1. XXE Exposed
XML eXternalEntity vulnerabilities
Armando Romeo – Abraham Aranguren
eLearnSecurity SRL
www.elearnsecurity.com

2. Page 2
MENU
IntroductionIntroduction
DEMODEMO
Q/A + SurpriseQ/A + Surprise

3. Page 3
Meet our author Abraham Aranguren
Project founder and leader of OWASP OWTF
7+ years in Web App Security research and consulting
Speaker at top European IT Security events
Co-creator of VSA along with Mario Heiderich and Gareth Heyes
Author of Practical Web Defense
The most comprehensive training course on web app security
Launched in November 2013
Presenter

4. Page 4
Agenda
Web Service TypesWeb Service Types
SQLi on Web ServicesSQLi on Web Services
XSS on Web ServicesXSS on Web Services
XXE / XEE on Web ServicesXXE / XEE on Web Services
XXE / XEE DemoXXE / XEE Demo
Q & AQ & A

5. Page 5
Major Web Service Types:
Web Service Types
Abbreviation Stands for
XML-RPC XML Remote Procedure Call
JSON-RPC JSON Remote Procedure Call RPC
SOAP Simple Object Access Protocol
REST Representational State Transfer
BEPL Business Process Execution Language
WCF Windows Communication Foundation
More in-depth examples, labs, videos, etc. on:
«Practical Web Defense»
https://www.elearnsecurity.com/PWD

6. Page 6
Basic Example:
• «Find a player web service»
• Web service returns matches from a database
Web Service Example
Message:
“Find a player”
Request
“Web service client” Web service server:
1) Search player
2) Return matchesMessage:
“Player matches”
Response

7. Page 7
In this webinar:
• Web service = Process request + Return response
• Web service = «the function», «find a player»
• Web service type = «the envelope», «HOW to call the function»
• Vulnerabilities are often in «the function»:
IF SO, Web Service attacks work against ALL types
NOT in this webinar:
• Vulnerabilities can also be in processing of «the envelope»
http://www.ws-attacks.org/
Web Service Types

8. Page 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>

9. Page 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer“,
"params": [ "Simon" ],
"id": 1
}

10. Page 10
“Find a Player” in “SOAP speak”
SOAP Request Example
POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
xmlns:ns1="http://example.com/soap_web_service"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns1:FindPlayer
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<name xsi:type="xsd:string">Simon</name>
</ns1:FindPlayer>
</env:Body>
</env:Envelope>

11. Page 11
«Find a Player» in «RESTful speak»
RESTful Request Example
GET /restful_web_service/Find_player/Simon
HTTP/1.1
Host: example.com
...

12. Page 12
For our purposes:
• The function can be the same:
«Find a Player»
• The attacks can be the same:
SQLi, XSS, XXE, etc.
• What changes is «the envelope»:
«How to invoke the function»
In our example:
«HOW to call the web service to find a player»
Web Service Types: Summary

13. Page 13
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home rolled parsers
SQLi, XSS and XXE?

14. Page 14
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations:
«SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
SQLi on Web Services

15. Page 15
SQLi: XML-RPC Web Service

16. Page 16
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
SQLi: Legit XML-RPC Request

17. Page 17
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>
zz&apos; union all ...
</string>
</value>
</param>
</params>
</methodCall>
SQLi: XML-RPC SQLi Attack

18. Page 18
Query:
NOTE: String concatenation!
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet:
<string>Simon</string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:
• Player: zz' union all ...
• XML-RPC call snippet:
NOTE: XML-encoded single quote (') = &apos;
<string>zz&apos; union all ... </string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
SQLi: XML-RPC Explanation

19. Page 19
Usual SQLi Impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, Sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %‘
• «Data» is executed as «Code» (All Injection attacks work like this)
How to fix: Separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries» Always do this if you can!
• 2nd BEST: Escaping Sometimes the only option (think legacy), be careful
• 3rd BEST: Strict validation Only do this in addition to binding/escaping
• More info:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
SQLi Mitigation: Basics

