[ https://issues.apache.org/jira/browse/WSS-465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-465. ------------------------------------- Resolution: Fixed > Possible information leak: incremental IDs > ------------------------------------------ > > Key: WSS-465 > URL: https://issues.apache.org/jira/browse/WSS-465 > Project: WSS4J > Issue Type: Improvement > Components: WSS4J Core > Affects Versions: 1.6.9 > Environment: CXF 2.7.3, XMLsec 1.5.3 > Reporter: Marco Stettler > Assignee: Colm O hEigeartaigh > Fix For: 1.6.12 > > > We had a security audit, and one of the points listed is as follow: > The "Signature ID" and "Reference URI ID" are incremental. From this fact it > can be deduced whether and how much the service will be used. The number > varies only minimally, the service is hardly used the observed time. However, > the number rises noticeably within a short time, so the service is already > under load. At such a time a DoS attack, for example, would achieve > particularly infuriating effect. > Couldnt this IDs be randomized? Or incremental by request (not "static" in > the VM)? > What i saw in the code is, that theres already a interface "WsuIdAllocator", > with a anonymous implementation in the class "WSSConfig". But theres no > proper way to override this implementation as the extension point is missing > (or i'm missing it :). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For additional commands, e-mail: dev-h...@ws.apache.org