You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Marco Stettler (JIRA)" <ji...@apache.org> on 2013/07/17 10:50:52 UTC
[jira] [Created] (WSS-465) Possible information leak: incremental
IDs
Marco Stettler created WSS-465:
----------------------------------
Summary: Possible information leak: incremental IDs
Key: WSS-465
URL: https://issues.apache.org/jira/browse/WSS-465
Project: WSS4J
Issue Type: Improvement
Components: WSS4J Core
Affects Versions: 1.6.9
Environment: CXF 2.7.3, XMLsec 1.5.3
Reporter: Marco Stettler
Assignee: Colm O hEigeartaigh
We had a security audit, and one of the points listed is as follow:
The "Signature ID" and "Reference URI ID" are incremental. From this fact it can be deduced whether and how much the service will be used. The number varies only minimally, the service is hardly used the observed time. However, the number rises noticeably within a short time, so the service is already under load. At such a time a DoS attack, for example, would achieve particularly infuriating effect.
Couldnt this IDs be randomized? Or incremental by request (not "static" in the VM)?
What i saw in the code is, that theres already a interface "WsuIdAllocator", with a anonymous implementation in the class "WSSConfig". But theres no proper way to override this implementation as the extension point is missing (or i'm missing it :).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org