
I'm trying to gather information to mitigate the finding:
1. Is the https://hostname/axis2/services/MyWebService?wsdl with the
"axis2/services" in the URL a problem and/or
2. Being able to capture the XMLStreamException and respond with an
appropriate non-descriptive message.
How can we change the "axis2/services" endpoint?
Since we don't even get the request in our code, how do we trap or override the
request coming into the web service engine?