
Commit f18379f

Merge pull request #1935 from HackTricks-wiki/research_update_src_pentesting-web_soap-jax-ws-threadlocal-auth-bypass_20260222_130234
Research Update Enhanced src/pentesting-web/soap-jax-ws-thre...
2 parents 00b112b + dfe33b0 commit f18379f

1 file changed

Lines changed: 17 additions & 0 deletions

src/pentesting-web/soap-jax-ws-threadlocal-auth-bypass.md

@@ -7,6 +7,7 @@
77
- Some middleware chains store the authenticated `Subject`/`Principal` inside a static `ThreadLocal` and only refresh it when a proprietary SOAP header arrives.
88
- Because WebLogic/JBoss/GlassFish recycle worker threads, dropping that header causes the last privileged `Subject` processed by the thread to be silently reused.
99
- Hammer the vulnerable endpoint with header-less but well-formed SOAP bodies until a reused thread grants you the stolen administrator context.
10+
- 2025 HID ActivID/IASP (HID-PSA-2025-002) is a real-world instance: JAX-WS handler caches a `SubjectHolder` `ThreadLocal`, letting unauthenticated SOAP calls inherit the identity set by previous console/SSP requests.
1011

1112
## Root Cause
1213

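Review bot: the new bullet at new line 10 presents the HID case as "a real-world instance" and introduces `SubjectHolder`, console and SSP without any version or source pointer in the summary list; add an inline link to the HID-PSA-2025-002 advisory (it is already in References) or keep the summary generic ("see the 2025 HID ActivID case study below") and leave the specifics to the case-study section, so the intro stays verifiable and does not drift from the detailed section if either is edited later.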
@@ -55,12 +56,28 @@ Content-Type: text/xml;charset=UTF-8
5556
</soapenv:Envelope>
5657
```
5758

59+
### 2025 HID ActivID/IASP case study (HID-PSA-2025-002)
60+
61+
- Synacktiv showed the JAX-WS `LoginHandler` in ActivID 8.6–8.7 sets `SubjectHolder.subject` when a `mySubjectHeader` SOAP header is present or when console/SSP traffic authenticates, but never clears it when the header is absent.
62+
- Any subsequent SOAP call lacking the header on the same worker thread inherits that cached `Subject`, allowing unauthenticated creation of administrator users or credential import via endpoints such as `UserManager` or `CredentialManager`.
63+
- Reliable exploitation pattern observed:
64+
1. Trigger an authenticated context on many threads (e.g., spam `/ssp` or log into `/aiconsole` as admin in another browser tab).
65+
2. Flood header-less SOAP bodies to `/ac-iasp-backend-jaxws/UserManager` or other EJB-backed JAX-WS endpoints with high parallelism; each hit that reuses an "infected" thread executes with elevated `Subject`.
66+
3. Repeat until privileged responses are returned; reuse Keep-Alive connections and large worker pools to maximize thread reuse probability.
67+
- Handler and process flow highlights:
68+
- `LoginHandlerChain.xml``LoginHandler.handleMessage()` unmarshals `mySubjectHeader` and stores the `Subject` in `SubjectHolder` (a static `ThreadLocal`).
69+
- `ProcessManager.triggerProcess()` later injects `SubjectHolder.getSubject()` into business processes, so missing headers leave stale identities intact.
70+
- In-field PoC from the advisory uses two-step SOAP abuse: first `getUsers` to leak info, then `createUser` + `importCredential` to plant a rogue admin when the privileged thread hits.
71+
5872
## Validating the Bug
5973

6074
- Attach JDWP (`-agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n`) or similar debugging hooks to watch the `ThreadLocal` contents before and after each call, confirming that an unauthenticated request inherited a prior administrator `Subject`.
75+
- In production appliances you can also instrument with JFR or BTrace to dump `SubjectHolder.getSubject()` per request, verifying header-less reuse.
6176

6277
## References
6378

79+
- [Synacktiv – ActivID authentication bypass (HID-PSA-2025-002)](https://www.synacktiv.com/en/advisories/activid-authentication-bypass.html)
80+
- [HID Global – Product Security Advisory HID-PSA-2025-002 SOAP-API Authentication Bypass](https://www.hidglobal.com/sites/default/files/documentlibrary/HID-PSA-2025-02%20SOAP_API_a.pdf)
6481
- [Synacktiv – ActivID administrator account takeover: the story behind HID-PSA-2025-002](https://www.synacktiv.com/publications/activid-administrator-account-takeover-the-story-behind-hid-psa-2025-002.html)
6582
- [PortSwigger – Wsdler (WSDL parser) extension](https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f)
6683

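Review bot: the case-study block has a markdown defect and a remediation gap. In the handler-flow sub-bullet, `LoginHandlerChain.xml``LoginHandler.handleMessage()` runs two code spans together with no separator, so it renders as one span with stray backticks; separate them (for example `LoginHandlerChain.xml` -> `LoginHandler.handleMessage()`) and indent the three sub-bullets under "Handler and process flow highlights:" so they nest under that item rather than reading as top-level bullets. More substantively, the section explains the root cause (the handler sets `SubjectHolder.subject` but never clears it when the header is absent) yet says nothing about the fix: add a closing bullet that points to the HID advisory for patched builds and states the generic mitigation implied by the Root Cause section, namely clearing the `ThreadLocal` on the handler's exit path and on every request that lacks the header, and treating header-less calls as unauthenticated. The two new entries in References are consistent with the existing Synacktiv entry and need no change.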