1)DTDs not been supported by axis for at least 10 years and any/all attempts to
implement DTDs will
fubar your axis default installation
you *can* install your own incoming/outgoing message receivers in the
messageReceivers in axis2.xml
<messageReceivers>
<messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only";
class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
<messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out";
class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
<messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-only";
class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
<messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-out";
class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
</messageReceivers>
if for any reason you want to accomodate a different content-type then add that
messageFormatter here in axis2.xml
<messageFormatters>
<messageFormatter contentType="application/x-www-form-urlencoded"
class="org.apache.axis2.transport.http.XFormURLEncodedFormatter"/>
<messageFormatter contentType="multipart/form-data"
class="org.apache.axis2.transport.http.MultipartFormDataFormatter"/>
<messageFormatter contentType="application/xml"
class="org.apache.axis2.transport.http.ApplicationXMLFormatter"/>
<messageFormatter contentType="text/xml"
class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
<messageFormatter contentType="application/soap+xml"
class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
</messageFormatters>
2)if your concern is MIM attack by someone sharking the line
look into encrypting/decrypting your messages with Rampart Security module (i
like bouncycastle security provider)
http://axis.apache.org/axis2/java/rampart/download/1.6.2/download.cgi
OWASP Testing guideline might prove useful:
https://www.owasp.org/index.php/Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)
Personal Note; when working at the bank use of search engines was banned..now i
know why
Happy Thanksgiving All
Martin
______________________________________________
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date: Wed, 26 Nov 2014 10:40:40 -0500
From: [email protected]
To: [email protected]
Brando, It is our service so we have access to the service code, what I’m not
getting is catching the exception. Can you point me to some examples? Thanks,
Scott From: Arguello, Brando [mailto:[email protected]]
Sent: Wednesday, November 26, 2014 10:31 AM
To: [email protected]
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing Scott,
If you have access to the service one option is..On the service side, catch the
exception, extract the information you need and return an object so it goes
through the regular “OutFlow” phase instead of the “FaultFlow” If you don’t
have access to the service ..Can you add a handler on the “InFlow” phase of
your client to intercept the response and filter out the leakage and then
proceed to your client? Regards.-brando From: Scott Selvia
[mailto:[email protected]]
Sent: Wednesday, November 26, 2014 9:53 AM
To: [email protected]
Subject: How to Solve Axis2 Information Leakage from OWASP Testing We are
running security tests on our Axis2 1.6.2 web services. It has been pointed
out that we have an OWASP information leakage and I’m trying to figure out how
to solve this. We intercept the SOAP request and <?xml version=”1.0”
encoding=”utf-8”?><!DOCTYPE foo [ to the request. The response generated is
being flagged as an information leakage:
<soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException:
DOCTYPE is not allowed</faultstring> I’m trying to gather information to
mitigate the finding: 1. Is the
https://hostname/axis2/services/MyWebService?wsdl with the “axis2/services” in
the URL a problem and/or2. Being able to capture the XMLStreamException
and respond with an appropriate non-descriptive message. How can we change the
“axis2/services” endpoint? Since we don’t even get the request in our code, how
do we trap or override the request coming into the web service engine?
