Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Routing Detour"

From OWASP
 
Line 8: Line 8:
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===
  
 +
None
  
 
=== Perimeter Solution ===
 
=== Perimeter Solution ===
  
* Use SSL/TLS for connections between all trusted locations for confidentiality and mutual authentication.
+
None
* Provide configuration-based whitelist for WS Routing destinations.
+
  
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
  
 +
Provide configuration-based whitelist for WS Routing destinations.
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
  
 +
None
  
 
=== Custom Code Solution ===
 
=== Custom Code Solution ===
  
 +
None
  
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
  
This is actually a type of attack and not a vulnerability
+
None
  
 
=== References ===
 
=== References ===
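
Review bot: In the Perimeter Solution section, the line "Use SSL/TLS for connections between all trusted locations for confidentiality and mutual authentication." is replaced by "None" with no rationale, although the Root Cause Summary describes a man-in-the-middle attack; either keep it or record in Discussion / Controversy why it does not belong under the perimeter category. The same edit also drops the Discussion remark "This is actually a type of attack and not a vulnerability" rather than answering it, so consider retaining it until the classification question is settled.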

Latest revision as of 17:08, 20 July 2013


Routing Detour

Root Cause Summary

This is a man-in-the-middle type of attack in which (XML) content processors can be injected to route sensitive information to an attacker-controlled outside location. The attacker can modify the contents of the package and send it back to the original processor, which remains unaware of the modifications.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

Provide a configuration-based whitelist for WS-Routing destinations.
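
One way to implement such a whitelist check, as an added example that is not part of the original OWASP page: it reads the `to` and `via` hops from a WS-Routing `path` header and reports any that are not in the configured set. The host names, the allowlist entries, the function names and the sample messages are constructed for illustration; the namespace is the one used by the WS-Routing specification.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSRP = "{http://schemas.xmlsoap.org/rp/}"  # WS-Routing header namespace
# Constructed configuration: the only (scheme, host, port) hops a message may name.
ALLOWED_DESTINATIONS = {
    ("https", "gateway.internal.example", 443),
    ("https", "orders.internal.example", 8443),
}

def normalize(uri):
    """Reduce a hop URI to (scheme, host, port); None if it cannot be trusted."""
    try:
        parts = urlsplit(uri.strip())
        port = parts.port if parts.port is not None else {"https": 443}.get(parts.scheme)
    except ValueError:  # malformed netloc or port
        return None
    if not parts.hostname or parts.username is not None or port is None:
        return None
    return (parts.scheme, parts.hostname.lower(), port)

def rejected_hops(raw):
    """Return every <to>/<via> URI in the WS-Routing path that is not allowlisted."""
    if b"<!DOCTYPE" in raw:  # SOAP messages must not carry a DTD; refuse before parsing
        raise ValueError("DTD not allowed in a SOAP message")
    bad = []
    for path in ET.fromstring(raw).iter(WSRP + "path"):
        for tag in ("to", "via"):  # final destination, then forward and reverse hops
            for hop in path.iter(WSRP + tag):
                uri = (hop.text or "").strip()  # an empty <via/> carries no URI to check
                if uri and normalize(uri) not in ALLOWED_DESTINATIONS:
                    bad.append(uri)
    return bad

def envelope(extra_vias=()):
    """Build a constructed sample message routed via the gateway plus extra hops."""
    vias = ["https://gateway.internal.example/relay", *extra_vias]
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Header><r:path xmlns:r="http://schemas.xmlsoap.org/rp/">'
        "<r:to>https://orders.internal.example:8443/submit</r:to><r:fwd>"
        + "".join(f"<r:via>{v}</r:via>" for v in vias)
        + "</r:fwd><r:rev><r:via/></r:rev></r:path></s:Header><s:Body/></s:Envelope>"
    ).encode()

GOOD = envelope()
DETOURED = envelope(["https://collector.attacker.example/in"])  # injected hop

if __name__ == "__main__":
    print("good:", rejected_hops(GOOD), "detoured:", rejected_hops(DETOURED))
```

A message is forwarded only when `rejected_hops` returns an empty list; anything else is dropped and logged with the offending URIs.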

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

None

References

XML Routing Detour Attacks (MITRE)
Routing Detour (WASC)