Difference between revisions of "OWASP WS Amplification DoS Project"
(Created page with "=Main= Project Leader’s content goes here =Project About= {{:Projects/OWASP_WS_Amplification_DoS_Project}} Category:OWASP Project") |
|||
| Line 1: | Line 1: | ||
=Main= | =Main= | ||
Project Leader’s content goes here | Project Leader’s content goes here | ||
| − | + | ==WS-Addressing default behaviour== | |
| + | In order to get a grasp of the magnitude of this threat, it is necessary to be aware of the default configurations in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable it without the user specifying the need for it. Potentially creating a lot of web services that are unnecessarily prone to abuse. | ||
| + | ===Axis2=== | ||
| + | Axis2 enables WS-Addressing by default, as stated [http://axis.apache.org/axis2/java/core/modules/addressing/ here] | ||
| + | ===CXF=== | ||
| + | CXF supports WS-Addressing, but [http://cxf.apache.org/docs/ws-addressing.html explicit configuration] is required to enable it. | ||
| + | ===JAX-WS & Metro=== | ||
| + | Metro is based on the JAX-WS API. The [https://metro.java.net/1.4/docs/wsaddressing.html documentation] says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header. " | ||
| + | ===.NET Framework=== | ||
| + | .NET/WCF supports WS-Addressing, but the default behaviour on a RepyTo field is unclear. More information is welcome! | ||
=Project About= | =Project About= | ||
{{:Projects/OWASP_WS_Amplification_DoS_Project}} | {{:Projects/OWASP_WS_Amplification_DoS_Project}} | ||
[[Category:OWASP Project]] | [[Category:OWASP Project]] | ||
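Review bot: the added .NET Framework paragraph misspells the header name as "RepyTo"; it should read "ReplyTo" so the text matches the WS-Addressing element it refers to. In the added introduction, "enable it" has no antecedent in the paragraph and should name WS-Addressing, and the fragment "Potentially creating a lot of web services that are unnecessarily prone to abuse." should be joined to the sentence before it. The Axis2 line puts its link on the word "here"; descriptive link text would keep the reference meaningful when the page is rendered without links.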
Revision as of 14:30, 2 June 2013
Main
Project Leader’s content goes here
WS-Addressing default behaviour
To gauge the magnitude of this threat, it is necessary to know the default configurations of the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable WS-Addressing without the user specifying the need for it, potentially creating a lot of web services that are unnecessarily prone to abuse.
Axis2
Axis2 enables WS-Addressing by default, as stated in the addressing module documentation (http://axis.apache.org/axis2/java/core/modules/addressing/).
CXF
CXF supports WS-Addressing, but explicit configuration (http://cxf.apache.org/docs/ws-addressing.html) is required to enable it.
JAX-WS & Metro
Metro is based on the JAX-WS API. The documentation (https://metro.java.net/1.4/docs/wsaddressing.html) says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header."
.NET Framework
.NET/WCF supports WS-Addressing, but the default behaviour on a ReplyTo field is unclear. More information is welcome!
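Where a framework engages WS-Addressing by default, a service owner can check inbound requests for reply endpoints that point away from the requester's own connection. The following is an added example, not code from the OWASP project or from any of the frameworks above; the function name, the action URN and the hosts in the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",        # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")          # SOAP 1.2
WSA_NS = ("http://www.w3.org/2005/08/addressing",              # WS-Addressing 1.0
          "http://schemas.xmlsoap.org/ws/2004/08/addressing")  # 2004/08 submission
# Addresses that keep the reply on the requester's own connection, or suppress it.
LOCAL = {"http://www.w3.org/2005/08/addressing/anonymous",
         "http://www.w3.org/2005/08/addressing/none",
         "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous"}


def redirected_endpoints(soap_bytes):
    """Return [(header, address)] for each ReplyTo/FaultTo that names another host."""
    # SOAP forbids DTDs; reject before parsing (byte check assumes UTF-8/ASCII input).
    if b"<!DOCTYPE" in soap_bytes:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(soap_bytes)
    findings = []
    for soap_ns in SOAP_NS:
        for header in root.findall("{%s}Header" % soap_ns):
            for block in header:
                ns, _, local = block.tag.lstrip("{").partition("}")
                if ns not in WSA_NS or local not in ("ReplyTo", "FaultTo"):
                    continue
                address = (block.findtext("{%s}Address" % ns) or "").strip()
                if address and address not in LOCAL:
                    findings.append((local, address))
    return findings


# Constructed sample requests (hypothetical service and hosts).
ENVELOPE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:wsa="http://www.w3.org/2005/08/addressing"><s:Header>'
            '<wsa:Action>urn:example:getReport</wsa:Action>'
            '<wsa:ReplyTo><wsa:Address>%s</wsa:Address></wsa:ReplyTo>'
            '</s:Header><s:Body/></s:Envelope>')
REDIRECTED = (ENVELOPE % "http://third-party.example/inbox").encode()
SAME_CONNECTION = (ENVELOPE % "http://www.w3.org/2005/08/addressing/anonymous").encode()

if __name__ == "__main__":
    for name, msg in (("redirected", REDIRECTED), ("same-connection", SAME_CONNECTION)):
        print(name, redirected_endpoints(msg))
```

A non-empty result marks a request that a gateway or handler can reject or log before the framework acts on the addressing headers.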
Project About