XXE Exposed XML eXternal Entity vulnerabilities Armando Romeo – Abraham Aranguren eLearnSecurity SRL www.elearnsecurity.com

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services


DESCRIPTION

XXE Exposed Webinar Slides: Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD) Full recording here: NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25 https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/


Page 1: XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

XXE Exposed

XML eXternal Entity vulnerabilities

Armando Romeo – Abraham Aranguren

eLearnSecurity SRL

www.elearnsecurity.com

Page 2

MENU

Introduction

DEMO

Q/A + Surprise

Page 3

Meet our author

Abraham Aranguren

Project founder and leader of OWASP OWTF

7+ years in Web App Security research and consulting

Speaker at top European IT Security events

Co-creator of VSA along with Mario Heiderich and Gareth Heyes

Author of Practical Web Defense

The most comprehensive training course on web app security

Launched in November 2013

Presenter

Page 4

Agenda

Web Service Types

SQLi on Web Services

XSS on Web Services

XXE / XEE on Web Services

XXE / XEE Demo

Q & A

Page 5

Web Service Types

Major Web Service Types:

Abbreviation   Stands for
XML-RPC        XML Remote Procedure Call (RPC family)
JSON-RPC       JSON Remote Procedure Call (RPC family)
SOAP           Simple Object Access Protocol
REST           Representational State Transfer
BPEL           Business Process Execution Language
WCF            Windows Communication Foundation

More in-depth examples, labs, videos, etc. on:

«Practical Web Defense»

https://www.elearnsecurity.com/PWD

Page 6

Web Service Example

Basic Example:

• «Find a player web service»

• Web service returns matches from a database

Request: the “Web service client” sends the message “Find a player”

Web service server:

1) Search player

2) Return matches

Response: the web service server sends back the message “Player matches”

Page 7

In this webinar:

• Web service = Process request + Return response

• Web service = «the function», «find a player»

• Web service type = «the envelope», «HOW to call the function»

• Vulnerabilities are often in «the function»:

IF SO, Web Service attacks work against ALL types

NOT in this webinar:

• Vulnerabilities can also be in processing of «the envelope»

http://www.ws-attacks.org/

Web Service Types

Page 8

XML-RPC Request Example

“Find a player” in “XML-RPC speak”

POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>Simon</string>
      </value>
    </param>
  </params>
</methodCall>

Page 9

JSON-RPC Request Example

“Find a Player” in “JSON-RPC speak”

POST /json_rpc_web_service HTTP/1.1
Host: example.com
...

{
  "method": "FindPlayer",
  "params": [ "Simon" ],
  "id": 1
}

Page 10

SOAP Request Example

“Find a Player” in “SOAP speak”

POST /soap_web_service HTTP/1.1
Host: example.com
...

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
              xmlns:ns1="http://example.com/soap_web_service"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
      <name xsi:type="xsd:string">Simon</name>
    </ns1:FindPlayer>
  </env:Body>
</env:Envelope>

Page 11

RESTful Request Example

«Find a Player» in «RESTful speak»

GET /restful_web_service/Find_player/Simon HTTP/1.1
Host: example.com
...

Page 12

For our purposes:

• The function can be the same:

«Find a Player»

• The attacks can be the same:

SQLi, XSS, XXE, etc.

• What changes is «the envelope»:

«How to invoke the function»

In our example:

«HOW to call the web service to find a player»

Web Service Types: Summary
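The summary above is easiest to see in code: one «function» (find a player) and several «envelopes» that merely carry the call. The following Python program is an added example, not code from the webinar or from eLearnSecurity; the unwrap_* helpers, the dispatch table and the sample player list are constructed for it, while the request shapes follow the XML-RPC, JSON-RPC and RESTful examples on pages 8, 9 and 11.

```python
# Added example (not from the slides): one «function» (find_player), three
# «envelopes». The unwrap_* helpers and the sample data are constructed for
# this example; the request shapes follow the deck's pages 8, 9 and 11.
import json
import xml.etree.ElementTree as ET
from urllib.parse import unquote

PLAYERS = ["Simon", "Simone", "Joey"]   # constructed stand-in for the database


def find_player(name: str) -> list:
    """«The function»: identical whatever envelope delivered the call."""
    return [p for p in PLAYERS if name.lower() in p.lower()]


def unwrap_xmlrpc(body: bytes) -> tuple:
    """XML-RPC envelope: <methodCall><methodName/><params><param><value><string/>..."""
    root = ET.fromstring(body)
    method = root.findtext("methodName")
    params = [v.text or "" for v in root.iterfind("params/param/value/string")]
    return method, params


def unwrap_jsonrpc(body: str) -> tuple:
    """JSON-RPC envelope: {"method": ..., "params": [...], "id": ...}"""
    msg = json.loads(body)
    return msg["method"], list(msg["params"])


def unwrap_rest(path: str) -> tuple:
    """RESTful envelope: /restful_web_service/<method>/<argument> in the URL path."""
    parts = path.strip("/").split("/")
    return parts[-2], [unquote(parts[-1])]


METHODS = {"FindPlayer": find_player, "Find_player": find_player}


def dispatch(method: str, params: list) -> list:
    """Route the unwrapped call to «the function»; unknown methods are refused."""
    handler = METHODS.get(method)
    if handler is None:
        raise ValueError(f"unknown method {method!r}")
    return handler(*params)


# Constructed requests, one per envelope.
XMLRPC_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params><param><value><string>Simon</string></value></param></params>
</methodCall>"""

JSONRPC_REQUEST = '{"method": "FindPlayer", "params": ["Simon"], "id": 1}'

REST_REQUEST = "/restful_web_service/Find_player/Simon"


if __name__ == "__main__":
    for label, call in [("XML-RPC", unwrap_xmlrpc(XMLRPC_REQUEST)),
                        ("JSON-RPC", unwrap_jsonrpc(JSONRPC_REQUEST)),
                        ("REST", unwrap_rest(REST_REQUEST))]:
        print(label, "->", dispatch(*call))
```

All three calls reach the same find_player, which is exactly why an injection flaw inside «the function» is reachable through every envelope. Note that unwrap_xmlrpc parses XML, so the pre-parse checks the deck discusses under XXE / XEE apply to it as well.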

Page 13

Definitions:

SQLi = SQL Injection

XSS = Cross Site Scripting

XXE = XML eXternal Entity

What do SQLi, XSS and XXE have in common?

• They are all «Injection» attacks

• Injection attacks = Number 1 Web Risk

https://www.owasp.org/index.php/Top_10_2013-A1-Injection

Usual culprits:

• String concatenations

• XML parsers

• Home rolled parsers

SQLi, XSS and XXE?

Page 14

SQL Injection (SQLi) 101:

• User input can change the SQL query

• «input» is «injected» into the «SQL query»

• Usually due to string concatenations:

«SELECT ... WHERE id = input»

SQL Injection on Web Services:

• Usually the same as SQLi on Web Applications.

• Difference = Attack encoded according to «the envelope»

Why?

Break XML/JSON = Web Service cannot see/process the message

REMEMBER: Encoding is easy ☺

https://hackvertor.co.uk/public

SQLi on Web Services

Page 15

SQLi: XML-RPC Web Service

Page 16

POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>Simon</string>
      </value>
    </param>
  </params>
</methodCall>

SQLi: Legit XML-RPC Request

Page 17

POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>zz&apos; union all ...</string>
      </value>
    </param>
  </params>
</methodCall>

SQLi: XML-RPC SQLi Attack

Page 18

Query:

NOTE: String concatenation!

SELECT * FROM players WHERE name LIKE '%{$player}%'

Intended usage:

• Player: Simon

• XML-RPC call snippet:

<string>Simon</string>

• Query becomes:

SELECT * FROM players WHERE name LIKE '%Simon%'

SQLi attack:

• Player: zz' union all ...

• XML-RPC call snippet:

NOTE: XML-encoded single quote (') = &apos;

<string>zz&apos; union all ... </string>

• Query becomes:

SELECT * FROM players WHERE name LIKE '%zz' union all ... %'

SQLi: XML-RPC Explanation

Page 19

Usual SQLi Impact:

• The attacker can run arbitrary SQL code

• Dumping the whole database, Sometimes code execution, etc.

Root cause: Code + Data = Code

• Code: SELECT * FROM players WHERE name LIKE '%%'

• + Data (i.e. user input): $player

• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'

• «Data» is executed as «Code» (All Injection attacks work like this)

How to fix: Separate «code» from «data» as aggressively as possible

• BEST: Bind variables aka «Parameterized queries» → Always do this if you can!

• 2nd BEST: Escaping → Sometimes the only option (think legacy), be careful

• 3rd BEST: Strict validation → Only do this in addition to binding/escaping

• More info:

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

SQLi Mitigation: Basics

Page 20

REMEMBER: Bind variables > Escaping

IF you have to use escaping make sure that:

1) you use the DBMS function for that:

i.e. Escape MySQL using a MySQL-specific function, etc.

AND

2) You put quotes around the value you are escaping!

Our example:

Could be fixed, using escaping, like:

SQLi Mitigation: On Escaping
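The page-18 query and the two mitigations of pages 19 and 20, worked through in Python with an in-memory SQLite database. This is an added example, not the webinar's own (PHP) code: the tables, rows, function names and the completed UNION payload are constructed for it, and sqlite_escape stands in for the DBMS-specific escape function the slide asks for.

```python
# Added example (not from the slides): the page-18 query in Python/SQLite,
# once with string concatenation, once with bind variables and once with
# DBMS-style escaping plus quotes. Tables, rows and names are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the deck's players database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE players (name TEXT);
        INSERT INTO players VALUES ('Simon'), ('Joey');
        CREATE TABLE api_keys (secret TEXT);
        INSERT INTO api_keys VALUES ('constructed-secret-0001');
        """
    )
    return conn


def find_player_concat(conn: sqlite3.Connection, player: str) -> list:
    """Vulnerable: Code + Data = Code. The input is pasted into the SQL text."""
    query = f"SELECT name FROM players WHERE name LIKE '%{player}%'"
    return [row[0] for row in conn.execute(query)]


def find_player_bound(conn: sqlite3.Connection, player: str) -> list:
    """BEST: bind variable. The wildcard pattern is data and never becomes SQL."""
    query = "SELECT name FROM players WHERE name LIKE ?"
    return [row[0] for row in conn.execute(query, ("%" + player + "%",))]


def sqlite_escape(value: str) -> str:
    """2nd BEST: the DBMS's own string-literal rule (SQLite doubles single quotes)."""
    return value.replace("'", "''")


def find_player_escaped(conn: sqlite3.Connection, player: str) -> list:
    """Escaping only works because the escaped value sits *inside* quotes."""
    query = "SELECT name FROM players WHERE name LIKE '%" + sqlite_escape(player) + "%'"
    return [row[0] for row in conn.execute(query)]


# The page-18 payload, completed with a constructed UNION against the other
# table; the trailing "--" comments out the  %'  left over from the query.
INJECTION = "zz' UNION ALL SELECT secret FROM api_keys --"


if __name__ == "__main__":
    conn = make_db()
    print("concat :", find_player_concat(conn, INJECTION))   # leaks api_keys
    print("bound  :", find_player_bound(conn, INJECTION))    # []
    print("escaped:", find_player_escaped(conn, INJECTION))  # []
```

With concatenation the query becomes SELECT name FROM players WHERE name LIKE '%zz' UNION ALL SELECT secret FROM api_keys --%' and the second table is returned; with a bind variable or with a correctly quoted, DBMS-escaped value the whole payload is just a LIKE pattern that matches nothing.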

Page 21

XSS Intro

Three major types of XSS:

• (Server-Side) Reflected:

The XSS payload is displayed back from the request

• (Server-Side) Stored:

The XSS payload is

1) stored (i.e. in a DB)

2) Displayed back

• (JavaScript-Side) DOM-based:

The XSS payload is evaluated as JavaScript, from JavaScript code

Cross Site Scripting (XSS) 101:

• User input can change the HTML page OR JavaScript

• «input» is «injected» into the «Page»

• Run JavaScript under «victim domain» = session hijacking, etc.

• Usually due to string concatenations:

«<html><body>....input...</body></html>»

Page 22

XSS against RESTful web services can sometimes be like XSS on web apps:

XSS on RESTful Web Services

Page 23

XSS on RESTful Web Services

Proof of concept:

XSS=$(php -r "echo urlencode(\"<svg onload=alert(1)>\");")

curl -i "http://localhost/findplayer/$XSS"

OR directly:

http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E

Returns:

HTTP/1.1 200 OK

..

Content-Type: text/html

Your search: <svg onload=alert(1)> Matches: ...

NOTE:

Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺

Page 24

But, more commonly, XSS on Web Services happens in two stages:

1) The web service saves the data → NOT the problem

2) The data is displayed (insecurely) by a web app → THE problem

XSS on Web Services:

• Usually the same as Persistent XSS on Web Applications.

• Difference = Attack encoded according to «the envelope»

Why?

Break XML/JSON = Web Service cannot see/process the message

REMEMBER: Encoding is easy ☺

https://hackvertor.co.uk/public

XSS on most Web Services

Page 25

POST /json_rpc_web_service HTTP/1.1
Host: example.com
...

{
  "method": "FindPlayer",
  "params": [ "Simon" ],
  "id": 1
}

JSON-RPC Request Example

Page 26

NOTE: Encode according to «the envelope», JSON-RPC = JSON encode

XSS=$(php -r "echo json_encode(\"<svg onload=alert(1)>\");")

POST /json_rpc_web_service HTTP/1.1
Host: example.com
...

{
  "method": "FindPlayer",
  "params": [ "<svg onload=alert(1)>" ],
  "id": 1
}

JSON-RPC XSS Attack

Page 27

XSS Mitigation

XSS Mitigation 101:

• Solution != Validation (i.e. Business requires «risky» characters, etc.)

• Solution = Output Encoding in the right context

• ALWAYS use validation in addition to output encoding.

• As with all Injection attacks, the problem is when:

Code + Input = Code

• Usual culprit aka “right place to fix”

String concatenations on code that renders/builds HTML/JavaScript

NOTE: Usually on the web app, rarely on the web service.

• More info (recommended reading):

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Page 28

XSS Mitigation Example

XSS Mitigation 101 = Output Encoding in the right context, using the relevant platform function for such purpose. i.e. htmlentities in PHP.

Vulnerable example:

Fixed example (in this context!):

Safe Output:

Your search: &lt;svg onload=alert(1)&gt; Matches: ...

Unsafe Output:

Your search: <svg onload=alert(1)> Matches: ...
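The two-stage flow of page 24 and the output-encoding fix of page 28, as an added Python example (the webinar's own fix is PHP's htmlentities, for which html.escape is the stand-in here). Stage 1 decodes the JSON-RPC envelope and stores the value unchanged; stage 2 is the web app that renders it, once by concatenation and once encoded for the HTML context. Function names and the sample envelope are constructed for this example.

```python
# Added example (not from the slides): stage 1 (web service stores data) and
# stage 2 (web app renders it), with unsafe and safe rendering side by side.
import html
import json


def store_from_envelope(jsonrpc_body: str, store: list) -> str:
    """Stage 1 (web service): decode according to «the envelope» and save. NOT the problem."""
    msg = json.loads(jsonrpc_body)
    name = msg["params"][0]
    store.append(name)          # stored verbatim, as a database would
    return name


def render_unsafe(search: str) -> str:
    """Stage 2, vulnerable: Code (HTML) + Input = Code."""
    return "Your search: " + search + " Matches: ..."


def render_safe(search: str) -> str:
    """Stage 2, fixed for the HTML body context: encode on output, not on input."""
    return "Your search: " + html.escape(search, quote=True) + " Matches: ..."


def render_json(search: str) -> str:
    """The same data in an application/json response needs JSON encoding, not HTML encoding."""
    return json.dumps({"search": search})


# Constructed JSON-RPC envelope carrying the page-26 payload.
JSONRPC_ATTACK = json.dumps(
    {"method": "FindPlayer", "params": ["<svg onload=alert(1)>"], "id": 1}
)


if __name__ == "__main__":
    db = []
    store_from_envelope(JSONRPC_ATTACK, db)
    print("Unsafe:", render_unsafe(db[0]))
    print("Safe:  ", render_safe(db[0]))
    print("JSON:  ", render_json(db[0]))
```

The stored value is the same in both cases; only the rendering step decides whether the browser sees markup or text, which is why the fix belongs in the web app's output code rather than in the web service's input handling.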

Page 29

XXE / XEE Intro

XML Entity (XXE / XEE) attacks 101:

• User input can change the parsed XML, «the XML the app will see»

• «input» is «injected» into the «parsed XML»

• Usually due to a default XML parser feature:

XML (External / Inline) Entities

Two major types of attacks:

• XXE = Path Traversal = Read system files, source code, etc.

• XEE = Denial of Service = Crash the web server

Interesting attack variants:

• Internal network HTTP requests

• PHP / Java wrappers

• Remote Code Execution (RCE) in some edge cases

• Etc.

Page 30

XXE / XEE = Subtle issues

XXE / XEE = Attacks against the XML parser, the code might «look safe»

Scenario:

An NGO builds a «crime report» web service, this allows people to report

government abuse crimes anonymously.

Code:

Page 31

XEE attack XML File

XEE = XML Entity Expansion = Denial of Service (DoS) attack

Amplified XEE: «The billion laughs attack» / «recursive entity expansion»

XML File:

It will take … 687 GB of RAM to parse this document ..

Recommended watching: http://vimeo.com/73255656

Page 32

Intended XML File

XML File:

Web Service Code:

echo "Uploading Crime Report: {$xml->summary}..";

Web Service Output:

Uploading Crime Report: Joey is guilty..

Page 33

XXE attack XML File

XXE = External Entity attack = Path Traversal = Read files, etc.

XML File:

Web Service Code:

echo "Uploading Crime Report: {$xml->summary}..";

Web Service Output: → «summary» = «/etc/passwd» via XML parser!

Uploading Crime Report: root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….

Page 34

XXE / XEE: Mitigation

XXE and XEE attacks mitigation 101:

• Disable external entities

• Disable DOCTYPE declarations

• Prefer SAX over DOM parsers

• Validate XML files against schemas

• More info (recommended reading, especially links at the end):

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Page 35

XXE / XEE: Mitigation example

Vulnerable:

$xml = simplexml_load_string($request->getBody());

Fixed:

NOTE: Do ALL this before parsing

$xml_string = $request->getBody(); // the raw request body, checked before it is parsed

// Fix 1) Disable External Entities: Fixes XXE and *some* XEE
libxml_disable_entity_loader(true);

// Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
    die('Sorry, we do not support XML files greater than 5 KBs');

// Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string)))
    die('Unsupported XML file, sorry');

// NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
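The same three pre-parse checks, applied to the «crime report» service of pages 32 and 33, as an added Python example rather than the webinar's PHP: the size limit runs first so the DOCTYPE regex only ever sees bounded input, and the DOCTYPE check covers both XXE (external entities) and XEE (inline entity expansion) because entities can only be declared inside a DOCTYPE. The function names, the 5 KB limit and the sample documents (a legitimate report, a SYSTEM-entity report, a scaled-down recursive-expansion report and an oversized one) are constructed for this example.

```python
# Added example (not from the slides): a Python version of the deck's three
# pre-parse checks for the «crime report» web service. Names, limit and
# sample documents are assumptions made for this example.
import re
import xml.etree.ElementTree as ET
from typing import Optional

MAX_XML_BYTES = 1024 * 5                    # Fix 2: overall size limit (5 KB, as on the slide)
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def check_xml(xml_string: str) -> Optional[str]:
    """Return None if the document may be parsed, otherwise the reason to reject it."""
    # Fix 2 first: the regex below must never run on unbounded input.
    if len(xml_string.encode("utf-8")) > MAX_XML_BYTES:
        return "too large"
    # Fix 3: forbid any DOCTYPE. Whitespace is removed first, mirroring the
    # slide's preg_replace("/\s/", ''), then the match is case-insensitive.
    if DOCTYPE_RE.search(re.sub(r"\s", "", xml_string)):
        return "DOCTYPE forbidden"
    return None


def load_crime_report(xml_string: str) -> str:
    """Parse a report only after it passed check_xml(); return its <summary> text."""
    reason = check_xml(xml_string)
    if reason is not None:
        raise ValueError(f"Unsupported XML file: {reason}")
    # Fix 1 counterpart: xml.etree does not load external entities, and the
    # DOCTYPE check above already guarantees none can be declared.
    root = ET.fromstring(xml_string)
    return root.findtext("summary") or ""


# Constructed sample documents.
LEGIT_REPORT = "<report><summary>Joey is guilty</summary></report>"

XXE_REPORT = (
    '<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<report><summary>&xxe;</summary></report>"
)

# Scaled-down recursive entity expansion: tiny on the wire, 25 copies of
# "lol" once expanded; the real attack adds more levels.
XEE_REPORT = (
    "<!DOCTYPE report [\n"
    '  <!ENTITY lol "lol">\n'
    '  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">\n'
    '  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    "]>\n"
    "<report><summary>&lol2;</summary></report>"
)

OVERSIZED_REPORT = "<report><summary>" + "A" * (MAX_XML_BYTES + 1) + "</summary></report>"


if __name__ == "__main__":
    for label, doc in [("legit", LEGIT_REPORT), ("xxe", XXE_REPORT),
                       ("xee", XEE_REPORT), ("oversized", OVERSIZED_REPORT)]:
        reason = check_xml(doc)
        print(label, "->", reason if reason else "ok: " + load_crime_report(doc))
```

Rejecting the DOCTYPE outright is a stronger position than trying to distinguish harmless entity declarations from harmful ones; if a service genuinely needs a DOCTYPE, the remaining options on page 34 (disable external entities in the parser, validate against a schema) have to carry the load instead.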

Page 36

XXE / XEE Demo

XXE / XEE DEMO

Watch it from minute 25 here:

https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/

(NOTE: Wait for the video to fully load first)

Page 37

Thank you!

Armando Romeo

[email protected]

Abraham Aranguren

[email protected]
