View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.ByteArrayOutputStream;
23  import java.io.InputStream;
24  import java.util.ArrayList;
25  import java.util.List;
26  import java.util.Properties;
27  
28  import javax.xml.stream.XMLStreamException;
29  import javax.xml.transform.dom.DOMSource;
30  import javax.xml.transform.stream.StreamResult;
31  import javax.xml.xpath.XPathConstants;
32  import javax.xml.xpath.XPathExpression;
33  
34  import org.apache.wss4j.common.ext.WSSecurityException;
35  import org.apache.wss4j.dom.handler.WSHandlerConstants;
36  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
37  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcerFactory;
38  import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor;
39  import org.apache.wss4j.stax.ext.WSSConstants;
40  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
41  import org.apache.wss4j.stax.test.AbstractTestBase;
42  import org.apache.wss4j.stax.test.CallbackHandlerImpl;
43  import org.apache.xml.security.stax.ext.SecurePart;
44  import org.junit.jupiter.api.Test;
45  import org.w3c.dom.Document;
46  import org.w3c.dom.Element;
47  
48  import static org.junit.jupiter.api.Assertions.assertEquals;
49  import static org.junit.jupiter.api.Assertions.assertNotNull;
50  import static org.junit.jupiter.api.Assertions.assertTrue;
51  import static org.junit.jupiter.api.Assertions.fail;
52  
53  public class VulnerabliltyVectorsTest extends AbstractTestBase {
54  
55      /**
56       * Tests what happens when an soapAction from an other operation is provided.
57       * Can the policy framework be bypassed?
58       * @Ignoring as SOAP Action spoofing detection should be left to the SOAP stack
59       */
60      @Test
61      @org.junit.jupiter.api.Disabled
62      public void testSOAPActionSpoofing() throws Exception {
63          WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
64          outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
65          outSecurityProperties.setEncryptionUser("receiver");
66          outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
67          outSecurityProperties.setSignatureUser("transmitter");
68          outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
69  
70          outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
71          outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
72          outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
73          List<WSSConstants.Action> actions = new ArrayList<>();
74          actions.add(WSSConstants.TIMESTAMP);
75          actions.add(WSSConstants.SIGNATURE);
76          actions.add(WSSConstants.ENCRYPTION);
77          outSecurityProperties.setActions(actions);
78  
79          InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
80          ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
81  
82  
83          WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
84          inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
85          inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
86          inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
87  
88          PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
89          PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("emptyPolicy", false, null, 0, false);
90          inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
91  
92          try {
93              doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
94              fail("Expected XMLStreamException");
95          } catch (XMLStreamException e) {
96              Throwable throwable = e.getCause();
97              assertNotNull(throwable);
98              assertTrue(throwable instanceof WSSecurityException);
99              assertEquals(throwable.getMessage(),
100                     "SOAPAction (emptyPolicyOperation) does not match with the current Operation: " +
101                             "{http://schemas.xmlsoap.org/wsdl/}definitions");
102             assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.INVALID_SECURITY);
103         }
104     }
105 
106     @Test
107     public void testSignedBodyRelocationToHeader() throws Exception {
108         InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
109 
110         String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPTION;
111         Properties properties = new Properties();
112         properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
113         properties.setProperty(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
114         Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
115 
116         XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Body");
117         Element bodyElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
118         Element soapEnvElement = (Element) bodyElement.getParentNode();
119         soapEnvElement.removeChild(bodyElement);
120 
121         Element newBody = securedDocument.createElementNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
122         Element operationElement = securedDocument.createElementNS("http://schemas.xmlsoap.org/wsdl/", "definitions");
123         newBody.appendChild(operationElement);
124         soapEnvElement.appendChild(newBody);
125 
126         xPathExpression = getXPath("/soap:Envelope/soap:Header");
127         Element headerElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
128         headerElement.appendChild(bodyElement);
129 
130         ByteArrayOutputStream baos = new ByteArrayOutputStream();
131 
132         javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
133         transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
134 
135         WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
136         inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
137         inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
138         inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
139 
140         PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
141         PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("goodPolicy", false, null, 0, false);
142         inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
143 
144         try {
145             doInboundSecurity(inSecurityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), policyEnforcer);
146             fail("Expected XMLStreamException");
147         } catch (XMLStreamException e) {
148             Throwable throwable = e.getCause();
149             assertNotNull(throwable);
150             assertTrue(throwable instanceof WSSecurityException);
151             assertEquals(throwable.getMessage(),
152                     "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body must be signed");
153             assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.INVALID_SECURITY);
154         }
155     }
156 }