Marco Stettler created WSS-465:
----------------------------------
Summary: Possible information leak: incremental IDs
Key: WSS-465
URL: https://issues.apache.org/jira/browse/WSS-465
Project: WSS4J
Issue Type: Improvement
Components: WSS4J Core
Affects Versions: 1.6.9
Environment: CXF 2.7.3, XMLsec 1.5.3
Reporter: Marco Stettler
Assignee: Colm O hEigeartaigh
We had a security audit, and one of the points listed is as follows:
The "Signature ID" and "Reference URI ID" are incremental. From this fact it
can be deduced whether and how much the service is being used. If the number varies
only minimally, the service is hardly used during the observed time. However, if the
number rises noticeably within a short time, the service is already under
load. At such a time a DoS attack, for example, would achieve a particularly
infuriating effect.
Couldn't these IDs be randomized? Or incremented per request (not "static" in the
VM)?
What I saw in the code is that there is already an interface "WsuIdAllocator",
with an anonymous implementation in the class "WSSConfig". But there is no proper
way to override this implementation, as the extension point is missing (or I'm
missing it :).
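A randomized allocator of the kind the report asks for, written here as an added example; it is not code from WSS4J or from the reporter. It assumes the WSS4J 1.6.x interface org.apache.ws.security.WsuIdAllocator with the two methods createId(String, Object) and createSecureId(String, Object). How such an allocator gets plugged into WSSConfig depends on the extension point the report says is missing, so the wiring is left out.

```java
import java.security.SecureRandom;

import org.apache.ws.security.WsuIdAllocator;

/**
 * Added example, not WSS4J code: allocates wsu:Id values from SecureRandom
 * instead of a JVM-wide counter, so two messages captured minutes apart
 * reveal nothing about how many messages were signed in between.
 *
 * Assumes the WSS4J 1.6.x interface org.apache.ws.security.WsuIdAllocator
 * with createId(String, Object) and createSecureId(String, Object).
 */
public final class RandomWsuIdAllocator implements WsuIdAllocator {

    /** 128 random bits per id: collisions within one document are negligible. */
    private static final int RANDOM_BYTES = 16;
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** SecureRandom is thread-safe, so one instance can serve all threads. */
    private final SecureRandom random = new SecureRandom();

    @Override
    public String createId(String prefix, Object o) {
        // wsu:Id is an xsd:ID, i.e. an NCName: it must not start with a digit
        // and must not contain ':'. A hex suffix after a safe prefix satisfies
        // that; a caller-supplied prefix is expected to be NCName-safe itself.
        String p = (prefix == null || prefix.isEmpty()) ? "_" : prefix;
        return p + randomHex();
    }

    @Override
    public String createSecureId(String prefix, Object o) {
        // Same construction: the "secure" variant gains nothing from a counter either.
        return createId(prefix, o);
    }

    private String randomHex() {
        byte[] buf = new byte[RANDOM_BYTES];
        random.nextBytes(buf);
        char[] out = new char[buf.length * 2];
        for (int i = 0; i < buf.length; i++) {
            out[2 * i] = HEX[(buf[i] >> 4) & 0x0f];
            out[2 * i + 1] = HEX[buf[i] & 0x0f];
        }
        return new String(out);
    }

    /** Quick check that consecutive ids carry no ordering information. */
    public static void main(String[] args) {
        WsuIdAllocator alloc = new RandomWsuIdAllocator();
        String a = alloc.createId("SIG-", null);
        String b = alloc.createId("SIG-", null);
        System.out.println(a);
        System.out.println(b);
        if (a.equals(b)) {
            throw new IllegalStateException("random ids must not repeat");
        }
    }
}
```

The design point is that the allocator keeps no state that advances per message: there is nothing for an observer to difference between two captured signatures. The underscore fallback and the hex alphabet exist only because wsu:Id is an xsd:ID and therefore has to be a valid NCName; the "-" in a prefix such as "SIG-" is allowed there as a non-leading character.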