1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.wss4j.policy.stax.test;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.ByteArrayOutputStream;
23 import java.io.InputStream;
24 import java.util.ArrayList;
25 import java.util.List;
26 import java.util.Properties;
27
28 import javax.xml.stream.XMLStreamException;
29 import javax.xml.transform.dom.DOMSource;
30 import javax.xml.transform.stream.StreamResult;
31 import javax.xml.xpath.XPathConstants;
32 import javax.xml.xpath.XPathExpression;
33
34 import org.apache.wss4j.common.ext.WSSecurityException;
35 import org.apache.wss4j.dom.handler.WSHandlerConstants;
36 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
37 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcerFactory;
38 import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor;
39 import org.apache.wss4j.stax.ext.WSSConstants;
40 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
41 import org.apache.wss4j.stax.test.AbstractTestBase;
42 import org.apache.wss4j.stax.test.CallbackHandlerImpl;
43 import org.apache.xml.security.stax.ext.SecurePart;
44 import org.junit.jupiter.api.Test;
45 import org.w3c.dom.Document;
46 import org.w3c.dom.Element;
47
48 import static org.junit.jupiter.api.Assertions.assertEquals;
49 import static org.junit.jupiter.api.Assertions.assertNotNull;
50 import static org.junit.jupiter.api.Assertions.assertTrue;
51 import static org.junit.jupiter.api.Assertions.fail;
52
53 public class VulnerabliltyVectorsTest extends AbstractTestBase {
54
55
56
57
58
59
60 @Test
61 @org.junit.jupiter.api.Disabled
62 public void testSOAPActionSpoofing() throws Exception {
63 WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
64 outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
65 outSecurityProperties.setEncryptionUser("receiver");
66 outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
67 outSecurityProperties.setSignatureUser("transmitter");
68 outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
69
70 outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
71 outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
72 outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
73 List<WSSConstants.Action> actions = new ArrayList<>();
74 actions.add(WSSConstants.TIMESTAMP);
75 actions.add(WSSConstants.SIGNATURE);
76 actions.add(WSSConstants.ENCRYPTION);
77 outSecurityProperties.setActions(actions);
78
79 InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
80 ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
81
82
83 WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
84 inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
85 inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
86 inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
87
88 PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
89 PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("emptyPolicy", false, null, 0, false);
90 inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
91
92 try {
93 doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
94 fail("Expected XMLStreamException");
95 } catch (XMLStreamException e) {
96 Throwable throwable = e.getCause();
97 assertNotNull(throwable);
98 assertTrue(throwable instanceof WSSecurityException);
99 assertEquals(throwable.getMessage(),
100 "SOAPAction (emptyPolicyOperation) does not match with the current Operation: " +
101 "{http://schemas.xmlsoap.org/wsdl/}definitions");
102 assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.INVALID_SECURITY);
103 }
104 }
105
106 @Test
107 public void testSignedBodyRelocationToHeader() throws Exception {
108 InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
109
110 String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPTION;
111 Properties properties = new Properties();
112 properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
113 properties.setProperty(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
114 Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
115
116 XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Body");
117 Element bodyElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
118 Element soapEnvElement = (Element) bodyElement.getParentNode();
119 soapEnvElement.removeChild(bodyElement);
120
121 Element newBody = securedDocument.createElementNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
122 Element operationElement = securedDocument.createElementNS("http://schemas.xmlsoap.org/wsdl/", "definitions");
123 newBody.appendChild(operationElement);
124 soapEnvElement.appendChild(newBody);
125
126 xPathExpression = getXPath("/soap:Envelope/soap:Header");
127 Element headerElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
128 headerElement.appendChild(bodyElement);
129
130 ByteArrayOutputStream baos = new ByteArrayOutputStream();
131
132 javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
133 transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
134
135 WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
136 inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
137 inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
138 inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
139
140 PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
141 PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("goodPolicy", false, null, 0, false);
142 inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
143
144 try {
145 doInboundSecurity(inSecurityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), policyEnforcer);
146 fail("Expected XMLStreamException");
147 } catch (XMLStreamException e) {
148 Throwable throwable = e.getCause();
149 assertNotNull(throwable);
150 assertTrue(throwable instanceof WSSecurityException);
151 assertEquals(throwable.getMessage(),
152 "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body must be signed");
153 assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.INVALID_SECURITY);
154 }
155 }
156 }