axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date Wed, 26 Nov 2014 20:13:36 GMT
AXIS-2.1.5 wsdl2java<bat/sh> will handle which XMLReader you will implement..here is
doc:
org.apache.axis2.wsdl.WSDL2Java --helpUsage: WSDL2Java [options] -uri <url or path>
: A url or path to a WSDL
where [options] include:  -o <path>                Specify a directory path for the
generated code.  -a                       Generate async style code only (Default: off). 
-s                       Generate sync style code only (Default: off). Takes precedence over
-a.  -p <pkg1>                Specify a custom package name for the generated code.
  -l <language>            Valid languages are java and c (Default: java).  -t     
                 Generate a test case for the generated code.  -ss                      Generate
server side code (i.e. skeletons) (Default:off).  -sd                      Generate service
descriptor (i.e. services.xml). (Default: off). Valid with -ss.  -d <databinding>  
      Valid databinding(s) are adb, xmlbeans, jibx and jaxbri (Default: adb).  -g        
              Generates all the classes. Valid only with -ss.  -pn <port_name>     
    Choose a specific port when there are multiple ports in the wsdl.  -sn <service_name>
      Choose a specific service when there are multiple services in the wsdl.  -u        
              Unpacks the databinding classes  -r <path>                Specify a repository
against which code is generated.
-ns2p ns1=pkg1,ns2=pkg2  Specify a custom package name for each namespace specified in the
wsdls schema.  -ssi                     Generate an interface for the service implementation(Default:
off).  -wv <version>            WSDL Version. Valid Options : 2, 2.0, 1.1  -S <path>
               Specify a directory path for generated source  -R <path>            
   Specify a directory path for generated resources  -em <file path>          Specify
an external mapping file  -f                       Flattens the generated files  -uw     
                Switch on un-wrapping.  -xsdconfig <file path>   Use XMLBeans .xsdconfig
file. Valid only with -d xmlbeans.  -ap                      Generate code for all ports 
-or                      Overwrite the existing classes  -b                       Generate
Axis 1.x backward compatible code.  -sp                      Suppress namespace prefixes (Optimzation
that reduces size of soap request/response)  -E<key> <value>          Extra configuration
options specific to certain databindings. Examples:                           -Ebindingfile
<path>                                (for jibx) - specify the file path for the binding
file                           -Etypesystemname <my_type_system_name> (for xmlbeans)
- override the randomly generated type system name                           -Ejavaversion
1.5                      (for xmlbeans) - generates Java 1.5 code (typed lists instead of
arrays)                           -Emp <package name> (for ADB) - extension mapper package
name                           -Eosv (for ADB) - turn off strict validation.             
             -Ewdc (for xmlbeans) - Generate code with a dummy schema. if someone use this
option                              they have to generate the xmlbeans code seperately ith
the scomp command comes with the                              xmlbeans distribution and replace
the Axis2 generated classes with correct classes  --noBuildXML             Dont generate the
build.xml in the output directory  --noWSDL                 Dont generate WSDLs in the resources
directory  --noMessageReceiver      Dont generate a MessageReceiver in the generated sources
 --http-proxy-host <host> Proxy host address if you are behind a firewall  --http-proxy-port
<port> Proxy port address if you are behind a firewall  -ep <package-name-list>
 Exclude packages - these packages are deleted after code generation  -sin <interface-name>
   Skeleton interface name - used to specify a name forskeleton interface other than the default
one  -scn <class-name>        Skeleton class name - used to specify a name for skeleton
class other than the default one                           -EbindingFileName <path>
              (for jaxbri) - specify the file path for the episode file  -oaa <override-absolute-address>
 -change the absolute http addresses to local file addresses generated by wsdl2java tool 
-ebc <exception-base-class>  -generated Exceptions are inherited from this exception
rather than the java.lang.Exception class  -uon <use-operation-name>  -by default the
first letter of the generated method name changeed to lowercase. This option stops that and
make it same as operation name
Use default style of adb
the stubs service and client and build.xml will be generated for you afterwards
Martin Gainty 
______________________________________________ 
                                                                                         
       


Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date: Wed, 26 Nov 2014 14:06:04 -0500
From: sselvia@datamentors.com
To: mgainty@hotmail.com; java-user@axis.apache.org

