Devouring Security XML Attack surface and Defences

by Marudhamaran Gunasekaran

Description

Agenda:
· XML today
· XML/XPath injection - Demo
· Compiled XPath queries
· DTD use and abuse
  - document validations
  - entity expansions
  - denial of service - Demo
  - arbitrary URI access (egress)
  - parameters
  - file enumeration and theft - Demo
  - CSRF on internal systems - Demo?
· Framework defaults, limits and restrictions
· Mitigations
· Lessons learned
· Verifying your XML systems for potential threats

Note:
1. All topics include sample code for the exploit and for its prevention, language (C#, Java, PHP) and platform (Windows/Linux) agnostic wherever possible.
2. It is imperative that you are aware of most attack scenarios against XML, because the framework defaults may not protect you: you may be vulnerable and simply not have found it yet.
3. The session is biased towards DTD abuse in XML systems, since the injection concepts and their remediation are largely the same as for SQL injection.

Transcript of Devouring Security XML Attack surface and Defences

Page 1: Devouring Security XML Attack surface and Defences

Devouring Security

Marudhamaran Gunasekaran

XML Attack surface and Defences

Page 2: Overreacting to Risk

I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.

- Bruce Schneier

https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html

Page 3: Disclaimer

The techniques and tools in this presentation should be applied to an application only with the prior consent of the application's owner. Doing so otherwise is illegal.

Page 4: XML today

• Network protocols – SOAP, XML-RPC, REST
• Data exchange – modern databases
• Configuration files – Java beans, .NET config ..
• Document/image formats – SVG, RSS, Atom

Page 5: XML injection demo

http://XmlAttacks:8080/WebGoat/attack

Page 6: XPath Injection Anatomy

Page 7: Blind XPath Injection exists as well

More:
https://www.owasp.org/index.php/Blind_XPath_Injection
http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf

Page 8: Mitigations

• Rejecting requests that contain XPath metacharacters: < > / ' = "
• Variables with XSLT transformation
• Linq to Xml without XPath queries (.Net)
• XQuery implementations (Saxon parser for Java & .Net)

Page 9: XPath injection mitigation with XPathVariableResolver (Java)


Page 10: XPath injection mitigation with XPathVariableResolver (Java)

XPath with Variables
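The slide itself only carries the screenshot, so the following is an added example (not the deck's own code) of what the XPathVariableResolver slide shows: the same login lookup written once by splicing user input into the query text and once with the input bound as the variables $user and $pass. The user store, the names alice/bob and the "' or '1'='1" payload are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathLoginDemo {

    // Constructed sample user store for this example, not from the original deck.
    private static final String USERS_XML =
        "<users>"
      + "  <user><name>alice</name><password>s3cret</password></user>"
      + "  <user><name>bob</name><password>hunter2</password></user>"
      + "</users>";

    private static Document load() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The user store carries no DTD, so refuse one outright (this also closes the XXE door).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
    }

    /** Vulnerable: user input becomes part of the XPath expression itself. */
    public static int loginUnsafe(String user, String pass) throws Exception {
        String query = "//user[name='" + user + "' and password='" + pass + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList hits = (NodeList) xp.evaluate(query, load(), XPathConstants.NODESET);
        return hits.getLength();
    }

    /** Mitigated: the expression is fixed; input reaches it only as the value of $user / $pass. */
    public static int loginSafe(String user, String pass) throws Exception {
        Map<String, String> vars = Map.of("user", user, "pass", pass);
        XPath xp = XPathFactory.newInstance().newXPath();
        // XPathVariableResolver has a single method, so a lambda serves as the resolver.
        xp.setXPathVariableResolver((QName name) -> vars.get(name.getLocalPart()));
        NodeList hits = (NodeList) xp.evaluate(
            "//user[name=$user and password=$pass]", load(), XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        String injected = "' or '1'='1";
        // With the payload in both fields the unsafe query becomes
        //   //user[name='' or '1'='1' and password='' or '1'='1']
        // and every user matches; the safe query compares the payload as a plain string.
        System.out.println("unsafe, valid creds : " + loginUnsafe("alice", "s3cret"));   // 1
        System.out.println("unsafe, injection   : " + loginUnsafe(injected, injected)); // 2
        System.out.println("safe, valid creds   : " + loginSafe("alice", "s3cret"));     // 1
        System.out.println("safe, injection     : " + loginSafe(injected, injected));   // 0
    }
}
```

Because the resolver is consulted at evaluation time, the fixed expression can also be compiled once with XPath.compile and reused across requests, which is the "compiled XPath queries" item of the agenda done safely.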

Page 11: XPath injection mitigation with IXsltContextVariable (.Net)

Xpath with Variables

Page 12: XPath injection mitigation with IXsltContextVariable (.Net)

Page 13: XPath injection mitigation with input filtering

Page 14: XPath injection mitigation with Linq to Xml (.Net)

Linq to Xml: XPath injection vulnerable

Linq to Xml: XPath injection proof

Page 15: DTDs

• Document Type Definition

Page 16: Document Type Definition

Page 17: Entity Declarations

http://www.xmlmaster.org/en/article/d01/c03/

Page 18: Billion Laughs (aka XML Bomb)

http://en.wikipedia.org/wiki/Billion_laughs

Page 19: Billion Laughs (Demo)

Page 20: External Entity Expansions

http://msdn.microsoft.com/en-us/magazine/ee335713.aspx

<!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">

    // Endpoint referenced by the external entity above: it streams 'A' bytes forever,
    // so a parser that resolves the entity never finishes reading it (MSDN example).
    public class DoS : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "text/plain";
            byte[] data = new byte[1000000];
            for (int i = 0; i < data.Length; i++)
            {
                data[i] = (byte)'A';
            }
            while (true)
            {
                context.Response.OutputStream.Write(data, 0, data.Length);
                context.Response.Flush();
            }
        }

        public bool IsReusable { get { return false; } }
    }

Page 21: External Entity expansion mitigation (.Net)

Potentially vulnerable (DTD processing and the default XmlResolver are on, so a SYSTEM entity in the input is fetched):

    XmlDocument xmlDoc = new XmlDocument();
    xmlDoc.LoadXml(xmlInput);

Mitigated (the reader refuses any DTD, so no entity can be declared in the first place):

    XmlDocument xmlDoc = new XmlDocument();
    XmlTextReader reader = new XmlTextReader(new MemoryStream(Encoding.UTF8.GetBytes(xmlInput)));
    reader.ProhibitDtd = true;
    // Load through the hardened reader rather than calling LoadXml on the raw string.
    xmlDoc.Load(reader);

Caveat: ProhibitDtd is obsolete from .NET 4.0; the equivalent is XmlReader.Create with XmlReaderSettings.DtdProcessing set to DtdProcessing.Prohibit.

Page 22: External Entity expansion mitigation (JAXP)
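This slide and the Billion Laughs demo (Page 19) only have screenshots, so here is an added example (not the deck's own code) of a JAXP DocumentBuilderFactory hardened against both DTD abuses discussed so far. The two payloads are constructed for the example: a three-level "laughs" bomb that is small enough for the default parser to finish, and a SYSTEM entity pointing at file:///etc/hostname (an http:// URL, the egress case, would be handled the same way). The feature URIs are the standard Xerces/JDK ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DtdHardening {

    // Constructed payload: 3 levels of 10, i.e. 1000 copies of "lol" (the real bomb uses 9 levels).
    static final String SMALL_LAUGHS =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<lolz>&lol3;</lolz>";

    // Constructed payload: external entity reading a local file (file theft); an http:// URI is egress.
    static final String XXE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<foo>&xxe;</foo>";

    /** Framework defaults: DTDs accepted, entities expanded, external entities fetched. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened. allowDtd=false refuses any DOCTYPE, which stops both attacks outright.
     * allowDtd=true is the fallback for documents that legitimately carry a DTD: external
     * entities and external DTD loading are switched off and secure processing caps the
     * number of internal entity expansions (JDK entityExpansionLimit).
     */
    static DocumentBuilderFactory hardenedFactory(boolean allowDtd) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (!allowDtd) {
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } else {
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        dbf.setXIncludeAware(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    /** Returns the root element's text length, or -1 if the parser refused the document. */
    static int parseTextLength(DocumentBuilderFactory dbf, String xml) throws Exception {
        try {
            Document d = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent().length();
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default, small laughs : " + parseTextLength(defaultFactory(), SMALL_LAUGHS));        // 3000
        System.out.println("hardened, small laughs: " + parseTextLength(hardenedFactory(false), SMALL_LAUGHS)); // -1
        System.out.println("hardened, xxe         : " + parseTextLength(hardenedFactory(false), XXE));          // -1
        // With a DTD allowed the external entity is skipped rather than read: no file content appears.
        System.out.println("dtd-allowed, xxe      : " + parseTextLength(hardenedFactory(true), XXE));
    }
}
```

The XXE payload is deliberately not run through defaultFactory() in main, because the default JDK parser would read the file and the result depends on the machine; that is exactly the behaviour the JAXB slide's IS_SUPPORTING_EXTERNAL_ENTITIES=false and SUPPORT_DTD=false settings switch off for the StAX path.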

Page 23: Directory browsing and file access (JAXB)

    import javax.xml.bind.*;
    import javax.xml.stream.*;
    import javax.xml.transform.stream.StreamSource;

    public class Demo {
        public static void main(String[] args) throws Exception {
            // Customer is the JAXB-annotated class bound to input.xml (not shown on the slide).
            JAXBContext jc = JAXBContext.newInstance(Customer.class);

            // Parse with StAX instead of letting JAXB create its own parser, so that the
            // DTD and external-entity settings below are the ones actually in effect.
            XMLInputFactory xif = XMLInputFactory.newFactory();
            xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
            XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));

            Unmarshaller unmarshaller = jc.createUnmarshaller();
            Customer customer = (Customer) unmarshaller.unmarshal(xsr);

            Marshaller marshaller = jc.createMarshaller();
            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
            marshaller.marshal(customer, System.out);
        }
    }

More: http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb

Page 24: DoS attack and safe/vulnerable .Net versions

    .Net framework   Fixed (this build or higher)   Vulnerable (this build or lower)   Safe/Vulnerable? (revisions)
    2.0              2.0.50727.5477                 2.0.50727.5420                     5420 to 5476
    4.0              4.0.30319.34011                4.0.30319.1                        1 to 34010

Page 25: Lessons learned

1. Keep your operating systems and frameworks up to date

2. Don't let your server headers reveal too much information

3. Be vigilant about the framework's default settings