XML Attack Surface and Defences: Devouring Security
XML
Attack surface and Defences
Marudhamaran Gunasekaran
Overreacting to Risk
- Bruce Schneier
https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
Disclaimer
Techniques and tools in this presentation should be used or applied on an application only with prior consent of the application's owner. Illegal otherwise.
XML today
More:
https://www.owasp.org/index.php/Blind_XPath_Injection
http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf
Mitigations
http://www.xmlmaster.org/en/article/d01/c03/
Billion Laughs (aka Xml Bomb)
http://en.wikipedia.org/wiki/Billion_laughs
Billion Laughs (Demo)
External Entity Expansions
<!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
External Entity expansion mitigation (.NET)
Potentially Vulnerable:
xmlDoc.LoadXml(xmlInput);
Mitigated:
More:
http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb
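An added example (not the presentation's own code) that puts the potentially vulnerable LoadXml call beside a hardened XmlDocument load that prohibits DTDs and removes the resolver. The sample document, its entity URL and the XmlEntityDemo class name are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XmlEntityDemo
{
    // Constructed sample input (not from the presentation): a DTD declaring an
    // external entity. A parser that resolves it issues an outbound request.
    public const string Sample =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE order [\n" +
        "  <!ENTITY stockprice SYSTEM \"http://example.invalid/currentstockprice\">\n" +
        "]>\n" +
        "<order><price>&stockprice;</price></order>";

    // Potentially vulnerable form (the LoadXml call on the slide): on older .NET
    // Framework versions XmlDocument uses an XmlUrlResolver by default, so the
    // external entity is fetched and its content substituted into the document.
    public static XmlDocument ParseUnsafe(string xmlInput)
    {
        var xmlDoc = new XmlDocument();
        xmlDoc.LoadXml(xmlInput);
        return xmlDoc;
    }

    // Mitigated form: refuse DTDs entirely and give the document no resolver, so
    // neither external entities nor nested entity expansions can be processed.
    public static XmlDocument ParseSafe(string xmlInput)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var xmlDoc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xmlInput), settings))
        {
            xmlDoc.Load(reader);   // throws XmlException when a DOCTYPE is present
        }
        return xmlDoc;
    }

    public static void Main()
    {
        // For the sample above the DTD is rejected before any entity is resolved.
        try { ParseSafe(Sample); Console.WriteLine("parsed (no DTD present)"); }
        catch (XmlException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```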
DoS attack and safe/vulnerable .NET versions
• http://www.lynda.com/XML-tutorials/Understanding-XML-usage-today/782/47912-4.html
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3925
• http://secpod.org/blog/?p=1337
• http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf
• https://www.owasp.org/index.php/XPATH_Injection_Java
• https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250
• http://www.xmlmaster.org/en/article/d01/c03/