CXF offers no facility, persistent or non-persistent, for an external
user to alter the text of the services page. Therefore, you don't need
to worry about XSS. Your security society is failing to understand the
difference between malevolent *development team members* who already
have internal access to the system and hence don't need to bother with
XSS (i.e., those who can go into the server settings and alter
configuration files to create a popup), and *malevolent external users*,
the only group for which XSS is a concern.
The code base needs to be gummed up with anti-XSS checks only when the
external user does have such an ability. Otherwise, you're adding
security risks by unnecessarily bloating up the code, especially when
the code is being bloated up by Bad Development Guy to begin with. It's
not good to code locks for windows that don't exist.
That said, CXF can probably do a better job in preventing invalid URL
names like popups, but that will not guard against Bad Development Guy,
because he's going to use a valid URL anyway if you give him the chance
to direct external users to his Bad System.
Glen
On 2/25/2011 4:08 AM, sami wrote:
Hi,
The main concern of that kind of non-persistent XSS attack is phishing.
A security society that audited our code highlighted that problem.
It is a minor security flaw, but it is still a security flaw.
If there is no easy workaround, I will try to disable the services page on my
webservices.
________________________________
From: "Rhenius, Karl Stefan [via CXF]"
<[email protected]>
To: sami<[email protected]>
Sent: Fri 25 February 2011, 9:59:47
Subject: RE: XSS flaw in Available SOAP services page
Hi Glenn,
there are persistent and non-persistent XSS attacks.
http://en.wikipedia.org/wiki/Cross-site_scripting describes an exploit
scenario for non-persisting XSS attacks.
Karl
But giving somebody a fraudulent link is not cross-site scripting, and
browser certificate checks would catch that anyway.
Only the service provider has control over the contents of the
https://www.mybank.com/services/BankingService?wsdl page, Bad Guy has no
opportunities to enter in data that could alter that page, so I don't
see where the XSS concern is.
--
Glen Mazza
Software Engineer, Talend (http://www.talend.com)
blog: http://www.jroller.com/gmazza
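For anyone who, like sami above, would rather switch the services list off than argue about it: CXF's servlet takes a hide-service-list-page init parameter. The web.xml fragment below is an added example, not code from this thread or from the CXF project, and assumes a CXFServlet mapped at /services/*; confirm that the CXF version you run documents this parameter.

```xml
<!-- Added example: CXFServlet registration in WEB-INF/web.xml.
     Assumes the servlet is mapped at /services/* (the name is arbitrary). -->
<servlet>
  <servlet-name>CXFServlet</servlet-name>
  <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
  <!-- Weak (default) setting: omit the parameter, or set it to false, and a
       GET on the mapping root renders the "Available SOAP services" list.
       Hardened setting: true suppresses that listing. Individual endpoints
       under /services/* are not affected by this parameter. -->
  <init-param>
    <param-name>hide-service-list-page</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>CXFServlet</servlet-name>
  <url-pattern>/services/*</url-pattern>
</servlet-mapping>
```

After redeploying, a GET on /services/ should no longer return the listing, which is a quick check that the parameter was picked up.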