[prev in list] [next in list] [prev in thread] [next in thread]
List: axis-user
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
From: Martin Gainty <mgainty () hotmail ! com>
Date: 2014-11-26 20:13:36
Message-ID: BLU172-W1443887B1AA45E5AA46E04AE700 () phx ! gbl
[Download RAW message or body]
AXIS-2.1.5 wsdl2java (bat/sh) will handle which XMLReader you will implement.. here is the doc:

org.apache.axis2.wsdl.WSDL2Java --help
Usage: WSDL2Java [options] -uri <url or path> : A url or path to a WSDL

where [options] include:
  -o <path>                Specify a directory path for the generated code.
  -a                       Generate async style code only (Default: off).
  -s                       Generate sync style code only (Default: off). Takes precedence over -a.
  -p <pkg1>                Specify a custom package name for the generated code.
  -l <language>            Valid languages are java and c (Default: java).
  -t                       Generate a test case for the generated code.
  -ss                      Generate server side code (i.e. skeletons) (Default: off).
  -sd                      Generate service descriptor (i.e. services.xml). (Default: off). Valid with -ss.
  -d <databinding>         Valid databinding(s) are adb, xmlbeans, jibx and jaxbri (Default: adb).
  -g                       Generates all the classes. Valid only with -ss.
  -pn <port_name>          Choose a specific port when there are multiple ports in the wsdl.
  -sn <service_name>       Choose a specific service when there are multiple services in the wsdl.
  -u                       Unpacks the databinding classes
  -r <path>                Specify a repository against which code is generated.
  -ns2p ns1=pkg1,ns2=pkg2  Specify a custom package name for each namespace specified in the wsdls schema.
  -ssi                     Generate an interface for the service implementation (Default: off).
  -wv <version>            WSDL Version. Valid Options : 2, 2.0, 1.1
  -S <path>                Specify a directory path for generated source
  -R <path>                Specify a directory path for generated resources
  -em <file path>          Specify an external mapping file
  -f                       Flattens the generated files
  -uw                      Switch on un-wrapping.
  -xsdconfig <file path>   Use XMLBeans .xsdconfig file. Valid only with -d xmlbeans.
  -ap                      Generate code for all ports
  -or                      Overwrite the existing classes
  -b                       Generate Axis 1.x backward compatible code.
  -sp                      Suppress namespace prefixes (Optimization that reduces size of soap request/response)
  -E<key> <value>          Extra configuration options specific to certain databindings. Examples:
      -Ebindingfile <path>                    (for jibx) - specify the file path for the binding file
      -Etypesystemname <my_type_system_name>  (for xmlbeans) - override the randomly generated type system name
      -Ejavaversion 1.5                       (for xmlbeans) - generates Java 1.5 code (typed lists instead of arrays)
      -Emp <package name>                     (for ADB) - extension mapper package name
      -Eosv                                   (for ADB) - turn off strict validation.
      -Ewdc                                   (for xmlbeans) - Generate code with a dummy schema. If someone uses this option
                                              they have to generate the xmlbeans code separately with the scomp command that comes
                                              with the xmlbeans distribution and replace the Axis2 generated classes with the correct classes
  --noBuildXML             Don't generate the build.xml in the output directory
  --noWSDL                 Don't generate WSDLs in the resources directory
  --noMessageReceiver      Don't generate a MessageReceiver in the generated sources
  --http-proxy-host <host> Proxy host address if you are behind a firewall
  --http-proxy-port <port> Proxy port address if you are behind a firewall
  -ep <package-name-list>  Exclude packages - these packages are deleted after code generation
  -sin <interface-name>    Skeleton interface name - used to specify a name for the skeleton interface other than the default one
  -scn <class-name>        Skeleton class name - used to specify a name for the skeleton class other than the default one
  -EbindingFileName <path> (for jaxbri) - specify the file path for the episode file
  -oaa <override-absolute-address>  - change the absolute http addresses to local file addresses generated by the wsdl2java tool
  -ebc <exception-base-class>       - generated Exceptions are inherited from this exception rather than the java.lang.Exception class
  -uon <use-operation-name>         - by default the first letter of the generated method name is changed to lowercase.
                                      This option stops that and makes it the same as the operation name

Use the default style of adb; the stubs, service and client and build.xml will be generated for you afterwards.
Martin Gainty
______________________________________________
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date: Wed, 26 Nov 2014 14:06:04 -0500
From: sselvia@datamentors.com
To: mgainty@hotmail.com; java-user@axis.apache.org
Martin,

I've enabled DEBUG logging for Axis2, I can see the DOCTYPE is not allowed. So as you suggest, I need to create my own message listener to trap this AxisFault with the XMLStreamReader?

Thanks,
Scott

[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] setAction New action is (urn:helloMethod)|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] createSOAPEnvelope using Builder (class org.apache.axis2.builder.SOAPBuilder) selected from type (application/soap+xml)|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] char set encoding set from default =UTF-8|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] XMLStreamReader is org.apache.axiom.util.stax.dialect.WoodstoxStreamReaderWrapper|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] org.apache.axis2.AxisFault: javax.xml.stream.XMLStreamException: DOCTYPE is not allowed|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] [MessageContext: logID=6812b93b1f449a0693d713277a06a0c1e690df9694ec910a] isFaultRedirected: FaultTo is null. Returning isReplyRedirected|#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] [MessageContext: logID=6812b93b1f449a0693d713277a06a0c1e690df9694ec910a] isReplyRedirected: ReplyTo is null. Returning false|#]
[#|2014-11-26T12:59:39.049-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] getAction (null) from org.apache.axis2.client.Options@2c82fe4f|#]

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Wednesday, November 26, 2014 12:09 PM
To: java-user@axis.apache.org; Scott Selvia
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

1) DTDs have not been supported by Axis for at least 10 years, and any/all attempts to implement DTDs will fubar your Axis default installation.
You *can* install your own incoming/outgoing message receivers in the messageReceivers in axis2.xml:

    <messageReceivers>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only"
                         class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
                         class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-only"
                         class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-out"
                         class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
    </messageReceivers>

If for any reason you want to accommodate a different content-type, then add that messageFormatter here in axis2.xml:

    <messageFormatters>
        <messageFormatter contentType="application/x-www-form-urlencoded"
                          class="org.apache.axis2.transport.http.XFormURLEncodedFormatter"/>
        <messageFormatter contentType="multipart/form-data"
                          class="org.apache.axis2.transport.http.MultipartFormDataFormatter"/>
        <messageFormatter contentType="application/xml"
                          class="org.apache.axis2.transport.http.ApplicationXMLFormatter"/>
        <messageFormatter contentType="text/xml"
                          class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
        <messageFormatter contentType="application/soap+xml"
                          class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
    </messageFormatters>

2) If your concern is a MIM attack by someone sharking the line, look into encrypting/decrypting your messages with the Rampart Security module (I like the bouncycastle security provider):
http://axis.apache.org/axis2/java/rampart/download/1.6.2/download.cgi

The OWASP Testing guideline might prove useful:
https://www.owasp.org/index.php/Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)

Personal note; when working at the bank, use of search engines was banned.. now I know why.

Happy Thanksgiving All
Martin
______________________________________________
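The receivers listed above are dispatch targets for messages that parsed successfully; the fault in Scott's DEBUG log is raised while Axiom builds the envelope, before any receiver or service code runs, so the place to change what the client sees is the fault's way out of the engine. What follows is an added example, not code from this thread or from the Axis2 project: a handler for Axis2's global OutFaultFlow that replaces the fault reason with a fixed string and drops the detail element, logging the real cause server-side so nothing diagnostic is lost. The package name, the handler name and the "MessageOut" phase used in the registration comment are assumptions; the Axis2/Axiom classes are the 1.6.x APIs. The DOCTYPE rejection itself is left in place, since that is the control that stops XXE and entity-expansion payloads; only the wording of the fault changes.

```java
package com.example.axis2.security;   // assumed package; pick your own

import java.util.Iterator;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPBody;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFault;
import org.apache.axiom.soap.SOAPFaultDetail;
import org.apache.axiom.soap.SOAPFaultReason;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Added example (not Axis2 project code): rewrites outgoing SOAP faults so the client
 * receives a fixed reason and no detail element, while the real cause is logged server-side.
 *
 * Registration in axis2.xml, on the global OutFaultFlow (the "MessageOut" phase name is
 * an assumption; use whatever phase your phaseOrder declares):
 *
 *   <phaseOrder type="OutFaultFlow">
 *       ...
 *       <phase name="MessageOut">
 *           <handler name="FaultSanitizer"
 *                    class="com.example.axis2.security.FaultSanitizerHandler"/>
 *       </phase>
 *   </phaseOrder>
 */
public class FaultSanitizerHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(FaultSanitizerHandler.class);

    /** The only reason text a client ever sees. */
    static final String GENERIC_REASON = "The request could not be processed.";

    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope envelope = msgContext.getEnvelope();
        if (envelope == null) {
            return InvocationResponse.CONTINUE;
        }
        SOAPBody body = envelope.getBody();
        if (body == null || !body.hasFault()) {
            return InvocationResponse.CONTINUE;   // not a fault, nothing to scrub
        }
        SOAPFault fault = body.getFault();

        SOAPFaultReason reason = fault.getReason();
        String original = reason == null ? "(no reason element)" : rewriteReason(reason);

        // <detail> is where Axis2 puts stack traces when sendStacktraceDetailsWithFaults is on;
        // drop it outright rather than trying to filter it.
        SOAPFaultDetail detail = fault.getDetail();
        if (detail != null) {
            detail.detach();
        }

        // Keep the diagnostic value: the operator sees the real cause, the client does not.
        log.warn("Sanitized outgoing SOAP fault; original reason was: " + original);
        return InvocationResponse.CONTINUE;
    }

    /**
     * SOAP 1.1 keeps the text directly in <faultstring>; SOAP 1.2 wraps one <Text xml:lang>
     * per language inside <Reason>. Rewriting each Text child keeps a 1.2 envelope valid
     * instead of collapsing Reason to a bare string. Returns the text that was replaced.
     */
    private static String rewriteReason(SOAPFaultReason reason) {
        StringBuilder original = new StringBuilder(reason.getText());
        boolean hadTextChildren = false;
        for (Iterator<?> it = reason.getChildElements(); it.hasNext();) {
            OMElement text = (OMElement) it.next();
            original.append(text.getText());
            text.setText(GENERIC_REASON);
            hadTextChildren = true;
        }
        if (!hadTextChildren) {
            reason.setText(GENERIC_REASON);
        }
        return original.toString();
    }
}
```

Two checks before closing the finding. First, whether a parse failure that happens before dispatch actually passes through the global OutFaultFlow depends on the transport in use, so re-send the DOCTYPE probe with DEBUG logging on, as Scott did, and confirm the faultstring on the wire no longer names the exception class. Second, the axis2.xml parameters sendStacktraceDetailsWithFaults and DrillDownToRootCauseForFaultReason govern what Axis2 puts into a fault by default and belong at false in production, but neither strips the exception class from the reason text, which is why the handler is needed at all. Faults raised inside service code, the case Brando describes, can be built with a generic message directly; the handler covers the faults that service code never gets to see.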
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date: Wed, 26 Nov 2014 10:40:40 -0500
From: sselvia@datamentors.com
To: java-user@axis.apache.org

Brando,

It is our service so we have access to the service code; what I'm not getting is catching the exception. Can you point me to some examples?

Thanks,
Scott

From: Arguello, Brando [mailto:Brando.Arguello@gdc4s.com]
Sent: Wednesday, November 26, 2014 10:31 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

Scott,

If you have access to the service, one option is.. on the service side, catch the exception, extract the information you need and return an object so it goes through the regular "OutFlow" phase instead of the "FaultFlow". If you don't have access to the service.. can you add a handler on the "InFlow" phase of your client to intercept the response and filter out the leakage, and then proceed to your client?

Regards.
-brando

From: Scott Selvia [mailto:sselvia@datamentors.com]
Sent: Wednesday, November 26, 2014 9:53 AM
To: java-user@axis.apache.org
Subject: How to Solve Axis2 Information Leakage from OWASP Testing

We are running security tests on our Axis2 1.6.2 web services. It has been pointed out that we have an OWASP information leakage and I'm trying to figure out how to solve this. We intercept the SOAP request and add

    <?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [

to the request. The response generated is being flagged as an information leakage:

    <soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException: DOCTYPE is not allowed</faultstring>

I'm trying to gather information to mitigate the finding:
1. Is the https://hostname/axis2/services/MyWebService?wsdl with the "axis2/services" in the URL a problem, and/or
2. Being able to capture the XMLStreamException and respond with an appropriate non-descriptive message.

How can we change the "axis2/services" endpoint? Since we don't even get the request in our code, how do we trap or override the request coming into the web service engine?
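The probe and the flagged response Scott describes can be turned into a repeatable check, so the fix is verified against captured traffic rather than by eye. The following is an added example, not code from the thread or from Axis2: it parses a SOAP 1.1 or 1.2 fault with a DOM parser that itself refuses DOCTYPE and external entities (the checker must not be the XXE-prone component), and reports any Java class names, stack frames or non-empty detail elements that reach the client. The sample responses are constructed for the example; the first mirrors the faultstring quoted above, the other two are invented to exercise the SOAP 1.2 and detail paths. The package prefixes in the regular expression are a starting list and an assumption about what counts as internal in this deployment.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Added example: flags implementation details leaking through SOAP faults.
 * Handles SOAP 1.1 (faultstring/detail, unqualified) and SOAP 1.2 (Reason/Detail, qualified).
 */
public final class SoapFaultLeakCheck {

    /** Java class names, stack frames and chained-cause markers in client-visible text. */
    private static final Pattern INTERNALS = Pattern.compile(
            "\\b(?:java|javax|org\\.apache|com\\.sun|sun)\\.[\\w$]+(?:\\.[\\w$]+)+"
            + "|\\bat [\\w$.]+\\([\\w$.]*:\\d+\\)"
            + "|\\bCaused by:");

    public static List<String> findLeaks(String soapResponse) throws Exception {
        Document doc = secureBuilder().parse(
                new ByteArrayInputStream(soapResponse.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<String>();
        NodeList faults = doc.getElementsByTagNameNS("*", "Fault");
        for (int i = 0; i < faults.getLength(); i++) {
            for (Node n = faults.item(i).getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n.getNodeType() != Node.ELEMENT_NODE) {
                    continue;
                }
                String local = n.getLocalName();
                boolean isDetail = "detail".equals(local) || "Detail".equals(local);
                boolean isReason = "faultstring".equals(local) || "Reason".equals(local);
                if (!isDetail && !isReason) {
                    continue;
                }
                String text = n.getTextContent();
                if (isDetail && text.trim().length() > 0) {
                    // Axis2 puts stack traces here when sendStacktraceDetailsWithFaults is on.
                    findings.add(local + ": non-empty detail element");
                }
                Matcher m = INTERNALS.matcher(text);
                while (m.find()) {
                    findings.add(local + ": " + m.group());
                }
            }
        }
        return findings;
    }

    /** DOM parser that refuses DOCTYPE and external entities, like the service under test. */
    private static DocumentBuilder secureBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        String soap11 = "http://schemas.xmlsoap.org/soap/envelope/";
        String soap12 = "http://www.w3.org/2003/05/soap-envelope";
        // Constructed samples. The first mirrors the faultstring flagged by the scan.
        String leaky11 = "<soapenv:Envelope xmlns:soapenv=\"" + soap11 + "\"><soapenv:Body>"
                + "<soapenv:Fault><faultcode></faultcode><faultstring>"
                + "javax.xml.stream.XMLStreamException: DOCTYPE is not allowed"
                + "</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>";
        // Invented: generic reason text, but a detail element carrying a trace.
        String leaky12 = "<env:Envelope xmlns:env=\"" + soap12 + "\"><env:Body><env:Fault>"
                + "<env:Code><env:Value>env:Sender</env:Value></env:Code>"
                + "<env:Reason><env:Text xml:lang=\"en\">Request rejected</env:Text></env:Reason>"
                + "<env:Detail><Exception>org.apache.axis2.AxisFault: boom\n"
                + "\tat com.example.HelloService.helloMethod(HelloService.java:42)</Exception>"
                + "</env:Detail></env:Fault></env:Body></env:Envelope>";
        // What the response should look like once the fault is sanitized.
        String clean = "<soapenv:Envelope xmlns:soapenv=\"" + soap11 + "\"><soapenv:Body>"
                + "<soapenv:Fault><faultcode>soapenv:Client</faultcode>"
                + "<faultstring>The request could not be processed.</faultstring>"
                + "</soapenv:Fault></soapenv:Body></soapenv:Envelope>";
        for (String sample : new String[] {leaky11, leaky12, clean}) {
            List<String> leaks = findLeaks(sample);
            System.out.println(leaks.isEmpty() ? "OK: no leak" : "LEAK: " + leaks);
        }
    }
}
```

Feed it the raw response bodies captured by the proxy used for the DOCTYPE probe; a fault that reports no findings for the probe, and for a request that triggers a genuine service-side exception, is the evidence to attach to the finding. The regular expression is deliberately broad: a faultstring that merely contains a package-qualified name tells an attacker which parser and framework sit behind the endpoint, which is the substance of the OWASP finding even when no stack trace is present.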