OWASP Periodic Table of Vulnerabilities - Routing Detour
Root Cause Summary
This is a man in the middle type of attack, where (XML) content processors can be injected to route sensitive information to an attacker-controlled outside location. The attacker can modify the contents of the package and send it back to the original processor, unaware of the modifications.
Browser / Standards Solution
- Use SSL/TLS for connections between all trusted locations for confidentiality and mutual authentication.
- Provide configuration-based whitelist for WS Routing destinations.
Generic Framework Solution
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
This is actually a type of attack and not a vulnerability