Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

18,096 views

Published on

XXE Exposed Webinar Slides:

Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)

Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/

Published in: Technology
  • If u need a hand in making your writing assignments - visit ⇒ www.HelpWriting.net ⇐ for more detailed information.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THE BOOK INTO AVAILABLE FORMAT (New Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THE can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THE is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBOOK .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, CookBOOK, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, EBOOK, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THE Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THE the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THE Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THIS can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THIS is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THIS Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THIS the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THIS Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THIS can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THIS is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THIS Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THIS the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THIS Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THIS can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THIS is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THIS Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THIS the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THIS Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

  1. 1. XXE Exposed XML eXternalEntity vulnerabilities Armando Romeo – Abraham Aranguren eLearnSecurity SRL www.elearnsecurity.com
  2. 2. Page 2 MENU IntroductionIntroduction DEMODEMO Q/A + SurpriseQ/A + Surprise
  3. 3. Page 3 Meet our author Abraham Aranguren Project founder and leader of OWASP OWTF 7+ years in Web App Security research and consulting Speaker at top European IT Security events Co-creator of VSA along with Mario Heiderich and Gareth Heyes Author of Practical Web Defense The most comprehensive training course on web app security Launched in November 2013 Presenter
  4. 4. Page 4 Agenda Web Service TypesWeb Service Types SQLi on Web ServicesSQLi on Web Services XSS on Web ServicesXSS on Web Services XXE / XEE on Web ServicesXXE / XEE on Web Services XXE / XEE DemoXXE / XEE Demo Q & AQ & A
  5. 5. Page 5 Major Web Service Types: Web Service Types Abbreviation Stands for XML-RPC XML Remote Procedure Call JSON-RPC JSON Remote Procedure Call RPC SOAP Simple Object Access Protocol REST Representational State Transfer BEPL Business Process Execution Language WCF Windows Communication Foundation More in-depth examples, labs, videos, etc. on: «Practical Web Defense» https://www.elearnsecurity.com/PWD
  6. 6. Page 6 Basic Example: • «Find a player web service» • Web service returns matches from a database Web Service Example Message: “Find a player” Request “Web service client” Web service server: 1) Search player 2) Return matchesMessage: “Player matches” Response
  7. 7. Page 7 In this webinar: • Web service = Process request + Return response • Web service = «the function», «find a player» • Web service type = «the envelope», «HOW to call the function» • Vulnerabilities are often in «the function»: IF SO, Web Service attacks work against ALL types NOT in this webinar: • Vulnerabilities can also be in processing of «the envelope» http://www.ws-attacks.org/ Web Service Types
  8. 8. Page 8 “Find a player” in “XML-RPC speak” XML-RPC Request Example POST /xml_rpc_web_service HTTP/1.1 Host: example.com ... <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>FindPlayer</methodName> <params> <param> <value> <string>Simon</string> </value> </param> </params> </methodCall>
  9. 9. Page 9 “Find a Player” in “JSON-RPC speak” JSON-RPC Request Example POST /json_rpc_web_service HTTP/1.1 Host: example.com ... { "method": "FindPlayer“, "params": [ "Simon" ], "id": 1 }
  10. 10. Page 10 “Find a Player” in “SOAP speak” SOAP Request Example POST /soap_web_service HTTP/1.1 Host: example.com ... <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:enc="http://www.w3.org/2003/05/soap-encoding" xmlns:ns1="http://example.com/soap_web_service" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding"> <name xsi:type="xsd:string">Simon</name> </ns1:FindPlayer> </env:Body> </env:Envelope>
