SOAPAction spoofing vulnerability in 3.2.9

SOAPAction spoofing vulnerability in 3.2.9

Tomasz Zorawik
Hi,

I'm concerned about SOAPAction Spoofing
(https://www.ws-attacks.org/SOAPAction_Spoofing) in CXF 3.2.9.
My web service has two operations: Operation1 and Operation2. I noticed that
when a SOAP request is sent with the body
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:exam="…">
   <soapenv:Header/>
   <soapenv:Body>
      <exam:Operation1/>
   </soapenv:Body>
</soapenv:Envelope>
and the SOAPAction HTTP header = …/Operation2,

Operation2 is invoked by CXF.
I wonder whether this behavior is expected and secure.

It seems that CXF validates the SOAPAction header against the WSDL (when the
request has a SOAPAction header with an operation which does not exist in the
WSDL, the result is a Fault: ‘The given SOAPAction a does not match an
operation.’). However, it does not compare it with the operation inside the
request body.

If the SOAPAction header is empty, the operation inside the request body is
taken into account when selecting the operation to invoke.

I found a similar issue which had been resolved before in an older version
of the library, http://cxf.apache.org/cve-2012-3451.html:
“In some cases, CXF uses the received SOAP Action to select the correct
operation to invoke, and does not check to see that the message body is
correct. This can be exploitable to execute a SOAP Action spoofing attack,
where an adversary can execute another operation in the web service by
sending the corresponding SOAP Action.”

Regards,
Tomasz




--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
Re: SOAPAction spoofing vulnerability in 3.2.9

coheigea
Administrator
Can I see what the WSDL looks like that you're using?

Colm.

On Thu, Mar 19, 2020 at 3:31 PM Tomasz Zorawik <[hidden email]> wrote:
Re: SOAPAction spoofing vulnerability in 3.2.9

Tomasz Zorawik
Here is my WSDL (simplified):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://example.com/Example/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="Example"
targetNamespace="http://example.com/Example/">
    <wsdl:message name="Operation1Request" />
    <wsdl:message name="Operation1Response" />

    <wsdl:message name="Operation2Request" />
    <wsdl:message name="Operation2Response" />

    <wsdl:portType name="ExamplePortType">
        <wsdl:operation name="Operation1">
            <wsdl:input message="tns:Operation1Request"/>
            <wsdl:output message="tns:Operation1Response"/>
        </wsdl:operation>
        <wsdl:operation name="Operation2">
            <wsdl:input message="tns:Operation2Request"/>
            <wsdl:output message="tns:Operation2Response"/>
        </wsdl:operation>
    </wsdl:portType>

    <wsdl:binding name="ExampleBinding" type="tns:ExamplePortType">
        <soap:binding style="rpc"
transport="http://schemas.xmlsoap.org/soap/http" />
        <wsdl:operation name="Operation1">
            <soap:operation
soapAction="http://example.com/Example/Operation1" />
            <wsdl:input>
                <soap:body use="literal"
namespace="http://example.com/Example/" />
            </wsdl:input>
            <wsdl:output>
                <soap:body use="literal"
namespace="http://example.com/Example/" />
            </wsdl:output>
        </wsdl:operation>
        <wsdl:operation name="Operation2">
            <soap:operation
soapAction="http://example.com/Example/Operation2" />
            <wsdl:input>
                <soap:body use="literal"
namespace="http://example.com/Example/" />
            </wsdl:input>
            <wsdl:output>
                <soap:body use="literal"
namespace="http://example.com/Example/" />
            </wsdl:output>
        </wsdl:operation>
    </wsdl:binding>

    <wsdl:service name="ExampleService">
        <wsdl:port binding="tns:ExampleBinding" name="ExamplePort">
            <soap:address location="http://www.example.org/"/>
        </wsdl:port>
    </wsdl:service>
</wsdl:definitions>

I just now noticed that issue http://cxf.apache.org/cve-2012-3451.html
concerned Document/Literal web services (where, if I understand correctly,
the operation name in the SOAP message is lost), and my WSDL is RPC/Literal
style (where the operation name appears in the SOAP message).

Tomasz



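The check Tomasz is asking for, written as an added Python example (not CXF's own code): it maps each binding operation to the soapAction declared in the posted WSDL, reads the operation wrapper from the rpc/literal body, and refuses to dispatch when a non-empty SOAPAction header names a different operation; an empty header lets the body decide. The WSDL fragment and request are constructed from the thread's own values.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSDL_SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL fragment: only the binding from the posted WSDL is needed here.
WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsdl:binding name="ExampleBinding">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="Operation1">
      <soap:operation soapAction="http://example.com/Example/Operation1"/>
    </wsdl:operation>
    <wsdl:operation name="Operation2">
      <soap:operation soapAction="http://example.com/Example/Operation2"/>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

# Constructed request: the body names Operation1, as in the original post.
REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:exam="http://example.com/Example/">
  <soapenv:Header/>
  <soapenv:Body><exam:Operation1/></soapenv:Body>
</soapenv:Envelope>"""


def soap_actions(wsdl_xml):
    """Map each bound operation name to the soapAction the WSDL declares for it."""
    actions = {}
    for op in ET.fromstring(wsdl_xml).iter(f"{{{WSDL_NS}}}operation"):
        soap_op = op.find(f"{{{WSDL_SOAP}}}operation")
        if soap_op is not None:  # portType operations carry no soap:operation
            actions[op.get("name")] = soap_op.get("soapAction")
    return actions


def body_operation(envelope_xml):
    """rpc/literal: the single child of soap:Body is the operation wrapper."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV}}}Body")
    children = list(body) if body is not None else []
    return children[0].tag.rsplit("}", 1)[-1] if len(children) == 1 else None


def select_operation(actions, soap_action_header, envelope_xml):
    """Return the operation to dispatch, or None if the request must be rejected.
    A present header must agree with the body; it never overrides it."""
    op = body_operation(envelope_xml)
    if op not in actions:
        return None
    header = (soap_action_header or "").strip().strip('"')  # SOAP 1.1 allows quotes
    return None if header and actions[op] != header else op
```

Rejecting on mismatch (rather than silently dispatching the body's operation) makes the spoofing attempt visible in server logs as a fault.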
Re: SOAPAction spoofing vulnerability in 3.2.9

coheigea
Administrator
Thanks for the additional information. There is indeed an issue with the
RPC case, which has now been fixed for the next releases (which are
imminent).

Colm.

On Fri, Mar 20, 2020 at 12:49 PM Tomasz Zorawik <[hidden email]> wrote:
Re: SOAPAction spoofing vulnerability in 3.2.9

Tomasz Zorawik