ws-dev mailing list archives

From "Marco Stettler (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WSS-465) Possible information leak: incremental IDs
Date Wed, 17 Jul 2013 08:50:52 GMT
Marco Stettler created WSS-465:
----------------------------------

             Summary: Possible information leak: incremental IDs
                 Key: WSS-465
                 URL: https://issues.apache.org/jira/browse/WSS-465
             Project: WSS4J
          Issue Type: Improvement
          Components: WSS4J Core
    Affects Versions: 1.6.9
         Environment: CXF 2.7.3, XMLsec 1.5.3
            Reporter: Marco Stettler
            Assignee: Colm O hEigeartaigh


We had a security audit, and one of the points listed is as follows:

The "Signature ID" and "Reference URI ID" are incremental. From this fact it can be deduced
whether and how much the service is being used. If the number varies only minimally, the service
is hardly used during the observed time. However, if the number rises noticeably within a short time,
the service is already under load. At such a time a DoS attack, for example, would achieve a
particularly infuriating effect.

Couldn't these IDs be randomized? Or incremented per request (not "static" in the VM)?

What I saw in the code is that there is already an interface "WsuIdAllocator", with an anonymous
implementation in the class "WSSConfig". But there is no proper way to override this implementation,
as the extension point is missing (or I'm missing it :).
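The following is an added illustration, not code from the report or from WSS4J itself. It puts a counter-based allocator (the behaviour the audit flagged) next to a SecureRandom-based one, and shows why two IDs observed at different times leak the number of IDs issued in between in the first case and nothing in the second. The `IdAllocator` interface here is an assumed stand-in for the two-method shape of WSS4J's `WsuIdAllocator` (`createId` / `createSecureId`, each taking a prefix and a context object); check the real interface and the `WSSConfig` wiring in your version before reusing it. The prefix `SIG-` and the 138 intervening allocations are constructed values.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

// Assumed stand-in for WSS4J's WsuIdAllocator (hypothetical name, same two-method shape).
interface IdAllocator {
    String createId(String prefix, Object o);
    String createSecureId(String prefix, Object o);
}

/** Counter-based allocator: one JVM-wide counter, so IDs reveal how many were issued. */
final class IncrementalIdAllocator implements IdAllocator {
    private final AtomicLong counter = new AtomicLong();

    public String createId(String prefix, Object o) {
        // "_" keeps the result a valid XML ID (must not start with a digit).
        return (prefix == null ? "_" : prefix) + counter.incrementAndGet();
    }

    public String createSecureId(String prefix, Object o) {
        return createId(prefix, o);
    }
}

/** Random allocator: 128 bits from SecureRandom, hex-encoded, so IDs carry no ordering or count. */
final class RandomIdAllocator implements IdAllocator {
    private final SecureRandom random = new SecureRandom();

    public String createId(String prefix, Object o) {
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        StringBuilder sb = new StringBuilder(prefix == null ? "_" : prefix);
        for (byte b : buf) {
            sb.append(String.format("%02x", b)); // hex keeps the ID a valid NCName
        }
        return sb.toString();
    }

    public String createSecureId(String prefix, Object o) {
        return createId(prefix, o);
    }
}

public class WsuIdAllocatorDemo {
    /** Returns the trailing decimal counter of an incremental ID, or -1 if there is none. */
    static long trailingCounter(String id) {
        int i = id.length();
        while (i > 0 && Character.isDigit(id.charAt(i - 1))) {
            i--;
        }
        return i == id.length() ? -1 : Long.parseLong(id.substring(i));
    }

    public static void main(String[] args) {
        IdAllocator incremental = new IncrementalIdAllocator();
        IdAllocator random = new RandomIdAllocator();

        // Constructed scenario: an outside party sees one signed response now and one later;
        // the 138 allocations in between stand for other callers' traffic.
        String first = incremental.createId("SIG-", null);
        for (int i = 0; i < 138; i++) {
            incremental.createId("SIG-", null);
        }
        String later = incremental.createId("SIG-", null);
        long inferred = trailingCounter(later) - trailingCounter(first) - 1;
        System.out.println("incremental: " + first + " ... " + later
                + " -> " + inferred + " IDs issued in between (load is observable)");

        String r1 = random.createId("SIG-", null);
        for (int i = 0; i < 138; i++) {
            random.createId("SIG-", null);
        }
        String r2 = random.createId("SIG-", null);
        System.out.println("random:      " + r1 + " ... " + r2
                + " -> no counter to compare; load is not observable from the IDs");
    }
}
```

Compile and run as `WsuIdAllocatorDemo.java`. Uniqueness within one document is all the wsu:Id needs, so 128 random bits are more than enough, and a per-request counter (the reporter's second suggestion) would also work as long as it is not shared across the whole JVM.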