  11. 11. Page 11 «Find a Player» in «RESTful speak» RESTful Request Example GET /restful_web_service/Find_player/Simon HTTP/1.1 Host: example.com ...
  12. 12. Page 12 For our purposes: • The function can be the same: «Find a Player» • The attacks can be the same: SQLi, XSS, XXE, etc. • What changes is «the envelope»: «How to invoke the function» In our example: «HOW to call the web service to find a player» Web Service Types: Summary
  13. 13. Page 13 Definitions: SQLi = SQL Injection XSS = Cross Site Scripting XXE = XML eXternal Entity What do SQLi, XSS and XXE have in common? • They are all «Injection» attacks • Injection attacks = Number 1 Web Risk https://www.owasp.org/index.php/Top_10_2013-A1-Injection Usual culprits: • String concatenations • XML parsers • Home rolled parsers SQLi, XSS and XXE?
  14. 14. Page 14 SQL Injection (SQLi) 101: • User input can change the SQL query • «input» is «injected» into the «SQL query» • Usually due to string concatenations: «SELECT ... WHERE id = input» SQL Injection on Web Services: • Usually the same as SQLi on Web Applications. • Difference = Attack encoded according to «the envelope» Why? Break XML/JSON = Web Service cannot see/process the message REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public SQLi on Web Services
  15. 15. Page 15 SQLi: XML-RPC Web Service
  16. 16. Page 16 POST /xml_rpc_web_service HTTP/1.1 Host: example.com ... <?xml version="1.0" encoding="UTF-8"?> <methodCall><methodName>FindPlayer</methodName> <params> <param> <value> <string>Simon</string> </value> </param> </params> </methodCall> SQLi: Legit XML-RPC Request
  17. 17. Page 17 POST /xml_rpc_web_service HTTP/1.1 Host: example.com ... <?xml version="1.0" encoding="UTF-8"?> <methodCall><methodName>FindPlayer</methodName> <params> <param> <value> <string> zz&apos; union all ... </string> </value> </param> </params> </methodCall> SQLi: XML-RPC SQLi Attack
  18. 18. Page 18 Query: NOTE: String concatenation! SELECT * FROM players WHERE name LIKE '%{$player}%' Intended usage: • Player: Simon • XML-RPC call snippet: <string>Simon</string> • Query becomes: SELECT * FROM players WHERE name LIKE '%Simon%' SQLi attack: • Player: zz' union all ... • XML-RPC call snippet: NOTE: XML-encoded single quote (') = &apos; <string>zz&apos; union all ... </string> • Query becomes: SELECT * FROM players WHERE name LIKE '%zz' union all ... %' SQLi: XML-RPC Explanation
  19. 19. Page 19 Usual SQLi Impact: • The attacker can run arbitrary SQL code • Dumping the whole database, Sometimes code execution, etc. Root cause: Code + Data = Code • Code: SELECT * FROM players WHERE name LIKE '%%' • + Data (i.e. user input): $player • = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %‘ • «Data» is executed as «Code» (All Injection attacks work like this) How to fix: Separate «code» from «data» as aggressively as possible • BEST: Bind variables aka «Parameterized queries» Always do this if you can! • 2nd BEST: Escaping Sometimes the only option (think legacy), be careful • 3rd BEST: Strict validation Only do this in addition to binding/escaping • More info: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQLi Mitigation: Basics
  20. 20. Page 20 REMEMBER: Bind variables > Escaping IF you have to use escaping make sure that: 1) you use the DBMS function for that: i.e. Escape MySQL using a MySQL-specific function, etc. AND 2) You put quotes around the value you are escaping! Our example: Could be fixed, using escaping, like: SQLi Mitigation: On Escaping
  21. 21. Page 21 XSS Intro Three major types of XSS: • (Server-Side) Reflected: The XSS payload is displayed back from the request • (Server-Side) Stored: The XSS payload is 1) stored –i.e. in a DB- 2) Displayed back • (JavaScript-Side) DOM-based: The XSS payload is evaluated as JavaScript, from JavaScript code Cross Site Scripting (XSS) 101: • User input can change the HTML page OR JavaScript • «input» is «injected» into the «Page» • Run JavaScript under «victim domain» = session hijacking, etc. • Usually due to string concatenations: «<html><body>....input...</body></html>»
  22. 22. Page 22 XSS against RESTful web services can sometimes be like XSS on web apps: XSS on RESTful Web Services
  23. 23. Page 23 XSS on RESTful Web Services Proof of concept: XSS=$(php -r "echo urlencode("<svg onload=alert(1)>");") curl -i "http://localhost/findplayer/$XSS" OR directly: http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E Returns: HTTP/1.1 200 OK .. Content-Type: text/html Your search: <svg onload=alert(1)>Matches: ... NOTE: Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
