Difference between revisions of "Talk:OWASP WS Amplification DoS Project"
From OWASP
(→Confirmed on Axis2: new section) |
m (Added version specific commentary) |
||
| Line 4: | Line 4: | ||
I'll see if I can do some further work later this week. [[User:Rick.mitchell|Rick.mitchell]] ([[User talk:Rick.mitchell|talk]]) 03:59, 3 December 2013 (CST) | I'll see if I can do some further work later this week. [[User:Rick.mitchell|Rick.mitchell]] ([[User talk:Rick.mitchell|talk]]) 03:59, 3 December 2013 (CST) | ||
| + | |||
| + | : To be specific this was against Axis2 1.5.4. Though I doubt it makes much of a difference given what appears in the change logs for the latest versions (no updates lately, newest seems to be 1.5.6 which was released in Aug 2011) [[User:Rick.mitchell|Rick.mitchell]] ([[User talk:Rick.mitchell|talk]]) 02:53, 4 December 2013 (CST) | ||
Latest revision as of 08:53, 4 December 2013
Confirmed on Axis2
I've just done a Web Services VA of some components hosted via Axis2 and can confirm that I can use WS Amplification to DoS a third party by altering the wsa:Address within wsa:ReplyTo. Sadly I had limited options while testing so my box initiating the requests also had to be receiving them, but I can differentiate inbound vs outbound traffic and definitely see an inbound spike which without too much more effort could easily result in a DoS.
I'll see if I can do some further work later this week. Rick.mitchell (talk) 03:59, 3 December 2013 (CST)
- To be specific this was against Axis2 1.5.4. Though I doubt it makes much of a difference given what appears in the change logs for the latest versions (no updates lately, newest seems to be 1.5.6 which was released in Aug 2011) Rick.mitchell (talk) 02:53, 4 December 2013 (CST)
