-
Notifications
You must be signed in to change notification settings - Fork 104
Test 10) Weak WS SecurityPolicy: Insufficient Supporting Token Protection
Yalçın YOLALAN edited this page Mar 28, 2018
·
2 revisions
Vulnerability Type Static
Test Web Service URI http://[yourhostName]/InsufficientSupportingTokenProtection.wsdl
Vulnerable Code Block The following WS-SecurityPolicy entry allows UsernameTokens to be sent in SOAP messages without a signature or encryption:
<sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient" />
</wsp:Policy>
</sp:SupportingTokens>
Indications of Vulnerability Static analysis reveals that the wsdl file does not contain any SupportingToken XML tag.
- Home
- Installation
- Usage
- Default Parameter Values
- Scope
- Donation
-
Testing Activities
- XML Bombs
- External Entity Attacks
- Insecure Communication
- Insufficient Authentication Test
- Cross Site Scripting
- SQL Injection
- XPATH Injection
- Verbose SOAP Fault Message
- Weak WS-SecurityPolicy: Insecure Transport
- Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
- Weak WS-SecurityPolicy: Tokens Not Protected
- Weak XML Schema: Undefined Namespace
- Weak XML Schema: Unbounded Occurrences