Embed Size (px)
Citation preview
Lesser Known Injections Lesser Known Injections XML InjectionsXML Injections
AMol NAikAMol NAik
About meAbout me
Web Application PentesterCore member of Garage4HackersBounty Hunter in pastCurrently fuzzing browsers for Fun & Profit
Garage4HackersGarage4Hackers
Family of 3,800, posts 8k+40+ best Bug Bounty submissions15+ browser bugs in Chrome, IE, FF & SafariASLR bypass method presented at CanSecWest was already shared on G4H forum5+ Information Security Research (cable TV & Datacard)10+ Tools & scripts, 1+ Web application CTFRanchhoddas Webcast Series – 5+ webinarsFollow us on Twitter @garage4hackers
AgendaAgenda
XML BasicXML InjectionXXE AttackXPath BasicsXPath Injections
XXE is a the new SQL InjectionXXE is a the new SQL Injection- Someone on Twitter - Someone on Twitter
XML Injection in Real-WorldXML Injection in Real-World
Yandex pwned for $5000 with XXE by @d0znppOpenID XXE by Reginaldo SilvaMultiple XXE bugs by @Securatary teamXXE in Google Toolbar by Detectify team - $10k
XML BasicsXML Basics
XML BasicsXML Basics
eXtensible Markup LanguageFlexible text-based formatPresents structured infoUsed for Data Exchange/Storage
XML ComponentsXML Components
XML – CDATA SectionXML – CDATA Section
Tells parser not to use markup for characters in this sectionExamples:
XML InjectionsXML Injections
XML InjectionsXML Injections
Injection Points
XML Injection – Node AttributeXML Injection – Node Attribute
XML Injection – Node AttributeXML Injection – Node Attribute
XML Injection – Node ValueXML Injection – Node Value
XML Injection – Node ValueXML Injection – Node Value
XML Injection – CDATA SectionXML Injection – CDATA Section
XML Injection – CDATA SectionXML Injection – CDATA Section
XXE AttackXXE Attack
XML EntityXML Entity
VariableDefine Can be Internal/External
XML EntityXML Entity
XXE AttackXXE Attack
XPath BasicsXPath Basics
Language to select XML NodesFormats XML data as tree-structured valuesSimilar as SQL (in some sense)
XPath SyntaxXPath Syntax
Uses path expressions to select nodes or node-sets in an xml document
Expression Description
nodename Selects all child nodes of the named node
/ Selects from root node
// Selects nodes from the current node that match the selection no matter where they are
. Selects current node
.. Selects parent of the current node
XPath PredicatesXPath Predicates
Used to find a specific node or a node that contain specific value.Always embedded in square brackets
XPath PredicatesXPath Predicates
Expression Result
/Employees/Employee[1] Selects first ‘Employee’ element that is the child of ‘Employees’ element
/Employees/Employee[last()] Selects last ‘Employee’ element that is the child of ‘Employees’ element
/Employees/Employee[position()<3] Selects first 2 ‘Employee’ elements that are children of Employees element
//Employee[@ID=‘1’] Selects all the ‘Employee’ elements that have an attribute named ‘ID’ with a value of ‘1’
XPath Location PathXPath Location Path
Syntax: axisname::nodetest[predicate]
XPath Location PathXPath Location Path
Example Result
child::Employee Selects all ‘Employee’ node that are children of the current node
attribute::id Selects the id attribute of the current node
child::* Selects all children of the current node
attribute::* Selects all attributes of the current node
child::text() Selects all text child nodes of the current node
child::node() Selects all child nodes of the current node
descendant::Employees Selects all ‘Employees’ descendants of the current node
XPath InjectionXPath Injection
XPath Query:/Employees/Employee[UserName/text() = ‘user’ and Password/text() = ‘passwd’]/Type/text()
XPath InjectionXPath Injection
No UserName & Password known:
XPath InjectionXPath Injection
UserName known:/Employees/Employee[UserName/text() = ‘mbrown’ or ‘1’=‘1’ and Password/text() = ‘anything’]Type/text()
XPath InjectionXPath Injection
No UserName & Password known & Password is not vulnerable:
ConclusionConclusion
XML Injections are ignoredMany sites having these issues
That's It !!That's It !!
AMol NAikAMol NAik@amolnaik4@amolnaik4
mailto:mailto: [email protected]@garage4hackers.com
ReferencesReferences
XPath InjectionHacking XPath 2.0Blind XPath Injection
