Devouring Security XML Attack surface and Defences
Transcript of Devouring Security XML Attack surface and Defences
Devouring Security
Marudhamaran Gunasekaran
XML Attack surface and Defences
Overreacting to Risk
I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.
- Bruce Schneier
https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
Disclaimer
Techniques and tools in this presentation should be used or applied to an application only with the prior consent of the application's owner. Illegal otherwise.
Xml today
• Network protocols – SOAP, XMLRPC, REST
• Data exchange – modern databases
• Configuration files – java beans, .net config ..
• Document/image formats – SVG, RSS, Atom
Xpath Injection Anatomy
Blind Xpath Injection exists as well
More:
https://www.owasp.org/index.php/Blind_XPath_Injection
http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf
Mitigations
• Rejecting requests that contain XPath metacharacters: < > / ' = "
• Variables with XSLT transformation
• Linq to Xml without Xpath queries (.Net)
• Xquery implementations (Saxon parser for Java & .Net)
Java Xpath injection mitigation with XPathVariableResolver (Java)
Xpath with Variables
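An added example (not code from the slides) of the XPathVariableResolver mitigation: the query is a constant and user input reaches the engine only as bound variable values. The sample user document, the class names and the login helpers are constructed for the example; it is contrasted with the string-concatenation pattern from the anatomy slide, which already breaks on an ordinary apostrophe.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathVariableDemo {
    // Constructed sample data; a real application would load its own user store.
    private static final String USERS_XML = "<users>"
        + "<user><name>alice</name><pin>1234</pin></user>"
        + "<user><name>o'brien</name><pin>9999</pin></user></users>";

    // Maps $name and $pin to the caller-supplied values. The resolver hands them to
    // the engine as XPath string objects, so they are never re-parsed as query syntax.
    static final class LoginVariables implements XPathVariableResolver {
        private final Map<String, String> values;
        LoginVariables(String name, String pin) { values = Map.of("name", name, "pin", pin); }
        @Override public Object resolveVariable(QName var) { return values.get(var.getLocalPart()); }
    }

    // Safe: constant expression, input arrives only through $name and $pin.
    static boolean loginWithVariables(Document doc, String name, String pin) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new LoginVariables(name, pin));
        return (Boolean) xpath.evaluate("boolean(/users/user[name=$name and pin=$pin])", doc, XPathConstants.BOOLEAN);
    }

    // Unsafe pattern from the anatomy slide: input spliced into the query text, so an
    // apostrophe in the value changes the structure of the expression itself.
    static boolean loginByConcatenation(Document doc, String name, String pin) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "boolean(/users/user[name='" + name + "' and pin='" + pin + "'])";
        return (Boolean) xpath.evaluate(expr, doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
        System.out.println("variables: " + loginWithVariables(doc, "o'brien", "9999"));
        try {
            loginByConcatenation(doc, "o'brien", "9999");
        } catch (XPathExpressionException e) {
            System.out.println("concatenation: query is no longer well-formed: " + e.getMessage());
        }
    }
}
```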
Xpath injection mitigation with IXsltContextVariable (.Net)
Xpath with Variables
Xpath injection mitigation with Input filtering
Xpath injection mitigation with Linq to Xml (.Net)
Linq to Xml: Xpath injection vulnerable
Linq to Xml: Xpath injection proof
DTDs
• Document Type Definition
Entity Declarations
http://www.xmlmaster.org/en/article/d01/c03/
Billion Laughs (aka Xml Bomb)
http://en.wikipedia.org/wiki/Billion_laughs
Billion Laughs (Demo)
External Entity Expansions
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
```xml
<!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">
```

```csharp
using System.Web;

// Handler behind the entity's URL (from the MSDN article above): it streams a body
// that never ends, so a parser that resolves the external entity keeps reading and
// buffering without bound.
public class DoS : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        byte[] data = new byte[1000000];
        for (int i = 0; i < data.Length; i++)
        {
            data[i] = (byte)'A';
        }
        while (true)
        {
            context.Response.OutputStream.Write(data, 0, data.Length);
            context.Response.Flush();
        }
    }

    public bool IsReusable { get { return false; } }
}
```
External Entity expansion mitigation (.Net)
Potentially Vulnerable:

```csharp
// LoadXml on a plain XmlDocument processes any DTD in the input, including external entities.
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(xmlInput);
```

Mitigated:

```csharp
XmlDocument xmlDoc = new XmlDocument();
XmlTextReader reader = new XmlTextReader(new MemoryStream(Encoding.UTF8.GetBytes(xmlInput)));
reader.ProhibitDtd = true;   // a DOCTYPE in the input now raises an XmlException instead of being processed
xmlDoc.Load(reader);
```
External Entity expansion mitigation (JAXP)
Directory browsing and file access (JAXB)
```java
import javax.xml.bind.*;
import javax.xml.stream.*;
import javax.xml.transform.stream.StreamSource;

public class Demo {
    public static void main(String[] args) throws Exception {
        // Customer is the JAXB-annotated class being unmarshalled; its source is not on the slide.
        JAXBContext jc = JAXBContext.newInstance(Customer.class);

        // Build the StAX reader ourselves so we control its security settings,
        // instead of letting the Unmarshaller create a default (entity-resolving) parser.
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));

        // Unmarshal through the hardened reader, then print the result.
        Unmarshaller unmarshaller = jc.createUnmarshaller();
        Customer customer = (Customer) unmarshaller.unmarshal(xsr);
        Marshaller marshaller = jc.createMarshaller();
        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
        marshaller.marshal(customer, System.out);
    }
}
```
More: http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb
DOS attack and safe/vulnerable .Net versions
• .Net framework 2.0.50727.5477 or higher
• .Net framework 4.0.30319.34011 or higher
• .Net framework 2.0.50727.5420 or lower
• .Net framework 4.0.30319.1 or lower
• .Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?
• .Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?
Lessons learned
1. Keep your operating systems and frameworks up to date
2. Don’t let your server headers reveal too much information
3. Be vigilant about the framework’s default settings
References / Further reading
• http://www.lynda.com/XML-tutorials/Understanding-XML-usage-today/782/47912-4.html
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3925
• http://secpod.org/blog/?p=1337
• http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf
• https://www.owasp.org/index.php/XPATH_Injection_Java
• https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250
• http://www.xmlmaster.org/en/article/d01/c03/