OWASP WS Amplification DoS Project


WS-Addressing default behaviour
To grasp the magnitude of this threat, it is necessary to be aware of the default configurations in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable WS-Addressing without the user specifying the need for it, potentially creating a lot of web services that are unnecessarily prone to abuse.

Axis2
Axis2 enables WS-Addressing by default.

CXF
CXF supports WS-Addressing, but explicit configuration is required to enable it.

JAX-WS & Metro
Metro is based on the JAX-WS API. The documentation says: "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header."

.NET Framework
.NET/WCF supports WS-Addressing, but the default behaviour on a ReplyTo field is unclear. More information is welcome!
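
Whatever a framework's default, a gateway or request filter in front of the service can check the WS-Addressing headers itself. The following is an added example, not code from the OWASP project or from any of the frameworks above: it reports ReplyTo/FaultTo headers whose address is neither the anonymous nor the none URI, meaning the response would leave the requester's own connection. The function name, the sample envelopes and the example.net address are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
# WS-Addressing namespace -> addresses that keep the reply on the
# requester's own connection (anonymous) or discard it (none).
WSA_SAFE = {
    "http://www.w3.org/2005/08/addressing": {
        "http://www.w3.org/2005/08/addressing/anonymous",
        "http://www.w3.org/2005/08/addressing/none"},
    "http://schemas.xmlsoap.org/ws/2004/08/addressing": {
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous"},
}

def redirected_endpoints(raw: bytes):
    """Return [(header, address)] for ReplyTo/FaultTo headers that would
    send the response somewhere other than the requester's connection."""
    if b"<!DOCTYPE" in raw:  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in SOAP message")
    root = ET.fromstring(raw)
    findings = []
    for soap in SOAP_NS:
        header = root.find(f"{{{soap}}}Header")
        if header is None:
            continue
        for wsa, safe in WSA_SAFE.items():
            for name in ("ReplyTo", "FaultTo"):
                for epr in header.findall(f"{{{wsa}}}{name}"):
                    # A missing Address yields "" and is reported as well.
                    addr = (epr.findtext(f"{{{wsa}}}Address") or "").strip()
                    if addr not in safe:
                        findings.append((name, addr))
    return findings

# Constructed sample requests (not captured traffic).
ENV_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsa="http://www.w3.org/2005/08/addressing"><s:Header>'
    '<wsa:Action>urn:example:echo</wsa:Action>'
    '<wsa:ReplyTo><wsa:Address>{}</wsa:Address></wsa:ReplyTo>'
    '</s:Header><s:Body/></s:Envelope>')
SAMPLE_ANON = ENV_TEMPLATE.format(
    "http://www.w3.org/2005/08/addressing/anonymous").encode()
SAMPLE_REDIRECT = ENV_TEMPLATE.format(
    "http://third-party.example.net/svc").encode()

if __name__ == "__main__":
    for label, msg in (("anonymous", SAMPLE_ANON), ("redirect", SAMPLE_REDIRECT)):
        print(label, redirected_endpoints(msg))
```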