OWASP WS Amplification DoS Project
WS-Addressing default behaviour
To grasp the magnitude of this threat, it is necessary to know the default configurations of the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable WS-Addressing without the user asking for it, potentially creating a lot of web services that are unnecessarily prone to abuse.
Axis2
Axis2 enables WS-Addressing by default, as stated here
CXF
CXF supports WS-Addressing, but explicit configuration is required to enable it.
JAX-WS & Metro
Metro is based on the JAX-WS API. The documentation says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header."
.NET Framework
.NET/WCF supports WS-Addressing, but the default behaviour on a ReplyTo field is unclear. More information is welcome!