20. Page 20
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS function for that:
i.e. Escape MySQL using a MySQL-specific function, etc.
AND
2) You put quotes around the value you are escaping!
Our example:
Could be fixed, using escaping, like:
SQLi Mitigation: On Escaping

21. Page 21
XSS Intro
Three major types of XSS:
• (Server-Side) Reflected:
The XSS payload is displayed back from the request
• (Server-Side) Stored:
The XSS payload is
1) stored –i.e. in a DB-
2) Displayed back
• (JavaScript-Side) DOM-based:
The XSS payload is evaluated as JavaScript, from JavaScript code
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations:
«<html><body>....input...</body></html>»

22. Page 22
XSS against RESTful web services can sometimes be like XSS on web apps:
XSS on RESTful Web Services

23. Page 23
XSS on RESTful Web Services
Proof of concept:
XSS=$(php -r "echo urlencode("<svg onload=alert(1)>");")
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>Matches: ...
NOTE:
Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺

24. Page 24
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data NOT the problem
2) The data is displayed (insecurely) by a web app THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
XSS on most Web Services

25. Page 25
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer“,
"params": [ "Simon" ],
"id": 1
}
JSON-RPC Request Example

26. Page 26
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r "echo json_encode("<svg onload=alert(1)>");");
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer“,
"params": [ "<svg onload=alert(1)>" ],
"id": 1
}
JSON-RPC XSS Attack

27. Page 27
XSS Mitigation
XSS Mitigation 101:
• Solution != Validation (i.e. Business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when:
Code + Input = Code
• Usual culprit aka “right place to fix”
String concatenations on code that renders/builds HTML/JavaScript
NOTE: Usually on the web app, rarely on the web service.
• More info (recommended reading):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention
_Cheat_Sheet

28. Page 28
XSS Mitigation Example
XSS Mitigation 101 = Output Encoding in the right context, using the
relevant platform function for such purpose. i.e. Htmlentities in PHP.
Vulnerable example:
Fixed example (in this context!):
Safe Output:
Your search: &lt;svg onload=alert(1)&gt; Matches: ...
Unsafe Output:
Your search: <svg onload=alert(1)> Matches: ...

29. Page 29
XXE / XEE Intro
XML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature:
XML (External / Inline) Entities
Two major types of atacks:
• XXE = Path Traversal = Read system files, source code, etc.
• XEE = Denial of Service = Crash the web server
Interesting attack variants:
• Internal network HTTP requests
• PHP / Java wrappers
• Remote Code Execution (RCE) in some edge cases
• Etc.

30. Page 30
XXE / XEE = Subtle issues
XXE / XEE = Attacks against the XML parser, the code might «look safe»
Scenario:
An NGO builds a «crime report» web service, this allows people to report
government abuse crimes anonymously.
Code:

31. Page 31
XEE attackXML File
XEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656

32. Page 32
Intended XML File
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..

33. Page 33
XXE attackXML File
XXE = External Entity attack = Path Traversal = Read files, etc.
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….

34. Page 34
XXE / XEE: Mitigation
XXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations
• Prefer SAX over DOM parsers
• Validate XML files against schemas
• More info (recommended reading, especially links at the end):
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processin
g

35. Page 35
XXE / XEE: Mitigation example
Vulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed:
NOTE: Do ALL this before parsing
//Fix 1) Disable External Entities: Fixes XXE and *some* XEE
libxml_disable_entity_loader(true);
//Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
die('Sorry, we do not support XML files greater than 5
KBs');
//Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
If (preg_match("/<!DOCTYPE/i", preg_replace("/s/", '',
$xml_string)))
die('Unsupported XML file, sorry');
//NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);

36. Page 36
XXE / XEE Demo
XXE / XEE
DEMO
Watch it from minute 25 here:
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)

37. Page 37
Thank you!
Armando Romeo
armando@elearnsecurity.com
Abraham Aranguren
abraham@elearnsecurity.com
Cool