Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.4
-
None
-
None
-
Any OS
Description
This issue was reported by our security team post audit and hence creating this tik:
1) Our Soap service is layered on Axis and the stub and skeletons are auto generated by feeding the WSDL and XSD to Axis wsdl2java.
2) The Axis layer validates the type of the input parameter coming in as part of the request against the types defined in the XSD.
3) In this case, for a parameter defined as long in the xsd, the Security team passed in a String parameter. Axis threw a Java Number Format Exception as expected and the String parameter passed as the invalid input got reflected in the output response as part of this exception
4) The response in this case is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>For input string: "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"</faultstring>
<detail>
java.lang.NumberFormatException: For input string: "invalid string: "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"
The concern from our Security Team is that "This may lead to XSS attack if the consumer of the service does not perform output encoding".
5) Since this validation is done by Axis Skeleton layer even before the call back comes to the user defined registered implementation, upon recommendation from our Security team, we request Axis team to sanitize this output to prevent the actual invalid string from appearing in the output response.
Thanks,
Vijey