Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Routing Detour"

From OWASP
Jump to: navigation, search
(initial page setup)
 
m
Line 11: Line 11:
 
=== Perimeter Solution ===
 
=== Perimeter Solution ===
  
Use SSL/TLS for connections between all trusted locations, and verify each host.
+
* Use SSL/TLS for connections between all trusted locations for confidentiality and mutual authentication.
 +
* Provide configuration-based whitelist for WS Routing destinations.
  
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===

Revision as of 01:41, 7 June 2013

Return to Periodic Table Working View

Contents

Routing Detour

Root Cause Summary

This is a man in the middle type of attack, where (XML) content processors can be injected to route sensitive information to an attacker-controlled outside location. The attacker can modify the contents of the package and send it back to the original processor, unaware of the modifications.

Browser / Standards Solution

Perimeter Solution

  • Use SSL/TLS for connections between all trusted locations for confidentiality and mutual authentication.
  • Provide configuration-based whitelist for WS Routing destinations.

Generic Framework Solution

Custom Framework Solution

Custom Code Solution

Discussion / Controversy

This is actually a type of attack and not a vulnerability

References

XML Routing Detour Attacks (MITRE)
Routing Detour (WASC)