Most users of the Vordel XML Gateway know that you can assign a SOAP Fault as a fault handler, and customize what goes back to the client in the SOAP Fault. Also, most users know that you can create a reusable sub-policy which is called by another policy (like a subroutine in a programming language, and, indeed, like a reusable Web Service). But did you know you can combine the two capabilities? You can create a reusable policy and assign it as the fault handler.
In the example below, I have dragged in a "Policy Shortcut" onto the canvas. I right-click on it and say "Set as Fault Handler". So, if the XML Gateway finds any problem with the XML message, or with the back-end Web Service, then it runs this sub-policy. The sub-policy I'm using ships as standard in the "Policy Library", and it simply returns a HTTP 403 "Forbidden" message to the client. This gives no information to the client about why exactly their message was blocked. As part of that sub-policy, you could also send a notification to an administrator, return back a cached response from the Web Service, strip out part of the message which is harmful, quarantine the message, or redirect the request to a back-up Web Service.
2 comments:
Apache Axis strips out the stack trace before sending a fault back over the wire, unless you explicitly set the "development.system" flag. By default: no stack trace. What it does do (and it is a feature which I must bear the blame for) is send the hostname of the failing system over. Because it is a lot easier to track down failures in a cluster if you can see which machine is failing. For better security we'd really need to have a remap table to assign false names to the hosts
Hi Steve,
Thanks for pointing that out. Back when the vulnerability assessment was done (in early 2006), the information was being sent back. That may have been before the time of "development.system", or (more likely) perhaps they had just unthinkingly left it on because the system under scrutiny was an internal system.
Having "no stack trace returned" as the default is great, because in those stack traces, we could see information like:
Org.hibernate.exception.GenericJDBCException: could not insert: com.companyx.model2.x.integration,dto.LifeAssured]
and, when we ran a SQL Injection attack, we saw:
Java.sql.SQLException: setString can only process strings of less than 32766 characters
I find these recommendations on the Apache site useful, and I often point people to them:
http://ws.apache.org/axis/java/security.html#StopAxisServletListingServices
But, I would argue that the "return WSDL" functionality should be under the "development.system" flag also (i.e. setting "axis.enableListQuery" to false). The recommendations above show how to turn off the service listing and "?WSDL" WSDL-download functionality, but it's not done by default. See also Anil John's post on this yesterday:
http://www.aniltj.com/blog/2008/09/21/InformationDisclosureThreatsAndWebServices.aspx
cheers,
Mark
Post a Comment