SOAP WS-Addressing SSRF
Description
The SOAP endpoint implements WS-Addressing, a specification that allows clients to define custom reply-to addresses for SOAP responses. When improperly configured, this feature can be exploited by unauthenticated attackers to redirect server responses to arbitrary external or internal destinations, resulting in a Server-Side Request Forgery (SSRF) vulnerability. This blind SSRF condition allows attackers to abuse the server as a proxy to interact with systems that would otherwise be inaccessible.
Remediation
Disable WS-Addressing functionality if it is not required for your application's operation. If WS-Addressing is necessary, implement strict validation and filtering of the ReplyTo and FaultTo addresses:
1. Whitelist allowed destination addresses - Only permit responses to be sent to explicitly approved endpoints
2. Reject private IP ranges and localhost - Block addresses in ranges like 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
3. Validate URL schemes - Only allow http:// and https:// protocols, blocking file://, gopher://, and other schemes
4. Implement DNS rebinding protection - Resolve and validate destination IPs before sending requests
Example validation logic:
// Validate the WS-Addressing ReplyTo header before any response is sent.
// getReplyToAddress, isWhitelistedEndpoint and isPrivateOrLocalAddress are
// application-specific helpers assumed to exist; they are not shown here.
String replyToAddress = getReplyToAddress(soapHeader);
if (replyToAddress != null && !replyToAddress.isEmpty()) {
    // Check against the whitelist of approved endpoints
    if (!isWhitelistedEndpoint(replyToAddress)) {
        throw new SecurityException("ReplyTo address not in whitelist");
    }
    // Reject addresses that are, or resolve to, private or local IPs
    if (isPrivateOrLocalAddress(replyToAddress)) {
        throw new SecurityException("Private IP addresses not allowed");
    }
}

Apply the same checks to the FaultTo header. Consult your SOAP framework's documentation for specific configuration options to restrict WS-Addressing behavior.
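The following is an added, self-contained example (not code from the original page or from any SOAP framework) that implements all four remediation steps above for a ReplyTo or FaultTo value: scheme check, hostname allow-list, resolution of the name before use, and rejection of private, loopback, link-local and similar addresses on every resolved record. It is written in Python rather than Java so the logic can be run and tested stand-alone; the allow-listed hostname, the FAKE_DNS table and the sample addresses are constructed for the example. The resolver is injectable so the checks run offline; in production the default system_resolver is used.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

# Constructed sample configuration: the only hostname this service may send
# WS-Addressing replies to. Real deployments load this from configuration.
ALLOWED_REPLY_HOSTS = {"callbacks.partner.example"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline. 8.8.8.8 stands in
# for "some public address"; the hostname is fictitious.
FAKE_DNS = {"callbacks.partner.example": ["8.8.8.8"]}


@dataclass
class ReplyToDecision:
    allowed: bool
    reason: str
    # Addresses that passed validation. The sender must connect to one of
    # these (keeping the original Host header) instead of re-resolving the
    # name; otherwise a DNS record that changes between check and use can
    # still redirect the reply (DNS rebinding).
    pinned_ips: List[str] = field(default_factory=list)


def system_resolver(host: str) -> List[str]:
    """Resolve every A/AAAA record for host with the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host: str) -> List[str]:
    """Offline resolver over the constructed FAKE_DNS table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


def is_disallowed_ip(ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    """True for RFC 1918, loopback, link-local, multicast, reserved or
    unspecified addresses. IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by
    its embedded IPv4 address so it cannot be used to bypass the check."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_reply_to(address: str,
                      allowed_hosts: Iterable[str] = ALLOWED_REPLY_HOSTS,
                      resolver: Callable[[str], List[str]] = system_resolver,
                      ) -> ReplyToDecision:
    """Apply the four remediation checks to a ReplyTo/FaultTo address."""
    # Step 3: scheme check. urlsplit lowercases the scheme and hostname.
    try:
        parts = urlsplit(address.strip())
        host = parts.hostname  # userinfo and port are already stripped off
    except ValueError as exc:
        return ReplyToDecision(False, f"unparseable address: {exc}")
    if parts.scheme not in ALLOWED_SCHEMES:
        return ReplyToDecision(False, f"scheme {parts.scheme!r} not allowed")
    if not host:
        return ReplyToDecision(False, "address has no host")
    # Step 1: allow-list on the parsed host, so a "user@other-host" trick in
    # the authority part cannot smuggle a different destination past us.
    if host not in {h.lower() for h in allowed_hosts}:
        return ReplyToDecision(False, f"host {host!r} not in allow-list")
    # Step 4: resolve before sending and validate every returned address.
    try:
        candidates = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError as exc:
            return ReplyToDecision(False, f"resolution failed: {exc}")
    if not candidates:
        return ReplyToDecision(False, f"{host!r} resolved to no addresses")
    # Step 2: reject private/local addresses on each candidate, not just one.
    for candidate in candidates:
        if is_disallowed_ip(ipaddress.ip_address(candidate)):
            return ReplyToDecision(
                False, f"{host!r} resolves to disallowed address {candidate}")
    return ReplyToDecision(True, "ok", list(candidates))


if __name__ == "__main__":
    for addr in ["https://callbacks.partner.example/soap/reply",
                 "gopher://callbacks.partner.example/",
                 "http://callbacks.partner.example@10.0.0.5/reply"]:
        print(addr, "->", validate_reply_to(addr, resolver=fake_resolver))
```

The order matters: the allow-list is checked on the hostname that the URL parser actually extracts, so a ReplyTo whose authority part reads `approved-host@10.0.0.5` is judged on `10.0.0.5`, and the private-range test is applied to every resolved record rather than only the first, because a name that returns one public and one internal address is a common split-horizon or rebinding pattern. The HTTP client that finally sends the reply should be pointed at an address from `pinned_ips` and configured not to follow redirects, since a redirect from an approved endpoint would otherwise reopen the same SSRF path.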