We have a legacy application on Spring MVC and we have a web service exposed (SOAP protocol) for some reporting client app. This service was tested by a security team and the report indicates that the service is vulnerable to XSS attack. The proof provided in the report indicates that they injected malicious code in the XML namespace as shown below:
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
    <getReport xmlns="myReport.xsdn9hqu"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>mbr2jk4t5ff">
      <some_info>some value</some_info>
      <some_more_info>some more value</some_more_info>
      <request>
        <someInput>some input data</someInput>
        <someMoreInput>someMoreInput</someMoreInput>
      </request>
    </getReport>
  </Body>
</Envelope>
The app uses Apache Axis 1.4 JAX-RPC to provide the service. In the response the added malicious code from the XML namespace is sent back as shown below:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <ns1:getReportResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="myReport.xsdn9hqu">
      <a xmlns:a='http://www.w3.org/1999/xhtml'>
        <a:body onload='alert(1)'/>
      </a>mbr2jk4t5ff">
      <geReportReturn href="#id0"/>
    </ns1:getReportResponse>
    ... report details continue
How do I fix this vulnerability? How can I encode/escape the XML header in this case?
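An input-side check, added here as an illustration and not code from the question or from Axis itself: a validator that a servlet Filter mapped in front of the Axis servlet could run on the raw request body, refusing any request whose operation element does not carry exactly the namespace URI and local name the service expects, so the reflected value never reaches the response serializer. The class name, the filter wiring and the expected values (for instance "myReport.xsd" and "getReport") are assumptions, since the question does not state the real namespace; the payload from the report fails the check because its namespace is "myReport.xsdn9hqu".

```java
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Hypothetical input guard; call it from a servlet Filter mapped in front of the Axis servlet. */
public final class SoapOperationNamespaceGuard {
    private static final String SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/";

    /**
     * True only when the first element inside soap:Body has exactly the expected namespace URI
     * and local name. The request from the report carries namespace "myReport.xsdn9hqu" plus
     * extra markup, so it fails the exact match and is never handed to Axis to be echoed back.
     */
    public static boolean isExpectedOperation(byte[] soapRequest, String expectedNs, String expectedOp) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            // Harden the parser itself: secure processing on, DTDs (and so external entities) refused.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(soapRequest));
            Element envelope = doc.getDocumentElement();
            if (!matches(envelope, SOAP_ENV, "Envelope")) return false;
            // Exactly one Body, and it must be a direct child of Envelope (Header, if any, precedes it).
            NodeList bodies = envelope.getElementsByTagNameNS(SOAP_ENV, "Body");
            if (bodies.getLength() != 1 || bodies.item(0).getParentNode() != envelope) return false;
            Element op = firstChildElement(bodies.item(0));
            return op != null && matches(op, expectedNs, expectedOp);
        } catch (Exception e) {
            return false; // malformed or unparseable input is rejected, not forwarded
        }
    }

    private static boolean matches(Element e, String ns, String local) {
        return ns.equals(e.getNamespaceURI()) && local.equals(e.getLocalName());
    }

    private static Element firstChildElement(Node parent) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i).getNodeType() == Node.ELEMENT_NODE) return (Element) kids.item(i);
        }
        return null;
    }
}
```

The filter has to buffer the request body (for example through an HttpServletRequestWrapper) so that Axis can still read it after the check, and should answer a failed check with an HTTP 400 instead of calling the chain. Rejecting the input complements, but does not replace, escaping what the response serializer writes, since the root cause is that the request's namespace value is copied verbatim into the reply.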