Martin,

I've enabled DEBUG logging for Axis2; I can see the DOCTYPE is not allowed. So, as you suggest, I need to create my own message listener to trap this AxisFault with the XMLStreamReader?

Thanks,
Scott

[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] setAction New action is (urn:helloMethod) |#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] createSOAPEnvelope using Builder (class org.apache.axis2.builder.SOAPBuilder) selected from type (application/soap+xml) |#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] char set encoding set from default =UTF-8 |#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] XMLStreamReader is org.apache.axiom.util.stax.dialect.WoodstoxStreamReaderWrapper |#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] org.apache.axis2.AxisFault: javax.xml.stream.XMLStreamException: DOCTYPE is not allowed |#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] [MessageContext: logID=6812b93b1f449a0693d713277a06a0c1e690df9694ec910a] isFaultRedirected: FaultTo is null. Returning isReplyRedirected |#]
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] [MessageContext: logID=6812b93b1f449a0693d713277a06a0c1e690df9694ec910a] isReplyRedirected: ReplyTo is null. Returning false |#]
[#|2014-11-26T12:59:39.049-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=108;_ThreadName=Thread-2;|[DEBUG] getAction (null) from org.apache.axis2.client.Options@2c82fe4f |#]


From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Wednesday, November 26, 2014 12:09 PM
To: java-user@axis.apache.org; Scott Selvia
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

1) DTDs have not been supported by Axis for at least 10 years, and any/all attempts to implement DTDs will fubar your Axis default installation. You *can* install your own incoming/outgoing message receivers in the messageReceivers in axis2.xml:

    <messageReceivers>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only"
                         class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
                         class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-only"
                         class="org.apache.axis2.receivers.RawXMLINOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2006/01/wsdl/in-out"
                         class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
    </messageReceivers>

If for any reason you want to accommodate a different content-type, then add that messageFormatter here in axis2.xml:

    <messageFormatters>
        <messageFormatter contentType="application/x-www-form-urlencoded"
                          class="org.apache.axis2.transport.http.XFormURLEncodedFormatter"/>
        <messageFormatter contentType="multipart/form-data"
                          class="org.apache.axis2.transport.http.MultipartFormDataFormatter"/>
        <messageFormatter contentType="application/xml"
                          class="org.apache.axis2.transport.http.ApplicationXMLFormatter"/>
        <messageFormatter contentType="text/xml"
                          class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
        <messageFormatter contentType="application/soap+xml"
                          class="org.apache.axis2.transport.http.SOAPMessageFormatter"/>
    </messageFormatters>

2) If your concern is a MIM attack by someone sharking the line, look into encrypting/decrypting your messages with the Rampart Security module (I like the bouncycastle security provider):
http://axis.apache.org/axis2/java/rampart/download/1.6.2/download.cgi

The OWASP Testing guideline might prove useful:
https://www.owasp.org/index.php/Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)

Personal note: when working at the bank, use of search engines was banned.. now I know why.

Happy Thanksgiving All
Martin

________________________________

Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing
Date: Wed, 26 Nov 2014 10:40:40 -0500
From: ssel...@datamentors.com
To: java-user@axis.apache.org

Brando,

It is our service, so we have access to the service code; what I'm not getting is catching the exception. Can you point me to some examples?

Thanks,
Scott


From: Arguello, Brando [mailto:brando.argue...@gdc4s.com]
Sent: Wednesday, November 26, 2014 10:31 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Axis2 Information Leakage from OWASP Testing

Scott,

If you have access to the service, one option is..

On the service side, catch the exception, extract the information you need and return an object so it goes through the regular "OutFlow" phase instead of the "FaultFlow".

If you don't have access to the service..

Can you add a handler on the "InFlow" phase of your client to intercept the response and filter out the leakage, and then proceed to your client?

Regards.
-brando


From: Scott Selvia [mailto:ssel...@datamentors.com]
Sent: Wednesday, November 26, 2014 9:53 AM
To: java-user@axis.apache.org
Subject: How to Solve Axis2 Information Leakage from OWASP Testing

We are running security tests on our Axis2 1.6.2 web services. It has been pointed out that we have an OWASP information leakage, and I'm trying to figure out how to solve this.

We intercept the SOAP request and add

    <?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [

to the request. The response generated is being flagged as an information leakage:

    <soapenv:Fault><faultcode></faultcode><faultstring>javax.xml.stream.XMLStreamException: DOCTYPE is not allowed</faultstring>

I'm trying to gather information to mitigate the finding:

1. Is the https://hostname/axis2/services/MyWebService?wsdl with the "axis2/services" in the URL a problem, and/or
2. Being able to capture the XMLStreamException and respond with an appropriate non-descriptive message.

How can we change the "axis2/services" endpoint? Since we don't even get the request in our code, how do we trap or override the request coming into the web service engine?
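The following is an added example (not code from this thread or from the Axis2 project) of the handler approach Brando mentions, applied to Scott's second question: a global OutFaultFlow handler that rewrites the outgoing SOAP fault so a parser failure such as "DOCTYPE is not allowed" is logged server-side but answered to the caller with a fixed, non-descriptive faultstring. The class and package names are hypothetical. It assumes Axis2 1.6.x with Axiom, and that the fault produced when envelope building fails is dispatched through the global OutFaultFlow phases (the isFaultRedirected/isReplyRedirected entries in Scott's DEBUG log come from that path, but verify it against your deployment). Because the service method is never reached for a malformed envelope, catching the exception inside the service code cannot address this case; only a fault-flow handler (or disabling the stack-trace and root-cause parameters in axis2.xml) can.

```java
package example.axis2.fault;  // hypothetical package, not part of Axis2

import java.util.Iterator;
import java.util.List;

import org.apache.axiom.soap.SOAPBody;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFault;
import org.apache.axiom.soap.SOAPFaultDetail;
import org.apache.axiom.soap.SOAPFaultReason;
import org.apache.axiom.soap.SOAPFaultText;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Hypothetical OutFaultFlow handler: replaces the reason text of every outgoing
 * SOAP fault with GENERIC_REASON and drops the <detail> element, so exception
 * class names, parser messages and stack traces never reach the client.
 */
public class GenericFaultHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(GenericFaultHandler.class);

    /** The only reason text a client will ever see. */
    static final String GENERIC_REASON = "The request could not be processed.";

    @Override
    public Handler.InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope envelope = msgContext.getEnvelope();
        if (envelope == null) {
            return Handler.InvocationResponse.CONTINUE;
        }
        SOAPBody body = envelope.getBody();
        if (body == null || !body.hasFault()) {
            return Handler.InvocationResponse.CONTINUE;
        }
        SOAPFault fault = body.getFault();

        // Keep the original reason for server-side diagnosis (toString() gives the
        // serialized element), then overwrite what goes on the wire.
        SOAPFaultReason reason = fault.getReason();
        if (reason != null) {
            log.warn("Suppressed SOAP fault reason: " + reason.toString());
            sanitizeReason(reason, msgContext.isSOAP11());
        }

        // <detail> is where Axis2 places stack traces when the axis2.xml parameter
        // sendStacktraceDetailsWithFaults is true; remove the element entirely.
        SOAPFaultDetail detail = fault.getDetail();
        if (detail != null) {
            detail.detach();
        }
        return Handler.InvocationResponse.CONTINUE;
    }

    /**
     * SOAP 1.1 keeps the text directly in <faultstring>; SOAP 1.2 wraps it in one
     * or more <Reason><Text xml:lang="..."> children, each of which is rewritten.
     */
    static void sanitizeReason(SOAPFaultReason reason, boolean soap11) {
        if (soap11) {
            reason.setText(GENERIC_REASON);
            return;
        }
        List texts = reason.getAllSoapTexts();
        if (texts == null || texts.isEmpty()) {
            return;
        }
        for (Iterator it = texts.iterator(); it.hasNext();) {
            ((SOAPFaultText) it.next()).setText(GENERIC_REASON);
        }
    }
}

/*
 * Deployment (hypothetical module name). Package the class as a .mar with this
 * module.xml, drop it in WEB-INF/modules, and engage it globally in axis2.xml
 * with <module ref="genericfault"/>. "MessageOut" is a phase already listed in
 * the default OutFaultFlow phaseOrder of axis2.xml.
 *
 *   <module name="genericfault" class="">
 *     <OutFaultFlow>
 *       <handler name="GenericFaultHandler"
 *                class="example.axis2.fault.GenericFaultHandler">
 *         <order phase="MessageOut"/>
 *       </handler>
 *     </OutFaultFlow>
 *   </module>
 */
```

Pair the handler with the two existing axis2.xml parameters that control how much a fault reveals, `sendStacktraceDetailsWithFaults` and `DrillDownToRootCauseForFaultReason`, both set to `false`; the handler then only has to cover faults raised before those parameters are consulted. Test with SOAP 1.1 (text/xml) and SOAP 1.2 (application/soap+xml) requests, since the fault reason lives in different elements in each, and check the response body with the same DOCTYPE-prefixed request the scanner used.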