sion/
). Anyway, these attacks will be undertaken after studying the message structure and the response.
• It's also not as rare as you might think (yes, it sounds unbelievable) that the XML digital signature cannot be strictly enforced by a contract's WS-Policy. This could happen during the transition period, when some migrating consumers are not ready to be fully compliant with the declared policy. So, all the XML ds: nodes containing the following code can be easily stripped by the attacker and a message will still be accepted:

    <SignatureValue>
    WkZUJAJ/0QNqzQvwne2vvy8U5Pck8ZZ5UTa6pIwR7GE+OoGi6A1kyw==
    </SignatureValue>
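The defensive counterpart to the stripping scenario above is a gate that refuses any inbound envelope whose ds:Signature subtree (or its SignatureValue text) is missing, regardless of which consumer sent it. The following Java class is an added example written for this page, not code from the book or from any vendor's WS-Security runtime; it only checks presence, cryptographic validation remains the job of the real security stack, and the two envelopes in main are constructed samples (the base64 value is the one quoted in the text, the SOAP body element getBalance is invented).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Added example (not from the book): reject a SOAP message whose
 * ds:Signature / ds:SignatureValue has been stripped. Presence check only;
 * the WS-Security runtime still has to verify the signature itself.
 */
public class SignaturePresenceGate {

    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    /** True only if the envelope carries a non-empty ds:SignatureValue. */
    public static boolean hasSignature(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Hardening for an inbound parser: no DOCTYPE, hence no external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(
            new ByteArrayInputStream(soapXml.getBytes(StandardCharsets.UTF_8)));

        // Look the element up by namespace, not by prefix: the attacker controls prefixes.
        NodeList values = doc.getElementsByTagNameNS(DSIG_NS, "SignatureValue");
        if (values.getLength() == 0) {
            return false;                      // whole ds:Signature subtree removed
        }
        String value = values.item(0).getTextContent().trim();
        return !value.isEmpty();               // element kept but emptied also fails
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a signed request (wsse:Security wrapper omitted for brevity).
        String signed =
            "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\" xmlns:ds=\"" + DSIG_NS + "\">"
          + "<soap:Header><ds:Signature><ds:SignedInfo/>"
          + "<ds:SignatureValue>WkZUJAJ/0QNqzQvwne2vvy8U5Pck8ZZ5UTa6pIwR7GE+OoGi6A1kyw=="
          + "</ds:SignatureValue></ds:Signature></soap:Header>"
          + "<soap:Body><getBalance/></soap:Body></soap:Envelope>";
        // Constructed sample: the same message with the ds:Signature subtree stripped.
        String stripped =
            "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\">"
          + "<soap:Header/><soap:Body><getBalance/></soap:Body></soap:Envelope>";

        System.out.println("signed   -> " + (hasSignature(signed) ? "ACCEPT" : "REJECT"));
        System.out.println("stripped -> " + (hasSignature(stripped) ? "ACCEPT" : "REJECT"));
    }
}
```

Run it with `javac SignaturePresenceGate.java && java SignaturePresenceGate`; the signed envelope prints ACCEPT and the stripped one REJECT. The lookup is deliberately by namespace URI rather than by the `ds:` prefix, because a sender is free to choose any prefix and a check keyed on prefix text is trivially bypassed.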
The important thing is that whatever hacking technique is employed by the attacker, the
initial step is always the same: gather as much information from your service response
message as possible. Your Error Handler is the major supplier of this information.
Regarding the following vulnerability list, feel free to use your own labels (alphanumerical codes) for all kinds of vulnerabilities. As you go further, you will need them as flags to mark potential weaknesses on the technical infrastructure map.
Information leakage
The vulnerability code for information leakage is EH01. Take a look at the common catch block:
    catch (Exception ex) {
        ex.printStackTrace();    // full stack trace (classes, paths, line numbers) to stderr
        System.out.println(ex);  // exception class and message to stdout
    }
What is good for the logfile in a Dev or JIT environment is a disaster in production and
definitely should be avoided in a SOAP error response.
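To make the contrast concrete, the following Java class is an added example written for this page, not code from the book: leakyFault shows what a client sees when the output of a catch block like the one above is copied into the SOAP fault, and safeFault shows the EH01-safe alternative, which logs the full detail server-side under a correlation id and returns only a generic faultstring carrying that id. The class name, the method names and the backend error text in main are invented for the example.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (not from the book): mapping an internal exception to a
 * SOAP 1.1 fault with and without EH01-type information leakage.
 */
public class SoapFaultMapper {

    private static final Logger LOG = Logger.getLogger(SoapFaultMapper.class.getName());
    private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    /** Anti-pattern: exception text and stack trace copied into the fault. */
    public static String leakyFault(Exception ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        return fault("Server", ex.toString(), sw.toString());
    }

    /** Safe variant: generic message for the client, full detail only in the server log. */
    public static String safeFault(Exception ex) {
        String correlationId = UUID.randomUUID().toString();
        // Class names, file paths and line numbers stay on the server side.
        LOG.log(Level.SEVERE, "fault " + correlationId, ex);
        return fault("Server", "Internal error. Reference: " + correlationId, null);
    }

    /** Minimal SOAP 1.1 fault; all text is escaped so it cannot alter the XML. */
    static String fault(String code, String text, String detail) {
        StringBuilder sb = new StringBuilder();
        sb.append("<soap:Envelope xmlns:soap=\"").append(SOAP_NS).append("\">")
          .append("<soap:Body><soap:Fault>")
          .append("<faultcode>soap:").append(code).append("</faultcode>")
          .append("<faultstring>").append(escape(text)).append("</faultstring>");
        if (detail != null) {
            sb.append("<detail><stackTrace>").append(escape(detail))
              .append("</stackTrace></detail>");
        }
        sb.append("</soap:Fault></soap:Body></soap:Envelope>");
        return sb.toString();
    }

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        Exception ex;
        try {
            // Constructed failure standing in for a real backend error.
            throw new IllegalStateException("connection to backend host db01 refused");
        } catch (IllegalStateException e) {
            ex = e;
        }
        System.out.println("Leaky fault:\n" + leakyFault(ex));
        System.out.println("\nSafe fault:\n" + safeFault(ex));
    }
}
```

The leaky output hands the attacker the exception class, the internal host name and every frame of the call path; the safe output gives the client nothing but a reference it can quote to support, while the operator can still find the full trace in the log by that id.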
Missing error handling
The vulnerability code for missing error handling is EH02.
Standard HTTP response codes 4XX (Unauthorized, Bad Request, Forbidden, Not Found,
Method Not Allowed, and so on) are quite often employed in REST-based APIs. Firstly,