Description
We have 2 cases.
Scenario-1:
The user enters an incorrect service name in the URL. The response returned is a proper error message, "No service", which allows the user to guess the possible service names.
<faultstring>The service cannot be found for the endpoint reference (EPR) http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>
Scenario-2:
The user invokes the SOAP service without a SOAP envelope (no header / body). The error message is "No operation & Action is EMPTY".
Invoke the URL from a browser without any header info: http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator
The endpoint reference (EPR) for the Operation not found is /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. If this EPR was previously reachable, please contact the server administrator.
Both scenarios expose a detailed response to the attacker, which could lead to a security threat.
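
A regression check a defender could run over captured fault responses, as an added example that is not part of the original report or the project's code: it flags fault text that reveals the endpoint URL, service path or engine terms, and shows both scenarios collapsing to the same generic message once scrubbed. The pattern names, function names and `GENERIC` text are assumptions; the two sample inputs are the responses quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Patterns for the internal details visible in the two responses above.
LEAK_PATTERNS = {
    "endpoint_url": re.compile(r"https?://[\w.\-]+(?::\d+)?/\S*"),
    "service_path": re.compile(r"/[\w.\-]+/services/\w+"),
    "engine_term": re.compile(r"\b(EPR|WSA Action|endpoint reference)\b"),
}
GENERIC = "The request could not be processed."  # assumed replacement text


def fault_text(body: str) -> str:
    """Return the faultstring text if body is XML containing one, else body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return body  # plain-text error page, as in Scenario-2
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "faultstring":  # ignore namespace
            return el.text or ""
    return body


def leaked_details(body: str) -> list[str]:
    """Names of the leak patterns that match the fault message."""
    text = fault_text(body)
    return sorted(n for n, rx in LEAK_PATTERNS.items() if rx.search(text))


def scrub(body: str) -> str:
    """Return the generic message if the fault leaks detail, else its text."""
    return GENERIC if leaked_details(body) else fault_text(body)


# Responses quoted in the report, used as sample input.
SCENARIO_1 = ("<faultstring>The service cannot be found for the endpoint "
              "reference (EPR) http://10.18.250.242:19993/"
              "com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>")
SCENARIO_2 = ("The endpoint reference (EPR) for the Operation not found is "
              "/com.huawei.ebus.webapp.basic/services/Calculator and the "
              "WSA Action = null.")

if __name__ == "__main__":
    for sample in (SCENARIO_1, SCENARIO_2):
        print(leaked_details(sample), "->", scrub(sample))
```

Because an unknown service and a known service called without an envelope produce the same scrubbed text, the response no longer distinguishes valid service names from invalid ones.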