ABSTRACT

Using a UsernameToken with a plain text password over an unencrypted channel exposes the password to attackers who can sniff the SOAP messages.

EXPLANATION

Sending clear text passwords over an unencrypted channel can expose the credential to attackers who can sniff the SOAP message.

The following WebSphere client configuration uses the UsernameToken:

<com.ibm.etools.webservice.wscext:WsClientExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.etools.webservice.wscext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi" xmi:id="WsClientExtension_1151349988084">
...
<securityRequestGeneratorServiceConfig xmi:id="SecurityRequestGeneratorServiceConfig_1154318832968">
<securityToken xmi:id="SecurityToken_1211395747219" name="basicauth" uri="" localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
...
</com.ibm.etools.webservice.wscext:WsClientExtension>
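As an added illustration (not code from the original page or from WebSphere), the following Python script does two things: it audits an outgoing SOAP request for exactly the condition described above (a UsernameToken whose password is carried as PasswordText towards an endpoint that is not https), and it shows the PasswordDigest form of the token defined in the OASIS Username Token Profile 1.0, where the wire carries Base64(SHA-1(nonce + created + password)) instead of the password itself. The endpoint URLs, user name, password, nonce and timestamp are constructed sample values.

```python
"""Added example (not from the original page or from WebSphere): audit a SOAP
request for a plain-text UsernameToken password headed for an unencrypted
endpoint, and build/verify the PasswordDigest form from the OASIS Username
Token Profile 1.0 instead.  Endpoint URLs, user names, passwords, nonce and
timestamp below are constructed sample values."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def wrap_in_envelope(username_token_xml: str) -> str:
    """Place a UsernameToken inside a minimal SOAP 1.1 envelope with a wsse:Security header."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}">{username_token_xml}'
        "</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    )


# Constructed request: the password travels as plain text (PasswordText).
PLAINTEXT_REQUEST = wrap_in_envelope(
    f'<wsse:UsernameToken xmlns:wsse="{WSSE}">'
    "<wsse:Username>svc-user</wsse:Username>"
    f'<wsse:Password Type="{PASSWORD_TEXT}">example-password</wsse:Password>'
    "</wsse:UsernameToken>"
)


def audit_username_token(envelope_xml: str, endpoint_url: str) -> List[str]:
    """Return a finding for every UsernameToken password that would leave the
    client in clear text over a non-TLS transport (the weakness on this page)."""
    root = ET.fromstring(envelope_xml)
    tls = urlparse(endpoint_url).scheme.lower() == "https"
    findings = []
    for pw in root.iter(f"{{{WSSE}}}Password"):
        # Profile 1.0: a Password element with no Type attribute means PasswordText.
        if pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT and not tls:
            findings.append(
                f"plain-text UsernameToken password sent to {endpoint_url} without TLS")
    return findings


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), Profile 1.0 section 3.1."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_digest_token(username: str, password: str, nonce: bytes, created: str) -> str:
    """Build a UsernameToken that carries a digest, so the password itself never goes on the wire."""
    digest = password_digest(nonce, created, password)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def verify_digest_token(token_xml: str, known_password: str) -> bool:
    """Service-side check: recompute the digest from the token's nonce and
    timestamp and compare it in constant time.  A real service must also
    reject stale Created values and reused nonces to stop replay."""
    token = ET.fromstring(token_xml)
    pw = token.find(f"{{{WSSE}}}Password")
    nonce = token.find(f"{{{WSSE}}}Nonce")
    created = token.find(f"{{{WSU}}}Created")
    if pw is None or nonce is None or created is None or pw.get("Type") != PASSWORD_DIGEST:
        return False
    expected = password_digest(base64.b64decode(nonce.text or ""), created.text or "", known_password)
    return hmac.compare_digest(expected, pw.text or "")


if __name__ == "__main__":
    print(audit_username_token(PLAINTEXT_REQUEST, "http://soap.example.invalid/Service"))
    token = build_digest_token("svc-user", "example-password",
                               b"0123456789abcdef", "2024-01-01T00:00:00Z")
    print(token)
    print(verify_digest_token(token, "example-password"))
```

Two caveats on the digest form: the receiving service must hold the password (or an equivalent it can feed into the same SHA-1 computation) to verify it, and a digest of a weak password can still be guessed offline by anyone who captures the message, so it complements an encrypted transport rather than replacing it.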

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage

[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 254

[6] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication

[7] Standards Mapping - FIPS200 - (FISMA) MP

[8] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 311

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.3, Requirement 8.4

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.8, Requirement 8.4

[12] Web Services Security: SOAP Message Security 1.1 OASIS

[13] Web Services Security Username Token Profile 1.0 OASIS