Brando,
It is our service so we have access to the service code, what I'm not getting is catching the exception. Can you point me to some examples? Thanks, Scott From: Arguello, Brando [mailto:brando.argue...@gdc4s.com] Sent: Wednesday, November 26, 2014 10:31 AM To: java-user@axis.apache.org Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing Scott, If you have access to the service one option is.. On the service side, catch the exception, extract the information you need and return an object so it goes through the regular "OutFlow" phase instead of the "FaultFlow" If you don't have access to the service .. Can you add a handler on the "InFlow" phase of your client to intercept the response and filter out the leakage and then proceed to your client? Regards. -brando From: Scott Selvia [mailto:ssel...@datamentors.com] Sent: Wednesday, November 26, 2014 9:53 AM To: java-user@axis.apache.org Subject: How to Solve Axis2 Information Leakage from OWASP Testing We are running security tests on our Axis2 1.6.2 web services. It has been pointed out that we have an OWASP information leakage and I'm trying to figure out how to solve this. We intercept the SOAP request and <?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [ to the request. The response generated is being flagged as an information leakage: <soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLSt reamException: DOCTYPE is not allowed</faultstring> I'm trying to gather information to mitigate the finding: 1. Is the https://hostname/axis2/services/MyWebService?wsdl with the "axis2/services" in the URL a problem and/or 2. Being able to capture the XMLStreamException and respond with an appropriate non-descriptive message. How can we change the "axis2/services" endpoint? Since we don't even get the request in our code, how do we trap or override the request coming into the web service engine?