Martin, I’ve enabled DEBUG logging for Axis2, I can see the DOCTYPE is not allowed.  So
as you suggest, I need to create my own message listener to trap this AxisFault with the XMLStreamReader?
  Thanks, Scott [#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
setAction New action is (urn:helloMethod)|#] [#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
createSOAPEnvelope using Builder (class org.apache.axis2.builder.SOAPBuilder) selected from
type (application/soap+xml)|#] [#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
char set encoding set from default =UTF-8|#] [#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
XMLStreamReader is org.apache.axiom.util.stax.dialect.WoodstoxStreamReaderWrapper|#] [#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
org.apache.axis2.AxisFault: javax.xml.stream.XMLStreamException: DOCTYPE is not allowed|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
[MessageContext: logID=6812b93b1f449a0693d713277a06a0c1e690df9694ec910a] isFaultRedirected:
FaultTo is null. Returning isReplyRedirected|#] [#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
[MessageContext: logID=6812b93b1f449a0693d713277a06a0c1e690df9694ec910a] isReplyRedirected:
ReplyTo is null. Returning false|#] [#|2014-11-26T12:59:39.049-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG]
getAction (null) from org.apache.axis2.client.Options@2c82fe4f|#]  From: Martin Gainty [mailto:mgainty@hotmail.com]

Sent: Wednesday, November 26, 2014 12:09 PM
To: java-user@axis.apache.org; Scott Selvia
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing 1)DTDs not been supported
by axis for at least 10 years and any/all attempts to implement DTDs will
fubar your axis default installation
you *can* install your own incoming/outgoing message receivers in the messageReceivers in
axis2.xml
  <messageReceivers>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only"
                         class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
                         class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-only"
                         class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-out"
                         class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
    </messageReceivers>
if for any reason you want to accomodate a different content-type then add that messageFormatter
here in axis2.xml
  <messageFormatters>
        <messageFormatter contentType="application/x-www-form-urlencoded"
                         class="org.apache.axis2.transport.http.XFormURLEncodedFormatter"/>
        <messageFormatter contentType="multipart/form-data"
                         class="org.apache.axis2.transport.http.MultipartFormDataFormatter"/>
        <messageFormatter contentType="application/xml"
                         class="org.apache.axis2.transport.http.ApplicationXMLFormatter"/>
        <messageFormatter contentType="text/xml"
                         class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
        <messageFormatter contentType="application/soap+xml"
                         class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
    </messageFormatters>
2)if your concern is MIM attack by someone sharking the line
look into encrypting/decrypting your messages with Rampart Security module (i like bouncycastle
security provider)
http://axis.apache.org/axis2/java/rampart/download/1.6.2/download.cgi

OWASP Testing guideline might prove useful:
https://www.owasp.org/index.php/Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)

Personal Note; when working at the bank use of search engines was banned..now i know why

Happy Thanksgiving All
Martin
______________________________________________                                           
                                                       

Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date: Wed, 26 Nov 2014 10:40:40 -0500
From: sselvia@datamentors.com
To: java-user@axis.apache.orgBrando, It is our service so we have access to the service code,
what I’m not getting is catching the exception.  Can you point me to some examples? Thanks,
Scott From: Arguello, Brando [mailto:Brando.Arguello@gdc4s.com] 
Sent: Wednesday, November 26, 2014 10:31 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing Scott, If you have
access to the service one option is..On the service side, catch the exception, extract the
information you need and return an object so it goes through the regular “OutFlow” phase
instead of the “FaultFlow” If you don’t have access to the service ..Can you add a handler
on the “InFlow” phase of your client to intercept the response and  filter out the leakage
and then proceed to your client? Regards.-brando From: Scott Selvia [mailto:sselvia@datamentors.com]

Sent: Wednesday, November 26, 2014 9:53 AM
To: java-user@axis.apache.org
Subject: How to Solve Axis2 Information Leakage from OWASP Testing We are running security
tests on our Axis2 1.6.2 web services.  It has been pointed out that we have an OWASP information
leakage and I’m trying to figure out how to solve this.  We intercept the SOAP request and
<?xml version=”1.0” encoding=”utf-8”?><!DOCTYPE foo [ to the request.  The
response generated is being flagged as an information leakage:  <soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException:
DOCTYPE is not allowed</faultstring> I’m trying to gather information to mitigate
the finding: 1.       Is the https://hostname/axis2/services/MyWebService?wsdl with the “axis2/services”
in the URL a problem and/or2.       Being able to capture the XMLStreamException and respond
with an appropriate non-descriptive message. How can we change the “axis2/services” endpoint?
Since we don’t even get the request in our code, how do we trap or override the request
coming into the web service engine?    		 	   		  
Mime
View raw message