OWASP WS Amplification DoS Project
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale. If necessary, a publication involving awareness and countermeasures will follow.
WS-Addressing default behaviour
In order to get a grasp of the magnitude of this threat, it is necessary to be aware of the default configurations in the existing web service frameworks. So far, Axis2 and JAX-WS (Metro) have been confirmed to enable it without the user specifying the need for it. Potentially creating a lot of web services that are unnecessarily prone to abuse.
Axis2 enables WS-Addressing by default, as stated here
CXF supports WS-Addressing, but explicit configuration is required to enable it.
JAX-WS & Metro
Metro is based on the JAX-WS API. The documentation says "In Metro, if WS-Addressing is explicitly disabled then the RI does not follow the rules of engagement. However if WS-Addressing is either implicitly or explicitly enabled then Metro engages WS-Addressing based upon the presence of wsa:Action header. "
.NET/WCF supports WS-Addressing, but the default behaviour on a RepyTo field is unclear. More information is welcome!
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?