user2361697

Reputation: 1

Vulnerability - Application should not disclose the default error message

The SOAP request gives a default error message if the deserialization of a data member fails. This has been found in security issues, and attackers can see the sensitive information. Can you please tell me how to change this default error message to a custom error?

Here is an example:

Request:

    POST https://abc/xyz.svc HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    SOAPAction: http://abc/action
    Content-Type: text/xml;charset=UTF-8
    Host: 127.0.0.1
    Content-Length: 933

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:abc="http://action"
    xmlns:abc1="http://schemas.datacontract.org/2004/07/action.ServiceLibrary">
    <soapenv:Header/>
    <soapenv:Body>
    <abc:Recon>
    <abc:employeeID>1231456</abc: employeeID >
    <abc:token>agthjknghrdfgbnhgevq</abc:token>
    <abc:request>
    <abc1:CurrencyCode><![CDATA[ <<!ENTITY % file SYSTEM "file:///etc/fstab">
    <abc:Issuer></abc:Issuer>
    <abc:Reference>per auras</abc:Reference>
    </abc:request>
    </abc:Recon>
    </soapenv:Body>
    </soapenv:Envelope>

Response:

    HTTP/1.1 500 Internal Server Error
    Date: Tue, 23 May 2023 09:55:54 GMT
    Content-Type: text/xml; charset=utf-8
    Content-Length: 703
    Connection: close
    Access-Control-Expose-Headers: Request-Context
    Request-Context: appId=cid-v1:f2c7dfc0-df3b-4c74-a4d9-5fc744b61509
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    X-XSS-Protection: 1; mode=block

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Body>
        <s:Fault>
          <faultcode xmlns:a="http://schemas.microsoft.com/net/2005/12/windowscommunicationfoundation/dispatcher">a:DeserializationFailed</faultcode>
          <faultstring xml:lang="en-US">The formatter threw an exception while trying to deserialize the message: There was an error while trying to deserialize parameter http://abc:request. The InnerException message was 'There was an error deserializing the object of type abc.ServiceLibrary.Request. The token '[CDATA[' was expected but found 'ENTITY '. Line 14, position 3.'. Please see InnerException for more details.</faultstring>
        </s:Fault>
      </s:Body>
    </s:Envelope>

Please let me know how I can replace the full fault string here with a custom message.

Upvotes: 0

Views: 96

Answers (2)

user22167872
user22167872

Reputation: 1

You may use FaultContract or custom error messages. Then it might solve the problem.

Upvotes: -1

Jiayao
Jiayao

Reputation: 568

You may use IErrorHandler to accomplish it. It allows unhandled and undefined errors to be uniformly customized. Refer to the following cases to handle exceptions.

  1. Throwing FaultException using Custom Exception Handler EL WCF

  2. How set a WCF custom deserialization error message

Upvotes: 0
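As an added example that is not part of either answer: a WCF IErrorHandler plus a service behavior attribute that installs it, which replaces every unhandled fault (the a:DeserializationFailed fault shown in the question included) with a fixed, non-descriptive faultstring while keeping the original exception in the server-side trace. The class names, the replacement text and the trace sink are assumptions, not anything from the question's service.

```csharp
using System;
using System.Collections.ObjectModel;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Replaces whatever fault WCF already built (including the formatter's deserialization fault)
// with a generic one, so callers never see type names, token positions or inner-exception text.
public class GenericFaultErrorHandler : IErrorHandler
{
    public bool HandleError(Exception error)
    {
        // Keep the full detail server-side; returning true marks the error as handled.
        System.Diagnostics.Trace.TraceError("Unhandled service error: {0}", error);
        return true;
    }

    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        // Overwrite the fault unconditionally; the reason text is an assumed placeholder.
        var generic = new FaultException("The request could not be processed.", new FaultCode("Client"));
        MessageFault messageFault = generic.CreateMessageFault();
        fault = Message.CreateMessage(version, messageFault, generic.Action);
    }
}

// Marks a service class so the handler is added to every channel dispatcher when the host opens.
[AttributeUsage(AttributeTargets.Class)]
public class GenericFaultBehaviorAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase dispatcherBase in host.ChannelDispatchers)
        {
            if (dispatcherBase is ChannelDispatcher dispatcher)
                dispatcher.ErrorHandlers.Add(new GenericFaultErrorHandler());
        }
    }

    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}

// Usage (assumed service name): [GenericFaultBehavior] public class ReconService : IReconService { ... }
```

Verify in a test environment by resending a malformed request and checking that the faultstring no longer names the contract type or the parse position; a FaultContract on the operation, as the first answer suggests, still lets you return typed faults for expected conditions.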
