Can I see what the WSDL looks like that you're using?

Colm.
On Thu, Mar 19, 2020 at 3:31 PM Tomasz Zorawik <tzora...@gmail.com> wrote:
> Hi,
>
> I'm concerned about SOAPAction Spoofing
> (https://www.ws-attacks.org/SOAPAction_Spoofing) in CXF 3.2.9.
> My webservice has two operations: Operation1 and Operation2. I noticed that
> when a SOAP request is sent with the body
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>                   xmlns:exam="…">
>    <soapenv:Header/>
>    <soapenv:Body>
>       <exam:Operation1/>
>    </soapenv:Body>
> </soapenv:Envelope>
>
> and the SOAPAction HTTP header = …/Operation2
>
> Operation2 is invoked by CXF.
> I wonder if this behavior is expected and secure?
>
> It seems that CXF validates the SOAPAction header against the WSDL (when the
> request has a SOAPAction header with an operation which does not exist in the
> WSDL the result is a Fault: ‘The given SOAPAction a does not match an operation.’).
> However it does not compare it with the operation inside the request body.
>
> If the SOAPAction header is empty, the operation inside the request body is
> taken into account when selecting the operation to invoke.
>
> I found a similar issue which had been resolved before in an older version
> of the library: http://cxf.apache.org/cve-2012-3451.html
> “In some cases, CXF uses the received SOAP Action to select the correct
> operation to invoke, and does not check to see that the message body is
> correct. This can be exploitable to execute a SOAP Action spoofing attack,
> where an adversary can execute another operation in the web service by
> sending the corresponding SOAP Action.”
>
> Regards,
> Tomasz
>
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
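The check Tomasz describes as missing is the agreement between the SOAPAction header and the operation element inside soap:Body. The following Python is an added illustration of that rule, not Apache CXF's (Java) dispatch code and not taken from the thread: it keeps the two behaviours the report attributes to CXF (an unknown SOAPAction is faulted, an empty SOAPAction defers to the Body) and adds the third step, faulting when a non-empty header names a different operation than the Body carries. The WSDL is replaced by a constructed table of soapAction strings and Body elements; the `urn:example:exam` namespace and the soapAction URIs are assumptions standing in for the values elided in the report.

```python
"""Added example (not Apache CXF code): select a SOAP 1.1 operation only when
the SOAPAction header and the operation element in soap:Body agree, so a
header naming Operation2 cannot drive a Body that carries Operation1."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
EXAM_NS = "urn:example:exam"  # hypothetical stand-in for the elided xmlns:exam

# Constructed stand-in for what a dispatcher takes from the WSDL binding:
# the soapAction string declared per operation and the Body element it expects.
# The soapAction values are assumptions, not taken from any real WSDL.
OPERATIONS = {
    "Operation1": ("urn:example:exam/Operation1", f"{{{EXAM_NS}}}Operation1"),
    "Operation2": ("urn:example:exam/Operation2", f"{{{EXAM_NS}}}Operation2"),
}


class SoapFault(Exception):
    """Raised where a real endpoint would return a soap:Fault."""


def operation_from_action(soap_action):
    """Map the SOAPAction header to an operation name.

    Returns None for an absent or empty header (SOAP 1.1 allows "" to mean
    'no action'); raises SoapFault for a value that matches no operation,
    which is the check the report says CXF already performs.
    """
    if soap_action is None:
        return None
    action = soap_action.strip().strip('"')  # SOAP 1.1 sends the value quoted
    if not action:
        return None
    for name, (declared_action, _) in OPERATIONS.items():
        if declared_action == action:
            return name
    raise SoapFault(f"The given SOAPAction {action} does not match an operation.")


def operation_from_body(envelope_xml):
    """Map the first child element of soap:Body to an operation name."""
    # Production code should parse with defusedxml to refuse DTD/entity tricks;
    # stdlib ElementTree is used here only so the example runs stand-alone.
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise SoapFault("Request carries no operation element in soap:Body.")
    element = body[0].tag  # Clark notation: {namespace}LocalName
    for name, (_, expected_element) in OPERATIONS.items():
        if expected_element == element:
            return name
    raise SoapFault(f"Body element {element} does not match an operation.")


def select_operation(soap_action, envelope_xml):
    """Binding rule: the Body decides; a non-empty SOAPAction must agree with it."""
    body_op = operation_from_body(envelope_xml)
    header_op = operation_from_action(soap_action)
    if header_op is None:
        return body_op  # empty header: Body alone selects, as the report describes
    if header_op != body_op:
        # The spoofing case: header says one operation, Body carries another.
        raise SoapFault(f"SOAPAction names {header_op} but soap:Body carries {body_op}.")
    return body_op


def dispatch(soap_action, envelope_xml):
    """Convenience wrapper: ('ok', operation) or ('fault', message)."""
    try:
        return ("ok", select_operation(soap_action, envelope_xml))
    except SoapFault as fault:
        return ("fault", str(fault))


# Constructed request: the Body from the report, with the hypothetical namespace.
OPERATION1_REQUEST = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:exam="urn:example:exam">
  <soapenv:Header/>
  <soapenv:Body>
    <exam:Operation1/>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    # Matching header, empty header, and the spoofing case from the report.
    print(dispatch('"urn:example:exam/Operation1"', OPERATION1_REQUEST))
    print(dispatch("", OPERATION1_REQUEST))
    print(dispatch("urn:example:exam/Operation2", OPERATION1_REQUEST))
```

The Body is treated as authoritative because it is what the service method will actually deserialise; the header is only allowed to confirm it. If a binding must honour SOAPAction for routing (for example when two operations share a Body element), the same comparison still applies in reverse: resolve the header first, then reject the message unless the Body element is one the resolved operation declares.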