XXE Exposed
XML eXternal Entity vulnerabilities
Armando Romeo – Abraham Aranguren
eLearnSecurity SRL
www.elearnsecurity.com
Page 2
MENU
Introduction
DEMO
Q/A + Surprise
Page 3
Meet our author Abraham Aranguren
Project founder and leader of OWASP OWTF
7+ years in Web App Security research and consulting
Speaker at top European IT Security events
Co-creator of VSA along with Mario Heiderich and Gareth Heyes
Author of Practical Web Defense
The most comprehensive training course on web app security
Launched in November 2013
Presenter
Page 4
Agenda
Web Service Types
SQLi on Web Services
XSS on Web Services
XXE / XEE on Web Services
XXE / XEE Demo
Q & A
Page 5
Web Service Types
Major Web Service Types:
Abbreviation: Stands for
XML-RPC: XML Remote Procedure Call
JSON-RPC: JSON Remote Procedure Call
SOAP: Simple Object Access Protocol
REST: Representational State Transfer
BPEL: Business Process Execution Language
WCF: Windows Communication Foundation
More in-depth examples, labs, videos, etc. on:
«Practical Web Defense»
https://www.elearnsecurity.com/PWD
Page 6
Web Service Example
Basic Example:
• «Find a player web service»
• Web service returns matches from a database
Request: the «web service client» sends the message “Find a player” to the web service server
Web service server:
1) Search player
2) Return matches
Response: the web service server sends the message “Player matches” back to the client
Page 7
In this webinar:
• Web service = Process request + Return response
• Web service = «the function», «find a player»
• Web service type = «the envelope», «HOW to call the function»
• Vulnerabilities are often in «the function»:
IF SO, Web Service attacks work against ALL types
NOT in this webinar:
• Vulnerabilities can also be in processing of «the envelope»
http://www.ws-attacks.org/
Web Service Types
Page 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
Page 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "Simon" ],
"id": 1
}
Page 10
“Find a Player” in “SOAP speak”
SOAP Request Example
POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
xmlns:ns1="http://example.com/soap_web_service"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns1:FindPlayer
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<name xsi:type="xsd:string">Simon</name>
</ns1:FindPlayer>
</env:Body>
</env:Envelope>
Page 11
«Find a Player» in «RESTful speak»
RESTful Request Example
GET /restful_web_service/Find_player/Simon HTTP/1.1
Host: example.com
...
Page 12
For our purposes:
• The function can be the same:
«Find a Player»
• The attacks can be the same:
SQLi, XSS, XXE, etc.
• What changes is «the envelope»:
«How to invoke the function»
In our example:
«HOW to call the web service to find a player»
Web Service Types: Summary
Page 13
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home rolled parsers
SQLi, XSS and XXE?
Page 14
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations:
«SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
SQLi on Web Services
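The same «Find a Player» call wrapped in three envelopes, as an added example (Python, not code from the webinar): the attack string is identical, only the encoding step changes with the envelope, and each server-side unwrap shows «the function» receiving the raw value. It also shows the other half of the slide: concatenate the raw value into the XML and the web service cannot parse the message at all. The builder/unwrap function names, the payloads and the use of %20 instead of the + that PHP's urlencode() emits for the REST path are assumptions of this example.

```python
"""Same function ("FindPlayer"), three envelopes.
Added example, not code from the webinar: the <methodCall> layout, the JSON-RPC
fields and the endpoint paths follow the slides; the helper names, the payloads
and the %20 path encoding are choices made here."""
import json
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XML_EXTRA = {"'": "&apos;", '"': "&quot;"}   # escape() only handles & < > by default


def build_xmlrpc(player: str, encode: bool = True) -> str:
    """XML-RPC envelope for FindPlayer. encode=False concatenates the raw value,
    which is how a sloppy client (or a naive attack) breaks the XML."""
    value = escape(player, XML_EXTRA) if encode else player
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<methodCall><methodName>FindPlayer</methodName>"
        f"<params><param><value><string>{value}</string></value></param></params>"
        "</methodCall>"
    )


def build_jsonrpc(player: str) -> str:
    """JSON-RPC envelope: json.dumps does the escaping (quotes, backslashes)."""
    return json.dumps({"method": "FindPlayer", "params": [player], "id": 1})


def build_rest(player: str) -> str:
    """RESTful path: percent-encode everything, including '/' and spaces."""
    return "/restful_web_service/Find_player/" + urllib.parse.quote(player, safe="")


# --- what «the function» sees once the server unwraps each envelope ---
def unwrap_xmlrpc(body: str) -> str:
    root = ET.fromstring(body.encode("utf-8"))      # ParseError on broken XML
    assert root.findtext("methodName") == "FindPlayer"
    return root.findtext("params/param/value/string")


def unwrap_jsonrpc(body: str) -> str:
    call = json.loads(body)
    assert call["method"] == "FindPlayer"
    return call["params"][0]


def unwrap_rest(path: str) -> str:
    return urllib.parse.unquote(path.rsplit("/", 1)[1])


def roundtrip(player: str) -> dict:
    """The value FindPlayer receives through each envelope: always the raw input."""
    return {
        "xml-rpc": unwrap_xmlrpc(build_xmlrpc(player)),
        "json-rpc": unwrap_jsonrpc(build_jsonrpc(player)),
        "rest": unwrap_rest(build_rest(player)),
    }


def breaks_envelope(player: str) -> bool:
    """True when concatenating the raw value into the XML makes it unparseable,
    i.e. the web service never even sees the message."""
    try:
        unwrap_xmlrpc(build_xmlrpc(player, encode=False))
        return False
    except ET.ParseError:
        return True


if __name__ == "__main__":
    for payload in ("Simon", "zz' union all select 1,2 --", "<svg onload=alert(1)>"):
        print(payload, "->", roundtrip(payload))
        print("   raw concatenation breaks XML-RPC:", breaks_envelope(payload))
```

The single quote of the SQLi payload survives XML-RPC as `&apos;` and JSON-RPC untouched; `<svg onload=alert(1)>` survives all three once encoded, but unencoded it turns the XML-RPC envelope into a parse error, which is the only reason the attack has to be encoded «according to the envelope».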
Page 15
SQLi: XML-RPC Web Service
Page 16
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
SQLi: Legit XML-RPC Request
Page 17
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>
zz&apos; union all ...
</string>
</value>
</param>
</params>
</methodCall>
SQLi: XML-RPC SQLi Attack
Page 18
Query:
NOTE: String concatenation!
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet:
<string>Simon</string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:
• Player: zz' union all ...
• XML-RPC call snippet:
NOTE: XML-encoded single quote (') = &apos;
<string>zz&apos; union all ... </string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
SQLi: XML-RPC Explanation
Page 19
Usual SQLi Impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, Sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
• «Data» is executed as «Code» (All Injection attacks work like this)
How to fix: Separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries». Always do this if you can!
• 2nd BEST: Escaping. Sometimes the only option (think legacy), be careful
• 3rd BEST: Strict validation. Only do this in addition to binding/escaping
• More info:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
SQLi Mitigation: Basics
Page 20
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS function for that:
e.g. escape MySQL input with a MySQL-specific function (mysqli_real_escape_string), etc.
AND
2) You put quotes around the value you are escaping!
Our example:
Could be fixed, using escaping, like:
SQLi Mitigation: On Escaping
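The slide's query, run against a real database, as an added example (Python with the built-in SQLite driver, not code from the webinar): the string-concatenated LIKE beside the «BEST» fix, a bound parameter. The table layout, the users table the injection reads and its hash value are constructed for this example; the payload is the slide's `zz' union all ...` spelled out, with a trailing comment to swallow the `%'` that the query appends.

```python
"""FindPlayer backed by SQLite: concatenated LIKE query vs. bound parameter.
Added example, not code from the webinar; tables and data are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE players (name TEXT, team TEXT);
        INSERT INTO players VALUES ('Simon', 'Lions'), ('Simeon', 'Tigers'), ('Tim', 'Bears');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-hash-for-the-demo');
    """)
    return db


def find_player_vulnerable(db, player: str) -> list:
    """The slide's query: SELECT * FROM players WHERE name LIKE '%{$player}%'
    Code + Data = Code: whatever is in `player` is parsed as SQL."""
    sql = "SELECT name, team FROM players WHERE name LIKE '%" + player + "%' ORDER BY name"
    return db.execute(sql).fetchall()


def find_player_fixed(db, player: str) -> list:
    """Bind variable: the value travels separately from the query text, so it
    can never be parsed as SQL. The wildcards are added to the *data*, and LIKE
    metacharacters in the input are escaped so a search for '%' or '_' cannot
    widen the match to the whole table."""
    literal = player.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name, team FROM players WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return db.execute(sql, ("%" + literal + "%",)).fetchall()


# zz' union all ...  from the slide; the -- comment eats the query's trailing  %'
PAYLOAD = "zz' UNION ALL SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("legit:     ", find_player_vulnerable(db, "Simon"))
    print("vulnerable:", find_player_vulnerable(db, PAYLOAD))   # users table leaks
    print("fixed:     ", find_player_fixed(db, PAYLOAD))        # []
    print("wildcard:  ", find_player_vulnerable(db, "%"), find_player_fixed(db, "%"))
```

The bound version returns nothing for the payload because the whole string is compared as a name. Note the second, smaller problem the parameterised query also closes: a bare `%` as input dumps every player through the vulnerable query, which is why the fix escapes LIKE metacharacters instead of trusting validation.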
Page 21
XSS Intro
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations:
«<html><body>....input...</body></html>»
Three major types of XSS:
• (Server-Side) Reflected:
The XSS payload is displayed back from the request
• (Server-Side) Stored:
The XSS payload is
1) stored (e.g. in a DB)
2) displayed back
• (JavaScript-Side) DOM-based:
The XSS payload is evaluated as JavaScript, from JavaScript code
Page 22
XSS against RESTful web services can sometimes be like XSS on web apps:
XSS on RESTful Web Services
Page 23
XSS on RESTful Web Services
Proof of concept:
XSS=$(php -r 'echo urlencode("<svg onload=alert(1)>");')
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>Matches: ...
NOTE:
Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
Page 24
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data NOT the problem
2) The data is displayed (insecurely) by a web app THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
XSS on most Web Services
Page 25
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "Simon" ],
"id": 1
}
JSON-RPC Request Example
Page 26
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r 'echo json_encode("<svg onload=alert(1)>");')
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "<svg onload=alert(1)>" ],
"id": 1
}
JSON-RPC XSS Attack
Page 27
XSS Mitigation
XSS Mitigation 101:
• Solution != Validation (e.g. the business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when:
Code + Input = Code
• Usual culprit aka “right place to fix”:
String concatenations in code that renders/builds HTML/JavaScript
NOTE: Usually in the web app, rarely in the web service.
• More info (recommended reading):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Page 28
XSS Mitigation Example
XSS Mitigation 101 = Output Encoding in the right context, using the
relevant platform function for that purpose, e.g. htmlentities() in PHP.
Vulnerable example:
Fixed example (in this context!):
Safe Output:
Your search: &lt;svg onload=alert(1)&gt; Matches: ...
Unsafe Output:
Your search: <svg onload=alert(1)> Matches: ...
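«Output encoding in the right context», as an added example (Python, not code from the webinar): the RESTful slide's unsafe output beside a page that encodes the same search term for the HTML body, for a quoted attribute and for a JavaScript string. The page fragments are made up here; the JavaScript-string encoder is this example's own, and `js_escape_naive` stands for the common shortcut of reusing a JSON encoder, which is not enough in that context.

```python
"""Context-aware output encoding for a FindPlayer result.
Added example, not code from the webinar: the HTML fragments, the encoder
names and the sample payload are constructed here."""
import html
import json

PAYLOAD = "<svg onload=alert(1)>"


def render_unsafe(search: str) -> str:
    """The RESTful slide's output: the raw value concatenated into text/html."""
    return f"Your search: {search} Matches: ..."


def encode_html(value: str) -> str:
    """HTML body and quoted-attribute context: & < > " ' become entities
    (what htmlentities()/htmlspecialchars() with ENT_QUOTES do in PHP)."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string context: \\uXXXX-escape everything that is not an
    ASCII letter or digit. Quotes, backslashes and the '<' of '</script>' all
    become inert, whatever the surrounding HTML does with entities."""
    return "".join(c if c.isascii() and c.isalnum() else f"\\u{ord(c):04x}" for c in value)


def js_escape_naive(value: str) -> str:
    """Common shortcut: a JSON encoder. It escapes quotes and backslashes but
    leaves '<' and '/' alone, so '</script>' in user input still terminates
    the script block and the browser is back in HTML context."""
    return json.dumps(value)[1:-1]


def ends_script_block(js_fragment: str) -> bool:
    """Would this fragment, placed inside <script>...</script>, close the block?"""
    return "</script" in js_fragment.lower()


def render_safe(search: str) -> str:
    """Same page, each insertion point encoded for its own context.
    The attribute must be quoted by the template for encode_html to suffice."""
    return (
        f"Your search: {encode_html(search)} Matches: ...\n"
        f'<input name="q" value="{encode_html(search)}">\n'
        f"<script>var lastSearch = '{encode_js_string(search)}';</script>"
    )


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    probe = "</script><svg onload=alert(1)>"
    print("naive JS escape closes the script block:", ends_script_block(js_escape_naive(probe)))
    print("\\u-escaped JS string closes the script block:", ends_script_block(encode_js_string(probe)))
```

The first line of `render_safe` is the slide's «Safe Output». The JavaScript case is where «the right context» matters: HTML entities are not decoded inside `<script>`, and a JSON encoder leaves `</script>` intact, so only an encoder that neutralises `<` and `/` keeps the value inside the string.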
Page 29
XXE / XEE Intro
XML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature:
XML (External / Inline) Entities
Two major types of attacks:
• XXE = XML eXternal Entity = read local files (path-traversal-like impact): system files, source code, etc.
• XEE = XML Entity Expansion = Denial of Service = exhaust the parser's memory/CPU, crash the web server
Interesting attack variants:
• Internal network HTTP requests (SSRF through the parser)
• PHP / Java wrappers (e.g. the php:// and jar: URL schemes)
• Remote Code Execution (RCE) in some edge cases
• Etc.
Page 30
XXE / XEE = Subtle issues
XXE / XEE = Attacks against the XML parser, the code might «look safe»
Scenario:
An NGO builds a «crime report» web service, this allows people to report
government abuse crimes anonymously.
Code:
Page 31
XEE attack
XEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656
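How a few hundred bytes of DTD turn into gigabytes, as an added example (Python, not code from the webinar): the expanded size of a document's entities can be computed from the `<!ENTITY>` declarations alone, without expanding anything, and that number, or the amplification ratio it implies, is a check a service can run before handing the bytes to a real parser. The slide's own file is not shown here; the classic 10×10×…×10 «billion laughs» DTD is constructed below and expands to about 3 GB. The regexes cover internal general entities only (no SYSTEM/PUBLIC, no parameter entities), and the limits are values chosen for this example.

```python
"""Static estimate of XML entity expansion.
Added example, not code from the webinar: regexes, limits and sample DTDs are
simplifications constructed for this example."""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>", re.S)
PREDEFINED = {"lt": "<", "gt": ">", "amp": "&", "apos": "'", "quot": '"'}


def declared_entities(xml_text: str) -> dict:
    """name -> replacement text for every internal general entity in the DTD."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(xml_text)}


def expanded_size(name: str, entities: dict, memo: dict, stack=()):
    """Characters `name` expands to, following nested references, without
    building the string. A reference cycle (illegal XML, but a hostile DTD
    may try) is reported as infinity so the caller rejects instead of looping."""
    if name in memo:
        return memo[name]
    if name in stack:
        return float("inf")
    text = entities.get(name, "")        # undeclared entity: a parser would fail anyway
    size, last = 0, 0
    for m in ENTITY_REF.finditer(text):
        size += m.start() - last
        size += expanded_size(m.group(1), entities, memo, stack + (name,))
        last = m.end()
    size += len(text) - last
    memo[name] = size
    return size


def document_expansion(xml_text: str):
    """(expanded body length, amplification factor relative to the raw document)."""
    entities = {**PREDEFINED, **declared_entities(xml_text)}
    body = DOCTYPE.sub("", xml_text, count=1)
    memo, expanded = {}, len(body)
    for m in ENTITY_REF.finditer(body):
        expanded += expanded_size(m.group(1), entities, memo) - len(m.group(0))
    return expanded, expanded / max(len(xml_text), 1)


def is_acceptable(xml_text: str, max_expanded: int = 1_000_000, max_ratio: int = 100) -> bool:
    expanded, ratio = document_expansion(xml_text)
    return expanded <= max_expanded and ratio <= max_ratio


def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """The classic amplification DTD, constructed here as test input."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * fanout}">')
    return f"<!DOCTYPE lolz [{''.join(decls)}]><lolz>&lol{depth};</lolz>"


BENIGN = '<!DOCTYPE r [<!ENTITY co "eLearnSecurity">]><r>&co; &amp; &co;</r>'
RECURSIVE = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("recursive", RECURSIVE), ("billion laughs", billion_laughs())):
        size, ratio = document_expansion(doc)
        print(f"{label}: {len(doc)} raw chars -> {size} expanded (x{ratio:.0f}), accept={is_acceptable(doc)}")
```

Ten levels of ten references each give 3×10⁹ characters from under 1 KB of input, an amplification factor in the millions; a legitimate document with a couple of entities stays around 1. Rejecting on the ratio catches deeper or wider variants the same way, and the cycle check keeps the estimator itself from becoming the DoS.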
Page 32
Intended XML File
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..
Page 33
XXE attack
XXE = XML eXternal Entity attack = read local files (path-traversal-like impact), etc.
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
Page 34
XXE / XEE: Mitigation
XXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations
• Prefer SAX over DOM parsers
• Validate XML files against schemas
• More info (recommended reading, especially links at the end):
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Page 35
XXE / XEE: Mitigation example
Vulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed:
NOTE: Do ALL this before parsing
$xml_string = $request->getBody();
//Fix 1) Disable External Entities: Fixes XXE and *some* XEE
//(deprecated since PHP 8.0: libxml >= 2.9 no longer loads external entities by default)
libxml_disable_entity_loader(true);
//Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
    die('Sorry, we do not support XML files greater than 5 KBs');
//Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
//(strip whitespace first, then look for the DOCTYPE keyword)
if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string)))
    die('Unsupported XML file, sorry');
//NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
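The same three fixes in Python, as an added example (not code from the webinar): size cap first, then refuse any DOCTYPE, then parse. The difference from the PHP version is that the DOCTYPE check is a callback of the XML parser itself rather than a regex over the raw bytes, so it is applied to what the parser actually decodes. Python's standard-library expat parser does not fetch external entities on its own, which makes the pre-flight defence in depth here; the element names follow the slides, the limit and the sample requests are constructed for this example.

```python
"""Hardened XML intake for the crime-report service.
Added example, not code from the webinar: the limit, the function names and
the sample documents are constructed here."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 5 * 1024


class UnsafeXML(ValueError):
    """Raised for anything we refuse to parse."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    raise UnsafeXML(f"DOCTYPE {name!r} refused (SYSTEM={system_id!r})")


def _reject_entity_decl(*_):
    raise UnsafeXML("entity declaration refused")


def _reject_external_ref(context, base, system_id, public_id):
    raise UnsafeXML(f"external entity {system_id!r} refused")


def safe_parse(data: bytes) -> ET.Element:
    # Fix 2 from the slides comes first: bound the work before touching a parser.
    if len(data) > MAX_BYTES:
        raise UnsafeXML(f"document larger than {MAX_BYTES} bytes")
    # Fixes 1 and 3: a pre-flight pass with a bare expat parser. Any DOCTYPE
    # (the only place entities can be declared) aborts the parse before a
    # single entity is defined, let alone expanded or fetched.
    preflight = expat.ParserCreate()
    preflight.StartDoctypeDeclHandler = _reject_doctype
    preflight.EntityDeclHandler = _reject_entity_decl
    preflight.ExternalEntityRefHandler = _reject_external_ref
    preflight.Parse(data, True)          # exceptions raised in handlers propagate
    return ET.fromstring(data)


def upload_crime_report(data: bytes) -> str:
    """The slide's  echo "Uploading Crime Report: {$xml->summary}..";  in Python."""
    root = safe_parse(data)
    return f"Uploading Crime Report: {root.findtext('summary')}.."


def accepted(data: bytes) -> bool:
    """True if safe_parse would hand the document to the application."""
    try:
        safe_parse(data)
        return True
    except (UnsafeXML, ET.ParseError, expat.ExpatError):
        return False


# Constructed sample requests: the intended file, the XXE file from the slides,
# and a small entity-expansion file.
BENIGN_REPORT = b'<?xml version="1.0"?><crime><summary>Joey is guilty</summary></crime>'
XXE_REPORT = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE crime [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b'<crime><summary>&xxe;</summary></crime>')
XEE_REPORT = (b'<!DOCTYPE crime [<!ENTITY a "aaaaaaaaaa">'
              b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
              b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
              b'<crime><summary>&c;</summary></crime>')

if __name__ == "__main__":
    print(upload_crime_report(BENIGN_REPORT))
    for label, doc in (("XXE", XXE_REPORT), ("XEE", XEE_REPORT)):
        try:
            upload_crime_report(doc)
        except UnsafeXML as e:
            print(f"{label} request refused: {e}")
```

Refusing every DOCTYPE is the blunt instrument the slides recommend; it also rejects harmless documents that carry a DTD, which for a web service that defines its own message format is the right trade.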
Page 36
XXE / XEE Demo
XXE / XEE
DEMO
Watch it from minute 25 here:
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)
Page 37
Thank you!
Armando Romeo
armando@elearnsecurity.com
Abraham Aranguren
abraham@elearnsecurity.com
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 

More from Abraham Aranguren (7)

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

  • 8. Page 8 “Find a player” in “XML-RPC speak”
    XML-RPC Request Example
    POST /xml_rpc_web_service HTTP/1.1
    Host: example.com
    ...
    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>FindPlayer</methodName>
      <params>
        <param>
          <value>
            <string>Simon</string>
          </value>
        </param>
      </params>
    </methodCall>
  • 9. Page 9 “Find a Player” in “JSON-RPC speak”
    JSON-RPC Request Example
    POST /json_rpc_web_service HTTP/1.1
    Host: example.com
    ...
    {
      "method": "FindPlayer",
      "params": [ "Simon" ],
      "id": 1
    }
  • 10. Page 10 “Find a Player” in “SOAP speak”
    SOAP Request Example
    POST /soap_web_service HTTP/1.1
    Host: example.com
    ...
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
                  xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
                  xmlns:ns1="http://example.com/soap_web_service"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <env:Body>
        <ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
          <name xsi:type="xsd:string">Simon</name>
        </ns1:FindPlayer>
      </env:Body>
    </env:Envelope>
  • 11. Page 11 «Find a Player» in «RESTful speak»
    RESTful Request Example
    GET /restful_web_service/Find_player/Simon HTTP/1.1
    Host: example.com
    ...
  • 12. Page 12 Web Service Types: Summary
    For our purposes:
    • The function can be the same: «Find a Player»
    • The attacks can be the same: SQLi, XSS, XXE, etc.
    • What changes is «the envelope»: «How to invoke the function»
      In our example: «HOW to call the web service to find a player»
  • 13. Page 13 SQLi, XSS and XXE?
    Definitions:
    SQLi = SQL Injection
    XSS = Cross Site Scripting
    XXE = XML eXternal Entity
    What do SQLi, XSS and XXE have in common?
    • They are all «Injection» attacks
    • Injection attacks = Number 1 Web Risk (OWASP Top 10 2013, A1)
      https://www.owasp.org/index.php/Top_10_2013-A1-Injection
    Usual culprits:
    • String concatenations
    • XML parsers
    • Home-rolled parsers
  • 14. Page 14 SQLi on Web Services
    SQL Injection (SQLi) 101:
    • User input can change the SQL query
    • «input» is «injected» into the «SQL query»
    • Usually due to string concatenations: «SELECT ... WHERE id = input»
    SQL Injection on Web Services:
    • Usually the same as SQLi on Web Applications.
    • Difference = the attack is encoded according to «the envelope»
      Why? A payload that breaks the XML/JSON never reaches «the function»: the web service cannot parse the message, let alone process it
    REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public
  • 15. Page 15 SQLi: XML-RPC Web Service
  • 16. Page 16 SQLi: Legit XML-RPC Request
    POST /xml_rpc_web_service HTTP/1.1
    Host: example.com
    ...
    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>FindPlayer</methodName>
      <params>
        <param>
          <value>
            <string>Simon</string>
          </value>
        </param>
      </params>
    </methodCall>
  • 17. Page 17 SQLi: XML-RPC SQLi Attack
    POST /xml_rpc_web_service HTTP/1.1
    Host: example.com
    ...
    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>FindPlayer</methodName>
      <params>
        <param>
          <value>
            <string>zz&apos; union all ...</string>
          </value>
        </param>
      </params>
    </methodCall>
  • 18. Page 18 SQLi: XML-RPC Explanation
    Query (NOTE: string concatenation!):
    SELECT * FROM players WHERE name LIKE '%{$player}%'
    Intended usage:
    • Player: Simon
    • XML-RPC call snippet: <string>Simon</string>
    • Query becomes: SELECT * FROM players WHERE name LIKE '%Simon%'
    SQLi attack:
    • Player: zz' union all ...
    • XML-RPC call snippet: <string>zz&apos; union all ...</string>
      NOTE: XML-encoded single quote (') = &apos;, so the quote reaches the query intact without breaking the XML
    • Query becomes: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
  • 19. Page 19 SQLi Mitigation: Basics
    Usual SQLi impact:
    • The attacker can run arbitrary SQL code
    • Dumping the whole database, sometimes code execution, etc.
    Root cause: Code + Data = Code
    • Code: SELECT * FROM players WHERE name LIKE '%%'
    • + Data (i.e. user input): $player
    • = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
    • «Data» is executed as «Code» (all Injection attacks work like this)
    How to fix: separate «code» from «data» as aggressively as possible
    • BEST: Bind variables aka «parameterized queries». Always do this if you can!
    • 2nd BEST: Escaping. Sometimes the only option (think legacy); be careful
    • 3rd BEST: Strict validation. Only do this in addition to binding/escaping
    • More info: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • 20. Page 20 SQLi Mitigation: On Escaping
    REMEMBER: Bind variables > Escaping
    IF you have to use escaping make sure that:
    1) you use the DBMS function for that, i.e. escape MySQL using a MySQL-specific function (e.g. mysqli_real_escape_string() in PHP), etc. AND
    2) you put quotes around the value you are escaping! Escaping only neutralizes quote characters; an unquoted context such as WHERE id = $id stays injectable no matter how well $id is escaped.
    Our example could be fixed, using escaping, like:
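    The «Code + Data = Code» root cause of slides 18-19 and the three mitigations ranked on slides 19-20, as an added example that is not part of the original deck. It is written in Python against an in-memory SQLite database rather than the PHP/MySQL setup the slides imply; the players table, the users table the attack steals from, and the completion of the slides' «zz' union all ...» payload are constructed for this demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the players table the «Find a player» service
    searches, plus an unrelated users table an attacker would like to read."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE players (id INTEGER, name TEXT);
        INSERT INTO players VALUES (1, 'Simon'), (2, 'Sam'), (3, 'Joey');
        CREATE TABLE users (id INTEGER, login TEXT);
        INSERT INTO users VALUES (1, 'admin:s3cr3t_hash');
        """
    )
    return con


def find_player_vulnerable(con: sqlite3.Connection, player: str) -> list:
    """Slide 18: string concatenation. The data becomes part of the SQL code."""
    sql = f"SELECT id, name FROM players WHERE name LIKE '%{player}%'"
    return con.execute(sql).fetchall()


def find_player_bound(con: sqlite3.Connection, player: str) -> list:
    """Fix 1 (best): bind variable. The query text never changes; the parameter
    travels as data, so a quote inside it is just a character."""
    sql = "SELECT id, name FROM players WHERE name LIKE '%' || ? || '%'"
    return con.execute(sql, (player,)).fetchall()


def escape_sqlite(value: str) -> str:
    """Fix 2 (second best): escape with the DBMS's own rule. SQLite's only string
    escape is doubling the single quote, and the caller MUST still wrap the result
    in quotes (slide 20, point 2). Assumption: this toy helper stands in for the
    real DBMS-specific escaping function of whatever database is in use."""
    return value.replace("'", "''")


def find_player_escaped(con: sqlite3.Connection, player: str) -> list:
    sql = f"SELECT id, name FROM players WHERE name LIKE '%{escape_sqlite(player)}%'"
    return con.execute(sql).fetchall()


# The slide 17 payload, completed for this demo: UNION ALL appends rows from
# another table and the trailing "--" comments out the dangling "%'".
PAYLOAD = "zz' UNION ALL SELECT id, login FROM users --"


def demo() -> dict:
    """Runs the same input through the vulnerable query and both fixes."""
    con = make_db()
    return {
        "intended": find_player_vulnerable(con, "Simon"),
        "vulnerable": find_player_vulnerable(con, PAYLOAD),
        "bound": find_player_bound(con, PAYLOAD),
        "escaped": find_player_escaped(con, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

    With the concatenated query the payload returns the users row instead of a player; with the bound or escaped query the same payload is treated as a (non-matching) name. The bound version still leaves LIKE wildcards (% and _) in user input unescaped, which is a business-logic question, not an injection.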
  • 21. Page 21 XSS Intro
    Cross Site Scripting (XSS) 101:
    • User input can change the HTML page OR the JavaScript
    • «input» is «injected» into the «page»
    • Run JavaScript under the «victim domain» = session hijacking, etc.
    • Usually due to string concatenations: «<html><body>....input...</body></html>»
    Three major types of XSS:
    • (Server-side) Reflected: the XSS payload is displayed back from the request
    • (Server-side) Stored: the XSS payload is 1) stored (i.e. in a DB) 2) displayed back
    • (JavaScript-side) DOM-based: the XSS payload is evaluated as JavaScript, by JavaScript code
  • 22. Page 22 XSS against RESTful web services can sometimes be like XSS on web apps: XSS on RESTful Web Services
  • 23. Page 23 XSS on RESTful Web Services
    Proof of concept:
    XSS=$(php -r 'echo urlencode("<svg onload=alert(1)>");')
    curl -i "http://localhost/findplayer/$XSS"
    OR directly:
    http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
    Returns:
    HTTP/1.1 200 OK
    ..
    Content-Type: text/html
    Your search: <svg onload=alert(1)> Matches: ...
    NOTE: Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺ (a browser does not render a text/xml or application/json body as HTML, so a payload reflected there does not execute)
  • 24. Page 24 XSS on most Web Services
    But, more commonly, XSS on Web Services happens in two stages:
    1) The web service saves the data: NOT the problem
    2) The data is displayed (insecurely) by a web app: THE problem
    XSS on Web Services:
    • Usually the same as Persistent XSS on Web Applications.
    • Difference = the attack is encoded according to «the envelope»
      Why? A payload that breaks the XML/JSON never reaches «the function»: the web service cannot parse the message
    REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public
  • 25. Page 25 JSON-RPC Request Example
    POST /json_rpc_web_service HTTP/1.1
    Host: example.com
    ...
    {
      "method": "FindPlayer",
      "params": [ "Simon" ],
      "id": 1
    }
  • 26. Page 26 JSON-RPC XSS Attack
    NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
    XSS=$(php -r 'echo json_encode("<svg onload=alert(1)>");')
    POST /json_rpc_web_service HTTP/1.1
    Host: example.com
    ...
    {
      "method": "FindPlayer",
      "params": [ "<svg onload=alert(1)>" ],
      "id": 1
    }
  • 27. Page 27 XSS Mitigation
    XSS Mitigation 101:
    • Solution != Validation (i.e. the business may legitimately require «risky» characters, etc.)
    • Solution = Output encoding in the right context
    • ALWAYS use validation in addition to output encoding.
    • As with all Injection attacks, the problem is when: Code + Input = Code
    • Usual culprit aka «the right place to fix»: string concatenations in the code that renders/builds HTML/JavaScript
      NOTE: Usually on the web app, rarely on the web service.
    • More info (recommended reading): https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 28. Page 28 XSS Mitigation Example
    XSS Mitigation 101 = Output encoding in the right context, using the relevant platform function for that purpose, i.e. htmlentities() in PHP.
    Vulnerable example:
    Fixed example (in this context!):
    Unsafe output: Your search: <svg onload=alert(1)> Matches: ...
    Safe output: Your search: &lt;svg onload=alert(1)&gt; Matches: ...
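    The two encodings that slides 23-28 keep apart, as an added Python example (not the deck's PHP or shell): first «encode according to the envelope», i.e. wrap the same XSS payload so the RESTful URL, the XML-RPC parser and the JSON-RPC parser deliver it unchanged to «the function»; second, output encoding in the HTML context, which is where the fix belongs. The FindPlayer method name, the /findplayer path and the «Your search: ... Matches: ...» template are the deck's; the JSON-RPC id and the minimal page fragment are assumptions for this demo.

```python
import html
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus
from xml.sax.saxutils import escape as xml_escape

PAYLOAD = "<svg onload=alert(1)>"   # the payload used on slides 23 and 26


def rest_path(arg: str) -> str:
    """RESTful envelope (slide 23): URL-encode the path segment, the same job
    PHP's urlencode() does in the slide's one-liner."""
    return f"/findplayer/{quote_plus(arg)}"


def xml_rpc_body(method: str, arg: str) -> str:
    """XML-RPC envelope (slides 16-17). xml_escape turns < > & into entities so the
    payload cannot break the XML; the single quote becomes &apos; exactly as on
    slide 17. The parser decodes all of them back before «the function» runs."""
    quote_entity = {"'": "&apos;"}
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f"<methodCall><methodName>{xml_escape(method)}</methodName>"
        f"<params><param><value><string>{xml_escape(arg, quote_entity)}</string>"
        "</value></param></params></methodCall>"
    )


def json_rpc_body(method: str, arg: str, req_id: int = 1) -> str:
    """JSON-RPC envelope (slide 26). json.dumps quotes and escapes the string,
    the role PHP's json_encode() plays in the slide."""
    return json.dumps({"method": method, "params": [arg], "id": req_id})


def decode_xml_rpc_arg(body: str) -> str:
    """What «the function» receives once the XML-RPC envelope is parsed."""
    return ET.fromstring(body).find("./params/param/value/string").text


def decode_json_rpc_arg(body: str) -> str:
    """What «the function» receives once the JSON-RPC envelope is parsed."""
    return json.loads(body)["params"][0]


def render_vulnerable(search: str) -> str:
    """Slide 28 'unsafe output': raw concatenation of input into HTML."""
    return f"Your search: {search} Matches: ..."


def render_fixed(search: str) -> str:
    """Slide 28 'safe output': HTML-entity encode for the HTML body context.
    html.escape here stands in for PHP's htmlentities()."""
    return f"Your search: {html.escape(search)} Matches: ..."


if __name__ == "__main__":
    print("REST    :", rest_path(PAYLOAD))
    print("XML-RPC :", xml_rpc_body("FindPlayer", PAYLOAD))
    print("JSON-RPC:", json_rpc_body("FindPlayer", PAYLOAD))
    print("decoded :", decode_xml_rpc_arg(xml_rpc_body("FindPlayer", PAYLOAD)))
    print("unsafe  :", render_vulnerable(PAYLOAD))
    print("safe    :", render_fixed(PAYLOAD))
```

    The envelope encoding is invisible to the service: after parsing, every transport hands «the function» the literal `<svg onload=alert(1)>`, which is why the fix has to be output encoding at the point where the web app writes it into HTML, not input filtering at the web service.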
  • 29. Page 29 XXE / XEE Intro
    XML Entity (XXE / XEE) attacks 101:
    • User input can change the parsed XML, «the XML the app will see»
    • «input» is «injected» into the «parsed XML»
    • Usually due to a default XML parser feature: XML (external / inline) entities
    Two major types of attacks:
    • XXE = XML eXternal Entity = read system files, source code, etc. (path-traversal-like impact)
    • XEE = XML Entity Expansion = Denial of Service = crash the web server
    Interesting attack variants:
    • Internal network HTTP requests (the entity URL is fetched by the server)
    • PHP / Java wrappers
    • Remote Code Execution (RCE) in some edge cases
    • Etc.
  • 30. Page 30 XXE / XEE = Subtle issues
    XXE / XEE = attacks against the XML parser: the code might «look safe»
    Scenario: An NGO builds a «crime report» web service, which allows people to report government abuse crimes anonymously.
    Code:
  • 31. Page 31 XEE attack
    XEE = XML Entity Expansion = Denial of Service (DoS) attack
    Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
    XML File:
    It will take … 687 GB of RAM to parse this document ..
    Recommended watching: http://vimeo.com/73255656
  • 32. Page 32 Intended XML File
    XML File:
    Web Service Code: echo "Uploading Crime Report: {$xml->summary}..";
    Web Service Output: Uploading Crime Report: Joey is guilty..
  • 33. Page 33 XXE attack
    XXE = External Entity attack = read files (path-traversal-like), etc.
    XML File:
    Web Service Code: echo "Uploading Crime Report: {$xml->summary}..";
    Web Service Output: «summary» = «/etc/passwd» via the XML parser!
    Uploading Crime Report: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
  • 34. Page 34 XXE / XEE: Mitigation
    XXE and XEE attacks mitigation 101:
    • Disable external entities
    • Disable DOCTYPE declarations
    • Prefer SAX over DOM parsers
    • Validate XML files against schemas
    • More info (recommended reading, especially links at the end): https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
  • 35. Page 35 XXE / XEE: Mitigation example
    Vulnerable:
    $xml = simplexml_load_string($request->getBody());
    Fixed: NOTE: Do ALL this before parsing
    $xml_string = $request->getBody();
    // Fix 1) Disable external entities: fixes XXE and *some* XEE
    // (libxml >= 2.9 disables external entity loading by default, which is why
    //  PHP 8.0 deprecates this call; it remains harmless on older stacks)
    libxml_disable_entity_loader(true);
    // Fix 2) Limit overall XML size: IMPORTANT, do this before Fix 3)
    if (strlen($xml_string) > (1024 * 5)) die('Sorry, we do not support XML files greater than 5 KBs');
    // Fix 3) Forbid DOCTYPE declarations: fixes XXE and XEE
    if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string))) die('Unsupported XML file, sorry');
    // NOW we can parse the XML safely ☺
    $xml = simplexml_load_string($xml_string);
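    Slides 31-35 as an added Python example (not the deck's PHP): parse_unsafely() shows that a stock DOM parser honours DTD entities by default, the feature XXE and XEE abuse, and parse_safely() applies fixes 2 and 3 from slide 35 (size cap first, then refuse any DOCTYPE) before parsing. The crime-report XML files are constructed for the demo; the XXE file is never fed to the unsafe parser, and the XEE file is cut to three levels (1000 copies of «lol») so it is safe to expand here. The 5 KB cap and the «summary» element come from the slides; the element name «report» is an assumption.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 5 * 1024   # slide 35, fix 2: 5 KB cap on the whole body

# Slide 32: the intended file.
INTENDED = b"<?xml version='1.0'?><report><summary>Joey is guilty</summary></report>"

# Slide 33: XXE. An external entity makes a resolving parser read a local
# file and place its contents wherever «summary» is read by the service.
XXE = (b"<?xml version='1.0'?>"
       b"<!DOCTYPE report [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
       b"<report><summary>&xxe;</summary></report>")

# Slide 31: XEE / «billion laughs», three levels deep instead of the nine or
# ten a real DoS uses. Each level multiplies the previous one by ten.
XEE = (b"<?xml version='1.0'?>"
       b"<!DOCTYPE report [<!ENTITY lol 'lol'>"
       b"<!ENTITY lol1 '&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;'>"
       b"<!ENTITY lol2 '&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;'>"
       b"<!ENTITY lol3 '&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;'>]>"
       b"<report><summary>&lol3;</summary></report>")

# Fix 3: a crime report never needs a DTD, so any DOCTYPE (or stray ENTITY)
# marks the document as hostile. Whitespace after "<!" is not valid XML, but
# tolerating it costs nothing and mirrors the slide's whitespace stripping.
DOCTYPE_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_unsafely(xml_bytes: bytes) -> str:
    """No checks: whatever the internal DTD declares, the parser expands.
    Returns the «summary» text the service would echo."""
    return ET.fromstring(xml_bytes).findtext("summary")


def parse_safely(xml_bytes: bytes, max_bytes: int = MAX_BYTES) -> str:
    """Slide 35 order: size cap before the regex, so the check itself cannot be
    turned into a DoS by a huge body; then refuse DTDs; only then parse."""
    if len(xml_bytes) > max_bytes:
        raise ValueError(f"XML larger than {max_bytes} bytes rejected")
    if DOCTYPE_RE.search(xml_bytes):
        raise ValueError("DOCTYPE/ENTITY declarations are not supported")
    return ET.fromstring(xml_bytes).findtext("summary")


def is_rejected(xml_bytes: bytes) -> bool:
    """True when parse_safely refuses the document."""
    try:
        parse_safely(xml_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("intended  :", parse_safely(INTENDED))
    expanded = parse_unsafely(XEE)
    print(f"XEE probe : {len(XEE)} input bytes expand to {len(expanded)} bytes of summary")
    for name, doc in (("XXE", XXE), ("XEE", XEE)):
        print(f"{name} rejected by parse_safely: {is_rejected(doc)}")
```

    The expansion ratio printed for the three-level probe is what makes the slide's 687 GB figure plausible: every extra level multiplies the output by ten while adding a few dozen bytes of input. The byte-level DOCTYPE check assumes a UTF-8 (or ASCII-compatible) body; if the service accepts other encodings, run it on the decoded text or reject the declared encoding outright.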
  • 36. Page 36 XXE / XEE Demo XXE / XEE DEMO Watch it from minute 25 here: https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/ (NOTE: Wait for the video to fully load first)
  • 37. Page 37 Thank you! Armando Romeo armando@elearnsecurity.com Abraham Aranguren abraham@elearnsecurity.com Cool