Reputation: 153
Ahead of a full third-party penetration test, one of our clients has performed a preliminary security audit against our system.
This has revealed a handful of potential exploits that we are happy to deal with, but there is one item in the report that I'm not sure I agree with, and I've been unable to convince them.
They have reported that they have been able to send a message which has been tampered with to one of our SOAP-based web services and that it has reported an error. This, they suggest, implies that the server has attempted to process the message.
So the request looks something like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://example.com/soap/envelope/]]&gt;&gt;&lt;" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:SomeMethod xmlns:tns="http://example.com/"/>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Note the encoded ]]>>< inserted into the xmlns:SOAP-ENV attribute.
The response from the server is:
<soap:Body>
<soap:Fault>
<faultcode>soap:VersionMismatch</faultcode>
<faultstring>Possible SOAP version mismatch: Envelope namespace http://example.com/soap/envelope/]]&gt;&gt;&lt; was unexpected. Expecting http://example.com/soap/envelope/.</faultstring>
<detail />
</soap:Fault>
</soap:Body>
Their argument is that this shows that the payload has been inserted into an XML document and so has been processed (presumably exposing us to things like XXE exploits) and the fact that the error is a SOAP error rather than a generic 500 error proves this.
I'm not convinced that this is the case, but I'm struggling to convince the client of this. According to this article (https://msdn.microsoft.com/en-us/library/aa480498.aspx), the XmlSerializer is responsible for serialising and deserialising the SOAP XML to parameters, and so this is what is rejecting the bad SOAP envelope.
Can anyone confirm whether we have a security issue? And if it is how we should fix it?
Upvotes: 0
Views: 101
Reputation: 1698
Can anyone confirm whether we have a security issue? And if it is how we should fix it?
There is no security issue.
Different SOAP processors will produce different error messages for this example, though the SOAP protocol recommends the "SOAP version mismatch" fault. In my experience of 10+ years working with XML, SOAP, and other web services protocols, what your SOAP processor does is perfectly legitimate. It simply rejects the SOAP-ENV:Envelope qualified tag based on the XML namespace mismatch, because the xmlns binding URI simply differs from the expected URI:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://example.com/soap/envelope/]]>><"
In fact, this XML is perfectly legit. And it should be rejected by the SOAP processor with a SOAP version mismatch fault.
Upvotes: 1
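The following is an added worked example, not code from the question or the answer above, and it is not the behaviour of the .NET XmlSerializer. It reproduces the mechanics the answer describes: the tampered request is well-formed XML once the payload is entity-encoded inside the attribute, a namespace-aware parser reads the attribute value back as the literal string containing `]]>><`, and a SOAP processor that compares the root element's namespace against the expected envelope URI answers with exactly the VersionMismatch fault shown in the post. It also shows the two things a practitioner would want checked alongside that fault: the same payload with the `<` left raw is not well-formed and is rejected before any SOAP logic runs, and a DTD-bearing request (the shape an XXE attempt takes) is refused under a hypothetical "no DOCTYPE" policy. The expected namespace is the post's placeholder `http://example.com/soap/envelope/`; the sample requests are constructed here. One caveat worth stating plainly: a VersionMismatch fault proves only that the root element's namespace was compared; whether external entities could ever be resolved depends on the XML reader's DTD settings, which this fault neither proves nor disproves, so that setting is what to verify rather than arguing from the fault text.

```python
"""Minimal SOAP 1.1-style envelope check mirroring the fault in the post (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Placeholder namespace from the post; a real service would use the SOAP 1.1 envelope URI.
EXPECTED_ENV_NS = "http://example.com/soap/envelope/"

# Constructed sample: the tester's tampered request, with the payload entity-encoded
# inside the attribute as the post says it was, so the document is well-formed XML.
TAMPERED_REQUEST = b"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://example.com/soap/envelope/]]&gt;&gt;&lt;"
  xmlns:s="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:SomeMethod xmlns:tns="http://example.com/"/>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed sample: the same request without the injected text.
GOOD_REQUEST = TAMPERED_REQUEST.replace(b"]]&gt;&gt;&lt;", b"")

# Constructed sample: a request carrying a DTD, the shape an XXE attempt takes.
DOCTYPE_REQUEST = b"""<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://example.com/soap/envelope/">
<SOAP-ENV:Body><tns:SomeMethod xmlns:tns="http://example.com/">&xxe;</tns:SomeMethod></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def build_fault(faultcode, faultstring):
    """Render a SOAP 1.1 Fault body; the faultstring is escaped so ']]>' and '<' stay text."""
    return (
        '<soap:Body xmlns:soap="%s"><soap:Fault>'
        "<faultcode>%s</faultcode><faultstring>%s</faultstring><detail />"
        "</soap:Fault></soap:Body>"
        % (escape(EXPECTED_ENV_NS), faultcode, escape(faultstring))
    )


def process_request(payload):
    """Return ("ok", method_name) or ("fault", faultcode, faultstring)."""
    # Hypothetical hardening policy: refuse any DTD before the parser sees it.
    if b"<!DOCTYPE" in payload:
        return ("fault", "soap:Client", "DTD not allowed")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        # Raw '<' inside an attribute value lands here: no SOAP logic ever runs.
        return ("fault", "soap:Client", "Request is not well-formed XML: %s" % exc)
    # ElementTree exposes qualified names as "{namespace}local".
    if root.tag.startswith("{") and "}" in root.tag:
        ns, local = root.tag[1:].split("}", 1)
    else:
        ns, local = "", root.tag
    if local != "Envelope" or ns != EXPECTED_ENV_NS:
        # The tampered text survives as part of the namespace URI and is echoed in the fault.
        return ("fault", "soap:VersionMismatch",
                "Possible SOAP version mismatch: Envelope namespace %s was unexpected. "
                "Expecting %s." % (ns, EXPECTED_ENV_NS))
    body = root.find("{%s}Body" % EXPECTED_ENV_NS)
    if body is None or len(body) == 0:
        return ("fault", "soap:Client", "Missing Body")
    method = body[0].tag.split("}", 1)[-1]
    return ("ok", method)


if __name__ == "__main__":
    for name, req in (("tampered", TAMPERED_REQUEST), ("good", GOOD_REQUEST),
                      ("doctype", DOCTYPE_REQUEST),
                      ("raw '<'", TAMPERED_REQUEST.replace(b"&lt;", b"<"))):
        result = process_request(req)
        print(name, "->", result if result[0] == "ok" else build_fault(*result[1:]))
```

Note that the VersionMismatch branch is reached only after the parser has already accepted the document as well-formed XML, which is what the tester observed; the DOCTYPE guard and the parser's own DTD behaviour are separate from that check and are the part that actually governs XXE exposure.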