axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Scott Selvia" <ssel...@datamentors.com>
Subject How to Solve Axis2 Information Leakage from OWASP Testing
Date Wed, 26 Nov 2014 14:52:50 GMT
We are running security tests on our Axis2 1.6.2 web services.  It has
been pointed out that we have an OWASP information leakage and I'm
trying to figure out how to solve this.  We intercept the SOAP request
and <?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [ to the
request.  The response generated is being flagged as an information
leakage:
<soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLSt
reamException: DOCTYPE is not allowed</faultstring>

 

I'm trying to gather information to mitigate the finding:

 

1.       Is the https://hostname/axis2/services/MyWebService?wsdl with
the "axis2/services" in the URL a problem and/or

2.       Being able to capture the XMLStreamException and respond with
an appropriate non-descriptive message.

 

How can we change the "axis2/services" endpoint?

 

Since we don't even get the request in our code, how do we trap or
override the request coming into the web service engine?

 

 

 


Mime
View raw message