axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vijeya Aravindan (Created) (JIRA)" <axis-...@ws.apache.org>
Subject [jira] [Created] (AXIS-2868) Invalid Input passed in by the user for an input argument is reflected in the output when Axis throws the exception to the caller
Date Wed, 18 Jan 2012 18:18:41 GMT
Invalid Input passed in by the user for an input argument is reflected in the output when Axis
throws the exception to the caller
---------------------------------------------------------------------------------------------------------------------------------

                 Key: AXIS-2868
                 URL: https://issues.apache.org/jira/browse/AXIS-2868
             Project: Axis
          Issue Type: Bug
          Components: Distribution
    Affects Versions: 1.4
         Environment: Any OS
            Reporter: Vijeya Aravindan


This issue was reported by our security team post audit and hence creating this tik:

1) Our Soap service is layered on Axis and the stub and skeletons are auto generated by feeding
the WSDL and XSD to Axis wsdl2java.
2) The Axis layer validates the type of the input parameter coming in as part of the request
against the types defined in the XSD.
3) In this case, for a parameter defined as long in the xsd, the Security team passed in a
String parameter. Axis threw a Java Number Format Exception as expected and the String parameter
passed as the invalid input got reflected in the output response as part of this exception
4) The response in this case is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>For input string: "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"</faultstring>
         <detail>
         java.lang.NumberFormatException: For input string: "invalid string: "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"

The concern from our Security Team is that "This may lead to XSS attack if the consumer of
the service does not perform output encoding". 

5) Since this validation is done by Axis Skeleton layer even before the call back comes to
the user defined registered implementation, upon recommendation from our Security team, we
request Axis team to sanitize this output to prevent the actual invalid string from appearing
in the output response.

Thanks,
Vijey

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message