W3C home > Mailing lists > Public > public-ws-addressing-comments@w3.org > April 2005

More Security Considerations (SOAP, substantive)

From: Jonathan Marsh <jmarsh@microsoft.com>
Date: Tue, 12 Apr 2005 14:25:57 -0700
Message-ID: <7DA77BF2392448449D094BCEF67569A507280F9D@RED-MSG-30.redmond.corp.microsoft.com>
To: <public-ws-addressing-comments@w3.org>

Although it might cost nearly as much to send a bloated EPR as it would
to process it, it might be worthwhile to point out the possibility of
DOS attacks in this case.

  'Reference Parameters and other WS-Addressing headers can potentially
  be quite large. Implementations should take care not to expose
  themselves to a denial of service attack based on constructing or
  consuming messages based on EPRs with large reference parameters.'

It might be possible to manipulate a service into using up all it's
sockets.  We should point out that implementations should guard against
this attack.

  'When [reply endpoint] and/or [fault endpoint] do not contain the
  anonymous URI, the processor of such an EPR should take care to avoid
  a denial of service attack caused by opening an excessive number
  network connections, which are typically a scarce resource.'

If an implementation is completely non-discriminatory about where it
sends faults it may be possible to manipulate that endpoint into
participation in a DoS attack.

  'Care should be taken to avoid participating in a denial of service
  attack in which an attacker sends malformed messages to many receivers
  and includes a [fault endpoint] for the target of the attack.'
Received on Tuesday, 12 April 2005 21:26:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:19:38 GMT