One tactic here is to hide the fact that you are running Axis. While obscurity on its own is inadequate, it can slow down attacks or make you seem less vulnerable to known holes.
Rebuild Axis without the bits of it you don't need. This is a very paranoid solution, but it keeps the number of potential attack points down. They, along with JSP pages, provide anyone who can get text files onto the web application with the ability to run arbitrary Java code. The AxisServlet, the AdminService, even happyaxis. Rename all of these, by editing web. You may not need the AdminService once you have generated the server config on a development machine. By default, Axis ships in production mode; stack traces do not get sent back to the caller.
If you set axis. This exposes internal information about the implementation that may be used in finding weaknesses. Edit the. Servlets 2. Caller address validation is useful for securing admin services and pages, even when other endpoints are public. Of course, router configuration is useful there too. Although full logs are a DoS attack tactic in themselves, logging who sends messages is often useful, for auditing and keeping track of what is going on.
Add more log4j tags to whatever bit of Axis appeals to you to do this. Java has a powerful and complex security system. Use it to configure Axis with reduced rights. On Unix this is pretty much a given, but even on Windows NT and successors you can run a service as a different user. Make it one with limited rights.
Make sure the core of the system has its access permissions tightened up so that the restricted-rights user cannot get at things it shouldn't. To track DoS attacks, a load monitor is useful.
AxisBaseServlet tracks the number of callers inside its subclasses at any point in time; the AdminServlet shows how to get at this data.
You then need a policy to act on the alerts, of course. A real honeypot would emulate an entire back-end service; it would be an interesting little experiment to build and play with. We tend to discuss security on Axis-Dev, whenever it is an issue, but if demand is high we may add an axis-announce mailing list for important announcements.
These days a lot of people love to make a name for themselves by finding security holes, and Axis, as part of the Apache product family, is a potential target. A hole in Axis could make many Web Services vulnerable, and so could be serious indeed.
So far we have only found a few of these, primarily in quirks of XML parsing rather than anything else. If you find a security problem, write a test for it, such as a JUnit or HttpUnit test, so that you can regression test the application and installations for the problem.
It must match the actual username — ACV.

I tried but am getting the same error.

The idea was that a single physical card could be used for everything: multiple credit card accounts, airline affinity memberships, public-transportation payment cards, etc.
Nobody bought into the system: not because of security concerns, but because of branding concerns. Whose logo would get to be on the card? When the manufacturers envisioned a card with multiple small logos, one for each application, everyone wanted to know: Whose logo would be first? On top? In color? The companies give you their own card partly because they want complete control of the rules around their own system, but mostly because they want you to carry around a small piece of advertising in your wallet.
An American Express Gold Card is supposed to make you feel powerful and everyone else feel green. They want you to wave it around. That's why you still have a dozen different cards in your wallet. And countries that have national IDs give their citizens yet another card to carry around in their wallets -- and not a replacement for something else.