Lesser Known Injections: XML Injections
AMol NAik
About me
- Web Application Pentester
- Core member of Garage4Hackers
- Bounty Hunter in the past
- Currently fuzzing browsers for Fun & Profit
Garage4Hackers
- Family of 3,800, posts 8k+
- 40+ best Bug Bounty submissions
- 15+ browser bugs in Chrome, IE, FF & Safari
- ASLR bypass method presented at CanSecWest was already shared on G4H forum
- 5+ Information Security Research projects (cable TV & Datacard)
- 10+ Tools & scripts, 1+ Web application CTF
- Ranchhoddas Webcast Series – 5+ webinars
- Follow us on Twitter @garage4hackers
Agenda
- XML Basics
- XML Injection
- XXE Attack
- XPath Basics
- XPath Injections
"XXE is the new SQL Injection" - Someone on Twitter
XML Injection in the Real World
- Yandex pwned for $5000 with XXE by @d0znpp
- OpenID XXE by Reginaldo Silva
- Multiple XXE bugs by the @Securatary team
- XXE in Google Toolbar by the Detectify team - $10k
XML Basics
- eXtensible Markup Language
- Flexible text-based format
- Presents structured information
- Used for data exchange and storage
XML ComponentsXML Components
XML – CDATA Section
Tells the parser not to treat the characters in this section as markup (everything up to the closing "]]>" is plain character data).
Examples:
XML Injections
Injection Points
XML Injection – Node Attribute
XML Injection – Node Value
XML Injection – CDATA Section
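The three injection points above (node attribute, node value, CDATA section) in one runnable example. This is an added example, not code from the slides: a builder that concatenates user input into the markup, next to the same builder with each value escaped for the context it lands in, and a consumer that parses the result. The element names (User, Name, Bio, Role), the payloads and the sample values are constructed for this demo.

```python
# Added example (not from the slides): node attribute, node value and CDATA
# injection against a string-concatenating XML builder, and the escaped form.
# Element names and payloads below are constructed for this demo.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


def render_naive(uid, name, bio):
    """Vulnerable: uid lands in an attribute, name in element text, bio in a CDATA
    section, all unescaped."""
    return (f'<User id="{uid}"><Name>{name}</Name>'
            f'<Bio><![CDATA[{bio}]]></Bio><Role>user</Role></User>')


def cdata_safe(text):
    """The only sequence that ends a CDATA section is ']]>'; split it over two sections."""
    return text.replace("]]>", "]]]]><![CDATA[>")


def render_escaped(uid, name, bio):
    """Same document, each value escaped for the context it is placed in:
    quoteattr() for the attribute, escape() for element text, cdata_safe() for CDATA."""
    return (f'<User id={quoteattr(uid)}><Name>{escape(name)}</Name>'
            f'<Bio><![CDATA[{cdata_safe(bio)}]]></Bio><Role>user</Role></User>')


def consume(xml_text):
    """What a downstream consumer sees after parsing: attributes, child element
    order, the first Role, and the Name and Bio text."""
    user = ET.fromstring(xml_text)
    return {
        "attrs": dict(user.attrib),
        "children": [child.tag for child in user],
        "role": user.findtext("Role"),
        "name": user.findtext("Name"),
        "bio": user.findtext("Bio"),
    }


# Constructed payloads, one per injection point.
ATTR_PAYLOAD = '7" admin="true'                                # adds an attribute the template never had
VALUE_PAYLOAD = "eve</Name><Role>admin</Role><Name>"           # closes <Name>, puts a <Role> before the real one
CDATA_PAYLOAD = "hi]]></Bio><Role>admin</Role><Bio><![CDATA["  # ends the CDATA section and <Bio>


if __name__ == "__main__":
    cases = [("attribute", (ATTR_PAYLOAD, "eve", "hi")),
             ("value", ("7", VALUE_PAYLOAD, "hi")),
             ("cdata", ("7", "eve", CDATA_PAYLOAD))]
    for label, args in cases:
        print(label, "naive:  ", consume(render_naive(*args)))
        print(label, "escaped:", consume(render_escaped(*args)))
```

With the naive builder the value payload makes the consumer's first Role read "admin", the CDATA payload does the same by closing the section and the Bio element, and the attribute payload adds an admin attribute; note that a payload which repeats an attribute already in the tag (id="7" id="...") would be rejected by a conformant parser as a duplicate attribute, so attackers add new attributes or break out of the element instead. After escaping, every payload survives only as literal text or attribute value.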
XXE AttackXXE Attack
XML Entity
- Works like a variable: declared in the DTD and referenced by name (&name;)
- Can be internal (the value is given in the declaration) or external (the value is loaded from a SYSTEM or PUBLIC identifier)
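The XXE attack itself, as an added example that is not from the slides: an external general entity with a file:// SYSTEM identifier is referenced inside element text, and the document is parsed once with external entity resolution enabled and once with it disabled. The parser is Python's xml.sax (expat underneath); the secret file, its content and the element names are constructed for this demo and stand in for the /etc/passwd read of the classic payload.

```python
# Added example (not from the slides): classic XXE local file read with Python's
# xml.sax, with external entities enabled (vulnerable) and disabled (hardened).
# The secret file and its content are constructed for this demo.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

SECRET = "db_password=hunter2\n"  # constructed stand-in for a sensitive local file


def xxe_payload(path):
    """Document whose <name> element expands an external entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [\n'
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        ']>\n'
        '<data><name>&xxe;</name></data>\n'
    )


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data, i.e. whatever the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_name(xml_text, resolve_external_entities):
    """Return the text of <name>. With external entities on, the parser fetches the
    file named by the entity's SYSTEM identifier and returns its content as text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.chunks).strip()


def demo():
    """Returns (text seen by the vulnerable parser, text seen by the hardened parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as secret_file:
        secret_file.write(SECRET)
    try:
        payload = xxe_payload(secret_file.name)
        leaked = parse_name(payload, resolve_external_entities=True)
        blocked = parse_name(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_file.name)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(blocked))
```

Python 3.7.1 and later leave this feature off by default, which is why the example sets it explicitly; the same switch exists in other parsers (lxml's XMLParser(resolve_entities=False), Java's DocumentBuilderFactory features), and leaving it off is the fix. The file:// URL is built from an absolute POSIX path, so the block assumes a Unix-like host.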
XPath Basics
- Language for selecting nodes from an XML document
- Treats the XML document as a tree of nodes
- Similar to SQL (in some sense)
XPath Syntax
Uses path expressions to select nodes or node-sets in an XML document.
Expression   Description
nodename     Selects all child elements of the current node with that name
/            Selects from the root node
//           Selects matching nodes anywhere below the current node, at any depth
.            Selects the current node
..           Selects the parent of the current node
XPath Predicates
Used to find a specific node, or a node containing a specific value. Always enclosed in square brackets.
Expression                           Result
/Employees/Employee[1]               Selects the first 'Employee' element that is a child of 'Employees'
/Employees/Employee[last()]          Selects the last 'Employee' element that is a child of 'Employees'
/Employees/Employee[position()<3]    Selects the first two 'Employee' elements that are children of 'Employees'
//Employee[@ID='1']                  Selects all 'Employee' elements that have an attribute named 'ID' with the value '1'
XPath Location Path
Syntax: axisname::nodetest[predicate]
Example                  Result
child::Employee          Selects all 'Employee' elements that are children of the current node
attribute::id            Selects the 'id' attribute of the current node
child::*                 Selects all child elements of the current node
attribute::*             Selects all attributes of the current node
child::text()            Selects all text-node children of the current node
child::node()            Selects all child nodes of the current node, whatever their type
descendant::Employees    Selects all 'Employees' descendants of the current node
XPath Injection
XPath Query: /Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()
Neither UserName nor Password known:
UserName known: /Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text()
In XPath, 'and' binds tighter than 'or', so this reads as UserName = 'mbrown' or ('1'='1' and Password = 'anything'), which is true for mbrown's node whatever the password is.
Neither UserName nor Password known, and the Password field is not injectable:
Conclusion
- XML injections are often ignored
- Many sites have these issues
That's It !!
AMol NAik
@amolnaik4
amolnaik4@garage4hackers.com