Invalid Input passed in by the user for an input argument is reflected in the 
output when Axis throws the exception to the caller
---------------------------------------------------------------------------------------------------------------------------------

                 Key: AXIS-2868
                 URL: https://issues.apache.org/jira/browse/AXIS-2868
             Project: Axis
          Issue Type: Bug
          Components: Distribution
    Affects Versions: 1.4
         Environment: Any OS
            Reporter: Vijeya Aravindan


This issue was reported by our security team post audit and hence creating this 
ticket:

1) Our Soap service is layered on Axis and the stub and skeletons are auto 
generated by feeding the WSDL and XSD to Axis wsdl2java.
2) The Axis layer validates the type of the input parameter coming in as part 
of the request against the types defined in the XSD.
3) In this case, for a parameter defined as long in the xsd, the Security team 
passed in a String parameter. Axis threw a Java Number Format Exception as 
expected and the String parameter passed as the invalid input got reflected in 
the output response as part of this exception
4) The response in this case is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>For input string: 
"a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"</faultstring>
         <detail>
         java.lang.NumberFormatException: For input string: "invalid string: 
"a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"

The concern from our Security Team is that "This may lead to XSS attack if the 
consumer of the service does not perform output encoding". 

5) Since this validation is done by Axis Skeleton layer even before the call 
back comes to the user defined registered implementation, upon recommendation 
from our Security team, we request Axis team to sanitize this output to prevent 
the actual invalid string from appearing in the output response.

Thanks,
Vijey
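As an added example (not part of the report or of Axis), the check the security team's finding implies and the consumer-side mitigation it mentions: parse a SOAP 1.1 fault like the one above, test whether the raw argument value is reflected verbatim in faultstring or detail, and HTML-encode the faultstring before it reaches a page. The sample envelope and the submitted value are constructed to mirror the report; the function names are mine.

```python
import html
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample modelled on the fault in the report: the value rejected for a
# long-typed parameter comes back verbatim in both faultstring and detail.
SUBMITTED_VALUE = 'a="get";alert(1)<b>'
SAMPLE_FAULT = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server</faultcode>
      <faultstring>For input string: "{xml_escape(SUBMITTED_VALUE)}"</faultstring>
      <detail>java.lang.NumberFormatException: For input string: "{xml_escape(SUBMITTED_VALUE)}"</detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""


def parse_fault(xml_text):
    """Return (faultstring, detail text) for a SOAP 1.1 Fault, or None if not a fault."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    faultstring = fault.findtext("faultstring") or ""
    detail_el = fault.find("detail")
    detail = "".join(detail_el.itertext()) if detail_el is not None else ""
    return faultstring, detail


def reflects_input(xml_text, submitted):
    """Audit check: does the caller's raw argument appear verbatim in the fault?"""
    parsed = parse_fault(xml_text)
    return parsed is not None and any(submitted in part for part in parsed)


def safe_fault_html(xml_text):
    """Consumer-side mitigation: output-encode the faultstring before rendering it in HTML."""
    parsed = parse_fault(xml_text)
    return html.escape(parsed[0]) if parsed else ""


def sanitized_faultstring(param_name, xsd_type):
    """Server-side shape of the fix the report asks for: name the field and expected
    type, never echo the rejected value."""
    return f"Invalid value for parameter '{param_name}': expected {xsd_type}"
```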

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
