OWASP WS Amplification DoS Project




WS-Addressing default behaviour

To grasp the magnitude of this threat, it is necessary to know the default configurations of the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable WS-Addressing without the user specifying the need for it, potentially creating a lot of web services that are unnecessarily prone to abuse.


Axis2 enables WS-Addressing by default, as stated here


CXF supports WS-Addressing, but explicit configuration is required to enable it.

JAX-WS & Metro

Metro is based on the JAX-WS API. The documentation says: "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header."

.NET Framework

.NET/WCF supports WS-Addressing, but the default behaviour on a ReplyTo field is unclear. More information is welcome!
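
As an added example (not code from the OWASP project or from any framework named above), the following Python check shows how a filter in front of a service could flag requests whose WS-Addressing ReplyTo or FaultTo header directs the response away from the requester's own connection. The function name and sample messages are constructed for illustration; the namespace and anonymous/none URIs are those of WS-Addressing 1.0 and the 2004/08 submission.

```python
import xml.etree.ElementTree as ET

# WS-Addressing namespaces: the 1.0 Recommendation and the 2004/08 submission.
WSA_NAMESPACES = (
    "http://www.w3.org/2005/08/addressing",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing",
)
# Addresses that keep the reply on the requester's connection, or suppress it.
LOCAL_ADDRESSES = {
    "http://www.w3.org/2005/08/addressing/anonymous",
    "http://www.w3.org/2005/08/addressing/none",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}
SOAP_NAMESPACES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)

def redirected_replies(soap_xml):
    """Return [(header_name, address)] for reply endpoints that are not the sender."""
    if "<!DOCTYPE" in soap_xml.upper():  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in SOAP messages")
    root = ET.fromstring(soap_xml)
    findings = []
    for soap_ns in SOAP_NAMESPACES:
        header = root.find(f"{{{soap_ns}}}Header")
        if header is None:
            continue
        for wsa_ns in WSA_NAMESPACES:
            for name in ("ReplyTo", "FaultTo"):
                for epr in header.findall(f"{{{wsa_ns}}}{name}"):
                    address = (epr.findtext(f"{{{wsa_ns}}}Address") or "").strip()
                    if address and address not in LOCAL_ADDRESSES:
                        findings.append((name, address))
    return findings

# Constructed sample requests; 192.0.2.10 is a documentation-only address.
REDIRECTED = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:echo</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://192.0.2.10/</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""
ANONYMOUS = REDIRECTED.replace(
    "http://192.0.2.10/", "http://www.w3.org/2005/08/addressing/anonymous")
```

A non-empty result means the service would send its response to a party other than the caller; a deployment that does not need asynchronous replies can reject such requests outright.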

Project About

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP WS Amplification DoS Project (home page)
Purpose: The project aims to explore the threat of an Amplification DoS attack that utilises webservices.

Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper. The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale. If necessary, a publication involving awareness and countermeasures will follow.

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases