Lesser Known Injections XML Injections AMol NAik.

About me
Web Application Pentester
Core member of Garage4Hackers
Bounty Hunter in past
Currently fuzzing browsers for Fun & Profit

Garage4Hackers
Family of 3,800, posts 8k+
40+ best Bug Bounty submissions
15+ browser bugs in Chrome, IE, FF & Safari
ASLR bypass method presented at CanSecWest was already shared on G4H forum
5+ Information Security Research (cable TV & Datacard)
10+ Tools & scripts, 1+ Web application CTF
Ranchhoddas Webcast Series – 5+ webinars
Follow us on Twitter @garage4hackers

Agenda
XML Basic
XML Injection
XXE Attack
XPath Basics
XPath Injections

XXE is the new SQL Injection
- Someone on Twitter

XML Injection in Real-World
Yandex pwned for $5000 with XXE by @d0znpp
OpenID XXE by Reginaldo Silva
Multiple XXE bugs by @Securatary team
XXE in Google Toolbar by Detectify team - $10k

XML Basics
eXtensible Markup Language
Flexible text-based format
Presents structured info
Used for Data Exchange/Storage

XML Components

XML – CDATA Section
Tells parser not to use markup for characters in this section
Examples:

XML Injections
Injection Points

XML Injection – Node Attribute

XML Injection – Node Value

XML Injection – CDATA Section

XXE Attack

XML Entity
Variable
Define
Can be Internal/External

XPath Basics
Language to select XML Nodes
Formats XML data as tree-structured values
Similar to SQL (in some sense)

XPath Syntax
Uses path expressions to select nodes or node-sets in an XML document

| Expression | Description |
| --- | --- |
| `nodename` | Selects all child nodes of the named node |
| `/` | Selects from root node |
| `//` | Selects nodes from the current node that match the selection no matter where they are |
| `.` | Selects current node |
| `..` | Selects parent of the current node |

XPath Predicates
Used to find a specific node or a node that contains a specific value.
Always embedded in square brackets

| Expression | Result |
| --- | --- |
| `/Employees/Employee[1]` | Selects first ‘Employee’ element that is the child of ‘Employees’ element |
| `/Employees/Employee[last()]` | Selects last ‘Employee’ element that is the child of ‘Employees’ element |
| `/Employees/Employee[position()<3]` | Selects first 2 ‘Employee’ elements that are children of ‘Employees’ element |
| `//Employee[@ID='1']` | Selects all the ‘Employee’ elements that have an attribute named ‘ID’ with a value of ‘1’ |

XPath Location Path
Syntax: axisname::nodetest[predicate]

| Example | Result |
| --- | --- |
| `child::Employee` | Selects all ‘Employee’ nodes that are children of the current node |
| `attribute::id` | Selects the id attribute of the current node |
| `child::*` | Selects all children of the current node |
| `attribute::*` | Selects all attributes of the current node |
| `child::text()` | Selects all text child nodes of the current node |
| `child::node()` | Selects all child nodes of the current node |
| `descendant::Employees` | Selects all ‘Employees’ descendants of the current node |

XPath Injection
XPath Query:
/Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()

No UserName & Password known:

UserName known:
/Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text()
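
The string-built query from the slides beside a version that quotes each input as a single XPath 1.0 literal, as an added example that is not from the original deck. The function names are hypothetical; the scanner only lists the `and`/`or` keywords that fall outside quoted literals, to show whether input changed the predicate.

```python
import re

# Query from the "XPath Injection" slide, with slots for the two inputs.
TEMPLATE = ("/Employees/Employee[UserName/text() = {u} and "
            "Password/text() = {p}]/Type/text()")

def xpath_literal(value):
    """Return value as one XPath 1.0 string literal (hypothetical helper)."""
    # XPath 1.0 has no escape character inside a literal, so a value holding
    # both quote types is emitted as concat() of alternately quoted pieces.
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces, parts = [], value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append('"\'"')  # a lone apostrophe, double-quoted
    return "concat(" + ", ".join(pieces) + ")"

def build_query_unsafe(user, password):
    # Vulnerable pattern: input pasted between fixed quotes.
    return TEMPLATE.format(u="'" + user + "'", p="'" + password + "'")

def build_query_safe(user, password):
    # Hardened pattern: each input becomes exactly one string literal.
    return TEMPLATE.format(u=xpath_literal(user), p=xpath_literal(password))

def operators_outside_literals(query):
    """List the and/or keywords that sit outside any quoted literal."""
    outside, quote = [], None
    for ch in query:
        if quote:
            if ch == quote:
                quote = None
                outside.append(" ")
        elif ch in "'\"":
            quote = ch
        else:
            outside.append(ch)
    return re.findall(r"\b(?:and|or)\b", "".join(outside))

if __name__ == "__main__":
    for build in (build_query_unsafe, build_query_safe):
        q = build("mbrown' or '1'='1", "anything")  # input from the slide
        print(operators_outside_literals(q), q)
```

Where the XPath library supports bound variables, passing the inputs as variables achieves the same separation without building literals by hand.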

No UserName & Password known & Password is not vulnerable:

Conclusion
XML Injections are ignored
Many sites have these issues

That's It !!
AMol NAik
@amolnaik4