  24. 24. Page 24 But, more commonly, XSS on Web Services happens in two stages: 1) The web service saves the data NOT the problem 2) The data is displayed (insecurely) by a web app THE problem XSS on Web Services: • Usually the same as Persistent XSS on Web Applications. • Difference = Attack encoded according to «the envelope» Why? Break XML/JSON = Web Service cannot see/process the message REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public XSS on most Web Services
  25. 25. Page 25 POST /json_rpc_web_service HTTP/1.1 Host: example.com ... { "method": "FindPlayer“, "params": [ "Simon" ], "id": 1 } JSON-RPC Request Example
  26. 26. Page 26 NOTE: Encode according to «the envelope», JSON-RPC = JSON encode XSS=$(php -r "echo json_encode("<svg onload=alert(1)>");"); POST /json_rpc_web_service HTTP/1.1 Host: example.com ... { "method": "FindPlayer“, "params": [ "<svg onload=alert(1)>" ], "id": 1 } JSON-RPC XSS Attack
  27. 27. Page 27 XSS Mitigation XSS Mitigation 101: • Solution != Validation (i.e. Business requires «risky» characters, etc.) • Solution = Output Encoding in the right context • ALWAYS use validation in addition to output encoding. • As with all Injection attacks, the problem is when: Code + Input = Code • Usual culprit aka “right place to fix” String concatenations on code that renders/builds HTML/JavaScript NOTE: Usually on the web app, rarely on the web service. • More info (recommended reading): https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention _Cheat_Sheet
  28. 28. Page 28 XSS Mitigation Example XSS Mitigation 101 = Output Encoding in the right context, using the relevant platform function for such purpose. i.e. Htmlentities in PHP. Vulnerable example: Fixed example (in this context!): Safe Output: Your search: &lt;svg onload=alert(1)&gt; Matches: ... Unsafe Output: Your search: <svg onload=alert(1)> Matches: ...
  29. 29. Page 29 XXE / XEE Intro XML Entity (XXE / XEE) attacks 101: • User input can change the parsed XML, «the XML the app will see» • «input» is «injected» into the «parsed XML» • Usually due to a default XML parser feature: XML (External / Inline) Entities Two major types of atacks: • XXE = Path Traversal = Read system files, source code, etc. • XEE = Denial of Service = Crash the web server Interesting attack variants: • Internal network HTTP requests • PHP / Java wrappers • Remote Code Execution (RCE) in some edge cases • Etc.
  30. 30. Page 30 XXE / XEE = Subtle issues XXE / XEE = Attacks against the XML parser, the code might «look safe» Scenario: An NGO builds a «crime report» web service, this allows people to report government abuse crimes anonymously. Code:
  31. 31. Page 31 XEE attackXML File XEE = XML Entity Expansion = Denial of Service (DoS) attack Amplified XEE: «The billion laughs attack» / «recursive entity expansion» XML File: It will take … 687 GB of RAM to parse this document .. Recommended watching: http://vimeo.com/73255656
  32. 32. Page 32 Intended XML File XML File: Web Service Code: echo "Uploading Crime Report: {$xml->summary}.."; Web Service Output: Uploading Crime Report: Joey is guilty..
  33. 33. Page 33 XXE attackXML File XXE = External Entity attack = Path Traversal = Read files, etc. XML File: Web Service Code: echo "Uploading Crime Report: {$xml->summary}.."; Web Service Output: «summary» = «/etc/passwd» via XML parser! Uploading Crime Report: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
  34. 34. Page 34 XXE / XEE: Mitigation XXE and XEE attacks mitigation 101: • Disable external entities • Disable DOCTYPE declarations • Prefer SAX over DOM parsers • Validate XML files against schemas • More info (recommended reading, especially links at the end): https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processin g
  35. 35. Page 35 XXE / XEE: Mitigation example Vulnerable: $xml = simplexml_load_string($request->getBody()); Fixed: NOTE: Do ALL this before parsing //Fix 1) Disable External Entities: Fixes XXE and *some* XEE libxml_disable_entity_loader(true); //Fix 2) Limit overall XML size: IMPORTANT before Fix 3) if (strlen($xml_string) > (1024 * 5)) die('Sorry, we do not support XML files greater than 5 KBs'); //Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE If (preg_match("/<!DOCTYPE/i", preg_replace("/s/", '', $xml_string))) die('Unsupported XML file, sorry'); //NOW we can parse the XML safely ☺ $xml = simplexml_load_string($xml_string);
  36. 36. Page 36 XXE / XEE Demo XXE / XEE DEMO Watch it from minute 25 here: https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/ (NOTE: Wait for the video to fully load first)
  37. 37. Page 37 Thank you! Armando Romeo armando@elearnsecurity.com Abraham Aranguren abraham@elearnsecurity.com Cool

×