Difference between revisions of "OWASP WS Amplification DoS Project"

From OWASP
(Created page with "=Main= Project Leader’s content goes here =Project About= {{:Projects/OWASP_WS_Amplification_DoS_Project}} Category:OWASP Project")
 
Line 1: Line 1:
 
=Main=
 
=Main=
 
Project Leader’s content goes here
 
Project Leader’s content goes here
 
+
==WS-Addressing default behaviour==
 +
In order to get a grasp of the magnitude of this threat, it is necessary to be aware of the default configurations in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable it without the user specifying the need for it. Potentially creating a lot of web services that are unnecessarily prone to abuse.
 +
===Axis2===
 +
Axis2 enables WS-Addressing by default, as stated [http://axis.apache.org/axis2/java/core/modules/addressing/ here]
 +
===CXF===
 +
CXF supports WS-Addressing, but [http://cxf.apache.org/docs/ws-addressing.html explicit configuration] is required to enable it.
 +
===JAX-WS & Metro===
 +
Metro is based on the JAX-WS API. The [https://metro.java.net/1.4/docs/wsaddressing.html documentation] says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header. "
 +
===.NET Framework===
 +
.NET/WCF supports WS-Addressing, but the default behaviour on a RepyTo field is unclear. More information is welcome!
 
=Project About=
 
=Project About=
 
{{:Projects/OWASP_WS_Amplification_DoS_Project}}  
 
{{:Projects/OWASP_WS_Amplification_DoS_Project}}  
  
 
[[Category:OWASP Project]]
 
[[Category:OWASP Project]]
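Review bot: the new ".NET Framework" paragraph writes "RepyTo field"; the WS-Addressing header is ReplyTo, and the typo should be corrected before this section is used as a reference. In the same added block, "Potentially creating a lot of web services that are unnecessarily prone to abuse." is a sentence fragment that belongs to the preceding sentence, the Axis2 line ("as stated here") has no full stop, and the placeholder "Project Leader's content goes here" is still left above the new section.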

Revision as of 09:30, 2 June 2013


Main

Project Leader’s content goes here

WS-Addressing default behaviour

To gauge the magnitude of this threat, it is necessary to know the default WS-Addressing configuration of the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable WS-Addressing without the user asking for it, potentially leaving many web services unnecessarily prone to abuse.

Axis2

Axis2 enables WS-Addressing by default, as stated in the Axis2 addressing module documentation (http://axis.apache.org/axis2/java/core/modules/addressing/).

CXF

CXF supports WS-Addressing, but explicit configuration is required to enable it (http://cxf.apache.org/docs/ws-addressing.html).

JAX-WS & Metro

Metro is based on the JAX-WS API. Its documentation (https://metro.java.net/1.4/docs/wsaddressing.html) says: "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header."

.NET Framework

.NET/WCF supports WS-Addressing, but its default behaviour for the ReplyTo header is unclear. More information is welcome!
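A defender-side check for the ReplyTo behaviour discussed above, added here as an example (not code from the OWASP project or from any of the frameworks named): it accepts a SOAP request only when its WS-Addressing reply endpoints are absent or anonymous, so the response can only travel back on the requesting connection. It also checks wsa:FaultTo, which the page does not mention; the namespaces and anonymous URIs are the W3C 1.0 and 2004/08 submission values, and the sample envelopes and the host victim.example are constructed.

```python
import xml.etree.ElementTree as ET

# WS-Addressing namespaces mapped to their "anonymous" endpoint URI (W3C 1.0 and
# the older 2004/08 submission that several frameworks still accept).
ANONYMOUS = {
    "http://www.w3.org/2005/08/addressing":
        "http://www.w3.org/2005/08/addressing/anonymous",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing":
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}
SOAP_ENVELOPES = ("http://schemas.xmlsoap.org/soap/envelope/",
                  "http://www.w3.org/2003/05/soap-envelope")
# Headers that tell the service where to deliver its response or fault.
REPLY_HEADERS = ("ReplyTo", "FaultTo")

def reply_targets(envelope_xml):
    """List (header, wsa_namespace, address) for each reply endpoint present.
    A malformed endpoint without an Address child yields address None."""
    root = ET.fromstring(envelope_xml)
    found = []
    for soap_ns in SOAP_ENVELOPES:
        header = root.find("{%s}Header" % soap_ns)
        if header is None:
            continue
        for wsa_ns in ANONYMOUS:
            for name in REPLY_HEADERS:
                for el in header.findall("{%s}%s" % (wsa_ns, name)):
                    addr = el.find("{%s}Address" % wsa_ns)
                    text = addr.text.strip() if addr is not None and addr.text else None
                    found.append((name, wsa_ns, text))
    return found

def is_reflection_safe(envelope_xml):
    """True when no reply endpoint is given (the spec default is anonymous) or
    every endpoint is the anonymous URI, so the reply stays on this connection.
    Anything else, including a malformed endpoint, is rejected."""
    return all(addr == ANONYMOUS[wsa_ns]
               for _, wsa_ns, addr in reply_targets(envelope_xml))

# Constructed sample requests: a well-behaved one and one that names a third
# party (victim.example is a placeholder host, not a real target).
SAFE_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <s:Header><wsa:Action>urn:example:GetReport</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
  </s:Header><s:Body/></s:Envelope>"""
REFLECTED_REQUEST = SAFE_REQUEST.replace(
    "http://www.w3.org/2005/08/addressing/anonymous", "http://victim.example/")
```

A framework handler (Axis2 or JAX-WS) can apply the same rule before dispatch and return a fault instead of processing requests that fail it.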

Project About

what is this project?
Name: OWASP WS Amplification DoS Project (home page)
Purpose: The project aims to explore the threat of an Amplification DoS attack that utilises web services.

Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. It appears that SOAP web services that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper. The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale. If necessary, a publication covering awareness and countermeasures will follow.

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release: Not Yet Published
last reviewed release: Not Yet Reviewed