Brando,

Just tried your solution. I added an exception handler around the business logic
of the method and I still get the same response.  Any other suggestions?

Regards,

Scott

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ser="http://service.web.datamentors.com">
   <soap:Header/>
   <soap:Body>
      <ser:helloMethod>
         <!--Optional:-->
         <ser:aMessage>Hello from Client</ser:aMessage>
      </ser:helloMethod>
   </soap:Body>
</soap:Envelope>

 

<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
   <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Action>http://www.w3.org/2005/08/addressing/soap/fault</wsa:Action>
   </soapenv:Header>
   <soapenv:Body>
      <soapenv:Fault>
         <soapenv:Code>
            <soapenv:Value>soapenv:Receiver</soapenv:Value>
         </soapenv:Code>
         <soapenv:Reason>
            <soapenv:Text xml:lang="en-US">javax.xml.stream.XMLStreamException: DOCTYPE is not allowed</soapenv:Text>
         </soapenv:Reason>
         <soapenv:Detail/>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

 

MyResponse helloMethod(String aMsg)
{
  MyResponse response = null;

  System.out.println("In Method");

  try
  {
      response = new MyResponse("Good SOAP Message");
  }
  catch (Exception e)
  {
      // log the full exception server-side, return a non-descriptive message to the caller
      e.printStackTrace();
      response = new MyResponse("Bad SOAP Message");
  }

  return response;   // the method declares a MyResponse return type but had no return statement
}
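
The DOCTYPE rejection is raised by the XML stream parser while Axis2 is still building the envelope, before helloMethod is ever dispatched, which is why a try/catch inside the service never sees it and the fault is generated by the engine itself. One way to sanitise that fault without touching the service is an Axis2 handler registered in the OutFaultFlow, which rewrites the fault reason and drops the Detail element before the transport sends it. The following is an added example written for this thread, not code from the list or from the Axis2 project. The package, the class name FaultScrubbingHandler, the generic reason string and the phase it is registered in are assumptions, and it assumes the Axis2 build runs the global OutFaultFlow phases for faults raised before an operation was dispatched; confirm this by watching for the handler's log line, and if it never fires the same scrubbing has to be done in a servlet filter in front of AxisServlet.

```java
package com.example.axis2;   // hypothetical package, not from the thread

import java.util.Iterator;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPBody;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFault;
import org.apache.axiom.soap.SOAPFaultDetail;
import org.apache.axiom.soap.SOAPFaultReason;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/*
 * Registration (assumed placement; "MessageOut" is a global OutFaultFlow phase in the
 * default axis2.xml, any global OutFaultFlow phase will do):
 *
 *   <phaseOrder type="OutFaultFlow">
 *       ...
 *       <phase name="MessageOut">
 *           <handler name="FaultScrubber" class="com.example.axis2.FaultScrubbingHandler"/>
 *       </phase>
 *       ...
 *   </phaseOrder>
 */

/**
 * OutFaultFlow handler that replaces the fault reason text with a fixed,
 * non-descriptive message and removes the Detail element, so exception
 * class names and messages such as
 * "javax.xml.stream.XMLStreamException: DOCTYPE is not allowed" are
 * logged on the server but never returned to the client.
 */
public class FaultScrubbingHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(FaultScrubbingHandler.class);

    // Assumed wording; keep it free of anything derived from the exception.
    private static final String GENERIC_REASON = "The request could not be processed.";

    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope envelope = msgContext.getEnvelope();
        if (envelope == null) {
            return InvocationResponse.CONTINUE;
        }
        SOAPBody body = envelope.getBody();
        if (body == null || !body.hasFault()) {
            return InvocationResponse.CONTINUE;
        }
        scrub(body.getFault());
        return InvocationResponse.CONTINUE;   // let the transport sender emit the rewritten fault
    }

    /** Package-private so it can be exercised on a hand-built SOAPFault in a unit test. */
    static void scrub(SOAPFault fault) {
        SOAPFaultReason reason = fault.getReason();
        if (reason != null) {
            // toString() serialises the element, so the original text survives in the server log
            log.warn("Scrubbing SOAP fault reason before it reaches the client: " + reason);
            setReasonText(reason, GENERIC_REASON);
        }
        // Detail carries a stack trace when sendStacktraceDetailsWithFaults is true; drop it entirely.
        SOAPFaultDetail detail = fault.getDetail();
        if (detail != null) {
            detail.detach();
        }
    }

    private static void setReasonText(SOAPFaultReason reason, String text) {
        Iterator<?> children = reason.getChildElements();
        if (!children.hasNext()) {
            // SOAP 1.1: <faultstring> holds the text directly
            reason.setText(text);
            return;
        }
        // SOAP 1.2: <soapenv:Reason> wraps one or more <soapenv:Text xml:lang="..."> elements
        while (children.hasNext()) {
            ((OMElement) children.next()).setText(text);
        }
    }
}
```

Two caveats a tester will hit. The axis2.xml parameter sendStacktraceDetailsWithFaults only controls whether a stack trace is added to the Detail element; it does not change the reason text, so turning it off does not by itself close this finding. And the handler as written also blanks the reason of faults your service throws on purpose, so if clients rely on those messages, compare the reason against an allow-list of your own fault texts before replacing it.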

 

From: Scott Selvia [mailto:ssel...@datamentors.com] 
Sent: Wednesday, November 26, 2014 10:59 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

 

Brando,

 

Thank You!!!

 

I was going too deep on this, thinking I needed to override the message
listeners.

 

Regards,

 

Scott

 

From: Arguello, Brando [mailto:brando.argue...@gdc4s.com] 
Sent: Wednesday, November 26, 2014 10:55 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

 

Scott,

 

What OWASP seems to be flagging is the
"<soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException:"

 

In your service..

 

TheObjectYourMethodReturns yourMethod(...) {
    TheObjectYourMethodReturns result = new TheObjectYourMethodReturns();
    try {
        // ... The implementation ...
    } catch (TheException e) {
        // Log exception, then set the reason in the returned object
        result.setExceptionReason(e.getMessage());
        return result;
    }
    // if no exception this returns with whatever your implementation requires
    return result;
}

 

From: Scott Selvia [mailto:ssel...@datamentors.com] 
Sent: Wednesday, November 26, 2014 10:41 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

 

Brando,

 

It is our service so we have access to the service code, what I'm not
getting is catching the exception.  Can you point me to some examples?

 

Thanks,

 

Scott

 

From: Arguello, Brando [mailto:brando.argue...@gdc4s.com] 
Sent: Wednesday, November 26, 2014 10:31 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

 

Scott,

 

If you have access to the service one option is..

On the service side, catch the exception, extract the information you
need and return an object so it goes through the regular "OutFlow" phase
instead of the "FaultFlow"

 

If you don't have access to the service ..

Can you add a handler on the "InFlow" phase of your client to intercept
the response and  filter out the leakage and then proceed to your
client?

 

Regards.

-brando

 

From: Scott Selvia [mailto:ssel...@datamentors.com] 
Sent: Wednesday, November 26, 2014 9:53 AM
To: java-user@axis.apache.org
Subject: How to Solve Axis2 Information Leakage from OWASP Testing

 

We are running security tests on our Axis2 1.6.2 web services.  It has
been pointed out that we have an OWASP information leakage and I'm
trying to figure out how to solve this.  We intercept the SOAP request
and add <?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [ to the
request.  The response generated is being flagged as an information
leakage:
<soapenv:Fault><faultcode></faultcode><faultstring>java.xml.stream.XMLStreamException: DOCTYPE is not allowed</faultstring>

 

I'm trying to gather information to mitigate the finding:

 

1. Is the https://hostname/axis2/services/MyWebService?wsdl with
   the "axis2/services" in the URL a problem, and/or

2. Being able to capture the XMLStreamException and respond with
   an appropriate non-descriptive message.

 

How can we change the "axis2/services" endpoint?

 

Since we don't even get the request in our code, how do we trap or
override the request coming into the web service engine?

 

 

 
