
Using spring-ws with JAXB as our stack for SOAP web services, I want to secure them against "Oversized XML" attacks. In CXF I know there is the possibility to defend against most of these attacks using the following properties:

org.apache.cxf.stax.maxChildElements
org.apache.cxf.stax.maxElementDepth
org.apache.cxf.stax.maxAttributeCount
org.apache.cxf.stax.maxAttributeSize
org.apache.cxf.stax.maxTextLength
org.apache.cxf.stax.maxElementCount

However, I have not found anything equal in the Spring stack. Is there a way to mitigate this kind of attack?

  • If nothing else helps, try limiting the size of HTTP requests: https://stackoverflow.com/questions/2947683/httprequest-maximum-allowable-size-in-tomcat – Boris Pavlović Feb 09 '16 at 10:51
  • I already thought of that, but according to [this site](http://projects.webappsec.org/w/page/13247001/XML%20Attribute%20Blowup) a file with only 90k could cause the parser to do 50,000,000 basic operations. So I thought of using something like the things available in cxf. – Frank Feb 09 '16 at 11:00
  • Is it the performance bottleneck of the system? Has it been measured? – Boris Pavlović Feb 09 '16 at 11:51
  • No, up to this point it is no performance issue and it could be a solution to limit the size of the requests. But I still think that it is just a symptom cure and hope there's something equivalent to cxf's properties. – Frank Feb 09 '16 at 12:21
  • Maybe JAXB can be replaced with CXF in Spring: https://cxf.apache.org/docs/writing-a-service-with-spring.html – Boris Pavlović Feb 09 '16 at 12:24
  • Thanks for the link. Unfortunately our customer has a strict policy regarding the used frameworks. :-( I suppose I'll fall back to the size-limit approach. – Frank Feb 09 '16 at 13:13
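As an added illustration of what the CXF properties listed in the question do at the parser level (example code written for this page, not code from the question, from spring-ws or from CXF): the `org.apache.cxf.stax.*` limits are enforced by the Woodstox StAX parser, and the same limits can be set directly on a Woodstox `XMLInputFactory`. The example assumes Woodstox is on the classpath; the `com.ctc.wstx.*` property constants are Woodstox's, and the limit values and the nested sample document are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.api.WstxInputProperties;
import com.ctc.wstx.exc.WstxLazyException;
import com.ctc.wstx.stax.WstxInputFactory;

public class XmlLimitsDemo {

    // Woodstox factory with hard structural limits. The chosen values are illustrative;
    // tune them to the largest legitimate message the service must accept.
    static XMLInputFactory limitedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        // No DTDs and no external entities: rules out entity-expansion and XXE inputs.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Counterparts of the org.apache.cxf.stax.* properties from the question.
        f.setProperty(WstxInputProperties.P_MAX_ELEMENT_DEPTH, 50);
        f.setProperty(WstxInputProperties.P_MAX_CHILDREN_PER_ELEMENT, 1000);
        f.setProperty(WstxInputProperties.P_MAX_ATTRIBUTES_PER_ELEMENT, 100);
        f.setProperty(WstxInputProperties.P_MAX_ATTRIBUTE_SIZE, 4096);
        f.setProperty(WstxInputProperties.P_MAX_TEXT_LENGTH, 64 * 1024);
        f.setProperty(WstxInputProperties.P_MAX_ELEMENT_COUNT, 100_000L);
        return f;
    }

    // Drains a document through the limited parser. Returns true if it parsed completely,
    // false if Woodstox aborted because one of the limits above was exceeded.
    static boolean accepts(XMLInputFactory f, String xml) {
        try (StringReader in = new StringReader(xml)) {
            XMLStreamReader r = f.createXMLStreamReader(in);
            while (r.hasNext()) {
                r.next();
            }
            r.close();
            return true;
        } catch (XMLStreamException | WstxLazyException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    // Constructed sample: a tiny document nested 'depth' levels deep, no entities at all.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>");
        for (int i = 0; i < depth; i++) sb.append("<e>");
        sb.append("x");
        for (int i = 0; i < depth; i++) sb.append("</e>");
        return sb.toString();
    }

    public static void main(String[] args) {
        XMLInputFactory f = limitedFactory();
        System.out.println("depth 10 accepted:  " + accepts(f, nested(10)));
        System.out.println("depth 200 accepted: " + accepts(f, nested(200)));
    }
}
```

The depth-200 document is only a few kilobytes, which is the point made in the comments above: a request-size cap alone does not bound the parser's work, whereas a structural limit rejects the document as soon as the limit is crossed.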
