Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2013/07/17 14:14:48 UTC

[jira] [Updated] (WSS-465) Possible information leak: incremental IDs

     [ https://issues.apache.org/jira/browse/WSS-465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-465:
------------------------------------

    Fix Version/s: 1.6.12
    
> Possible information leak: incremental IDs
> ------------------------------------------
>
>                 Key: WSS-465
>                 URL: https://issues.apache.org/jira/browse/WSS-465
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.6.9
>         Environment: CXF 2.7.3, XMLsec 1.5.3
>            Reporter: Marco Stettler
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.12
>
>
> We had a security audit, and one of the points listed is as follows:
> The "Signature ID" and "Reference URI ID" are incremental. From this fact it can be deduced whether and how much the service will be used. The number varies only minimally; the service is hardly used during the observed time. However, the number rises noticeably within a short time, so the service is already under load. At such a time a DoS attack, for example, would achieve particularly infuriating effect.
> Couldn't these IDs be randomized? Or incremental by request (not "static" in the VM)?
> What I saw in the code is that there's already an interface "WsuIdAllocator", with an anonymous implementation in the class "WSSConfig". But there's no proper way to override this implementation as the extension point is missing (or I'm missing it :).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
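The report contrasts a VM-wide counter with randomized IDs. The following is an added example, not WSS4J's own code and not taken from the issue: a counter-based allocator next to an unpredictable one backed by SecureRandom, with a check that the generated values are still valid xs:ID NCNames (a wsu:Id must start with a letter or underscore, which a raw hex string would not guarantee). The method names createId/createSecureId and the (prefix, Object) parameters are assumptions about the shape of the WsuIdAllocator interface mentioned in the report, not facts from the page.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;

/**
 * Added example (not WSS4J code). Two allocators for wsu:Id values:
 *  - CounterAllocator: one counter per VM, so the IDs an observer sees in
 *    successive messages reveal how many messages the service has handled.
 *  - RandomAllocator: 128 bits from SecureRandom per ID, so consecutive IDs
 *    carry no information about load or ordering.
 * The interface shape below is an ASSUMPTION about WsuIdAllocator.
 */
public final class WsuIdAllocators {

    /** Assumed shape of the WSS4J extension point (assumption, not from the report). */
    public interface WsuIdAllocator {
        String createId(String prefix, Object o);
        String createSecureId(String prefix, Object o);
    }

    /** xs:ID values are NCNames: a letter or underscore, then name characters. */
    private static final Pattern NCNAME = Pattern.compile("[A-Za-z_][A-Za-z0-9._-]*");

    private static String normalizePrefix(String prefix) {
        // An empty prefix would let a hex digit become the first character,
        // which is not a valid NCName start; fall back to a safe default.
        return (prefix == null || prefix.isEmpty()) ? "id-" : prefix;
    }

    private static String checkNcName(String id) {
        if (!NCNAME.matcher(id).matches()) {
            throw new IllegalArgumentException("not a valid xs:ID value: " + id);
        }
        return id;
    }

    /** The weak form: a VM-wide monotonically increasing counter. */
    public static final class CounterAllocator implements WsuIdAllocator {
        private final AtomicLong counter = new AtomicLong();

        @Override
        public String createId(String prefix, Object o) {
            return checkNcName(normalizePrefix(prefix) + counter.incrementAndGet());
        }

        @Override
        public String createSecureId(String prefix, Object o) {
            return createId(prefix, o);
        }
    }

    /** The hardened form: 128 random bits per ID, hex-encoded. */
    public static final class RandomAllocator implements WsuIdAllocator {
        private static final char[] HEX = "0123456789abcdef".toCharArray();
        private final SecureRandom rng = new SecureRandom();

        @Override
        public String createId(String prefix, Object o) {
            byte[] raw = new byte[16]; // 128 bits: collision risk is negligible
            rng.nextBytes(raw);
            StringBuilder sb = new StringBuilder(prefix == null ? 3 : prefix.length() + 32);
            sb.append(normalizePrefix(prefix));
            for (byte b : raw) {
                sb.append(HEX[(b >> 4) & 0x0F]).append(HEX[b & 0x0F]);
            }
            return checkNcName(sb.toString());
        }

        @Override
        public String createSecureId(String prefix, Object o) {
            return createId(prefix, o);
        }
    }

    /** Shows what an observer of five consecutive messages would learn from each. */
    public static void main(String[] args) {
        WsuIdAllocator counter = new CounterAllocator();
        WsuIdAllocator random = new RandomAllocator();
        for (int i = 0; i < 5; i++) {
            // Counter IDs climb by one per call; random IDs share only the prefix.
            System.out.println(counter.createId("SIG-", null) + "   " + random.createId("SIG-", null));
        }
    }
}
```

Two practical notes on the random allocator: it never returns an empty-prefix value, because a hex digit in the first position would fail the NCName rule and break signature reference resolution; and it does not reuse a cached generator across forked processes, which is the usual way a "random" ID scheme ends up repeating values.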