Lesser Known Injections XML Injections AMol NAik.

Posted on 18-Jan-2016


Lesser Known Injections: XML Injections

AMol NAik

About me

- Web Application Pentester
- Core member of Garage4Hackers
- Bounty Hunter in the past
- Currently fuzzing browsers for Fun & Profit

Garage4Hackers

- Family of 3,800, 8k+ posts
- 40+ best Bug Bounty submissions
- 15+ browser bugs in Chrome, IE, FF & Safari
- ASLR bypass method presented at CanSecWest was already shared on the G4H forum
- 5+ Information Security Research projects (cable TV & Datacard)
- 10+ Tools & scripts, 1+ Web application CTF
- Ranchhoddas Webcast Series: 5+ webinars
- Follow us on Twitter @garage4hackers

Agenda

- XML Basics
- XML Injection
- XXE Attack
- XPath Basics
- XPath Injections

"XXE is the new SQL Injection" - Someone on Twitter

XML Injection in the Real World

- Yandex pwned for $5000 with XXE by @d0znpp
- OpenID XXE by Reginaldo Silva
- Multiple XXE bugs by the @Securatary team
- XXE in Google Toolbar by the Detectify team - $10k

XML Basics

- eXtensible Markup Language
- Flexible text-based format
- Presents structured info
- Used for Data Exchange/Storage

XML Components

XML - CDATA Section

Tells the parser not to treat the characters in this section as markup. Examples:

XML Injections

Injection Points

XML Injection - Node Attribute

XML Injection - Node Value

XML Injection - CDATA Section

XXE Attack

XML Entity

- Variable
- Define
- Can be Internal/External


XPath Basics

- Language to select XML nodes
- Formats XML data as tree-structured values
- Similar to SQL (in some sense)

XPath Syntax

Uses path expressions to select nodes or node-sets in an XML document.

Expression   Description
nodename     Selects all child nodes of the named node
/            Selects from the root node
//           Selects nodes from the current node that match the selection, no matter where they are
.            Selects the current node
..           Selects the parent of the current node

XPath Predicates

Used to find a specific node or a node that contains a specific value. Always embedded in square brackets.

Expression                           Result
/Employees/Employee[1]               Selects the first 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[last()]          Selects the last 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[position()<3]    Selects the first 2 'Employee' elements that are children of the 'Employees' element
//Employee[@ID='1']                  Selects all 'Employee' elements that have an attribute named 'ID' with a value of '1'

XPath Location Path

Syntax: axisname::nodetest[predicate]

Example                 Result
child::Employee         Selects all 'Employee' nodes that are children of the current node
attribute::id           Selects the id attribute of the current node
child::*                Selects all children of the current node
attribute::*            Selects all attributes of the current node
child::text()           Selects all text child nodes of the current node
child::node()           Selects all child nodes of the current node
descendant::Employees   Selects all 'Employees' descendants of the current node

XPath Injection

XPath Query: /Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()

No UserName & Password known:

UserName known: /Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text()

No UserName & Password known & Password is not vulnerable:
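The login lookup from the XPath Injection slides, written two ways as an added example (Ruby with the bundled REXML library; the employee document, user names and passwords are constructed for the demo and are not from the slides). The first function splices the submitted values into the query string exactly as the slide's query does, so the UserName-known input `mbrown' or '1'='1` returns the account type without a valid password; the second binds the values as XPath variables, which the engine compares as plain strings.

```ruby
require "rexml/document"

# Constructed employee store for the demo (not from the slides).
EMPLOYEES_XML = <<~XML
  <Employees>
    <Employee ID="1">
      <UserName>mbrown</UserName>
      <Password>s3cret</Password>
      <Type>admin</Type>
    </Employee>
    <Employee ID="2">
      <UserName>jdoe</UserName>
      <Password>hunter2</Password>
      <Type>user</Type>
    </Employee>
  </Employees>
XML

DOC = REXML::Document.new(EMPLOYEES_XML)

# Vulnerable: the submitted values are interpolated into the query string,
# so a quote in the input closes the literal and the rest is parsed as XPath.
# Returns the account Type on a match, nil otherwise.
def lookup_type_vulnerable(user, passwd)
  query = "/Employees/Employee[UserName/text() = '#{user}' and " \
          "Password/text() = '#{passwd}']/Type/text()"
  node = REXML::XPath.first(DOC, query)
  node && node.value
end

# Fixed: the values are passed as XPath variables ($u, $p). REXML compares
# them as string values, so a quote in the input is just part of the name.
def lookup_type_safe(user, passwd)
  query = "/Employees/Employee[UserName/text() = $u and " \
          "Password/text() = $p]/Type/text()"
  node = REXML::XPath.first(DOC, query, {}, { "u" => user, "p" => passwd })
  node && node.value
end

if __FILE__ == $PROGRAM_NAME
  payload = "mbrown' or '1'='1"   # the UserName-known input from the slides
  puts "vulnerable: #{lookup_type_vulnerable(payload, 'anything').inspect}"
  puts "safe:       #{lookup_type_safe(payload, 'anything').inspect}"
end
```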

Conclusion

- XML Injections are ignored
- Many sites have these issues

That's It !!

AMol NAik (@amolnaik4)

amolnaik4@garage4hackers.com

References

- XPath Injection
- Hacking XPath 2.0
- Blind XPath Injection