The document discusses XML security, focusing on various injection attacks like XPath and external entity expansions, along with their mitigations. It highlights the importance of keeping software updated, managing server information disclosure, and adhering to secure coding practices to defend against these threats. Resources and further reading are provided for deeper understanding of these vulnerabilities and their defenses.

1. Devouring Security
Marudhamaran Gunasekaran
XML
Attack surface and Defences
Watch the screen recording of the presentation at
- http://vimeo.com/94209532

2. Overreacting to Risk
I understand the natural human
disgust reaction, but do these
people actually think that their
normal drinking water is any
more pure? That a single human
is that much worse than all the
normal birds and other animals?
A few ounces distributed
amongst 38 million gallons is
negligible.
- Bruce Schneier
https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html

3. Disclaimer
Techniques and Tools in this presentation should
be used or applied on an application, only
with prior consent of the application’s owner.
Illegal otherwise.

4. Xml today
• Network protocols – SOAP, XMLRPC, REST
• Data exchange – modern databases
• Configuration files – java beans, .net config ..
• Document/image formats – SVG, RSS, Atom

5. Xml injection demo
http://XmlAttacks:8080/WebGoat/attack

6. Xpath Injection Anatomy

7. Blind Xpath Injection exists as well
https://www.owasp.org/index.php/Blind_XPath_Injection
http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf
More:

8. Mitigations
•Rejecting requests based on Xpath < > / ' = “
•Variables with Xslttransformation
•Linq to Xml without Xpath queries (.Net)
•Xquery implementations (Saxon parser for Java & .Net)

9. Java Xpath injection mitigation with
XPathVariableResolver (Java)
Rejecting requests based on Xpath < > / ' = “
Variables with Xslttransformation
Linq to Xml without Xpath queries (.Net)
Xquery implementations (Saxon parser for Java & .Net)

10. Java Xpath injection mitigation with
XPathVariableResolver (Java)
Xpath with Variables

11. Java Xpath injection mitigation with
IXsltContextVariable (.Net)
Xpath with Variables

12. Java Xpath injection mitigation with
IXsltContextVariable (.Net)
Xpath with Variables

13. Xpath injection mitigation with Input
filtering

14. Xpath injection mitigation with Linq to
Xml (.Net)
Linq to Xml: Xpath injection vulnerable
Linq to Xml: Xpath injection proof

15. DTDs
• Document Type Definition

16. Document Type Definition

17. Entity Declarations
http://www.xmlmaster.org/en/article/d01/c03/

18. Billion Laughs (aka Xml Bomb)
http://en.wikipedia.org/wiki/Billion_laughs

19. Billion Laughs (Demo)

20. External Entity Expansions
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
<!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">
public class DoS : IHttpHandler
{
public void ProcessRequest(HttpContext context)
{
context.Response.ContentType = "text/plain";
byte[] data = new byte[1000000];
for (int i = 0; i < data.Length; i++) { data[i] = (byte)'A'; }
while (true)
{
context.Response.OutputStream.Write(data, 0, data.Length);
context.Response.Flush();
}
}
public bool IsReusable { get { return false; } }
}

21. External Entity expansion mitigation
(.Net)
XmlDocument xmlDoc = new XmlDocument();
XmlTextReader reader = new XmlTextReader(new
MemoryStream(Encoding.UTF8.GetBytes(xmlInput)));
reader.ProhibitDtd = true;
Mitigated:
Potentially Vulnerable:
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(xmlInput);

22. External Entity expansion mitigation
(JAXP)

23. Directory browsing and file access
(JAXB)
import javax.xml.bind.*;
import javax.xml.stream.*;
import javax.xml.transform.stream.StreamSource;
public class Demo {
public static void main(String[] args) throws Exception {
JAXBContext jc = JAXBContext.newInstance(Customer.class);
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));
Unmarshaller unmarshaller = jc.createUnmarshaller();
Customer customer = (Customer) unmarshaller.unmarshal(xsr);
Marshaller marshaller = jc.createMarshaller();
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
marshaller.marshal(customer, System.out);
}
}
More:
http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb

24. DOS attack and safe/vulnerable .Net
versions
.Net framework 2.0.50727.5477 or higher
.Net framework 4.0.30319.34011 or higher
.Net framework 2.0.50727.5420 or lower
.Net framework 4.0.30319.1 or lower
.Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?
.Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?

25. Lessons learned
1. Keeping your operating systems and frameworks up to date
2. Don’t let your server headers reveal too much information
3. Be vigilant about the framework’s default settings

26. References / Further reading
• http://www.lynda.com/XML-tutorials/Understanding-XML-usage-today/782/47912-4.html
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3925
• http://secpod.org/blog/?p=1337
• http://2013.appsecusa.org/2013/wp-
content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf
• https://www.owasp.org/index.php/XPATH_Injection_Java
• https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250
• http://www.xmlmaster.org/en/article/d01/c03/