We are running security tests on our Axis2 1.6.2 web services. It has been pointed out that we have an OWASP information leakage and I'm trying to figure out how to solve this. We intercept the SOAP request and <?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [ to the request. The response generated is being flagged as an information leakage: <soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLSt reamException: DOCTYPE is not allowed</faultstring>
I'm trying to gather information to mitigate the finding: 1. Is the https://hostname/axis2/services/MyWebService?wsdl with the "axis2/services" in the URL a problem and/or 2. Being able to capture the XMLStreamException and respond with an appropriate non-descriptive message. How can we change the "axis2/services" endpoint? Since we don't even get the request in our code, how do we trap or override the request coming into the web service engine?
