[
https://issues.apache.org/jira/browse/WSS-465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved WSS-465.
-------------------------------------
Resolution: Fixed
> Possible information leak: incremental IDs
> ------------------------------------------
>
> Key: WSS-465
> URL: https://issues.apache.org/jira/browse/WSS-465
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.6.9
> Environment: CXF 2.7.3, XMLsec 1.5.3
> Reporter: Marco Stettler
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6.12
>
>
> We had a security audit, and one of the points listed is as follow:
> The "Signature ID" and "Reference URI ID" are incremental. From this fact it
> can be deduced whether and how much the service will be used. The number
> varies only minimally, the service is hardly used the observed time. However,
> the number rises noticeably within a short time, so the service is already
> under load. At such a time a DoS attack, for example, would achieve
> particularly infuriating effect.
> Couldnt this IDs be randomized? Or incremental by request (not "static" in
> the VM)?
> What i saw in the code is, that theres already a interface "WsuIdAllocator",
> with a anonymous implementation in the class "WSSConfig". But theres no
> proper way to override this implementation as the extension point is missing
> (or i'm missing it :).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
