Slides from ExpertsTalk Manchester November 2018. A brief description of security vulnerabilities caused by insecure or out-of-date XML implementations for Java Services, and what your business can do to mitigate against them.

1. Making Software. Better.
Simple solutions to big business problems.
Equal Experts is a network of talented, experienced, software
consultants, specialising in agile delivery.

2. The network
I’m part of the Equal Experts network,
a community of highly-experienced
software professionals.
At Equal Experts we’re given the
freedom to get on with what’s
important - delivering better software
for our clients’ customers.

3. Gerald Benischke
Software Engineer
XML is Evil

4. XML is evil!
! Services not maintained as much as they ought to
! Services contain vulnerabilities
! Services that are public facing
! Information Disclosure
! Server Side Request Forgery
! Denial of Service

5. Billion Laughs

6. Real World Example - Reauthentication
App
Reauthe
ntication
Login
POST
back
App

7. Billion Laughs - Real World Example

8. Dependency Checking

9. Billion Laughs - The Attack

10. Billion Laughs - Real World Example

11. Billion Laughs - Risks
! DoS without DDoS
! Only a few requests can cause CPU spikes
! With Auto Scaling Groups this could be expensive

12. Billion Laughs - Mitigation
! Upgrade to OpenSAML 3.3
! Unfortunately, as the API for OpenSAML changed
significantly, that wasn't just a matter of changing
dependencies but rewriting the SAML generation code
from scratch.
! Dependency Scanning

13. Hiding XXE in Spreadsheets

14. Hiding XXE in Spreadsheets
! XXE = XML eXternal Entity injection
! User-provided XML with external reference

15. Real World Example - Hiding XXE in Spreadsheets
App
Upload
ODS
Parse
Create
XML
Backend

16. Hiding XXE - Real World Example

17. Hiding XXE in Spreadsheets - Risks
! Steal your AWS
Keys - Keys to the
Kingdom
! Call internal APIs
! Turn you into a
Monero miner

18. Hiding XXE in Spreadsheets - Mitigation

19. Xerces Hash Collisions

20. Xerces Hash Collisions

21. Xerces Hash Collisions

22. Xerces Hash Collisions

23. Xerces Hash Collisions
! By uploading as few as 5 files with a size of 2MB each
simultaneously, I was able to cause a CPU load of 100%
for up to about a minute.
! Sustain this enough and it might cause a rather
inconvenient Denial of Service probably without being
caught by the traditional DDoS protections...

24. Hiding XXE in Spreadsheets

25. Xerces Hash Collisions - Risks
! DoS without DDoS
! Only a few requests can cause CPU spikes
! With Auto Scaling Groups this could be expensive
! You might be vulnerable without knowing
! Play 2.5 uses in Xerces 2.11.0

26. Xerces Hash Collisions - Mitigations
! Upgrade Xerces (>=2.12.0)
! Dependency Scanning
! Do not trust requests

27. Summary

28. Security
! Know your inputs
! Know your dependencies
! Know about vulnerabilities
! XML can be a minefield

29. QUESTIONS?
https://www.equalexperts.com/services/security/

30. Thank You
United Kingdom
+44 203 603 7830
helloUK@equalexperts.com
Equal Experts UK Ltd
30 Brock Street
London NW1 3FG
India
+91 20 6607 7763
helloIndia@equalexperts.com
Equal Experts India Private Ltd
Office No. 4-C
Cerebrum IT Park No. B3
Kumar City, Kalyani Nagar
Pune, 411006
Canada
+1 403 775 4861
helloCanada@equalexperts.com
Equal Experts Devices Inc
205 - 279 Midpark way S.E.
T2X 1M2
Calgary, Alberta
Portugal
+351 211 378 414
helloPortugal@equalexperts.com
Equal Experts Portugal
Avenida Dom João II, Nº35
Edificio Infante 11ºA
1990-083 Parque das Nações
Lisboa – Portugal
Thank You
USA
+1 866-943-9737
helloUSA@equalexperts.com
Equal Experts Inc
1460 Broadway
New York
NY 10036
LinkedIn
linkedin.com/company/equal-experts
Twitter
@EqualExperts
Web
www.equalexperts.com