Devouring Security

XML
Attack surface and Defences

Marudhamaran Gunasekaran
Overreacting to Risk

I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.

- Bruce Schneier

https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
Disclaimer
Techniques and Tools in this presentation should
be used or applied on an application, only
with prior consent of the application’s owner.
Illegal otherwise.
Xml today

• Network protocols – SOAP, XMLRPC, REST
• Data exchange – modern databases
• Configuration files – java beans, .net config ..
• Document/image formats – SVG, RSS, Atom
Xml injection demo
http://XmlAttacks:8080/WebGoat/attack
Xpath Injection Anatomy
Blind Xpath Injection exists as well

More:

https://www.owasp.org/index.php/Blind_XPath_Injection
http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf
Mitigations

• Rejecting requests based on Xpath < > / ' = "
• Variables with Xslt transformation
• Linq to Xml without Xpath queries (.Net)
• Xquery implementations (Saxon parser for Java & .Net)


Java Xpath injection mitigation with XPathVariableResolver (Java)
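An added example (not code from the deck) of the mitigation this slide names: the same login check built by string concatenation and built with XPathVariableResolver, so the two can be compared. The user store, the class name and the user names are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public class XPathLoginCheck {
    // Constructed sample user store; not taken from the deck.
    static final String USERS_XML =
        "<users>"
      + "<user><name>alice</name><password>s3cret</password></user>"
      + "<user><name>bob</name><password>hunter2</password></user>"
      + "</users>";

    static Document users() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable: the caller's strings become part of the query text.
    static boolean loginByConcat(String user, String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String q = "boolean(/users/user[name='" + user + "' and password='" + pass + "'])";
        return (Boolean) xp.evaluate(q, users(), XPathConstants.BOOLEAN);
    }

    // Mitigated: the query text is a constant; values reach it only as $user and $pass,
    // which the resolver hands back as plain strings, never as query syntax.
    static boolean loginByVariables(String user, String pass) throws Exception {
        Map<String, String> vars = Map.of("user", user, "pass", pass);
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver((QName name) -> vars.get(name.getLocalPart()));
        XPathExpression expr = xp.compile("boolean(/users/user[name=$user and password=$pass])");
        return (Boolean) expr.evaluate(users(), XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        String tautology = "' or '1'='1";
        System.out.println(loginByConcat("alice", tautology));    // true: the predicate always holds
        System.out.println(loginByVariables("alice", tautology)); // false: compared as a literal value
        System.out.println(loginByVariables("alice", "s3cret"));  // true: correct credentials
    }
}
```

The resolver must be installed before compile(); the JDK captures it when the expression is compiled.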
Xpath with Variables
Java Xpath injection mitigation with IXsltContextVariable (.Net)
Xpath injection mitigation with Input filtering
Xpath injection mitigation with Linq to Xml (.Net)
Linq to Xml: Xpath injection proof

Linq to Xml: Xpath injection vulnerable


DTDs
• Document Type Definition
Entity Declarations

http://www.xmlmaster.org/en/article/d01/c03/
Billion Laughs (aka Xml Bomb)

http://en.wikipedia.org/wiki/Billion_laughs
Billion Laughs (Demo)
External Entity Expansions
<!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">

using System.Web;

// Handler the entity above points at: it streams 'A's forever, so the
// parser fetching the external entity never finishes expanding it.
public class DoS : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        byte[] data = new byte[1000000];
        for (int i = 0; i < data.Length; i++) { data[i] = (byte)'A'; }
        while (true)
        {
            context.Response.OutputStream.Write(data, 0, data.Length);
            context.Response.Flush();
        }
    }

    public bool IsReusable { get { return false; } }
}

http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
External Entity expansion mitigation (.Net)
Potentially Vulnerable:

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(xmlInput);

Mitigated:

XmlDocument xmlDoc = new XmlDocument();
XmlTextReader reader = new XmlTextReader(new MemoryStream(Encoding.UTF8.GetBytes(xmlInput)));
reader.ProhibitDtd = true;   // obsolete from .NET 4.0: use reader.DtdProcessing = DtdProcessing.Prohibit
xmlDoc.Load(reader);         // load through the DTD-refusing reader instead of LoadXml(xmlInput)
External Entity expansion mitigation (JAXP)
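An added example (not code from the deck) of the JAXP side of this slide: a DocumentBuilderFactory configured to refuse DOCTYPE declarations and external entities, run against a constructed document that carries a harmless internal entity in place of a Billion Laughs or external-entity payload. The class name and the sample document are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeDomParser {
    // Constructed input: a harmless internal entity stands in for a DTD-carrying document.
    static final String WITH_DTD = "<!DOCTYPE d [<!ENTITY a \"expanded\">]><d>&a;</d>";

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all: this alone stops entity bombs and external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must allow a DOCTYPE somewhere:
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Enables the JDK's entity expansion limits as well.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder();
    }

    static String parseText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder lax = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println(parseText(lax, WITH_DTD)); // "expanded": the default parser resolves entities
        try {
            parseText(hardenedBuilder(), WITH_DTD);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage()); // DOCTYPE is disallowed
        }
    }
}
```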
Directory browsing and file access (JAXB)
import javax.xml.bind.*;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.*;
import javax.xml.transform.stream.StreamSource;

public class Demo {
    // Minimal bound type so the example compiles; the deck does not show Customer.
    @XmlRootElement
    public static class Customer {
        public String name;
    }

    public static void main(String[] args) throws Exception {
        JAXBContext jc = JAXBContext.newInstance(Customer.class);
        XMLInputFactory xif = XMLInputFactory.newFactory();
        // Unmarshal through a StAX reader that neither resolves external entities nor processes DTDs
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));
        Unmarshaller unmarshaller = jc.createUnmarshaller();
        Customer customer = (Customer) unmarshaller.unmarshal(xsr);
        Marshaller marshaller = jc.createMarshaller();
        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
        marshaller.marshal(customer, System.out);
    }
}

More:
http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb
DOS attack and safe/vulnerable .Net versions

.Net framework 2.0.50727.5420 or lower
.Net framework 4.0.30319.1 or lower

.Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?
.Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?

.Net framework 2.0.50727.5477 or higher
.Net framework 4.0.30319.34011 or higher
Lessons learned

1. Keeping your operating systems and frameworks up to date
2. Don’t let your server headers reveal too much information
3. Be vigilant about the framework’s default settings

References / Further reading

• http://www.lynda.com/XML-tutorials/Understanding-XML-usage-today/782/47912-4.html
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3925
• http://secpod.org/blog/?p=1337
• http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf
• https://www.owasp.org/index.php/XPATH_Injection_Java
• https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250
• http://www.xmlmaster.org/en/article/d01/c03/
