This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP WS Amplification DoS Project"

Revision as of 14:33, 2 June 2013

Main

Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack (see http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack). It appears that SOAP web services that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper: http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf. The aim of the project is to develop tools to test for this vulnerability and to determine the magnitude of the threat on a global scale. If necessary, a publication covering awareness and countermeasures will follow.

WS-Addressing default behaviour

In order to get a grasp of the magnitude of this threat, it is necessary to be aware of the default configurations of the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable WS-Addressing without the user explicitly asking for it, potentially creating a large number of web services that are unnecessarily prone to abuse.

Axis2

Axis2 enables WS-Addressing by default, as stated here.

CXF

CXF supports WS-Addressing, but explicit configuration is required to enable it.

JAX-WS & Metro

Metro is based on the JAX-WS API. The documentation says: "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header."

.NET Framework

.NET/WCF supports WS-Addressing, but the default behaviour for the ReplyTo field is unclear. More information is welcome!
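The common thread in the framework notes above is that a service which honours a wsa:ReplyTo or wsa:FaultTo address chosen by the sender will push its response to that address, which is the reflection primitive the project is concerned with. The following is an added example, not code from the OWASP project or from any of the frameworks named above: a defender-side check that inspects the WS-Addressing headers of an inbound SOAP envelope and accepts the request only if every reply destination is absent, is the anonymous address (reply goes back over the same HTTP connection), or names a host on an explicit allow-list. It covers both the W3C 2005/08 and the 2004/08 WS-Addressing namespaces and both SOAP 1.1 and 1.2 envelopes; the sample envelopes and the hostnames in them are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The two WS-Addressing namespaces in common use, each mapped to the
# "anonymous" address it defines. Anonymous means "reply on the connection
# the request arrived on", so no third party can be made the recipient.
WSA_ANONYMOUS = {
    "http://www.w3.org/2005/08/addressing":
        "http://www.w3.org/2005/08/addressing/anonymous",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing":
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}
SOAP_ENVELOPE_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)
# Headers whose Address element tells the service where to send traffic.
REPLY_DESTINATIONS = ("ReplyTo", "FaultTo")


def check_addressing(envelope_xml, allowed_hosts=()):
    """Return (accept, reasons) for an inbound SOAP envelope.

    accept is True only when every wsa:ReplyTo / wsa:FaultTo header either is
    missing, carries the anonymous address, or points at a host listed in
    allowed_hosts. reasons lists each header that failed the policy.
    """
    # For untrusted input in production, parse with defusedxml instead.
    root = ET.fromstring(envelope_xml)

    header = None
    for ns in SOAP_ENVELOPE_NS:
        header = root.find("{%s}Header" % ns)
        if header is not None:
            break
    if header is None:
        return True, []  # no SOAP header, hence no addressing headers to abuse

    reasons = []
    for wsa_ns, anonymous in WSA_ANONYMOUS.items():
        for name in REPLY_DESTINATIONS:
            for epr in header.iter("{%s}%s" % (wsa_ns, name)):
                addr_el = epr.find("{%s}Address" % wsa_ns)
                address = (addr_el.text or "").strip() if addr_el is not None else ""
                if not address or address == anonymous:
                    continue  # absent or anonymous: response stays on this connection
                host = urlparse(address).hostname
                if host is not None and host in allowed_hosts:
                    continue  # explicitly trusted callback endpoint
                reasons.append("%s targets non-anonymous address %s" % (name, address))
    return not reasons, reasons


# Constructed sample: the reply goes back to the requester, which is safe.
SAFE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:echo</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body><echo>hi</echo></soap:Body>
</soap:Envelope>"""

# Constructed sample: both reply destinations name hosts other than the
# requester, so a service that honours them would reflect traffic there.
REFLECTING_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:echo</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://third-party.example/sink</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://callback.partner.example/faults</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body><echo>hi</echo></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for label, env in (("anonymous ReplyTo", SAFE_ENVELOPE),
                       ("third-party ReplyTo/FaultTo", REFLECTING_ENVELOPE)):
        accept, why = check_addressing(env)
        print(label, "->", "accept" if accept else "reject", why)
```

The check is meant to run before the framework's own WS-Addressing engagement, for example in a handler, interceptor or gateway rule in front of a service deployed on a framework that enables WS-Addressing by default. Rejecting (rather than silently rewriting) a non-anonymous ReplyTo also gives a log line that can be counted, which is a useful signal when estimating how often a given endpoint is probed in this way.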

Project About

Name: OWASP WS Amplification DoS Project (home page)
Purpose: The project aims to explore the threat of an Amplification DoS attack that utilises web services.
License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
Project Leader(s):
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts:
Current release: Not Yet Published
Last reviewed release: Not Yet Reviewed
Other releases: